Pfsense captive portal does not show on IPhone !!

d21spike

@johnpoz said in Pfsense captive portal does not show on IPhone !!:

But really what should happen is - soon as connect to this wifi I should get the portal login popped up.. Via iphone captive portal check, etc.. Vs it just saying no internet access in the wifi screen.

Yeah similar to what I was seeing, the device receives an IP but displays no prompt. Which from my understanding is a mini version of safari. I read up on where it tries to get an apple page and if it doesn't get "success" then it believes it's behind a captive portal.

Curious do you have the general base "Allow All" rule on the Captive Portal network? Of course adding rules of blocking there-after.

While looking at your screenshot, I do want to point out a bug though. If you select both First Auth method and Second Auth method. I've found no way to get rid of the Second method other than recreating the Captive Portal.

johnpoz

@d21spike yeah I allow this network, and even edited my dns rule to allow vs limited to my other dns on a different vlan.

And yeah I thought it worked that way too - phone should look for whatever captive portal dns its trying to ask for - and if fails should assume captive portal, etc.

But from my quick test - there is something going on that is not quite right with iphones running 15.1 atleast and just popping up the login portal page.

edit: yeah got rid of that - just deleted and redid the captive portal

But its still not popping up unless I try and just go to an IP.

I wouldn't have an issue with that - have seen issues with captive portals popping up at other wifi spots where they use a captive port.. It really should be common knowledge to try just http or IP, etc. But does seems I have duplicated the OP issue, I am thinking more some setting changed on ios to be honest.. But again not a captive portal user - so maybe it never worked correctly going back multiple ios versions, etc..

Might have to do some digging into troubleshooting no captive portal popup on iphones to see what is misfiring in what should be a click and go setup..

edit: I wonder if something in the iphone and the network not being "open" I have a psk set on me... Let me check that - brb.

johnpoz

@johnpoz said in Pfsense captive portal does not show on IPhone !!:

edit: I wonder if something in the iphone and the network not being "open" I have a psk set on me.

Well what do you know ;)

I changed that wifi to just be open.. Forgot it on the iphone and then reconnected and bam got the popup

Possible iphone doesn't even attempt the captive portal check if the network is secured with psk?

Ok forget that - I just set the guest network to be psk again. I forget the network on the phone - and reconnected using the psk.. And bam got the login page again.. So something was odd with phone and having that network saved from before.

@sparktcs I would suggest you try forgetting this network on your ios device and reconnecting..

d21spike

@johnpoz can confirm I've had to have iPhone forget network after changes to avoid unwanted behavior.

johnpoz

@d21spike ok seems this has been answered pretty well then. I was able to duplicate the OP issue. But after just forgetting the network on the iphone and reconnecting it seems to be work as it should with iphone popping up the log in portal page.

This worked with just an open network, and with one set to psk.

This is just using default captive portal settings - enable and click interface, select local database for auth.

d21spike

@johnpoz agreed.

johnpoz

@d21spike so I wonder if your base64 images would work if you forget the network?

d21spike

@johnpoz Just tried with an iPhone 11
base64 images: no prompt
png images: prompt

All source code the same, just images replaced.

Gertjan

@d21spike @johnpoz

Your findings scare me ;)

I don't have an iPhone 13 to test, I do have an iPhone X, with the latest 15.1.

When I connect to captive portal - the one I use for a hotel so it better works or ...., the login pages pops up within a second or two.
I didn't need to "forget" the SSID, to make it work.
I can de activate the "private (MAC) address", or activate it. Both work. On re connect, the IP will change of course.
Or the auto connect switch.
The DNS of the captive portal is pfSense (unbound).
The captive portal is my OPT2 interface, using 192.168.2.1/24, and I use a bunch of AP's to cover the entire building. The AP's are, for the moment, ancient E1200 Linksys devices, as I have only 25 Mbytes to share. That will change in the near future, fiber is in front of the door.
I use FreeRadius for the authentication, but the build in User manager would work also.
I use my own made html/php login page, with some GIF's or PNG's (have to check).
The network is open, as a captive portal should be open.

When I logging, I do see a brief :

and that's new. The message lasts for a second or so. That message isn't wrong, as initially, when the device isn't authenticated, the connection is blocked. After authentication, that changes. Before 15.x, I never saw this message.
Afterwards, the classic black text :" Non secured network" shows up, as it should as a captive portal is normally an "open" connection.

I'm pretty sure Apple still uses the classic portal detection method : when it's wifi interface comes up, after DHCP negotiates, it throws out a http:// request ( see here a list ) and if the returned page isn't "Success". Check here then a scaled down mini browser (a sub part of Safari I guess ) and the request is repeated. The page being shown will be our login page.

But ..... the recent iOS '15' does more. I've seen the URL requests that indicate that this process is also used.

For me, the captive portal has to function 24/24h, as unknown users with unknown devices must be able to connect. And they do :

it's 11h00 AM, most hotel client left hours ago, the soft time time out is set to 4 hours.
Btw : user "x", that's my iPhone.

When iOS 15.x came out, I was 'sacred' as new things have the trend of breaking 'old' things, but it didn't.

My captive portal settings are straight forward, with one addition : Freeradius in stead of the local User Manager. But that one isn't involved in the "show the login page" process.

johnpoz

@gertjan My guess is why I was not seeing the login popup is my phone already knew about that network and there was no captive portal on it before.

I don't use the captive portal, so don't really have a lot of experience with it. But yeah until I forgot the network. I couldn't get it to pop up automatic, I had to actually just try and go to an IP.. A normal browser page load was not popping it up either.

