So is there a matching method to neatly introduce MITM in the connection? Our portal would let you log on but you'll still fail to connect to anything as we have to inspect it.
> So is there a matching method to neatly introduce MITM in the connection?
No, for fairly obvious reasons. If you MITM traffic, clients will correctly flag security errors. No method exists or ever should exist for a network to cause clients to not flag such security errors. Any such method would defeat one of the primary purposes of TLS: to protect against hostile networks.
> Our portal would let you log on but you'll still fail to connect to anything as we have to inspect it.
For what purpose? I have not seen any legal jurisdiction sufficiently draconian to impose such a requirement. (I've seen a few terrible ones that might require logging IP addresses.)
I know MITM should never be silent, of course, but some kind of interaction flow would be good. When you try to add a school account to your Android it won't let you if you don't install the MDM client. A similar thing for the network would be great (of course, the MDM will install the cert).
I'd love it if I could also pin our MITM cert to only be valid when the client is on our IP addresses, which if using IPv6 could work very nicely.