You have probably experienced this happen on an iPhone or an iPad and never knew what it was called. The Captive Network Assistant is a capability built into the iOS and now OS X Lion operating systems to detect the presence of a Captive Portal enabled network when connecting to an Open WiFi network.
The operating system attempts to make a HTTP call to a defined URL on the apple.com website and if this page is not successfully returned by the transit network, a mini browser window or 'web sheet' is displayed to prompt the user to enter their web authentication user credentials.
Figure 1: Sample of iPad Web Sheet
This is a great usability enhancement added by Apple so users of non-web based Apps are not left wondering why their email is not downloading or facebook posts are not updating as examples.
Figure 2: Sample of iPhone Web Sheet
Unfortunately, in some WiFi networks, this Captive Network Assistant prevents the operator of the WiFi network delivering the user experience desired for their users. Their aim is to have a full browser session invoked and control the user experience as they login, post authentication and potentially post logout. The Captive Network Assistant will terminate the WiFi session if the user opts to click the Cancel button as shown in the screenshots below from both an iPad and an iPhone.
Amigopod have developed a method when combined with the external Captive Portal Redirect capabilities of the ArubaOS controller to trick iOS or OS X Lion devices into thinking they have unobstructed access to the Internet by simulating the response from the apple.com website. This results in the suppression of the Captive Network Assistant web sheet and allows the user to open a native browser such as Safari and enjoy a fully crafted user experience.
This feature is of particular interest in public access and retail environments where a post authentication welcome page may be used to promote further services, a complimentary mobile device App or provide a platform for generic advertising.
Another example of where this bypass capability can be useful is when performing device enrolment as part of a Mobile Device provisioning strategy. Post successful authentication and authorization of the enrolling device and users, device specific configuration profiles can be downloaded to the device using the native web browser.