I know or atleast think how it works is looking for specific url to load and then if not it pops that login browser I have found a list that says its this ios

https://captivebehavior.wballiance.com/

Apple iOS

    www.apple.com
    www.appleiphonecell.com
    captive.apple.com
    www.airport.us
    www.ibook.info
    www.itools.info
    www.thinkdifferent.us
    apple.com

I will do a bit more playing with it.. But if you look around the net there are plenty of talk of ios not auto popping up the login.. CNA (Captive Network Assistant) is what it uses.. I will have to do a bit more research, and some sniffing ;)

I found an article here about helping it work with a dhcp or ra setup.

https://developer.apple.com/news/?id=q78sq5rv
How to modernize your captive network

But for this thread - right off the box with my client already having joined that network before, and me just turning on captive portal it wasn't auto popping up that network. But once I forgot the network on the device, it then instantly auto popped up the login and loaded the portal page for auth.

My captive portal settings were always just default, pick the interface to run the captive portal on, and pick the local database - those were the only settings selected.

Gertjan

@johnpoz

I'm using a centralized syslogger, and have pfSense send all the logs to it.
When it's an Apple device, I see :

..... http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html .....

and you'll recognize right away the :
http://captive.apple.com/hotspot-detect.html

This is the Apple's captive portal detection URL that I've been seeing the last several years.

It's a http (it has to be !) - port 80 request, so it can get redirected. The ipfw firewall will redirect it to the captive portal web server, listening on 127.0.0.1 port "8002" (or close to 8000).

edit : my portal redirects the http port 80 to the https port 8003 web server portal instance, as I'm using https portal login with a certificate signed by a trusted source (Letenscrypt). Just to make sure that there will be no warnings or other alarm bells going off on the user's device.

The fact that I've never seen people using iDevices (iPhone, iPad, etc) that also use 'firewalls' or 'antiviruses' helps. Android devices (users) are quiet different. As people have more control and choice, they can install apps that actually create the "shoot in de foot" situation. Like "not accepting "not known wifi networks" (and they just forgot that maybe our wifi network is actually member of the "not known" list).
But I can always show them the list with already connected devices, Apple, Android, Microsoft, etc, so they accept that 'it might be their own device'.
Anyway, our wifi access is free with just one condition : you're welcome if you are able to use it. If not, it's also fine for me. I never 'touch' some one else's device.
The last several years : Plan B is has become Plan A : 4G and 5G coverage is quiet good, everybody has close-to-unlimited data traffic. So, our free wifi access lost some of it's importance.

edit : Regularly, I'm being told that our Wifi is "open" and that I should not do that.
It's good news, actually, the fact that people understand that radio waves can get intercepted.
Without being technical (Remember, I'm a hotel owner, right - so what do I know ;) ) I recall my clients that de login phase was using https - so it's ok.
Then I ask the client : what web pages do they visit that are NOT https - the sites without the padlock ?
They say .... after some thoughts : none.
I'll ask them : how do you retrieve and send your mails ?
They say .... most often : that they don't know. Very views will answer. So I tell them : you're using port "25 110 143" : not ok. Port 993 995 465 : you're fine.
Apps ? If it's an iPhone then app to app server communication is TLS for 99,9999%
So, yeah ......
My encrypted WPS2/3-PSK-AES, + their VPN (why not) + their TLS traffic ..... => completely hilarious. If users need to protect their data, they can, after opening the portal, activate their VPN.
The good news is that more and more people understand what I'm explaining. Some of them even ask : "but do I need these NrdNetVPN, SurfShrkVPN and other *XpressVPN then ?"
I'll say " Because they you're watching to many Youtube commercials, these guys are after your $|€ and have little to do with security".

johnpoz

@gertjan said in Pfsense captive portal does not show on IPhone !!:

So, our free wifi access lost some of it's importance.

So true - I always wonder why people these days care if there is wifi at some public type of location, hotel I get it.. Laptops and stuff. But anymore with a cell phone their cell connection is prob faster.. Only time it would make sense to me is if there is bad cell coverage at the location.

Gertjan

@johnpoz said in Pfsense captive portal does not show on IPhone !!:

I always wonder why people these days care

Don't wonder - you know why.
First category : you can give kids unlimited bandwidth, they will still burn it. New social media (toktok, istagram etc) video gaming and streaming.
These days, parental control over the data carrier consumption is possible. Data over wifi is lest controllable, so kids go for wifi.

Another category : "local wifi" doesn't need a phone-of-the-company device. Close to 90 % of all our clients are visiting our hotel for professional reasons. They don't care about de local castle from the 14 century.

Our 4G/5G is a rural setup : no micro cell technology : the operators just want to show their name and 4G or even 5G on the customers phone's display. When the customers actually use the data carrier, they find out quickly that commercial promises are probably valid in high density cities, not where they are now, 'lost in the middle of France' in a rural area.

edit : another group : not everybody knows that phones with a data connection can share that connection, using the phone as an AP. As most people have a phone, pad and portable PC, only the phone will use the 4G, the other devices have to use the local wifi.

johnpoz

@gertjan said in Pfsense captive portal does not show on IPhone !!:

They don't care about de local castle from the 14 century.

heheh - I don't know when I was on business trips my favorite part was taking in the local history and stuff to do. This was mostly the local tavern ;) But still - hehehe

I spent a bit of time in Tulle on multiple occasions.. I had a couple of fav watering holes there.. One of my favorite spots was a little place tucked away on a side street, loved to sit outside and just watch the people going about their business and enjoy a few beers..

It was across from the cathedral there, and believe that was from the 14th century ;)

Chiransmith34

This post is deleted!