How to Automatically Detect a Captive Portal

Viewed 425 times

4

I’m making a hotspot on a server with CentOS 6 and would like to have mobile phones (Android and iOS) automatically recognize that they need authentication as soon as they connect to the network, and redirect to the login page.

In my firewall I have the rule:

iptables -t nat -A NET_DHCP -i eth1 -s 172.16.0.0/16 -p tcp --dport 80 -j DNAT --to 172.16.0.1:80

In Apache (httpd.conf):

<VirtualHost *:80>
        ErrorDocument 400 /var/www/dhcpauth/index.php
        ErrorDocument 404 /var/www/dhcpauth/index.php
        ServerPath /var/www/dhcpauth
        DocumentRoot /var/www/dhcpauth/
        <Directory /var/www/dhcpauth>
            AllowOverride All
            DirectoryIndex index.html index.html
            Options Indexes FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>
</VirtualHost>

In other answers to similar questions I found the following code, but it did not work the way I used it:

<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.wballiance.net/wispr_2_0.xsd">
<Redirect>
<MessageType>100</MessageType>
<ResponseCode>0</ResponseCode>
<VersionHigh>2.0</VersionHigh>
<VersionLow>1.0</VersionLow>
<AccessProcedure>1.0</AccessProcedure>
<AccessLocation>Andrew Wippler is awesome</AccessLocation>
<LocationName>MyOpenAP</LocationName>
<LoginURL>http://hotspot.localnet/</LoginURL>
</Redirect>
</WISPAccessGatewayParam>
-->

The hotspot (login and access release) works normally when we access the login page directly by DNS or IP, but I need the message "This network needs authentication" to appear. Does anyone have any idea how I can do that?

1 answer

1


As far as I know, the OSes (Android, iOS, Windows, etc.) have mechanisms that check whether a certain access is being redirected to an IP it should not go to; if this is true, the OS presents an alert recommending a network login. I did it on FreeBSD using Packet Filter (pf), but the logic should be the same with iptables:

rdr  on {$int_wireless} inet proto {tcp} from !<logados> to any port 443 -> 192.168.99.1 port 443
rdr  on {$int_wireless} inet proto {tcp} from !<logados> to any port 80 -> 192.168.99.1 port 80

When a device gets an IP via DHCP on the Wi-Fi network, the two rules above come into action: if the IP is not registered in the table logados, any attempt to access any IP/address is redirected to my login page (192.168.99.1). When the client logs into the network, these two rules no longer apply to the logged-in client. These two rules are responsible for the OS being able to display a login message.

  • Is that just the redirect? Because I did this and apparently it already worked: when I tried to open any page in Chrome on the mobile, it was redirected to the page of

  • Yes, it is the firewall redirecting everything on ports 443 and 80 that makes the login message appear in the OS; Apache has nothing to do with it.

  • I tested exactly as you mentioned:

    iptables -t nat -I PREROUTING_DHCP -p tcp --dport 80 -j REDIRECT --to-port 80
    iptables -t nat -I PREROUTING_DHCP -p tcp --dport 443 -j REDIRECT --to-port 443

    Only, instead of showing that the network needs login, the message that the network seems to be unavailable appears, although the redirect has worked, because when I try to open a page in the browser it redirects to the login page.

  • Everything else is locked down, right? There cannot be any other outbound port open in the firewall; everything on the Wi-Fi network must be blocked, and only the IP of your Apache and the redirection of ports 80 and 443 must be allowed.

  • Yes, the default policy of my firewall is DROP. Even so, to be sure, I have now added a DROP in FORWARD for the Wi-Fi network. The only ACCEPT is to the server where Apache is located.

  • Are the clients that connect over Wi-Fi connecting to APs or routers? I think it only works right on APs...

  • I was able to solve it, but it does have to do with Apache. To resolve it I needed an Apache redirect with code 302 to the login screen. Only this redirect tells the devices that you need to log in. But thanks for the help.
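
The difference described in the last comment, as an added example that is not part of the original thread: a local stand-in for the web server behind the DNAT rule answers an OS-style connectivity probe either with an error status plus the login body (what an ErrorDocument 404 handler returns) or with a 302 to the login URL. The probe host and path (an Android-style generate_204 check) and the simplified classification rule are assumptions; hotspot.localnet is the login host from the question.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTAL_HOST = "hotspot.localnet"      # login host name taken from the question
LOGIN_URL = f"http://{PORTAL_HOST}/"

def make_handler(use_redirect):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = (self.headers.get("Host") or "").split(":")[0]
            if host == PORTAL_HOST:       # request really meant for the portal
                self._send(200, b"<form>login</form>")
            elif use_redirect:            # intercepted request: send the client to the login page
                self._send(302, location=LOGIN_URL)
            else:                         # ErrorDocument style: login body, but error status
                self._send(404, b"<form>login</form>")
        def _send(self, code, body=b"", location=None):
            self.send_response(code)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):     # keep the console quiet
            pass
    return Handler

# Assumed, simplified model of a probe that expects an empty HTTP 204 reply.
def classify(status):
    if status == 204:
        return "internet"
    return "captive-portal" if 200 <= status <= 399 else "no-connectivity"

def probe(use_redirect, host="connectivitycheck.gstatic.com", path="/generate_204"):
    """Send one probe to the local stand-in; return (verdict, Location header)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(use_redirect))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status), resp.getheader("Location")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for mode in (False, True):
        print("302 redirect" if mode else "ErrorDocument 404", "->", probe(mode))
```

Under this model the 404 variant is classified as no connectivity, while the 302 variant is classified as a captive portal and carries the login URL in its Location header.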
