Wireless Access

Hi, first of all sorry if I posted this in the wrong forum. I was just wondering how samsung detects captive portals? We have a media server with a captive portal without internet and all phones and laptops aside from samsung phones get a portal popup. On samsung, it outright says internet may not be available and does not give the user the captive portal. Does samsung ping an IP to decide about the availability of the internet? If so what IP or host is this? Because then maybe we can have a workaround on our server so that samsung phones wont detect our SSID as not having internet and direct users to the captive portal. We are doing this on an instant AP btw but i dont think it matters

May want to capture the packets from the client perspective to identify what the Samsung device is trying to communicate with to determine it has Internet access.

 

Another way, is from the IAP, run the following command "show datapath session" when the client connects. Look at the entries for the IP of the client to see what's being denied and add to a whitelist for the Guest.

Thanks for the suggestion mnarine. I ran show datapath session on the IAP and I saw amazonaws IP's. So samsung phones might be relying on this to determine internet connectivity. Now I am stuck on how to trick these phones of thinking that they can reach amazonaws specially since amazonaws has a ton of IP's and each phone I tested sent requests to different amazonaws IP's. Our media server is running on an ubuntu machine, might have to go to a linux forum now for more answers :)

from my S6 with Android 7, non rooted, it will try to reach the following

http://connectivitycheck.gstatic.com/generate_204

and it expects to get an empty but valid 204 response, e.g.

 

root@kali:~# curl --verbose http://connectivitycheck.gstatic.com/generate_204
*   Trying 172.217.27.99...
* Connected to connectivitycheck.gstatic.com (172.217.27.99) port 80 (#0)
> GET /generate_204 HTTP/1.1
> Host: connectivitycheck.gstatic.com
> User-Agent: curl/7.56.1
> Accept: */*
> 
< HTTP/1.1 204 No Content
< Content-Length: 0
< Date: Wed, 21 Mar 2018 14:06:19 GMT
< 
* Connection #0 to host connectivitycheck.gstatic.com left intact
root@kali:~# 

but if there is a captive portal in the middle it will receive some sort of 200/OK instead. In the case of aruba, that would look like the below  - the important thing is that its not an empty 204 response, which is how it knows to pop up the mini browser thing

 

 

 

HTTP/1.1 200 Ok 
Date: Wed, 21 Mar 2018 14:01:23 GMT 
Server: Apache 
X-Frame-Options: SAMEORIGIN 
X-UA-Compatible: IE=edge;IE=11;IE=10;IE=9 
Expires: 0 
Content-Length: 168 
Connection: close 
Content-Type: text/html 
<html>
<head>
<meta http-equiv='refresh' content='1; url=http://connectivitycheck.gstatic.com/generate_204&arubalp=68a501fb-e8af-4f54-bce2-73a1dc7577'>
</head>
</html>

[edit: I just saw you're on IAP, I don't know if IAP can do this, the below would be true for a controller, leaving it here for completeness]

 

if you wanted to do something with this, create a named netdestination and acl to use it as you see fit (the IP to name will be filled by dns snooping)

 

netdestination connectivitycheck
   name connectivitycheck.gstatic.com
!

ip access-list session android_cp_thing
   user  alias  connectivitycheck svc-http  <whatever>
   user  alias  connectivitycheck svc-https <whatever>
!

hth

 

 

 

Hi dugem2016,

Thanks for your reply, if that's the case, that the phone is waiting for a response like a 204/200 then it might not be possible for us to trigger the portal using a vlan with no internet for the SSID. Out of curiosity how were you able to obtain those logs? That will definitely come in handy in the future.

 

hi Dejavu989 

I think if there is no internet available you will get other complaints about limited connectivity and the like.

 

The logs for the aruba captive portal were made with the "packet-capture datapath" command, the steps were roughly

 

1. create a quick default captive portal (aaa profile, vap and ssid)

2. set the destination "packet-capture destination local-filesystem"

3. start the capture "packet-capture datapath <mac of client> all"

4. connect the client, let it do its thing

5. stop the capture (not necessary to do) using no <command in 2. above>

6. move the capture to flash using "packet-capture copy-to-flash datapath-pcap"

7.  extract the flash: datapath-pcap.tar.gz file to my laptop and open it in wireshark

 

 

Thanks for the procedure dugem2016

Yeah but its what the phone says when it connects to an ssid without internet with a portal, really weird. On the other hand when the ssid has internet portal popup works fine. This is a problem for us since our ssid is simply used for a media server to share content, which basically means that samsung users will have to force the portal on the browser instead of it popping up normally like what iphones and other android devices do even for ssid's without internet. I guess this is the end of this, thanks everyone for helping

Hi there!

I've been messing around with captive portals and mobile devices and I have experienced the same issues as you guys. By doing some research and lots of hours, I found out that  after they try to get the generate_204, Samsung devices send a request to the port 5094 of an ip. When I nmaped this port of this ip, I found out that it's a sentinel-lm service, which it's a kind of license service. I suppose Samsung checks for the generate_204 file and, if it's not available, it checks for this kind of license maybe to know if there is actual connection behind the captive portal or it's just an off line fake access point.

Anyway, this post helped me so much when I was starting with this thing of captive portals and I didn't understand anything so I wanted to give back what I found. Good luck!

HI dugem2016

Do you know the version of Android 7 or higher?

It doesn't seem to work in the Android 8 version.

Http://connectivitycheck.gstatic.com/generate_204

hi ken.jhuang

What doesnt work specifically ? You can follow the steps outlined in the post above to make a "packet-capture datapath' of the user and inspect it in wireshark (or post the pcap file here for others to assist).