[isf-wifidog] Wifidog, portal page and Apple auto-login

Geneviève Bastien gbastien at versatic.net
Ven 2 Sep 15:31:55 EDT 2011 

Indeed, we force-feed the portal page to the user for a reason and we 
don't want Apple user to be another category of users who do not see the 
portal page.

I think a solution like Alex says would be a good start, at least it is 
worth a try and see how our users react (we'll know soon enough, once 
this is on ;-)
But it should remains configurable so groups who don't care about the 
portal page can disable this.

The ideal solution, that wouldn't ruin the UX of Apple users and still 
show the content of the portal page would need to come from Apple 
themselves, but I wouldn't count on that anytime soon.

Gen



On 11-09-02 03:14 PM, acv wrote:
> There's no way to have the cake and eat it too.
>
> If the service provider wants to provide a splash page as condition for
> making it worth their while to provide the service, it is their
> prerogative.
>
> If the service provider want to provide convenient internet access with
> the least fuss, then the status quo is good enough.
>
> Alex
>
> On Fri, Sep 02, 2011 at 09:05:27PM +0200, Max Horvth wrote:
>> From: Max Horváth<info at maxhorvath.com>
>> Date: Fri, 2 Sep 2011 21:05:27 +0200
>> To: WiFiDog Captive Portal<wifidog at listes.ilesansfil.org>
>> X-Mailer: Apple Mail (2.1244.3)
>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>
>> Thinking about this solution (or any other) has its flaw ... it only works in the context of browsing the web using a browser.
>>
>> But if the user decides to use any other app (with HTTP communication), it just sabotages the workflow ... and the user won't use the browser anyway ...
>>
>> Just my 2 cents ...
>>
>> On 02.09.2011, at 18:04, acv wrote:
>>
>>> I've got an idea that might work and be a bit more flexible:
>>>
>>> 1. Add something to the configuration for know "signatures" of verification
>>> pages
>>>
>>> 2. Upon authentication, mark the user as authenticated and lift all restrictions
>>> but redirect HTTP to a different port on the device. Call this state "post-splash".
>>>
>>> 3. In post-splash status, a config file would specify the known signatures for
>>> "online test" URLs and proxy those. This could also be done with firewall rules
>>> I think.
>>>
>>> 4. The first web request that's not an online test gets redirected to post-authentication
>>> splash page.
>>>
>>> 5. Router lifts the redirect altogether immediately after 4. above. So only *1* HTTP call
>>> gets redirected.
>>>
>>> What do you think?
>>>
>>> Alex
>>>
>>> On Thu, Aug 25, 2011 at 06:33:52PM -0400, Genevive Bastien wrote:
>>>> Date: Thu, 25 Aug 2011 18:33:52 -0400
>>>> From: Geneviève Bastien<gbastien at versatic.net>
>>>> To: wifidog at listes.ilesansfil.org
>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>
>>>> If I can get my hands on a Apple product I'll make some further tests
>>>> and outputs...  I'll keep you posted.
>>>>
>>>> Thanks,
>>>> Geneviève
>>>>
>>>>
>>>> On 11-08-25 06:03 PM, Alexandre Carmel-Veilleux wrote:
>>>>> The problem is that the best place to put this is in the URL handler
>>>>> on the ap. Then it's a basically no-op as far as the firewall rules
>>>>> are concerned.
>>>>>
>>>>> The issue is that I don't believe it will follow an http redirect and
>>>>> even if it did, the login page entry point on the auth server would
>>>>> need to identify and respond.
>>>>>
>>>>> Maybe if you can get me verbose httpd logs from an apple device? Or
>>>>> better yet a fell packet capture of the authentication transaction?
>>>>>
>>>>> Alex
>>>>>
>>>>>
>>>>>
>>>>> On 2011-08-25, at 16:47, Geneviève Bastien<gbastien at versatic.net
>>>>> <mailto:gbastien at versatic.net>>  wrote:
>>>>>
>>>>>> Thanks Alex for this fast patch!
>>>>>>
>>>>>> But I think I'd prefer the server side solution if possible, as it
>>>>>> does not involve reflashing our few hundreds access points and the
>>>>>> day android thinks this feature is so great and decide to implement
>>>>>> it as well, it would be easier to modify...
>>>>>>
>>>>>> Unless there is a reason to favor a client-side solution?  Maybe
>>>>>> Apple will not like the url redirect to login page...
>>>>>>
>>>>>> Geneviève
>>>>>>
>>>>>>
>>>>>> On 11-08-25 02:44 PM, acv wrote:
>>>>>>> And of course I screw up the URL. Forgot the leading /. Please use this
>>>>>>> instead.
>>>>>>>
>>>>>>> Alex
>>>>>>>
>>>>>>> On Thu, Aug 25, 2011 at 01:40:40PM -0400, Genevive Bastien wrote:
>>>>>>>> Date: Thu, 25 Aug 2011 13:40:40 -0400
>>>>>>>> From: Geneviève Bastien<gbastien at versatic.net
>>>>>>>> <mailto:gbastien at versatic.net>>
>>>>>>>> To:wifidog at listes.ilesansfil.org<mailto:wifidog at listes.ilesansfil.org>
>>>>>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>>>>>
>>>>>>>> Thanks for the answer, but that is not the issue.  It is more Apple
>>>>>>>> products bypassing the portal page, the whole login process is all fine.
>>>>>>>>
>>>>>>>> I found this:
>>>>>>>> http://blogs.oucs.ox.ac.uk/networks/2009/10/12/fixing-the-iphone-os-wifi-auto-login-problem/
>>>>>>>> Which may suggest that we could bypass the auto-login feature from the
