we would appreciate your help regarding the following problem:
IOS7 uses the Captive Network Assistent (CNA) function to recognize if the hotspot is open or if there is a captive portal.
When connecting to a wireless network the Apple iOS device sends a request to a specific page on the Apple Site to verify Internet connectivity.
• If the page is accessed successfully, the device assumes it has network connectivity.
• In the event of a failure, CNA assumes a captive portal and launches a CNA browser to prompt the user with the Splash Portal.
In IOS6 you could avoid the problem opening the domain apple.com in the walled garden of the captive portal.
In IOS7 this trick doesn’t work anymore, whitelisting a specific URLs will no longer be sufficient since the list of those domain is very long (Cisco says more than 200… and of course the list of URLs is not publicly available!).
As a result this causes Login problems to our hotspot infrastructures.
Is there any chance that Mikrotik can do something about it, as it is crucial to our hotspot installations due to the fact that more than 50% of the devices are IOS devices.
Thanks for pointing this out cellfinity. Tested with an iPhone on IOS7 and the only difference we see is that the login page pops up automatically once connected (we specifically disabled this by bypassing the success page in the walled garden for older devices). It’s not preventing the login from working though - can you provide any detail on the login issue this is causing you?
I am also interested in Mikrotik solution to this problem. The iOS Login page must be prevented from appearing at all, as it just confuses users. Attempts to cancel the Login returns the user to the Wi-Fi settings on the device, so more confusion.
I do not require login; the user must have full access to the browser after Wi-Fi connection.
In iOS7 the request is actually sent to a random URL on a randomly chosen Apple site, but always returns the same content.
Whitelisting the Apple domains is not a solution, for at least two reasons:
The domains are impossible to predict. There is no reason to assume that the small list of known domains will not be changed or added to and the devices updated; and
Whitelisting the domains assumes that the LAN is connected to the Internet. It does nothing for applications where the LAN is isolated from the Internet and cannot reach the Apple sites.
You see as you wrote below with older IOS6 devices all needed was to allow traffic to a specific apple.com URL but with IOS7 Apple decided to randomnly check about 200 URLs using a protocol known as WISPr (which we know very little about). The problem is that our external captive portal uses cookies, and unfortunately cookies are not supported anymore in IOS7 mini popup browser (CNA)! that causes us login problems. So there are 2 ways to avoid this:
To inform the users that they must disable the auto login function inside our SSIDs WIFI connection information - that is on their IOS7 device settings - which they don’t seem to like it so much…
or
Have RouterOS detect those WISPr packets and reply in such a way that IOS will think that there is no hotspot captive portal behind the wireless network connected. In that way the users will have to open safari and that is when they will be redirected to our external portal.
Having users to open safari is OK (for now) for us, as safari supports cookies which are vital for the operation of our portal (Until we modify it, but that takes time!!!)
and may I say that strahlen’s post, reasons and assumptions are absolutely correct. Mikrotik or someone must do something about that and the only possible solution we can think is some sort of an algorithm that identifies WISPr packets and replies in a “positive” manner in such a way that IOS thinks that there is internet connection.
Meanwhile after the support we received from Mikrotik and another source we have managed to trick IOS7 devices by adding the following rules in our walled garden
A different solution was found that does not involve listing the known Apple sites. The credit goes to Matthias Strubel of Wiesbaden in Germany.
It makes use of the User Agent (UA) data transmitted by the iOS7 device.
A typical string looks like: CaptiveNetworkSupport-277 wispr
The URL requested will change, the site requested will change, and number after the hyphen will change, but the device always identifies as CaptiveNetworkSupport to the website.
It appears that the Apple site will respond to this with success.html regardless of URL or which Apple site is chosen from the list.
The solution is to send the device a locally served success.html page if the requesting UA contains CaptiveNetworkSupport. Historically this page has lived at apple.com in the path /library/test/success.html. It can also be seen at captive.apple.com.
I do not yet have Mikrotik equipment. I have tested this solution with the Lighttpd web server and confirmed that it works. I would hope that someone could develop a similar configuration for Mikrotik and openly publish the settings.
We are actually making full use of the captive portal helpers built into as many of the different O/S as possible to fight the issue with Apple etc now using Google as the embedded search (and search being an SSL site now).
Our support calls dropped by around 300 per month once we removed apple.com from the walled garden.
Similarly to this, I tried to implement this workaround with a firewall layer 7 rule, but no success.
The regexp is “user-agent: (captivenetworksupport|server-bag)” but I cannot find how to apply it.
The idea is to let bypass the hotspot authentication when a packet matches this string (on tcp/80).
Is it possible until there is a proper hotspot code compatible with CNS/CNA ?
We had a the same trouble on a RB1200 5.26 in a hotel.
Windows, Android were able to connect but Not IOS 7.x.x nor MacOS
We found that on mac os, the hotpost.local did not resolve.
After many gess, I found that it was a dns resolution problem.
Ping hotspot.local worked on android, windows, linux but did NOT worked on MacOS nor IOS 7.x.x
Ping www.hotspot.local works for every platform.
The trick was to rename the dns name of the hotspot login page web server from hotspot.local to www.hotspot.local
IP → hotspot → Server profile → DNS name → [ http://www.hotspot.local ]
It seems that new IOS and MacOS are using MDNS responder in place of DNS request while searching for the IP of hotspot.local
Now safari is able to correctly be redirected to the login web page and IOS 7 device are authenticated.
I think we should mount a joint effort to get Apple IOS fixed. Why is it that Cisco, Mikrotik and other all need to change their code when it is Apple who screwed it up?
Yes i have two IPHONEs one with IOS 7.0 second with IOS 7.0.4
I was tryiing to get it working with the link-redirect but i don’t know how to use a variable on mikrotik.
My idea is (because i want to popup ONCE the iPhone window to tell user go to safari)–> i’ve seen it in other hotspots (don’t know captive portal software)
rlogin.html
if mivap=“” redirect normaly (to my_php.php (ip opened on garden) post link-redirect)
iphon will check again connection so rlogin now with this variable will know that is iPhone
rlogin.html
if myvar=“CAPTIVE” success…
maybe in login the same
at this momento iPhone will think is with intenet and the Windows popus iPhone (that have to apears to let know the user to log someow) wil change to OK press ok and you can browse safari.
Hi,
is not working trying all the convinations with “” with ‘’ with /1.0 with //1.0 …
But is not getting any difference.
If I write only the HTML code with Success then the CNA is not opening.
I’ve seen with openWRT the next behavior that i think is the BEST solution.
Connects WIFI
Open CNA
(Some work with php, HTML ¿?¿?) CNA thinks the wifi has internet and change CANCEL link on top right to GO link
Then you insert a message telling OPEN YOUR BROWSER to GET TO INTERNET or some link to any page and
then redirects with BROWSER to the captive portal.
We should try to get it with mikrotik .. i’ve been trying lots of things but I can’t get it.
Always return Success2-Mozilla. Even with CNA and safari (you can get safari cancelling CNA manually and select Use without internet)
So please mikrotik give us a solutions to let iPhone show the CNA and then return success or wherever to make belive CNA you reach internet and change cancel button to OK.