[isf-wifidog] Wifidog, portal page and Apple auto-login

acv acv at miniguru.ca
Fri Sep 2 12:04:47 EDT 2011


I've got an idea that might work and be a bit more flexible:

1. Add something to the configuration for known "signatures" of verification
pages

2. Upon authentication, mark the user as authenticated and lift all restrictions
but redirect HTTP to a different port on the device. Call this state "post-splash".

3. In post-splash status, a config file would specify the known signatures for
"online test" URLs and proxy those. This could also be done with firewall rules
I think.

4. The first web request that's not an online test gets redirected to post-authentication
splash page.

5. Router lifts the redirect altogether immediately after 4. above. So only *1* HTTP call
gets redirected.

What do you think?

Alex
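
The five steps proposed above, sketched as a per-client decision function. This is an added example, not part of the original message and not wifidog code: every type and function name is hypothetical, and the signature entries are constructed samples that a real deployment would take from captured probe traffic.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names throughout; this is not wifidog's API. */
typedef enum { ST_POST_SPLASH, ST_OPEN } client_state;
typedef enum { ACT_PROXY_PROBE, ACT_REDIRECT_PORTAL, ACT_PASS } http_action;
typedef struct { const char *host; const char *path; } probe_sig;

/* Step 1: configured "online test" signatures (constructed sample entries). */
static const probe_sig probe_sigs[] = {
    { "www.apple.com", "/library/test/success.html" },
    { "probe.example.net", "/check" },
};

/* Exact match on host (case-insensitive, port ignored) and on path
 * (query string ignored); a prefix or substring match would misclassify. */
static int is_probe(const char *host, const char *uri)
{
    size_t hlen = strcspn(host, ":"), plen = strcspn(uri, "?#");
    for (size_t i = 0; i < sizeof probe_sigs / sizeof probe_sigs[0]; i++) {
        const probe_sig *s = &probe_sigs[i];
        if (strlen(s->host) == hlen && strncasecmp(host, s->host, hlen) == 0 &&
            strlen(s->path) == plen && strncmp(uri, s->path, plen) == 0)
            return 1;
    }
    return 0;
}

/* Steps 2-5: classify one intercepted HTTP request and advance the state.
 * Probes are proxied without using up the single portal redirect. */
http_action handle_http(client_state *st, const char *host, const char *uri)
{
    if (*st == ST_OPEN)
        return ACT_PASS;                /* step 5: redirect already lifted */
    if (host != NULL && uri != NULL && is_probe(host, uri))
        return ACT_PROXY_PROBE;         /* step 3: state stays post-splash */
    *st = ST_OPEN;                      /* step 5: lift after this request */
    return ACT_REDIRECT_PORTAL;         /* step 4: first real page view */
}

int main(void)
{
    client_state st = ST_POST_SPLASH;   /* step 2: just authenticated */
    printf("%d\n", handle_http(&st, "www.apple.com", "/library/test/success.html"));
    printf("%d\n", handle_http(&st, "news.example.org", "/"));
    printf("%d\n", handle_http(&st, "news.example.org", "/page2"));
    return 0;
}
```

Only plain HTTP on the redirected port reaches this logic; a client whose first request after login is HTTPS stays in the post-splash state until it makes an HTTP request.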

On Thu, Aug 25, 2011 at 06:33:52PM -0400, Geneviève Bastien wrote:
> Date: Thu, 25 Aug 2011 18:33:52 -0400
> From: Geneviève Bastien <gbastien at versatic.net>
> To: wifidog at listes.ilesansfil.org
> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
> 
> If I can get my hands on an Apple product I'll make some further tests 
> and outputs...  I'll keep you posted.
> 
> Thanks,
> Geneviève
> 
> 
> On 11-08-25 06:03 PM, Alexandre Carmel-Veilleux wrote:
> >The problem is that the best place to put this is in the URL handler 
> >on the ap. Then it's a basically no-op as far as the firewall rules 
> >are concerned.
> >
> >The issue is that I don't believe it will follow an http redirect and 
> >even if it did, the login page entry point on the auth server would 
> >need to identify and respond.
> >
> >Maybe if you can get me verbose httpd logs from an apple device? Or 
> >better yet a full packet capture of the authentication transaction?
> >
> >Alex
> >
> >
> >
> >On 2011-08-25, at 16:47, Geneviève Bastien <gbastien at versatic.net> wrote:
> >
> >>Thanks Alex for this fast patch!
> >>
> >>But I think I'd prefer the server side solution if possible, as it 
> >>does not involve reflashing our few hundreds access points and the 
> >>day android thinks this feature is so great and decides to implement 
> >>it as well, it would be easier to modify...
> >>
> >>Unless there is a reason to favor a client-side solution?  Maybe 
> >>Apple will not like the url redirect to login page...
> >>
> >>Geneviève
> >>
> >>
> >>On 11-08-25 02:44 PM, acv wrote:
> >>>And of course I screw up the URL. Forgot the leading /. Please use this 
> >>>instead.
> >>>
> >>>Alex
> >>>
> >>>On Thu, Aug 25, 2011 at 01:40:40PM -0400, Geneviève Bastien wrote:
> >>>>Date: Thu, 25 Aug 2011 13:40:40 -0400
> >>>>From: Geneviève Bastien <gbastien at versatic.net>
> >>>>To: wifidog at listes.ilesansfil.org
> >>>>Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
> >>>>
> >>>>Thanks for the answer, but that is not the issue.  It is more Apple
> >>>>products bypassing the portal page, the whole login process is all fine.
> >>>>
> >>>>I found this:
> >>>>http://blogs.oucs.ox.ac.uk/networks/2009/10/12/fixing-the-iphone-os-wifi-auto-login-problem/
> >>>>Which may suggest that we could bypass the auto-login feature from the
> >>>>server side by answering the request with the expected output.  The user
> >>>>will then have to open a browser page to see the actual login and portal
> >>>>pages.
> >>>>
> >>>>Geneviève
> >>>>
> >>>>
> >>>>On 11-08-25 01:12 PM, acv wrote:
> >>>>>Marcos' comments below are not completely accurate, the ping was not a
> >>>>>test itself, in fact the gateway never bothered reading the response...
> >>>>>The idea was to cause the client to generate activity. Then activity
> >>>>>(measured in bytes received from client since last polling) was used.
> >>>>>
> >>>>>In src/firewall.c, fw_sync_with_authserver() implements the timeout
> >>>>>logic, it includes this tidbit:
> >>>>>
> >>>>>        /* Ping the client, if he responds it'll keep activity on the link.
> >>>>>         * However, if the firewall blocks it, it will not help. The suggested
> >>>>>         * way to deal with this is to keep the DHCP lease time extremely
> >>>>>         * short: Shorter than config->checkinterval * config->clienttimeout
> >>>>>         */
> >>>>>
> >>>>>ping was to be a BACKUP way of generating activity but using DHCP as
> >>>>>suggested here is much more reliable.
> >>>>>
> >>>>>Cheers,
> >>>>>
> >>>>>Alexandre
> >>>>>
> >>>>>On Thu, Aug 25, 2011 at 01:06:29PM -0300, Marcos Tadeu wrote:
> >>>>>>Date: Thu, 25 Aug 2011 13:06:29 -0300
> >>>>>>From: Marcos Tadeu <marcos at v2r.com.br>
> >>>>>>To: wifidog at listes.ilesansfil.org
> >>>>>>Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
> >>>>>>
> >>>>>>Can you ping the Apple products from wifidog captive portal machine,
> >>>>>>after login?
> >>>>>>If not, it is the problem: wifidog needs to ping client to know that it
> >>>>>>is alive. If a firewall drops the ping, wifidog considers it dead. And...
> >>>>>>pouf.
> >>>>>>
> >>>>>>On 08/25/2011 12:38 PM, Geneviève Bastien wrote:
> >>>>>>>Hello all,
> >>>>>>>
> >>>>>>>We have a problem with the portal page and Apple products and their
> >>>>>>>auto-login feature.  Right now, when any iOS product and now Lion
> >>>>>>>connects to a wifidog router, they are shown the login page right
> >>>>>>>away, and the minute they have access to the internet (apple.com
> >>>>>>>site), pouf! it's gone, so they never see the portal page.
> >>>>>>>
> >>>>>>>But the portal page is really important to us and this situation is
> >>>>>>>really annoying (40 to 50% of our users use Apple products!).
> >>>>>>>
> >>>>>>>Did anyone come up with a solution to this?  Or do you know any
> >>>>>>>captive portal solution that did?  Any ideas on the topic? (putting
> >>>>>>>apple.com in the walled garden is not a viable option)
> >>>>>>>
> >>>>>>>Thanks,
> >>>>>>>Geneviève
> >>>>>>>_______________________________________________
> >>>>>>>WiFiDog mailing list
> >>>>>>>WiFiDog at listes.ilesansfil.org  <mailto:WiFiDog at listes.ilesansfil.org>
> >>>>>>>http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog