Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal with mobility controller doesn't redirect android users

  • 1.  Captive portal with mobility controller doesn't redirect android users

    Posted Oct 31, 2019 04:04 PM

    Good afternoon.

    I have a captive portal configured with virtual mobility controller + ClearPass. With Windows it works correctly: once connected, it prompts the browser with the captive portal login.

    In Android it stays in "connectivitycheck.gstatic.com/generate_204" and won't open the browser.

    Reading other posts, I applied a DNS redirect to an inactive IP address, but the same thing happens.

    It seems that Android checks connectivity to certain domains when it connects to Wi-Fi, as it says here: https://socifi-doc.atlassian.net/wiki/spaces/SC/pages/94371841/DNS+Fix+to+keep+Android+Splash+Page+and+the+Captive+Portal+Notification+active

    In fact, I did a packet capture with the controller (.pcap) and the Android devices do DNS requests to certain Google domains.

    When I whitelisted these domains and connected to the guest Wi-Fi, it says I have internet, but when I browse a non-Google domain it shows the captive portal correctly.

    The DHCP server gives the controller IP as the DNS IP, as it should be.

    I don't have proxy DNS in this case.

    Is there any workaround to this issue?

    Thanks in advance.

    Best regards.

    Gonzalo.



  • 2.  RE: Captive portal with mobility controller doesn't redirect android users

    EMPLOYEE
    Posted Nov 01, 2019 11:24 AM

    Gonzalo,

    For the captive portal popup, you will need to redirect the requests to the test URLs, not allow them. In order for a redirect to happen, DNS must work (which I assume is working). What you did is exactly what needs to be done to prevent the captive portal popup.

    If you captured traffic, please check if you see successful DNS queries for the URLs you found and that, when the client connects, the controller intercepts and sends an HTTP redirect to get the client to the captive portal. That should trigger the popup on most platforms.

    Does the captive portal work for non-Android devices?
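The probe-and-redirect behaviour described in the reply above, as an added example that is not part of the thread: this script repeats the Android connectivity check (an HTTP GET to connectivitycheck.gstatic.com/generate_204) from any client on the guest network and reports whether the controller answered it the way the phone needs (a redirect) or let it through (an empty 204, which suppresses the popup). The host, status-code set and verdict names are this example's own choices.

```python
"""Android-style captive portal probe (added example, not code from the thread).

Android expects an empty HTTP 204 from generate_204 and shows the
"Sign in to network" notification only when that request is answered with
a redirect, so the probe must be intercepted, not whitelisted.
"""
import http.client
from dataclasses import dataclass
from typing import Optional

PROBE_HOST = "connectivitycheck.gstatic.com"
PROBE_PATH = "/generate_204"
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class ProbeResult:
    status: Optional[int]            # HTTP status code, None if no HTTP answer
    location: Optional[str] = None   # Location header when redirected
    error: Optional[str] = None      # DNS/TCP error text, if any


def classify(result: ProbeResult) -> str:
    """Translate a probe answer into what the phone will conclude."""
    if result.error is not None:
        return "no-connectivity"   # DNS or TCP failed: no popup can be triggered
    if result.status == 204:
        return "open-internet"     # probe was allowed through: popup suppressed
    if result.status in REDIRECTS and result.location:
        return "captive-portal"    # controller intercepted and redirected
    return "unexpected"            # e.g. 200 with a body, or redirect w/o Location


def probe(host: str = PROBE_HOST, timeout: float = 5.0) -> ProbeResult:
    """Issue the same plain-HTTP GET Android uses, without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH)
        resp = conn.getresponse()
        return ProbeResult(resp.status, resp.getheader("Location"))
    except OSError as exc:           # covers DNS (gaierror), refused, timeout
        return ProbeResult(None, error=str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    r = probe()
    print(f"status={r.status} location={r.location} error={r.error} -> {classify(r)}")
```

Run it from a laptop in the pre-authentication role: "captive-portal" means the redirect is in place, "open-internet" means the test URL is still being allowed.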



  • 3.  RE: Captive portal with mobility controller doesn't redirect android users

    Posted Nov 01, 2019 02:57 PM
    Hi Herman.

    Indeed, yesterday, reading a little bit more about this, I found that if I allow Google sites the captive portal won't pop up, so today I deleted these URLs from the whitelist. DNS redirect only allows me to redirect a certain domain to an IP address, but then that IP address must resolve the domain. We don't have proxy DNS, so I don't know what to do.

    With Android, I tested with Android One on two Xiaomi phones. With no whitelist, the only thing that appears is the mobile trying to check connectivitycheck.gstatic.com/generate_204.

    The captive portal works OK with non-Android devices.

    Any advice?

    Thanks for your response.


  • 4.  RE: Captive portal with mobility controller doesn't redirect android users

    Posted Nov 01, 2019 03:42 PM

    I downloaded Termux and installed nslookup on the mobile device (Android).

    I disabled 4G communications and checked the IP address received from the controller.

    I did a lookup of several sites and they are all resolved with server 8.8.8.8. This means that Android hardcodes its DNS server, and even without 4G or Wi-Fi communication they are able to resolve everything o.O

    See the next screenshots:

    [Screenshots: mides.png, termux.png, ip address.jpg]

    Thanks.

    Gonzalo.



  • 5.  RE: Captive portal with mobility controller doesn't redirect android users

    EMPLOYEE
    Posted Nov 04, 2019 04:41 AM

    OK, summarizing: it looks like your Android picks 8.8.8.8 as DNS server for the captive portal, regardless of the DNS provided by DHCP.

    The captive portal URL that is redirected to is available in your local DNS, not in the public DNS, which means the redirect works for clients that obey the DHCP-provided DNS, not for the ones using the Google DNS.

    In such cases, in general, it may work to add your external captive portal FQDN to the public DNS, so it can be resolved through Google as well, and if DNS happens to go over 4G or is cached by the phone that will work as well. I found many people think that you cannot put A records for private IP space in a public DNS, which is not true. I have done the same for many customers for this purpose.

    What you could try as well, in the pre-authentication role, is to redirect DNS traffic going to 8.8.8.8 and destination-NAT it to your local DNS server. That does not cover the 4G DNS lookup but should work in your case.



  • 6.  RE: Captive portal with mobility controller doesn't redirect android users
    Best Answer

    Posted Nov 04, 2019 01:42 PM

    Hi Herman.

    Finally I could solve this redirect thing with Android users.

    I had to upload a signed, public and valid certificate to ClearPass in order for Android users to be redirected to the URL.

    I couldn't find any other way.

    Thanks for the tips anyway.

    Best regards.

    Gonzalo