Captive Portal - SFOS 18.5.0 GA-Build264

Ok so upgrade to SFOS 19.0.0 GA-Build317 issues I had on captive portal are now resolved but I have another problem.

If a user requests HTTPS site they are re-directed to captive portal, they authenticate but then the page originally requested shows invalid certificate and they cannot continue. I can't install certs on all devices as there a literally over a 100 devices as well as guests.

Doesn't matter what OS or browser they all have the same issue. 

So for now match known users is off.

Hey Marco Camacho2,

Thank you for the update, ensure if you are using a captive portal authentication you must have a plain FW rule LAN to WAN with only DNS service allowed !! 

Is already there.

Can you move the LAN to WAN just below the Allow DNS rule?

Done and will revert when tested but I do think the LAN - WAN was below it before.

Hi Marco Camacho2 

As per your current firewall rules, all LAN user traffic is passing from rule id #5 and it is a plain/bypass firewall rule now the user will have access to the internet without authentication and security.

Hope you have a valid license on Sophos XG to use all Security features 

If you want to authenticate users you can use the Captive Portal Page or CAA client to be installed on the end System or you can configure STAS, where no Captive Portal or CAA client is required to install, and clientless users, are required to be configured to authenticate users/devices(such as printer, IP Phone) and on firewall rule, you have to tick mark "Match known users" on the firewall rule for authentication to work.

Browsers don’t trust Sophos IP,to resolve Default CA need to install. You can push certificate at once to all windows systems with AD sever some system or devices required manual installation or  try to check Sophos Network Agent for challenging devices like mobile device and CAA or STAS for windows systems and Clientless user for  printer or IP phone

Try to check the issue and requirement with the Latest firmware is available: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available 

Thanks and Regards

Hi Marco Camacho2 

As per your current firewall rules, all LAN user traffic is passing from rule id #5 and it is a plain/bypass firewall rule now the user will have access to the internet without authentication and security.

Hope you have a valid license on Sophos XG to use all Security features 

If you want to authenticate users you can use the Captive Portal Page or CAA client to be installed on the end System or you can configure STAS, where no Captive Portal or CAA client is required to install, and clientless users, are required to be configured to authenticate users/devices(such as printer, IP Phone) and on firewall rule, you have to tick mark "Match known users" on the firewall rule for authentication to work.

Browsers don’t trust Sophos IP,to resolve Default CA need to install. You can push certificate at once to all windows systems with AD sever some system or devices required manual installation or  try to check Sophos Network Agent for challenging devices like mobile device and CAA or STAS for windows systems and Clientless user for  printer or IP phone

Try to check the issue and requirement with the Latest firmware is available: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available 

Thanks and Regards

We have  a mixed environment of Apple, Linux and windows. Also we have contractors who access our LAN not the guest network so I can't be installing CA on all theses devices. Is there no way to use captive portal without installing CA?

Hi  Marco Camacho2 

There is no other way with HTTPS but you can get a captive portal page on HTTP with no certificate error with a captive portal which is not recommended in case of security and HTTS required certificate needs to install in the end system or device on LAN.

Please tick mark "Use insecure HTTP instead of HTTPS and try 

Make sure you clear the cache and history of the browser in case not working properly. 

Thanks and Regards

No you missing the point on my initial post. 

If a user opens a browser and goes https://www.facebook.com for example, they are  re-directed to captive portal and they can login.

The issue from here is when once authenticated the user is re-directed to https://facebook.com but are presented with invalid certificate and they cannot proceed further.

Hi Marco Camacho2 

When the SSL content inspection for HTTPS traffic is turned on Sophos Firewall, the web browsers prompt a warning message if the Certificate Authority (CA) for the certificate used by the Sophos Firewall SSL inspection is unknown by the browser. You need to import an SSL Proxy certificate into browsers or decryption on SSL Inspection to fix this.

All Sophos firewalls are shipped with an SSL CA Certificate that is used in HTTPS Deep Scan Inspection. To download and install the certificate on your browser and local computer, follow the link below:

https://support.sophos.com/support/s/article/KB-000035645?language=en_US 

Regards

"or decryption on SSL Inspection to fix this" how is this achieved as installing certificates is not an option.

How many numbers of system and browsers in it getting invalid certificate error message?

All just give can't give you a number.

Please open Chrome browser and press "f12" and click on View Certificate and share the output