Community discussions

MUM Europe 2020
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Force "Sign-in to WiFi network"

Thu Mar 05, 2015 9:34 pm

Hi,

I have several routers running with hotspot but I noticed that only some devices are displaying to the user the message about the "Sign-in to WiFi network" and then opening the browser so my question is: can I force all devices to show this message doing something on the router side?
I guess that Android devices are making some kind of request to verify if the sign in is required or not, do you know what kind of request or check is doing? so I can block it to force the message?
Thanks!!
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Thu Mar 05, 2015 9:38 pm

maybe is related with using or not Google DNS? if I use them then the "Sign-in to WiFi network" won't be displayed in the hotspot? (just a theory)
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Force "Sign-in to WiFi network"

Thu Mar 05, 2015 9:43 pm

That's pretty much going to depend on the OS of the device in question.
I know Apple devices do it also.
Windows apparently sends checks too, but I've never had a browser window pop up with a login screen.

If you could force a device to run an application and for that application to perform a specific task, just by sending/manipulating network packets... there's a word for that: security exploit. :lol:

If the device doesn't do it, then you just have to post signs / tent cards / stickers / train clerks to tell people / etc.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
TonyJr
Member Candidate
Member Candidate
Posts: 201
Joined: Sat Nov 12, 2011 1:30 am
Location: UK
Contact:

Re: Force "Sign-in to WiFi network"

Thu Mar 05, 2015 11:58 pm

Hi,

I have several routers running with hotspot but I noticed that only some devices are displaying to the user the message about the "Sign-in to WiFi network" and then opening the browser so my question is: can I force all devices to show this message doing something on the router side?
I guess that Android devices are making some kind of request to verify if the sign in is required or not, do you know what kind of request or check is doing? so I can block it to force the message?
Thanks!!

For iOS, the requirements are:
To implement a Wi-Fi popup login page:
1.DNS request for http://www.apple.com must not fail
2.HTTP request for http://www.apple.com/library/test/success.html with special user agent CaptiveNetworkSupport/1.0 wispr must not return Success.

Windows Phone 8 and 8.1 are WISP-r capable https://msdn.microsoft.com/en-us/librar ... 08679.aspx.

They also do this:
To determine Internet connectivity and captive portal status when a client first connects to a network, Windows performs a series of network tests. The destination site of these tests is msftncsi.com, which is a reserved domain that is used exclusively for connectivity testing. When a captive portal is detected, these tests are periodically repeated until the captive portal is released.

To avoid false positive or false negative test results, your captive portal should not do the following:
• Allow access to http://www.msftncsi.com when the user does not have access to the Internet.


• Change the captive portal behavior that is displayed to clients. For example, do not redirect some requests and drop other requests; you should continue to redirect all requests until authentication succeeds.
Android does this:
Android's captive portal detection, as of AOSP 4.0.1, tries to contact http://clients3.google.com/generate_204 or http://www.google.com/blank.html.
TonyJr
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Wed Mar 11, 2015 1:10 pm

Excellent information!!

Is it possible to block http://clients3.google.com/generate_204 or http://www.google.com/blank.html requests in the router until the user is validated by the hotspot? I guess is possible with some script, no? To block those urls until user get 'active' in the hotspot? Can anyone help me with such script?

Thanks!!
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Force "Sign-in to WiFi network"

Thu Mar 12, 2015 4:49 am

Excellent information!!

Is it possible to block http://clients3.google.com/generate_204 or http://www.google.com/blank.html requests in the router until the user is validated by the hotspot? I guess is possible with some script, no? To block those urls until user get 'active' in the hotspot? Can anyone help me with such script?

Thanks!!
That's the behavior of the Hotspot already, unless you have *.google.com in your walled garden to avoid SSL certificate errors scaring your customers. You could probably make a rule in walled garden that overrides *.google.com, for example walled garden IP list, add dst-host clients3.google.com action=reject.
That would keep the bulk of google.com working with SSL walled garden, but causing the detection URL to get redirected to the login screen, which is how the device knows there's a captive portal.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
hossain2004a
Member Candidate
Member Candidate
Posts: 247
Joined: Mon Dec 22, 2014 7:34 pm
Location: Iran

Re: Force "Sign-in to WiFi network"

Thu Mar 12, 2015 8:53 am


If you could force a device to run an application and for that application to perform a specific task, just by sending/manipulating network packets... there's a word for that: security exploit. :lol:

When I was child (years ago), I was trying to do that, but fail :D


My best way is to tell your customer to open browser - as I do
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Thu Mar 12, 2015 1:49 pm

