By default, the USG / ZyWALL / ATP Series present an untrusted certificate, so a Hotspot User (Guest) has to click "continue" / skip the certificate warning before possibly reaching the Login Page. This article describes the best-known scenario for covering that.
You may see messages like these in your environment.
- Purchase a certificate for an FQDN, e.g. "hotspot.hotelname.de" (usually a cheap domain-validated certificate is enough).
- Import the certificate, including its private key, into the firewall under
  Configuration -> Object -> Certificate and upload it to "My Certificates".
- Under System -> WWW, change the certificate to the uploaded one.
  You can decide whether to keep "Redirect HTTP to HTTPS" active or not; both settings can work in the end.
- Add an A-Record in your DNS that maps the FQDN to the IP you prefer (WAN IP or LAN IP).
  Only use the WAN IP if it is a static IP and is not used in a NAT rule for the HTTP / HTTPS ports; otherwise use the LAN IP. The WAN IP is recommended.
- Log in to the USG via SSH and enter the following command:
  web-auth redirect-fqdn <FQDNNAME>
- Make sure the LAN subnet (for Hotspot Users) has the ZyWALL as its first DNS server, so that the FQDN is resolved by the firewall.
With this best-practice configuration we can support up to 80% of all clients / mobile phones, which can then avoid the HTTPS issue or the HSTS issue, but this solution still has some limitations.
3. Limitations and Tips & Tricks
Limitations apply if the client (e.g. Android phone, iPhone, Mac, Windows 10, ...) cannot support the Hotspot Detection feature (older versions, blocked by software, ...):
- If the website does not support HSTS, the certificate warning still pops up, but it can be skipped.
- If the website supports HSTS (google, facebook, ...), the browser shows a certificate warning and blocks the page (there is no way to continue from there); in that case the customer must visit the IP configured here (18.104.22.168) directly to reach the login page.
- You can try disabling "Redirect HTTP to HTTPS" and see whether that works better.
- A Walled Garden list containing some known HSTS pages can help: it excludes them from Web-Auth (no authentication required), and the customer authenticates when visiting a page without HSTS (Hotspot license required).
  In Walled Garden entries the * acts as a wildcard.
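To make the behaviour of the configuration steps above and of the Walled Garden tip concrete, here is an added Python model of the captive-portal decision (example code written for this article, not Zyxel firmware code). It assumes a constructed configuration: the FQDN hotspot.hotelname.de, the documentation addresses 192.0.2.1 (LAN) and 203.0.113.10 (WAN), a portal path of "/" and a hand-written set of HSTS hosts; the walled-garden matching uses the same "*" wildcard rule the article describes, while certificate-name matching follows the browser rule that a "*" covers exactly one left-most label.

```python
"""Model of the hotspot redirect decision described in the article (added example, not Zyxel code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class HotspotConfig:
    """Constructed model of the settings the article tells you to make."""
    lan_ip: str                                   # ZyWALL LAN address seen by the hotspot subnet
    redirect_fqdn: Optional[str] = None           # argument given to `web-auth redirect-fqdn`
    cert_sans: list[str] = field(default_factory=list)           # DNS names in the cert chosen under System -> WWW
    dns_a_records: dict[str, str] = field(default_factory=dict)  # A records the ZyWALL DNS can answer
    walled_garden: list[str] = field(default_factory=list)       # entries may use '*' as a wildcard
    redirect_http_to_https: bool = True
    hsts_hosts: set[str] = field(default_factory=set)            # assumed list; the article names google/facebook


def walled_garden_allows(cfg: HotspotConfig, host: str) -> bool:
    """Case-insensitive match of a hostname against the walled-garden entries ('*' matches any run)."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, entry.lower()) for entry in cfg.walled_garden)


def cert_covers(sans: list[str], host: str) -> bool:
    """Does a certificate with these subjectAltName DNS entries cover `host`?
    Browser rule: exact match, or a '*' in the left-most label covering exactly one label,
    so '*.hotelname.de' covers hotspot.hotelname.de but neither a.b.hotelname.de nor hotelname.de."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                       # ".hotelname.de"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def login_portal_host(cfg: HotspotConfig) -> tuple[str, bool]:
    """Pick the host the portal redirects to, in the article's order of preference:
    the FQDN if the certificate covers it and the ZyWALL DNS resolves it, otherwise the LAN IP.
    The second value says whether an HTTPS portal on that host will load without a warning."""
    fqdn = cfg.redirect_fqdn
    if fqdn and cert_covers(cfg.cert_sans, fqdn) and fqdn in cfg.dns_a_records:
        return fqdn, True
    return cfg.lan_ip, False                       # cert names no IP address: warning is unavoidable


def decide(cfg: HotspotConfig, url: str) -> dict:
    """What an unauthenticated hotspot client experiences when it requests `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if walled_garden_allows(cfg, host):
        return {"action": "allow", "reason": "walled garden, no authentication needed"}
    portal_host, portal_trusted = login_portal_host(cfg)
    portal_scheme = "https" if cfg.redirect_http_to_https else "http"
    portal_url = f"{portal_scheme}://{portal_host}/"   # assumed portal path
    if parts.scheme == "https":
        # The firewall must answer the TLS handshake for `host` with its own certificate,
        # which does not name `host`: a warning is unavoidable, and HSTS makes it unskippable.
        if host in cfg.hsts_hosts:
            return {"action": "blocked", "reason": "HSTS host: certificate warning cannot be skipped",
                    "portal": portal_url}
        return {"action": "warning", "reason": "certificate warning, user may skip", "portal": portal_url}
    # Plain HTTP (e.g. a hotspot-detection probe) is redirected without any TLS on the original host.
    return {"action": "redirect", "location": portal_url,
            "trusted": portal_trusted or portal_scheme == "http"}


def demo_config() -> HotspotConfig:
    """Constructed configuration matching the article's recommended setup."""
    return HotspotConfig(
        lan_ip="192.0.2.1",
        redirect_fqdn="hotspot.hotelname.de",
        cert_sans=["hotspot.hotelname.de"],
        dns_a_records={"hotspot.hotelname.de": "203.0.113.10"},   # WAN IP, constructed
        walled_garden=["*.google.com"],                          # HSTS site excluded from Web-Auth
        hsts_hosts={"www.google.com", "www.facebook.com"},
    )


if __name__ == "__main__":
    cfg = demo_config()
    for u in ["http://connectivitycheck.example/probe", "https://www.facebook.com/",
              "https://www.google.com/", "https://news.example/"]:
        print(u, "->", decide(cfg, u))
```

Running the block shows the four outcomes the article describes: the plain-HTTP detection probe is redirected to https://hotspot.hotelname.de/ with a trusted certificate, a direct HTTPS request to an HSTS site that is not in the Walled Garden is blocked, the walled-garden HSTS site is allowed without authentication, and an ordinary HTTPS site produces a skippable warning. Dropping the FQDN from the certificate makes login_portal_host fall back to the LAN IP, which is exactly the untrusted-certificate situation the article starts from.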
4. Info Note
As soon as a new RFC standard is in place, we will monitor the situation and update our software versions to deliver the best solution available in the market; you can monitor it from here:
Here is an article that describes a way of how to use Let's Encrypt certificates on a USG