[isf-wifidog] Wifidog, portal page and Apple auto-login
Max Horváth
info at maxhorvath.com
Fri Sep 2 15:05:27 EDT 2011
Thinking about this solution (or any other) has its flaw ... it only works in the context of browsing the web using a browser.
But if the user decides to use any other app (with HTTP communication), it just sabotages the workflow ... and the user won't use the browser anyway ...
Just my 2 cents ...
On 02.09.2011, at 18:04, acv wrote:
> I've got an idea that might work and be a bit more flexible:
>
> 1. Add something to the configuration for known "signatures" of verification
> pages
>
> 2. Upon authentication, mark the user as authenticated and lift all restrictions
> but redirect HTTP to a different port on the device. Call this state "post-splash".
>
> 3. In post-splash status, a config file would specify the known signatures for
> "online test" URLs and proxy those. This could also be done with firewall rules
> I think.
>
> 4. The first web request that's not an online test gets redirected to post-authentication
> splash page.
>
> 5. Router lifts the redirect altogether immediately after 4. above. So only *1* HTTP call
> gets redirected.
>
> What do you think?
>
> Alex
>
> On Thu, Aug 25, 2011 at 06:33:52PM -0400, Geneviève Bastien wrote:
>> Date: Thu, 25 Aug 2011 18:33:52 -0400
>> From: Geneviève Bastien <gbastien at versatic.net>
>> To: wifidog at listes.ilesansfil.org
>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>
>> If I can get my hands on an Apple product I'll make some further tests
>> and outputs... I'll keep you posted.
>>
>> Thanks,
>> Geneviève
>>
>>
>> On 11-08-25 06:03 PM, Alexandre Carmel-Veilleux wrote:
>>> The problem is that the best place to put this is in the URL handler
>>> on the AP. Then it's basically a no-op as far as the firewall rules
>>> are concerned.
>>>
>>> The issue is that I don't believe it will follow an http redirect and
>>> even if it did, the login page entry point on the auth server would
>>> need to identify and respond.
>>>
>>> Maybe if you can get me verbose httpd logs from an Apple device? Or
>>> better yet a full packet capture of the authentication transaction?
>>>
>>> Alex
>>>
>>>
>>>
>>> On 2011-08-25, at 16:47, Geneviève Bastien <gbastien at versatic.net> wrote:
>>>
>>>> Thanks Alex for this fast patch!
>>>>
>>>> But I think I'd prefer the server side solution if possible, as it
>>>> does not involve reflashing our few hundred access points and the
>>>> day Android thinks this feature is so great and decides to implement
>>>> it as well, it would be easier to modify...
>>>>
>>>> Unless there is a reason to favor a client-side solution? Maybe
>>>> Apple will not like the url redirect to login page...
>>>>
>>>> Geneviève
>>>>
>>>>
>>>> On 11-08-25 02:44 PM, acv wrote:
>>>>> And of course I screw up the URL. Forgot the leading /. Please use this
>>>>> instead.
>>>>>
>>>>> Alex
>>>>>
>>>>> On Thu, Aug 25, 2011 at 01:40:40PM -0400, Geneviève Bastien wrote:
>>>>>> Date: Thu, 25 Aug 2011 13:40:40 -0400
>>>>>> From: Geneviève Bastien <gbastien at versatic.net>
>>>>>> To: wifidog at listes.ilesansfil.org
>>>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>>>
>>>>>> Thanks for the answer, but that is not the issue. It is more Apple
>>>>>> products bypassing the portal page, the whole login process is all fine.
>>>>>>
>>>>>> I found this:
>>>>>> http://blogs.oucs.ox.ac.uk/networks/2009/10/12/fixing-the-iphone-os-wifi-auto-login-problem/
>>>>>> Which may suggest that we could bypass the auto-login feature from the
>>>>>> server side by answering the request with the expected output. The user
>>>>>> will then have to open a browser page to see the actual login and portal
>>>>>> pages.
>>>>>>
>>>>>> Geneviève
>>>>>>
>>>>>>
>>>>>> On 11-08-25 01:12 PM, acv wrote:
>>>>>>> Marcos' comments below are not completely accurate, the ping was not a
>>>>>>> test itself, in fact the gateway never bothered reading the response... The
>>>>>>> idea was to cause the client to generate activity. Then activity (measured
>>>>>>> in bytes received from client since last polling) was used.
>>>>>>>
>>>>>>> In src/firewall.c, fw_sync_with_authserver() implements the timeout logic,
>>>>>>> it includes this tidbit:
>>>>>>>
>>>>>>> /* Ping the client, if he responds it'll keep activity on the link.
>>>>>>>  * However, if the firewall blocks it, it will not help. The suggested
>>>>>>>  * way to deal with this is to keep the DHCP lease time extremely
>>>>>>>  * short: Shorter than config->checkinterval * config->clienttimeout
>>>>>>>  */
>>>>>>>
>>>>>>> ping was to be a BACKUP way of generating activity but using DHCP as
>>>>>>> suggested here is much more reliable.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Alexandre
>>>>>>>
>>>>>>> On Thu, Aug 25, 2011 at 01:06:29PM -0300, Marcos Tadeu wrote:
>>>>>>>> Date: Thu, 25 Aug 2011 13:06:29 -0300
>>>>>>>> From: Marcos Tadeu <marcos at v2r.com.br>
>>>>>>>> To: wifidog at listes.ilesansfil.org
>>>>>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>>>>>
>>>>>>>> Can you ping the Apple products from the wifidog captive portal machine,
>>>>>>>> after login?
>>>>>>>> If not, it is the problem: wifidog needs to ping the client to know that it
>>>>>>>> is alive. If a firewall drops the ping, wifidog considers it dead. And...
>>>>>>>> pouf.
>>>>>>>>
>>>>>>>> On 08/25/2011 12:38 PM, Geneviève Bastien wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> We have a problem with the portal page and Apple products and their
>>>>>>>>> auto-login feature. Right now, when any iOS product and now Lion
>>>>>>>>> connects to a wifidog router, they are shown the login page right
>>>>>>>>> away, and the minute they have access to the internet (apple.com
>>>>>>>>> site), pouf! it's gone, so they never see the portal page.
>>>>>>>>>
>>>>>>>>> But the portal page is really important to us and this situation is
>>>>>>>>> really annoying (40 to 50% of our users use Apple products!).
>>>>>>>>>
>>>>>>>>> Did anyone come up with a solution to this? Or do you know any
>>>>>>>>> captive portal solution that did? Any ideas on the topic? (putting
>>>>>>>>> apple.com in the walled garden is not a viable option)
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Geneviève
>>>>>>>>> _______________________________________________
>>>>>>>>> WiFiDog mailing list
>>>>>>>>> WiFiDog at listes.ilesansfil.org
>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
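
The five-step "post-splash" proposal quoted in this message, together with the objection raised at the top of it, as an added example (not WiFiDog code and not written by anyone in the thread). The state names, function names and the sample probe signature entry are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Client states from the proposal; the names are assumptions. */
typedef enum { PRE_AUTH, POST_SPLASH, OPEN } client_state;
typedef enum { ACT_LOGIN_REDIRECT, ACT_PROXY_PROBE,
               ACT_PORTAL_REDIRECT, ACT_PASS } http_action;

/* Step 1: configured "online test" signatures (sample entry, constructed). */
struct probe_sig { const char *host; const char *path_prefix; };
static const struct probe_sig probe_sigs[] = {
    { "www.apple.com", "/library/test/success.html" },
};

static int is_online_test(const char *host, const char *path) {
    for (size_t i = 0; i < sizeof probe_sigs / sizeof probe_sigs[0]; i++) {
        const struct probe_sig *s = &probe_sigs[i];
        /* Host names are case-insensitive; paths are matched by prefix. */
        if (strcasecmp(host, s->host) == 0 &&
            strncmp(path, s->path_prefix, strlen(s->path_prefix)) == 0)
            return 1;
    }
    return 0;
}

/* Step 2: authentication moves the client to post-splash. */
static void on_authenticated(client_state *st) { *st = POST_SPLASH; }

/* Steps 3-5: decide what the gateway does with one HTTP request. */
static http_action on_http_request(client_state *st,
                                   const char *host, const char *path) {
    switch (*st) {
    case PRE_AUTH:
        return ACT_LOGIN_REDIRECT;
    case POST_SPLASH:
        if (is_online_test(host, path))
            return ACT_PROXY_PROBE;   /* step 3: probe answered, state kept */
        *st = OPEN;                   /* step 5: redirect lifted after one hit */
        return ACT_PORTAL_REDIRECT;   /* step 4: first non-probe request */
    default:
        return ACT_PASS;
    }
}

int main(void) {
    client_state st = PRE_AUTH;
    on_authenticated(&st);
    printf("%d\n", on_http_request(&st, "www.apple.com", "/library/test/success.html"));
    /* Hypothetical non-browser app request: it consumes the single redirect. */
    printf("%d\n", on_http_request(&st, "api.example.net", "/v1/sync"));
    printf("%d\n", on_http_request(&st, "www.example.org", "/"));
    return 0;
}
```

The second request in `main` shows the objection: a background HTTP call from any app uses up the one portal redirect, so the browser request that follows passes straight through.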