
I have a Unifi UAP-AC-LR access point and wanted to set up the guest portal for friends. It sort of worked on my phone, but didn't work on my laptop. I think it had to do with the self-signed cert/keystore on the Unifi.

Since I have a signed cert on my pfsense firewall (for a web server), I imported that cert into the Unifi keystore, thinking it would remedy the browser warnings and errors when trying to connect to the guest portal. Thing is, I don't think DNS works, pre-logon, from the guest portal.

Is there a setting on the Unifi to allow the guest to query DNS for the hostname redirect so the cert works? I ran tcpdump on pfsense using the VLAN interface for the guest portal and I don't see any DNS requests being sent out. Just a BOOTP and a couple of ARPs.

Nstevens
  • Not sure what your problem is, the description isn't clear to me. All modern operating systems query, intentionally, an HTTP (unencrypted!) URL to detect _captive portals_. You should stick to this method. If you don't have a trusted certificate, don't use HTTPS. – Daniel B Apr 28 '22 at 10:04
  • *"Is there a setting on the Unifi to allow the guest to query DNS for the hostname redirect ..."* - which DNS server gets queried is a client side property. It usually gets the DNS server from DHCP but might have client side overrides, for example to use external servers to avoid DNS based blocking or to increase privacy. If you don't see DNS then the browser might try to use [DoH](https://en.wikipedia.org/wiki/DNS_over_HTTPS) or the system might try to use [DoT](https://en.wikipedia.org/wiki/DNS_over_TLS). – Steffen Ullrich Apr 28 '22 at 10:08
  • @DanielB the portal has a password for access so HTTPS is needed to keep the password protected in transit. – Nstevens Apr 28 '22 at 13:01
  • @SteffenUllrich I do see TCP 443 going to 1.1.1.1 on the pfsense VLAN interface, but not sure the return traffic is getting back to the client. I'll dig into it. – Nstevens Apr 28 '22 at 13:02
  • @Nstevens: *"I do see TCP 443 going to 1.1.1.1"* - yes, this looks like DoH. 1.1.1.1 is the well known DoH supporting DNS server from Cloudflare. – Steffen Ullrich Apr 28 '22 at 13:49
  • Whoops - I take that back. There isn't any DNS traffic pre-logon. Just the DHCP/BOOTP request, then an ARP for the first hop gateway, then an ICMP ping to the gateway. A few seconds later my Android phone says "ERR_CONNECTION_TIMED_OUT" while trying to get to the portal page. I'm thinking the Unifi must be blocking anything that's not DHCP so I'm not seeing the DNS lookup for the hostname in my portal redirect. I can use the IP address and it works fine, but there's still a cert error on the client because an IP address isn't a hostname in an SSL cert. – Nstevens Apr 28 '22 at 14:19
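The comments above spell out what a pre-logon capture on the guest VLAN should and should not contain: OS captive-portal detection probes a plain http:// URL (so there must be some TCP/80 for the portal to intercept), and name resolution is the client's choice, so it may leave as DoH on TCP/443 to a public resolver such as 1.1.1.1 rather than as UDP/53. The following is an added example, not code from anyone in this thread, that triages `tcpdump -n` summary lines along exactly those lines. The two capture samples are constructed to mirror the observations posted above (DHCP/ARP/ICMP only; TCP/443 to 1.1.1.1 with no port 53), and the list of DoH-capable resolver addresses is an assumption you should extend for your own network.

```python
"""Triage a `tcpdump -n` summary of pre-login traffic on a captive-portal guest VLAN.

Added example. It classifies each summary line and then reports the things the
thread above cares about: was plaintext DNS ever sent, does anything look like
DoH/DoT, did a plaintext HTTP probe arrive, or is everything beyond DHCP/ARP/ICMP
being dropped before the capture point.
"""
import re
from collections import Counter

# Assumption: public resolvers that answer DNS over HTTPS on TCP/443.
# 1.1.1.1 is the Cloudflare address named in the thread; the rest are illustrative.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# tcpdump -n summary formats: "<ts> IP a.b.c.d.port > e.f.g.h.port: ..." for TCP/UDP,
# "<ts> IP a.b.c.d > e.f.g.h: ICMP ..." for ICMP, "<ts> ARP, ..." for ARP.
_TCP_UDP = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
_ICMP = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP ")
_ARP = re.compile(r"^\S+ ARP, ")


def classify(line):
    """Map one tcpdump summary line to a coarse traffic class."""
    if _ARP.match(line):
        return "arp"
    if _ICMP.match(line):
        return "icmp"
    m = _TCP_UDP.match(line)
    if not m:
        return "other"
    sport, dport, dst, rest = int(m["sport"]), int(m["dport"]), m["dst"], m["rest"]
    if "BOOTP/DHCP" in rest:
        return "dhcp"
    if 53 in (sport, dport):
        return "dns"           # plaintext DNS, what the asker expected to see
    if dport == 853:
        return "dot"           # DNS over TLS (system resolver)
    if dport == 443:
        return "doh-suspect" if dst in DOH_RESOLVERS else "https"
    if dport == 80:
        return "http"          # where the OS captive-portal probe would show up
    return "other"


def triage(lines):
    """Return per-class counts plus the findings a portal troubleshooter wants."""
    counts = Counter(classify(l) for l in lines if l.strip())
    findings = []
    if counts["dns"] == 0:
        findings.append("no plaintext DNS (port 53) seen: the portal hostname was never "
                        "resolved on this VLAN, or it is being resolved some other way")
    if counts["doh-suspect"]:
        findings.append("TCP/443 to a public DoH resolver: the browser may be resolving "
                        "names over DoH, which a port-53 capture will never show")
    if counts["dot"]:
        findings.append("TCP/853 seen: the system resolver is using DNS over TLS")
    if counts["http"] == 0:
        findings.append("no plaintext HTTP reached this interface: the OS captive-portal "
                        "probe (http://, not https://) had nothing to be intercepted")
    if set(counts) <= {"dhcp", "arp", "icmp"}:
        findings.append("only DHCP/ARP/ICMP: everything else is dropped before the capture "
                        "point, consistent with a pre-auth walled garden that blocks DNS too")
    return {"counts": dict(counts), "findings": findings}


# Constructed sample 1: what the asker reports seeing (DHCP, ARP, ICMP, nothing else).
CAPTURE_WALLED_GARDEN = [
    "12:00:01.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:ff, length 300",
    "12:00:01.100000 ARP, Request who-has 192.168.50.1 tell 192.168.50.20, length 28",
    "12:00:01.200000 IP 192.168.50.20 > 192.168.50.1: ICMP echo request, id 1, seq 1, length 64",
]

# Constructed sample 2: the earlier observation of TCP/443 to 1.1.1.1 with no port 53.
CAPTURE_DOH = CAPTURE_WALLED_GARDEN + [
    "12:00:02.000000 IP 192.168.50.20.51234 > 1.1.1.1.443: Flags [S], seq 123456, win 64240, length 0",
]

if __name__ == "__main__":
    for name, cap in (("walled garden", CAPTURE_WALLED_GARDEN), ("doh", CAPTURE_DOH)):
        result = triage(cap)
        print(name, result["counts"])
        for f in result["findings"]:
            print("  -", f)
```

Feed it `tcpdump -n -i <guest-vlan-if>` output saved to a file; a capture that classifies as nothing but `dhcp`/`arp`/`icmp` means the question to answer is what the AP or firewall permits before authentication, not why the certificate is wrong.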

0 Answers