You could probably make a rule in walled garden that overrides *.google.com, for example walled garden IP list, add dst-host clients3.google.com action=reject.
Yes, I do have *.google.com in my walled garden list.
So, I just need to create this rule to reject clients3.google.com and set it before the one of *.google.com, right? In that case I will reject only that host and the rest of *.google.com will pass.... correct? :?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Force "Sign-in to WiFi network"

Thu Mar 12, 2015 2:02 pm

You could probably make a rule in walled garden that overrides *.google.com, for example walled garden IP list, add dst-host clients3.google.com action=reject.
Yes, I do have *.google.com in my walled garden list.
So, I just need to create this rule to reject clients3.google.com and set it before the one of *.google.com, right? In that case I will reject only that host and the rest of *.google.com will pass.... correct? :?
That should be correct.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Fri Mar 13, 2015 5:02 pm

Capture.JPG
even if I create the deny for clients3.google.com before the allow of *.google.com, it always goes after it... do you think it will work anyway? or it works like firewall rules where the order matters?
You do not have the required permissions to view the files attached to this post.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Force "Sign-in to WiFi network"

Fri Mar 13, 2015 5:43 pm

If you have access to the site, try opening it in a browser.
If you see your hotspot page, there's your answer, right?

I would think that the most specific match should win in this case, but haven't ever tested such a thing.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Fri Mar 13, 2015 6:13 pm

I have all these routers installed on remote locations... I still don't see Hits on this deny rule so I'm not sure is working... :(
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Force "Sign-in to WiFi network"

Fri Mar 13, 2015 6:20 pm

I have all these routers installed on remote locations... I still don't see Hits on this deny rule so I'm not sure is working... :(
If memory serves, these hostname walled garden rules function by creating dynamic entries in the firewall rules whenever they get matched. If clients3 is already in the table due to previously being matched by *.google, then perhaps it is still being allowed because of this.

Try disable / re-enable these two rules and watch what happens in the IP firewall rules while you do it.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Fri Mar 20, 2015 10:32 pm

I tried disable/enable these two rules and it didn't work (also tried restarting the routers). I did several tests with different routers having both rules and the results are not good... only a few of the times the domain was really blocked and I got the popup :(

Maybe I can do some script to block this domain until the user is authenticated in the hotspot? do you think is possible?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Force "Sign-in to WiFi network"

Fri Mar 20, 2015 11:09 pm

put clients3.google.com in the IP walled garden.
The IP walled garden will create dynamic rules in the hs-unauth chain by performing DNS lookup on the hostname(s) you specify. This should do what you want using automatic, always-running features in the Mikrotik.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Mon Mar 23, 2015 5:06 pm

Great idea, I will do that!
Thanks!!
 
tarasius
just joined
Posts: 5
Joined: Thu Apr 16, 2015 1:06 pm

Re: Force "Sign-in to WiFi network"

Sat Apr 25, 2015 7:37 pm

Hello.
Am I right that to force the captive portal notification I need to block clients3.google.com?
I want to make captive portal without internet. I did a DNS record like .* = ROUTER_IP
And popup of login page works in Windows and iOS but not in Android.
So what is the workaround to make the notification appear in Android if there is no internet access in the router?
Thanks.
 
mati83
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Thu Aug 28, 2014 12:12 am

Re: Force "Sign-in to WiFi network"

Wed May 27, 2015 3:36 pm

my solution was tu remove *.google.com from the Walled Garden list...
 
User avatar
m4t7e0
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Tue Jun 09, 2015 12:17 am
Contact:

Re: Force "Sign-in to WiFi network"

Tue Aug 04, 2015 6:01 pm

Nothing to do..
 
User avatar
davey
just joined
Posts: 8
Joined: Tue Jan 17, 2017 1:22 pm
Location: Nairobi Kenya
Contact:

Re: Force "Sign-in to WiFi network"

Tue Mar 20, 2018 8:52 pm

Anyone ever got this to work? im facing the same exact issue. the captive portal wont load and the gstatic connectivity returns net::ERR_CONNECTION_RESET
¦ MTCNA MTCRE MTCTCE MTCINE ¦ CCNA-RS CCNA-SEC CCNP-RS ¦ CWNA
 
User avatar
m4t7e0
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Tue Jun 09, 2015 12:17 am
Contact:

Re: Force "Sign-in to WiFi network"

Tue Nov 20, 2018 6:21 pm

Anyone ever got this to work? im facing the same exact issue. the captive portal wont load and the gstatic connectivity returns net::ERR_CONNECTION_RESET
probabily depends on https site..
Try to load an http site instead https.

Who is online

Users browsing this forum: No registered users and 85 guests