Detecting captive portals

Latest revision as of 16:14, 8 November 2019

This is a collection of information from over a decade working at and with hospitality captive portal providers (LodgeNet/Sonifi, DOCOMO interTouch, GuestTek, Hoist/Locatel/Swisscom, Quadriga...).

The challenge for these network providers is understanding what client behavior triggers the captive portal redirects. Software vendors sometimes make drastic changes without notice (Apple is notorious for this), so your mileage may vary with the information on this page.

I've also tried to include information where possible on how to disable the captive portal checks, as well as what exactly the test is looking for. This can be useful if you're trying to build an isolated network segment without Internet connectivity and don't want captive portal logins to constantly pop up on your signboards, POS systems, kiosks, etc. You can set up an internal server that will intercept the network test requests and return the correct response so that network devices don't complain.


Desktop Operating Systems

Apple Mac OS

How to tell if there's an Internet connection

The OS will attempt to connect to http://captive.apple.com/hotspot-detect.html and will look for the word "Success" in the body of the response.

Endpoints

  • /hotspot-detect.html
  • /hotspotdetect.html
  • /library/test/success.html
  • /success.txt

Captive portal action

If a CP is detected, the OS will open a limited browser called the Captive Network Assistant that attempts to open http://captive.apple.com/hotspot-detect.html again and trigger a captive portal redirect to the network's authentication server.

The Captive Network Assistant app is Safari-based but is very limited in functionality:

  • The window size is hard-set to 900px by 572px. It can be moved but not resized.
  • It has limited JavaScript functionality.
  • It can't open new browser windows.
  • There is no tabbed window support.
  • There is limited cookie support (cookies can be set but not saved for future sessions).

Alex Meub has created a tool that lets you see what your page would look like in the Captive Network Assistant (helpful if you're designing a CP authentication page) here: Apple CNA Preview

ChromiumOS

Essentially the same as Android - see the Android section.

Linux variants

This section is a bit all over the place. Not only can each Linux distribution do things its own way, there are also multiple network manager packages a user could install, so you can't assume that someone is using GNOME NetworkManager; they might be using ConnMan, something else, or nothing at all. If you're troubleshooting CP trigger problems on a Linux desktop, it's best to read through this entire section regardless of the distribution and also do some additional Googling.

Arch Linux

Attempts to connect to http://archlinux.org/ successfully using GNOME NetworkManager (see the GNOME NetworkManager section below). May also use ConnMan (see below).

Documentation

ConnMan

Tries to connect to one of the below URLs to test IPv4 or IPv6 connectivity. It looks in the HTTP response headers for X-ConnMan-Status: online. If this is not set, ConnMan launches a browser to attempt to trigger a captive portal authentication redirect.

Documentation

elementary OS

How to tell if there's an Internet connection

elementary OS attempts to connect to http://capnet.elementary.io/ successfully. If this works, the user will either get a browser popup that explains that the user is online and can close the window, or nothing at all. If this doesn't work, the user will get a browser window that attempts to trigger a redirect to the authentication page by loading http://capnet.elementary.io/.

Documentation

GNOME NetworkManager

How to tell if there's an Internet connection

GNOME's NetworkManager attempts to connect to a test URL successfully. NetworkManager then checks for one of the following conditions to be true:

  • The body of the response contains the text "NetworkManager is online", or
  • the X-NetworkManager-Status HTTP header has the value "online".

Test URLs

These vary depending on the distribution. A few known ones are:

Documentation

Microsoft Windows

How to tell if there's an Internet connection

The OS attempts to connect to one of the following URLs and receive the text "Microsoft NCSI" in the body of the response:

The OS may also connect to one of these URLs and look for the text "Microsoft Connect test" in the body of the response:

Windows checks for IPv6 connectivity using one of the following URLs and looking for "Microsoft NCSI" in the body of the response. These FQDNs only have IPv6 AAAA DNS records and will not resolve to IPv4 A records.

All of the above domains are fronted by Akamai's CDN.

NCSI stands for Network Connection Status Indicator, if you're curious.

Endpoints

  • /ncsi.txt
  • /connecttest.txt

Captive portal action

Windows will pop up an alert "Additional log on information may be required" in the system toolbar. Clicking on the alert will open a web browser to trigger a redirect to the network's captive portal authentication page.

Documentation

Mobile Operating Systems

Amazon Kindle and Kindle Fire

How to tell if there's an Internet connection

Endpoints

  • /kindle-wifi/wifiredirect.html
  • /kindle-wifi/wifistub.html

Apple IOS

How to tell if there's an Internet connection

IOS attempts to connect to http://www.apple.com/library/test/success.html and looks for the text "Success" in the body of the response. Most (modern) IOS devices will have a User-Agent string with CaptiveNetworkSupport and wispr.

This domain is fronted by Akamai's CDN.

IOS6 and earlier

This version of IOS attempts to connect to one of these URLs:

IOS7 and later

Apple made major changes in IOS7. This version of IOS attempts to connect to one of these URLs and looks for the text "Success" in the body of the response. This is not necessarily an exhaustive list of URLs - Cisco reported that there are as many as 200 URLs that the device may probe to determine if a CP is in use.

Various hosts under the akamaiedge.net, akamaitechnologies.com, and edgekey.net domains were also sometimes checked.

The following URLs were also used at one point for CP detection but now redirect to other TLS-encrypted sites and likely no longer work for CP detection:

Endpoints

Note that the endpoint may be the root of the website.

  • /
  • /hotspot-detect.html
  • /hotspotdetect.html
  • /library/test/success.html
  • /success.txt

Captive portal action

If a captive portal is suspected, a browser will open and attempt to trigger a redirect to the captive portal authentication page.

Troubleshooting

IOS12+

  • If the device can't use the internet, but it's connected to the CP WiFi network and has a valid local IP address, or
  • if the user gets an error saying the WiFi network isn't connected to the Internet and is prompted to choose between using the network without Internet or connecting to another network:

Try triggering the CP authentication page manually - open a web browser and go to http://login.ding.net/ to try to trigger a redirect.

Documentation

Blackberry

Google Android

How to tell if there's an Internet connection

The device attempts to connect to the following URLs. If it receives an HTTP response code of 204 (No Content), it assumes there is open Internet.

Older versions of Android checked connectivity to http://www.google.com, but that check will fail now that Google redirects all connections to https (and those older versions of Android likely have outdated root CA information anyway). There are reports that URLs like http://www.google.com/blank.html were also used, but these are also redirected to TLS pages now.

clients2.google.com also exists, as do clients5 and clients6, but those haven't been documented in use in the wild yet.

In China

Most of Google's domains are blocked or extremely unreliable in China. Google and other brands have begun using other URLs for phones that are sold or may be used in China. There are probably many, many more of these that aren't listed here due to the many, many different phone brands and models using different versions of Android.

It's easy enough to configure a web server to generate a 204 response. There are also existing projects that let you stand up a small app that does this out of the box like this one: Android Captive Portal.
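The introduction mentions standing up an internal server on an isolated segment that answers the connectivity probes so devices stop raising captive portal prompts, and this section notes that a web server only needs to return a 204 for the Android checks. The responder below is an added example (not the page's code and not the "Android Captive Portal" project it links to) that serves both purposes: it answers every probe documented on this page with the response the client is looking for. It assumes the segment's DNS points the probed hostnames (captive.apple.com, the Microsoft NCSI hosts, and so on) at the machine running it. Firefox's probe hostname is not listed on this page, so the detectportal.firefox.com entry is an assumption; the Kindle endpoints are named on the page without their expected content, so they get a plain 200 that should be verified against a real device.

```python
"""Probe responder for an isolated network segment (added example, not from this page).

Answers the connectivity checks described on this page so kiosks, signboards and similar
devices without Internet access stop raising captive portal prompts. Run it on port 80
and point the probed hostnames at it in the segment's DNS.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# GNOME NetworkManager accepts this header (or the body below); ConnMan requires its header.
# Both are harmless for other clients, so every 200 carries them.
ONLINE_HEADERS = {
    "X-NetworkManager-Status": "online",
    "X-ConnMan-Status": "online",
}

# Android, Chrome/Chromium and the Cloudflare WARP app want an empty 204.
NO_CONTENT_PATHS = {"/generate_204", "/gen_204", "/mobile/status.php"}
NO_CONTENT_HOSTS = {"cp.cloudflare.com"}

# Apple macOS/iOS look for "Success" in the body (endpoint may also be the site root).
APPLE_PATHS = {"/hotspot-detect.html", "/hotspotdetect.html",
               "/library/test/success.html", "/success.txt"}
APPLE_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# Firefox looks for the lower-case word "success". Its probe host is not listed on this
# page, so this hostname is an assumption; adjust it to whatever your logs show.
FIREFOX_HOSTS = {"detectportal.firefox.com"}

# Windows NCSI bodies. The page writes the second as "Microsoft Connect test";
# the live file uses "Microsoft Connect Test".
WINDOWS_BODIES = {"/ncsi.txt": b"Microsoft NCSI",
                  "/connecttest.txt": b"Microsoft Connect Test"}

# Kindle/Fire paths are on the page, the expected content is not: plain 200, verify on a device.
KINDLE_PREFIX = "/kindle-wifi/"


def probe_response(host, path):
    """Return (status, headers, body) for one probe request; routed by path, then by host."""
    host = host.split(":")[0].lower()
    path = path.split("?", 1)[0]
    if path in NO_CONTENT_PATHS or host in NO_CONTENT_HOSTS:
        return 204, {}, b""
    headers = {"Content-Type": "text/plain; charset=utf-8", **ONLINE_HEADERS}
    if host in FIREFOX_HOSTS:
        return 200, headers, b"success\n"
    if path in WINDOWS_BODIES:
        return 200, headers, WINDOWS_BODIES[path]
    if path in APPLE_PATHS or host.endswith("apple.com"):
        return 200, {**headers, "Content-Type": "text/html"}, APPLE_BODY
    if path.startswith(KINDLE_PREFIX):
        return 200, {**headers, "Content-Type": "text/html"}, b"<html><body>ok</body></html>"
    # Everything else (distribution NetworkManager URLs, archlinux.org, capnet.elementary.io):
    # a 200 with the NetworkManager body and the status headers above.
    return 200, headers, b"NetworkManager is online\n"


class ProbeHandler(BaseHTTPRequestHandler):
    def _serve(self, send_body):
        status, headers, body = probe_response(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        if status != 204:
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body and status != 204:
            self.wfile.write(body)

    def do_GET(self):
        self._serve(send_body=True)

    def do_HEAD(self):
        self._serve(send_body=False)


def make_server(bind="0.0.0.0", port=80):
    return HTTPServer((bind, port), ProbeHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```

Because the probes are plain HTTP, the only thing the responder has to get right is the exact body text, status code or header each client checks; anything that also redirects HTTPS hostnames to this box will break rather than help, since the clients on this page probe over http://.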

Endpoints

  • /mobile/status.php
  • /generate_204
  • /gen_204
  • /blank.html

Configuration

How to change the default captive portal server

The main use case for this is for users in mainland China who cannot normally reach the standard Google servers. Some set their server to g.cn (still owned by Google so YMMV) or another site. To do this, use the adb shell or a terminal session to the phone:

Android 4-5
settings put global captive_portal_server g.cn

The phone must be rebooted for the setting to become active.

Android 6+
settings put global captive_portal_server g.cn

The phone must be rebooted for the setting to become active.

How to disable captive portal detection

Android 4-5

Using adb shell or a terminal session to the phone:

settings put global captive_portal_detection_enabled 0

Then confirm the setting:

settings get global captive_portal_detection_enabled

You should get "0". If you get "1" or "null", detection has not been disabled. You must reboot for this to take effect.

Android 6+

Using adb shell or a terminal session to the phone:

settings put global captive_portal_mode 0

Then confirm the setting:

settings get global captive_portal_mode

You should get "0". If you get "1" or "null", detection has not been disabled. You must reboot for this to take effect.
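The two procedures above (changing the probe server, and disabling detection with a put/get/verify cycle whose key depends on the Android version) are easy to get wrong across a fleet of devices. The script below is an added example, not from this page, that drives them over adb from Python: it reads the SDK level with getprop, picks the key using the page's split (Android 4-5: captive_portal_detection_enabled; Android 6+: captive_portal_mode), writes the value, reads it back, and reports whether the change stuck. The run parameter and the adb_shell helper are this example's own names; run is injectable so the logic can be exercised with no device attached.

```python
"""Set or disable Android captive portal detection over adb (added example, not from this page)."""
import subprocess


def adb_shell(args, serial=None):
    """Run one command on the device via `adb shell` and return its trimmed stdout."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


def detection_key(sdk):
    # SDK 23 is Android 6.0; the page's "Android 4-5" group is everything below that.
    return "captive_portal_detection_enabled" if sdk < 23 else "captive_portal_mode"


def _put_and_verify(run, key, value):
    # Same put/get cycle the page describes; `settings` is the real Android CLI.
    run(["settings", "put", "global", key, value])
    return run(["settings", "get", "global", key])


def disable_captive_portal_detection(run=adb_shell):
    """Write 0 to the version-appropriate key and read it back.
    Per the page, "0" means disabled; "1" or "null" means the change did not take."""
    sdk = int(run(["getprop", "ro.build.version.sdk"]))
    key = detection_key(sdk)
    got = _put_and_verify(run, key, "0")
    return {"sdk": sdk, "key": key, "value": got,
            "disabled": got == "0", "reboot_required": True}


def set_captive_portal_server(server, run=adb_shell):
    """Point the probe at another host (e.g. g.cn); the page uses the same key on all versions."""
    got = _put_and_verify(run, "captive_portal_server", server)
    return {"key": "captive_portal_server", "value": got,
            "applied": got == server, "reboot_required": True}


if __name__ == "__main__":
    print(disable_captive_portal_detection())
```

The script deliberately does not reboot the device; it reports reboot_required so the caller can schedule that, since the page notes the setting only takes effect after a reboot.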

Documentation

IoT/Embedded Operating Systems

I need to do more network tests with these. I've seen some connections from Amazon Echo and Google Home devices that look very similar to the Kindle and Android tests, so I assume they generally use the same network connectivity tests.

Amazon Echo - "Alexa"

The Amazon Echo likely uses the same test URLs and mechanisms as the Amazon Kindles and FireOS devices do to test connectivity. If WiFi or Internet is not available, they will sometimes flash a different color to alert that there is a network problem.

Google Home

I suspect this uses the same test URLs and mechanisms as Google Chrome/Chromium/Android. It would not be able to pop up a web browser, but Google Home devices will sometimes broadcast an open WiFi SSID for configuration purposes if they lose their WiFi or Internet connections.

Roku

Current generation Roku streaming devices support a feature called Hotel and Dorm Connect. If the Roku thinks it has found a captive portal, it asks the user if it's on a hotel or dorm network. If so, it sets up a temporary WiFi network and displays connection information on the TV screen that the user can use to connect to the Roku network with their laptop or phone and go through the captive portal authentication process on that browser.

Other Software

Cloudflare Warp/1.1.1.1 app

How to tell if there's an Internet connection

The app attempts to connect to http://cp.cloudflare.com/ and looks for an HTTP 204 response.

Captive portal action

If a portal is suspected, the app will not redirect DNS requests to 1.1.1.1.

Firefox browser

How to tell if there's an Internet connection

The browser attempts to connect to the following URLs. It looks for the word "success" in the body of the response.

This URL is fronted by Amazon's Cloudfront CDN.

Captive portal action

If a portal is detected, the browser attempts to load the test URL in a visible window to trigger a redirect to the network authentication page.

Troubleshooting

If Firefox is using DNS-over-HTTPS in trr-only mode behind a captive portal, name resolution will fail (if the browser can't establish a secure https connection to the DoH server, it can't resolve hostnames, so it can't even get to the point of being redirected to the captive portal authentication page).

  • Reconfiguring the Firefox browser out of trr-only mode may allow it to fall back to non-DoH DNS lookups.
  • Use another browser on the system that isn't configured for DoH (IE or Safari) to trigger the captive portal redirect.
  • Users can try connecting to http://1.1.1.1/ or another IP URL.

Google Chrome browser

Also see the section on Android devices.

How to tell if there's an Internet connection

The browser attempts to connect to the following URLs. If it receives an HTTP response code of 204 (No Content), it assumes there is open Internet.

clients2.google.com also exists, as do clients5 and clients6, but those haven't been documented in use in the wild yet.

Captive portal action

If a portal is detected, the browser attempts to load the test URL in a visible window to trigger a redirect to the network authentication page.
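Every client family on this page reveals itself in the portal's own web server logs through the host it probes, the path it requests and sometimes its User-Agent (Apple's CaptiveNetworkSupport/wispr, for instance). The classifier below is an added example, not from this page, that runs over a few constructed access-log lines in a per-virtual-host combined format, tags each probe with the family the page's sections describe, and counts how many probes per family received a 3xx (the redirect that is supposed to trigger the client's captive portal action). The hostnames in the sample lines other than captive.apple.com are constructed; the android-or-chrome and apple-or-firefox labels reflect that those paths are shared between clients on this page.

```python
"""Classify connectivity-probe requests in access logs (added example, not from this page).

Log format (constructed, per-virtual-host combined):
  host client - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify_probe(host, path, user_agent):
    """Return the probing client family, or None if the request is not a known probe."""
    host = host.split(":")[0].lower()
    path = path.split("?", 1)[0]
    ua = user_agent.lower()
    if "captivenetworksupport" in ua or "wispr" in ua:      # Apple CNA user agent
        return "apple"
    if path in ("/hotspot-detect.html", "/hotspotdetect.html",
                "/library/test/success.html") or host.endswith("apple.com"):
        return "apple"
    if path in ("/ncsi.txt", "/connecttest.txt"):           # Windows NCSI
        return "windows"
    if path in ("/generate_204", "/gen_204", "/mobile/status.php"):
        return "android-or-chrome"                          # both expect a 204
    if path.startswith("/kindle-wifi/"):
        return "kindle"
    if host == "cp.cloudflare.com":
        return "cloudflare-warp"
    if path == "/success.txt":                              # Apple "Success" vs Firefox "success"
        return "apple-or-firefox"
    return None


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count probes per family, and how many of them were answered with a 3xx redirect."""
    probes, redirected = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify_probe(rec["host"], rec["path"], rec["ua"])
        if family is None:
            continue
        probes[family] += 1
        if rec["status"].startswith("3"):
            redirected[family] += 1
    return {"probes": dict(probes), "redirected": dict(redirected)}


# Constructed sample lines; only captive.apple.com is a hostname taken from this page.
SAMPLE_LOG = [
    'captive.apple.com 10.0.0.21 - - [08/Nov/2019:16:14:00 +0000] "GET /hotspot-detect.html HTTP/1.1" 302 0 "-" "CaptiveNetworkSupport-390.50.1 wispr"',
    'ncsi.example 10.0.0.22 - - [08/Nov/2019:16:14:01 +0000] "GET /connecttest.txt HTTP/1.1" 302 0 "-" "Microsoft NCSI"',
    'probe.example 10.0.0.23 - - [08/Nov/2019:16:14:02 +0000] "GET /generate_204 HTTP/1.1" 302 0 "-" "Dalvik/2.1.0 (Linux; U; Android 9)"',
    'probe.example 10.0.0.23 - - [08/Nov/2019:16:15:30 +0000] "GET /generate_204 HTTP/1.1" 204 0 "-" "Dalvik/2.1.0 (Linux; U; Android 9)"',
    'kindle.example 10.0.0.24 - - [08/Nov/2019:16:14:03 +0000] "GET /kindle-wifi/wifistub.html HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux; Android 5.1.1; KFSUWI)"',
    'www.example.com 10.0.0.25 - - [08/Nov/2019:16:14:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A family whose probes keep showing up with 200s instead of 3xx (or that never shows up at all) is the first place to look when a class of devices "never sees the login page": either the portal is not intercepting that host and path, or the device is resolving it somewhere else.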

The Future

There are many attempts to standardize this process; however, none is widely adopted yet.

IETF

WBA