[WLUG] Apple Captive Network Assistant

Kuch/Mitchell/D. mitch at basejp.com
Wed Sep 20 16:56:15 EDT 2017


SW -

Apple's iOS and macOS use their Captive Network Assistant (CNA) to pop up a lite browser when a client
  A - connects to a Wi-Fi network
  B - is assigned a default gateway
  C - the new connection is "hijacked" by the captive portal
      C0 - the gateway may hijack all http traffic or
      C1 - current DNS falsely responds with the local portal IP

The client attempts to download a webpage via an http (non tls) connection from a handful of websites [0]. If the client CNA receives an acceptable response [1], the CNA never pops up and the client considers that it has full internet access via the Wi-Fi default gateway. If the client CNA receives no response and times out, the CNA never pops up and it assumes it has no internet access via the Wi-Fi gateway. Finally, if the CNA receives anything other than the expected response [1], then it pops up the lite browser for user interaction.

Many folks have documented this, the closest resource that I have to me is a guide from Aruba Networks [2].
>> This HTTP GET process retrieves a simple success.html file from the Apple web servers and the operating system uses the successful receipt of this file to assume that it is connected to an open network without the requirement for captive portal authentication. If the success.html file is not received, the operating system conversely assumes that a captive portal is in place and presents the CNA automatically to prompt the user to perform a web authentication task.

Be aware that Apple's "Wi-Fi Assist" technology complicates all of the above.


Okay... so now that we have a baseline for what's happening (it's got to be similar for other platforms), let's take a look at your problem.
>> will ultimately 'not' be connected to the internet

In your shoes, I'd avoid telling the client that it has an internet connection. The "Access Point" should provide a local only network, no default gateway, and no DNS. In this case, the DHCP server will only hand out a client IP address leaving all other parameters blank. The client will understand that it is now on a new local-only network and all internet services will take other available paths. This will require the user to browse to the IP address of your ESP8266. Alternatively, you could distribute an app that is hardcoded to check just http://192.168.0.1/geocache

If you are going down the path of using the CNA pop up consider:
  A - the pop up browser is lite. Good luck doing anything neat
  B - if you ultimately return "Success" or equivalent the device will think it has an internet connection via your ESP8266
      B0 - you'll get a lot of traffic you don't want
      B1 - you'll break all other traffic on the client
           B1i - iMessage will break while connected
      B2 - Wi-Fi Assist will send traffic via cell awfully quickly without notice to the user they are no longer using the Wi-Fi
           B2i - your application has just broken

So... how would you use the CNA to pop up your login page? As you suggested, you could hijack port 80 traffic. That sounds complicated but doable with netcat or iptables. Instead, I'd have my DHCP server assign a DNS server controlled locally. I'd have that DNS process always return the IP address of the ESP8266. This way every resource will head toward your device.

best of luck, keep us posted.

 - - Mitchell



[0] http://captive.apple.com/
[0] http://captive.apple.com/hotspot-detect.html
[0] http://captive.apple.com/success.html
[0] http://www.airport.us/
[0] http://www.airport.us/hotspot-detect.html
[0] http://www.airport.us/success.html
[0] http://www.ibook.info/
[0] http://www.ibook.info/hotspot-detect.html
[0] http://www.ibook.info/success.html
[0] http://www.thinkdifferent.us/
[0] http://www.thinkdifferent.us/hotspot-detect.html
[0] http://www.thinkdifferent.us/success.html
[0] http://www.appleiphonecell.com/hotspot-detect.html
[0] http://www.appleiphonecell.com/success.html
[0] http://www.itools.info/
[0] http://www.itools.info/hotspot-detect.html
[0] http://www.itools.info/success.html
[0] ... many more???
[1] I presume an acceptable response is an HTTP 200 and the body contains the text "Success"
[1] Today, http://captive.apple.com/hotspot-detect.html returns
<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
[2] http://www.arubanetworks.com/assets/vrd/Amigopod-CNA-bypass-AppNote.pdf


----- Original Message -----
From: "Scott Webster Wood" <treii28 at yahoo.com>
To: "Washtenaw Linux Users Group (WLUG)" <washlug at washlug.org>
Sent: Wednesday, September 20, 2017 2:23:56 PM
Subject: [WLUG] captive portals with pop-ups

Does anyone know what actually has to occur to cause an Android or Apple phone to cause a pop-up to be redirected to a sign-in/landing page when connecting to a captive portal hotspot? 

I'm trying to create a captive portal on an ESP8266 that will ultimately 'not' be connected to the internet to use it as a WiFi-based digital geocache essentially. But to make it effective, the user should be directed to the log-in page automatically. 

Examples exist using existing Arduino/ESP8266 libraries that 'try' to do this by directing all DNS queries to the access point's IP address then assigning handlers to the various device-based internet-connectivity-check URLs (e.g. /generate_204 on Android which exists on a handful of Google servers, hostname depending on the version of Android OS)

I think the problem is that the device (phone/tablet) is relying on a DNS cache and trying to request the URL from the Google server's (or other device's respective host for the URL) when the DNS reports the localnet address. (I can see the requests are being answered by the ESP8266 DNS server code, responding with the access point IP address, but the HTTP request never appears on the device's web server which makes me think it's still being requested of a cached address)

I'm trying to find out if there's existing ways (short of diving deep into the source code for esp8266 wifi) to grab anything on port 80 regardless of the address, but in the meantime, I want to figure out a little more about what is actually going on, and/or what actually happens on routers/hotspots that successfully achieve this behaviour if possible (rather than guessing). 

Any help is appreciated. 

SW
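
Added example (not part of either message above, and not Apple's code): a Python sketch of the three-way probe decision described in the reply, useful for checking what a portal under test would make the CNA do. It assumes the acceptance rule presumed in footnote [1] (HTTP 200 with "Success" in the body); the function names and the sample responses are constructed for illustration.

```python
import socket
from enum import Enum

PROBE_HOST = "captive.apple.com"   # one of the probe hosts in footnote [0]
PROBE_PATH = "/hotspot-detect.html"

class Verdict(Enum):
    INTERNET = "acceptable response: no pop-up, Wi-Fi treated as full internet"
    NO_INTERNET = "no response: no pop-up, Wi-Fi treated as having no internet"
    CAPTIVE = "anything else: the CNA lite browser pops up"

def classify(raw):
    """Three-way decision for one probe; raw is response bytes or None (timeout)."""
    if not raw:
        return Verdict.NO_INTERNET
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    # Presumption from footnote [1]: HTTP 200 and "Success" in the body.
    if len(status) >= 2 and status[1] == b"200" and b"Success" in body:
        return Verdict.INTERNET
    return Verdict.CAPTIVE  # redirect, login page, error page, ...

def probe(server_ip, port=80, timeout=3.0):
    """Fetch the probe URL from server_ip, e.g. the address a portal's DNS returned.
    Assumption: a refused or reset connection is treated like a timeout."""
    request = f"GET {PROBE_PATH} HTTP/1.0\r\nHost: {PROBE_HOST}\r\n\r\n".encode()
    try:
        with socket.create_connection((server_ip, port), timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            while chunk := s.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)
    except OSError:
        return None

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "apple_success": b"HTTP/1.0 200 OK\r\n\r\n<HTML><HEAD><TITLE>Success</TITLE>"
                     b"</HEAD><BODY>Success</BODY></HTML>",
    "portal_redirect": b"HTTP/1.0 302 Found\r\nLocation: http://192.168.0.1/geocache\r\n\r\n",
    "portal_login_page": b"HTTP/1.0 200 OK\r\n\r\n<html><body>Geocache log-in</body></html>",
    "portal_says_success": b"HTTP/1.0 200 OK\r\n\r\n<html><body>Success</body></html>",
    "timeout": None,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} -> {classify(raw).name}")
```

The "portal_says_success" sample lands in INTERNET, which is caveat B from the reply: a portal that answers the probe with "Success" makes the device treat the Wi-Fi as a working internet path. `classify(probe("192.168.0.1"))` applies the same decision to a live portal at the address used in the reply.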

