[isf-wifidog] Wifidog, portal page and Apple auto-login

Max Horváth info at maxhorvath.com
Fri Sep 2 15:05:27 EDT 2011


Thinking about this solution (or any other) has its flaw ... it only works in the context of browsing the web using a browser.

But if the user decides to use any other app (with HTTP communication), it just sabotages the workflow ... and the user won't use the browser anyway ...

Just my 2 cents ...

On 02.09.2011, at 18:04, acv wrote:

> I've got an idea that might work and be a bit more flexible:
> 
> 1. Add something to the configuration for known "signatures" of verification
> pages
> 
> 2. Upon authentication, mark the user as authenticated and lift all restrictions
> but redirect HTTP to a different port on the device. Call this state "post-splash".
> 
> 3. In post-splash status, a config file would specify the known signatures for
> "online test" URLs and proxy those. This could also be done with firewall rules
> I think.
> 
> 4. The first web request that's not an online test gets redirected to post-authentication
> splash page.
> 
> 5. Router lifts the redirect altogether immediately after 4. above. So only *1* HTTP call
> gets redirected.
> 
> What do you think?
> 
> Alex
> 
> On Thu, Aug 25, 2011 at 06:33:52PM -0400, Geneviève Bastien wrote:
>> Date: Thu, 25 Aug 2011 18:33:52 -0400
>> From: Geneviève Bastien <gbastien at versatic.net>
>> To: wifidog at listes.ilesansfil.org
>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>> 
>> If I can get my hands on an Apple product I'll make some further tests
>> and outputs...  I'll keep you posted.
>> 
>> Thanks,
>> Geneviève
>> 
>> 
>> On 11-08-25 06:03 PM, Alexandre Carmel-Veilleux wrote:
>>> The problem is that the best place to put this is in the URL handler 
>>> on the ap. Then it's a basically no-op as far as the firewall rules 
>>> are concerned.
>>> 
>>> The issue is that I don't believe it will follow an http redirect and 
>>> even if it did, the login page entry point on the auth server would 
>>> need to identify and respond.
>>> 
>>> Maybe if you can get me verbose httpd logs from an Apple device? Or
>>> better yet a full packet capture of the authentication transaction?
>>> 
>>> Alex
>>> 
>>> 
>>> 
>>> On 2011-08-25, at 16:47, Geneviève Bastien <gbastien at versatic.net> wrote:
>>> 
>>>> Thanks Alex for this fast patch!
>>>> 
>>>> But I think I'd prefer the server side solution if possible, as it 
>>>> does not involve reflashing our few hundreds access points and the 
>>>> day Android thinks this feature is so great and decides to implement
>>>> it as well, it would be easier to modify...
>>>> 
>>>> Unless there is a reason to favor a client-side solution?  Maybe 
>>>> Apple will not like the url redirect to login page...
>>>> 
>>>> Geneviève
>>>> 
>>>> 
>>>> On 11-08-25 02:44 PM, acv wrote:
>>>>> And of course I screw up the URL. Forgot the leading /. Please use this 
>>>>> instead.
>>>>> 
>>>>> Alex
>>>>> 
>>>>> On Thu, Aug 25, 2011 at 01:40:40PM -0400, Geneviève Bastien wrote:
>>>>>> Date: Thu, 25 Aug 2011 13:40:40 -0400
>>>>>> From: Geneviève Bastien <gbastien at versatic.net>
>>>>>> To: wifidog at listes.ilesansfil.org
>>>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>>> 
>>>>>> Thanks for the answer, but that is not the issue.  It is more Apple
>>>>>> products bypassing the portal page, the whole login process is all fine.
>>>>>> 
>>>>>> I found this:
>>>>>> http://blogs.oucs.ox.ac.uk/networks/2009/10/12/fixing-the-iphone-os-wifi-auto-login-problem/
>>>>>> Which may suggest that we could bypass the auto-login feature from the
>>>>>> server side by answering the request with the expected output.  The user
>>>>>> will then have to open a browser page to see the actual login and portal
>>>>>> pages.
>>>>>> 
>>>>>> Geneviève
>>>>>> 
>>>>>> 
>>>>>> On 11-08-25 01:12 PM, acv wrote:
>>>>>>> Marcos' comments below are not completely accurate, the ping was not a
>>>>>>> test itself, in fact the gateway never bothered reading the response...
>>>>>>> The idea was to cause the client to generate activity. Then activity
>>>>>>> (measured in bytes received from client since last polling) was used.
>>>>>>> 
>>>>>>> In src/firewall.c, fw_sync_with_authserver() implements the timeout
>>>>>>> logic, it includes this tidbit:
>>>>>>> 
>>>>>>>        /* Ping the client, if he responds it'll keep activity on the link.
>>>>>>>         * However, if the firewall blocks it, it will not help. The suggested
>>>>>>>         * way to deal with this is to keep the DHCP lease time extremely
>>>>>>>         * short: Shorter than config->checkinterval * config->clienttimeout
>>>>>>>         */
>>>>>>> 
>>>>>>> ping was to be a BACKUP way of generating activity but using DHCP as
>>>>>>> suggested here is much more reliable.
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> Alexandre
>>>>>>> 
>>>>>>> On Thu, Aug 25, 2011 at 01:06:29PM -0300, Marcos Tadeu wrote:
>>>>>>>> Date: Thu, 25 Aug 2011 13:06:29 -0300
>>>>>>>> From: Marcos Tadeu <marcos at v2r.com.br>
>>>>>>>> To: wifidog at listes.ilesansfil.org
>>>>>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>>>>> 
>>>>>>>> Can you ping the Apple products from wifidog captive portal machine,
>>>>>>>> after login?
>>>>>>>> If not, it is the problem: wifidog needs to ping the client to know
>>>>>>>> that it is alive. If a firewall drops the ping, wifidog considers it
>>>>>>>> dead. And... pouf.
>>>>>>>> 
>>>>>>>> On 08/25/2011 12:38 PM, Geneviève Bastien wrote:
>>>>>>>>> Hello all,
>>>>>>>>> 
>>>>>>>>> We have a problem with the portal page and Apple products and their
>>>>>>>>> auto-login feature.  Right now, when any iOS product and now Lion
>>>>>>>>> connects to a wifidog router, they are shown the login page right
>>>>>>>>> away, and the minute they have access to the internet (apple.com
>>>>>>>>> site), pouf! it's gone, so they never see the portal page.
>>>>>>>>> 
>>>>>>>>> But the portal page is really important to us and this situation is
>>>>>>>>> really annoying (40 to 50% of our users use Apple products!).
>>>>>>>>> 
>>>>>>>>> Did anyone come up with a solution to this?  Or do you know any
>>>>>>>>> captive portal solution that did?  Any ideas on the topic? (putting
>>>>>>>>> apple.com in the walled garden is not a viable option)
>>>>>>>>> 
>>>>>>>>> Thanks,
>>>>>>>>> Geneviève
>>>>>>>>> _______________________________________________
>>>>>>>>> WiFiDog mailing list
>>>>>>>>> WiFiDog at listes.ilesansfil.org
>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog

More information about the WiFiDog mailing list
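Added example, not part of the thread and not wifidog code: a minimal C model of the five-step "post-splash" proposal quoted in the message above, showing the per-client state and the decision made for each intercepted HTTP request. All function and enum names are hypothetical, and the signature entries are constructed placeholders rather than real vendor probe URLs.

```c
#include <stdio.h>
#include <strings.h>   /* strcasecmp (POSIX) */
#include <string.h>

/* Added illustration, not wifidog source; every name here is hypothetical. */
enum client_state { ST_PRE_AUTH, ST_POST_SPLASH, ST_OPEN };
enum action { ACT_LOGIN, ACT_PROXY_TEST, ACT_PORTAL, ACT_PASS };

struct signature { const char *host, *path; };

/* Step 1: configured "online test" signatures (constructed placeholders). */
static const struct signature online_tests[] = {
    { "probe.vendor-a.example", "/online-test.html" },
    { "check.vendor-b.example", "/connectivity" },
};

int is_online_test(const char *host, const char *path)
{
    size_t i, n = sizeof online_tests / sizeof online_tests[0];
    for (i = 0; i < n; i++)   /* host names compare case-insensitively */
        if (!strcasecmp(host, online_tests[i].host) &&
            !strcmp(path, online_tests[i].path))
            return 1;
    return 0;
}

/* Step 2: the auth server accepted the client. */
void on_authenticated(enum client_state *st) { *st = ST_POST_SPLASH; }

/* Steps 3-5: decide what happens to one intercepted HTTP request. */
enum action handle_http(enum client_state *st, const char *host, const char *path)
{
    if (*st == ST_PRE_AUTH)
        return ACT_LOGIN;
    if (*st == ST_OPEN)
        return ACT_PASS;
    if (is_online_test(host, path))
        return ACT_PROXY_TEST;   /* step 3: probe answered, state unchanged */
    *st = ST_OPEN;               /* step 5: redirect lifted right away */
    return ACT_PORTAL;           /* step 4: the single redirected request */
}

int main(void)
{
    enum client_state st = ST_PRE_AUTH;
    on_authenticated(&st);
    printf("%d\n", handle_http(&st, "PROBE.vendor-a.example", "/online-test.html"));
    printf("%d\n", handle_http(&st, "api.app.example", "/v1/sync")); /* not a browser */
    printf("%d\n", handle_http(&st, "www.site.example", "/"));
    return 0;
}
```

The second call in main() is the case raised at the top of this message: a non-browser app's request uses up the only redirect, so the later browser request passes straight through.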