Hi, first of all sorry if I posted this in the wrong forum. I was just wondering how Samsung detects captive portals? We have a media server with a captive portal without internet, and all phones and laptops aside from Samsung phones get a portal popup. On Samsung, it outright says internet may not be available and does not give the user the captive portal. Does Samsung ping an IP to decide about the availability of the internet? If so, what IP or host is this? Because then maybe we can have a workaround on our server so that Samsung phones won't detect our SSID as not having internet and direct users to the captive portal. We are doing this on an Instant AP btw, but I don't think it matters.
May want to capture the packets from the client perspective to identify what the Samsung device is trying to communicate with to determine it has Internet access.
Another way is, from the IAP, to run the command "show datapath session" when the client connects. Look at the entries for the IP of the client to see what's being denied and add it to a whitelist for the Guest.
from my S6 with Android 7, non rooted, it will try to reach the following
and it expects to get an empty but valid 204 response, e.g.
root@kali:~# curl --verbose http://connectivitycheck.gstatic.com/generate_204
* Trying 184.108.40.206...
* Connected to connectivitycheck.gstatic.com (220.127.116.11) port 80 (#0)
> GET /generate_204 HTTP/1.1
> Host: connectivitycheck.gstatic.com
> User-Agent: curl/7.56.1
> Accept: */*
< HTTP/1.1 204 No Content
< Content-Length: 0
< Date: Wed, 21 Mar 2018 14:06:19 GMT
* Connection #0 to host connectivitycheck.gstatic.com left intact
but if there is a captive portal in the middle it will receive some sort of 200/OK instead. In the case of Aruba, that would look like the below - the important thing is that it's not an empty 204 response, which is how it knows to pop up the mini browser thing
HTTP/1.1 200 Ok
Date: Wed, 21 Mar 2018 14:01:23 GMT
<meta http-equiv='refresh' content='1; url=http://connectivitycheck.gstatic.com/generate_204&arubalp=68a501fb-e8af-4f54-bce2-73a1dc7577'>
[edit: I just saw you're on IAP, I don't know if IAP can do this, the below would be true for a controller, leaving it here for completeness]
if you wanted to do something with this, create a named netdestination and acl to use it as you see fit (the IP to name will be filled by dns snooping)
ip access-list session android_cp_thing
user alias connectivitycheck svc-http <whatever>
user alias connectivitycheck svc-https <whatever>
I think if there is no internet available you will get other complaints about limited connectivity and the like.
The logs for the Aruba captive portal were made with the "packet-capture datapath" command, the steps were roughly
1. create a quick default captive portal (aaa profile, vap and ssid)
2. set the destination "packet-capture destination local-filesystem"
3. start the capture "packet-capture datapath <mac of client> all"
4. connect the client, let it do its thing
5. stop the capture (not necessary to do) using no <command in 2. above>
6. move the capture to flash using "packet-capture copy-to-flash datapath-pcap"
7. extract the flash: datapath-pcap.tar.gz file to my laptop and open it in wireshark
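The check described in the posts above, as an added example that is not part of the original thread: a Python sketch that classifies a raw reply to the generate_204 probe the way the thread describes it. Treating any non-204 2xx/3xx reply as a portal and everything else as no connectivity is a simplifying assumption, not Samsung's or Android's documented logic; `classify_probe` and the sample replies are constructed for illustration.

```python
import re

# Constructed sample replies, modelled on the two captures quoted in the thread.
SAMPLE_204 = (b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n"
              b"Date: Wed, 21 Mar 2018 14:06:19 GMT\r\n\r\n")
SAMPLE_PORTAL = (b"HTTP/1.1 200 Ok\r\nDate: Wed, 21 Mar 2018 14:01:23 GMT\r\n\r\n"
                 b"<meta http-equiv='refresh' content='1; url=http://connectivitycheck."
                 b"gstatic.com/generate_204&arubalp=68a501fb-e8af-4f54-bce2-73a1dc7577'>")
SAMPLE_302 = (b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n"
              b"Content-Length: 0\r\n\r\n")

# Pulls the target URL out of a <meta http-equiv='refresh' ...> tag.
META_REFRESH = re.compile(
    rb"<meta[^>]+http-equiv=['\"]?refresh['\"]?[^>]*"
    rb"content=['\"][^'\">]*url=([^'\">\s]+)", re.I)

def classify_probe(raw):
    """Classify a raw HTTP reply to a generate_204 probe.

    Returns (verdict, portal_url). verdict is 'internet', 'captive_portal'
    or 'no_connectivity'; portal_url is where the reply points, if anywhere.
    """
    if not raw:
        return ("no_connectivity", None)      # timeout, reset or DNS failure
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        return ("no_connectivity", None)      # reply is not HTTP at all
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status == 204 and not body:
        return ("internet", None)             # the empty 204 the client expects
    if 300 <= status < 400 and b"location" in headers:
        return ("captive_portal", headers[b"location"].decode())
    if 200 <= status < 400:                   # assumption: any other 2xx/3xx is a portal
        hit = META_REFRESH.search(body)
        return ("captive_portal", hit.group(1).decode() if hit else None)
    return ("no_connectivity", None)          # 4xx/5xx: nothing usable answered
```

A portal on a network with no upstream has to answer the probe itself with a non-204 reply for a client to land in the `captive_portal` branch; a probe that gets no reply at all ends in `no_connectivity`.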
I've been messing around with captive portals and mobile devices and I have experienced the same issues as you guys. By doing some research and lots of hours, I found out that after they try to get the generate_204, Samsung devices send a request to port 5094 of an IP. When I nmapped this port of this IP, I found out that it's a sentinel-lm service, which is a kind of license service. I suppose Samsung checks for the generate_204 file and, if it's not available, it checks for this kind of license, maybe to know if there is an actual connection behind the captive portal or it's just an offline fake access point.
Anyway, this post helped me so much when I was starting with this thing of captive portals and I didn't understand anything so I wanted to give back what I found. Good luck!
Do you know the version of Android 7 or higher?
It doesn't seem to work in the Android 8 version.
What doesn't work specifically? You can follow the steps outlined in the post above to make a "packet-capture datapath" of the user and inspect it in wireshark (or post the pcap file here for others to assist).