5 Replies Latest reply on Nov 7, 2013 6:29 AM by nick

    Turning off SSL / eliminate certificate ?

    joetho New Member

      Hello,

       

      I had a BSC2200 here in our shop for a few years and was told by my support vendor there was no way to make the certificate work (long story, moot point).

       

      I recently migrated to a hosted offsite VWLAN (serving our 15 locations) and the certificate on THAT one doesn't work either. Thus, my question: since I don't require the certificate for my own happiness, and make no pretense of offering high security to the user, can't I just turn the thing off and not even use it?

       

      Users are told "oh just click past all those warnings" but I am not liking that solution. All I want is an "I agree" page, and I could even live without that. A simple splash page would be even better. I just need to be able to count # of sessions per location per month.

       

      How do you turn this certificate off?

       

      Thanks, Joe

        • Re: Turning off SSL / eliminate certificate ?
          joetho New Member

          A little more information:

          It appears to be a DNS error, but I don't care. Even if the DNS record or certificate is fixed, it's probably going to be a problem again with some browser or other and I just don't want to deal with it.

           

          Currently, a user gets the initial DHCP IP address from the controller, all from the same pool. Then, when they successfully get through this #$^% certificate mess and click "I Agree" they get a NEW DHCP address from the AP location, using the location's gateway. THAT part I like, but I could do without getting the first IP address from the controller. Seems like overkill to me.

           

          Thanks for your opinions, help, sympathy, constructive criticism, and even grammar corrections,

          - Joe

            • Re: Turning off SSL / eliminate certificate ?
              nick Employee

              By default the BSC uses a pre-installed self-signed SSL certificate to encrypt login transactions. The BSC uses this SSL certificate when:

               

              • Clients connect to the secure user login page which uses HTTP over SSL (HTTPS).

              • Administrators connect to the secure web-based administrative console which also uses HTTP over SSL (HTTPS).

               

              In either case, when using the default Bluesocket self-signed SSL certificate the user may receive a certificate error from the browser indicating the certificate was not issued by a trusted certificate authority. This is because the Bluesocket self-signed certificate is not in the browser's list of trusted root certificate authorities.

               

              There are two ways to stop the generation of this web browser certificate error:

               

              • Use the default Bluesocket self-signed certificate on the BSC and install the Bluesocket self-signed certificate on the client in the browser’s list of trusted root certificate authorities.

              • Install an SSL certificate provided by a CA such as VeriSign or GoDaddy on the BSC that is already in the client’s list of trusted root certificate authorities using the following guide: Installing an SSL Certificate on a Bluesocket Controller (BSC)

               

              Alternatively, instead of redirecting users to the HTTPS page, you could edit the managed interface associated with the SSID to have a default role of anything other than "-Authenticate -" or "Un-registered". These are the only two roles that will require users to web authenticate via the HTTPS page served by the BSC. If you were to change the role to "Guest" for example, users will be placed directly on the network with the firewall rules from the "Guest" role.
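
An added example, not part of the reply above or of Bluesocket's documentation: a browser certificate warning can come from an untrusted issuer, which is what the reply addresses, or from a hostname mismatch, the usual result when the name a client is redirected to differs from the name in the certificate. This sketch uses the openssl CLI on a constructed self-signed certificate to tell the two apart; the hostnames `portal.example.test` and `controller.example.test` and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: constructed certificate and hypothetical hostnames.
# Requires the openssl CLI (1.1.1 or later for -addext).

# issuer_trusted CERT [CA_BUNDLE]: succeeds if CERT chains to a trusted root.
# Without CA_BUNDLE the system default trust store is used.
issuer_trusted() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify "$1" 2>&1 | grep -q ': OK$'
  fi
}

# host_matches CERT HOSTNAME: succeeds if HOSTNAME is covered by the
# certificate's subjectAltName (or CN when no SAN is present).
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# diagnose CERT HOSTNAME [CA_BUNDLE]: prints "<trust> <name>".
diagnose() {
  trust=trusted; name=name_ok
  issuer_trusted "$1" "${3:-}" || trust=untrusted_issuer
  host_matches "$1" "$2" || name=name_mismatch
  echo "$trust $name"
}

# Constructed stand-in for a controller's default self-signed certificate.
workdir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$workdir/key.pem" -out "$workdir/portal.pem" \
  -subj "/CN=portal.example.test" \
  -addext "subjectAltName=DNS:portal.example.test" 2>/dev/null

# 1. Default state: issuer is not in the client's trust store.
diagnose "$workdir/portal.pem" portal.example.test
# 2. Certificate installed as a trusted root on the client.
diagnose "$workdir/portal.pem" portal.example.test "$workdir/portal.pem"
# 3. Trusted, but the client reaches the portal under a different name.
diagnose "$workdir/portal.pem" controller.example.test "$workdir/portal.pem"
```

Case 3 shows that trusting the issuer does not clear the warning while the name mismatch remains, so both checks have to pass before browsers stop complaining.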

                • Re: Turning off SSL / eliminate certificate ?
                  joetho New Member

                  Thanks Nick! 

                   

                  That's what I've ended up doing, but users now go directly to internet access with no splash page. All I want is an http splash page. No submit/agree button, no authentication, just a page.

                   

                  Any ideas?

                   


                    • Re: Turning off SSL / eliminate certificate ?
                      daniel.blackmon Employee

                      joetho

                       

                      It sounds like you are more looking for reporting than a splash page if you just need to be able to count the number of sessions per location per month. Depending on the version of vWLAN you are running (2.1 vs. 2.2 or higher) the reporting feature may be in a different location in the administrative interface. Regardless, you should be able to gather the information with relative ease.

                       

                      The reason vWLAN does not support a non-SSL (or basic HTTP) captive portal is security. The vWLAN may hold quite a bit of information on other systems in the network such as Active Directory and RADIUS servers. Further, one of the best aspects of wireless also happens to be a great weakness. The wireless connection (as the name implies) means devices do not have to be physically plugged into the LAN. The vWLAN is what controls access to the LAN through the wireless medium, and compromising the vWLAN could effectively mean compromising the entire LAN infrastructure.

                       

                      In order to protect your network, and the vWLAN software, support for non-SSL captive portal in any fashion (simple splash page included) has not been added to the product.

                        • Re: Turning off SSL / eliminate certificate ?
                          nick Employee

                          I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                           

                           

                           

                          Thanks,

                           

                          Nick