>>>>>>>> server side by answering the request with the expected output.  The user
>>>>>>>> will then have to open a browser page to see the actual login and portal
>>>>>>>> pages.
>>>>>>>>
>>>>>>>> Geneviève
>>>>>>>>
>>>>>>>>
>>>>>>>> On 11-08-25 01:12 PM, acv wrote:
>>>>>>>>> Marcos' comments below are not completely accurate, the ping was not a
>>>>>>>>> test itself,
>>>>>>>>> in fact the gateway never bothered reading the response... The idea
>>>>>>>>> was to
>>>>>>>>> cause
>>>>>>>>> the client to generate activity. Then activity (measured in bytes
>>>>>>>>> received
>>>>>>>>> from
>>>>>>>>> client since last polling) was used.
>>>>>>>>>
>>>>>>>>> In src/firewall.c, fw_sync_with_authserver() implements the timeout
>>>>>>>>> logic,
>>>>>>>>> it includes
>>>>>>>>> this tidbit:
>>>>>>>>>
>>>>>>>>>         /* Ping the client, if he responds it'll keep activity on the
>>>>>>>>>         link.
>>>>>>>>> 	* However, if the firewall blocks it, it will not help. The suggested
>>>>>>>>> 	* way to deal witht his is to keep the DHCP lease time extremely
>>>>>>>>> 	* short: Shorter than config->checkinterval * config->clienttimeout
>>>>>>>>> 	*/
>>>>>>>>>
>>>>>>>>> ping was to be a BACKUP way of generating activity but using DHCP as
>>>>>>>>> suggested here is
>>>>>>>>> much more reliable.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Alexandre
>>>>>>>>>
>>>>>>>>> On Thu, Aug 25, 2011 at 01:06:29PM -0300, Marcos Tadeu wrote:
>>>>>>>>>> Date: Thu, 25 Aug 2011 13:06:29 -0300
>>>>>>>>>> From: Marcos Tadeu<marcos at v2r.com.br<mailto:marcos at v2r.com.br>>
>>>>>>>>>> To:wifidog at listes.ilesansfil.org
>>>>>>>>>> <mailto:wifidog at listes.ilesansfil.org>
>>>>>>>>>> Subject: Re: [isf-wifidog] Wifidog, portal page and Apple auto-login
>>>>>>>>>>
>>>>>>>>>> Can you ping the Apple products from wifidog captive portal machine,
>>>>>>>>>> after login?
>>>>>>>>>> If not, it is the problema: wifidog need to ping client to know that
>>>>>>>>>> it
>>>>>>>>>> is alive. If an firewall drop the ping, wifidog consider it dead.
>>>>>>>>>> And...
>>>>>>>>>> pouf.
>>>>>>>>>>
>>>>>>>>>> On 08/25/2011 12:38 PM, Geneviève Bastien wrote:
>>>>>>>>>>> Hello all,
>>>>>>>>>>>
>>>>>>>>>>> We have a problem with the portal page and Apple products and their
>>>>>>>>>>> auto-login feature.  Right now, when any iOs product and now Lion
>>>>>>>>>>> connects to a wifidog router, they are shown the login page right
>>>>>>>>>>> away, and the minute they have access to the internet (apple.com
>>>>>>>>>>> <http://apple.com>
>>>>>>>>>>> site), pouf! it's gone, so they never see the portal page.
>>>>>>>>>>>
>>>>>>>>>>> But the portal page is really important to us and this situation is
>>>>>>>>>>> really annoying (40 to 50% of our users use Apple products!).
>>>>>>>>>>>
>>>>>>>>>>> Did anyone come up with a solution to this?  Or do you know any
>>>>>>>>>>> captive portal solution that did?  Any ideas on the topic? (putting
>>>>>>>>>>> apple.com<http://apple.com>   in the walled garden is not a viable
>>>>>>>>>>> option)
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Geneviève
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> WiFiDog mailing list
>>>>>>>>>>> WiFiDog at listes.ilesansfil.org<mailto:WiFiDog at listes.ilesansfil.org>
>>>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>>>> _______________________________________________
>>>>>>>>>> WiFiDog mailing list
>>>>>>>>>> WiFiDog at listes.ilesansfil.org<mailto:WiFiDog at listes.ilesansfil.org>
>>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> WiFiDog mailing list
>>>>>>>>>> WiFiDog at listes.ilesansfil.org<mailto:WiFiDog at listes.ilesansfil.org>
>>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>> _______________________________________________
>>>>>>>> WiFiDog mailing list
>>>>>>>> WiFiDog at listes.ilesansfil.org<mailto:WiFiDog at listes.ilesansfil.org>
>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> WiFiDog mailing list
>>>>>>>> WiFiDog at listes.ilesansfil.org<mailto:WiFiDog at listes.ilesansfil.org>
>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>> _______________________________________________
>>>>>> WiFiDog mailing list
>>>>>> WiFiDog at listes.ilesansfil.org<mailto:WiFiDog at listes.ilesansfil.org>
>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>
>>>>> _______________________________________________
>>>>> WiFiDog mailing list
>>>>> WiFiDog at listes.ilesansfil.org
>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>> _______________________________________________
>>>> WiFiDog mailing list
>>>> WiFiDog at listes.ilesansfil.org
>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>> _______________________________________________
>>> WiFiDog mailing list
>>> WiFiDog at listes.ilesansfil.org
>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>
>
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>
>>
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog

-------------- section suivante --------------
Une pièce jointe HTML a été nettoyée...
URL: <http://listes.ilesansfil.org/pipermail/wifidog/attachments/20110902/a948ecf0/attachment-0001.html>

Plus d'informations sur la liste de diffusion WiFiDog