Captive Portal issue with Chrome on Android
Turns out this is a bug in Chrome.
See Issue 662150
Umbrella issue is 335933.
****Update:
We really needed this to work. Google isn't going anywhere fast on coming up with a solution. My new S7E has a captive portal app built in.
I'm guessing other manufactures will still have problems. I did see one patient come in with a Lenovo tablet that experienced this. An employee had the same with her older Samsung device.
I see quite a number of people suffer captive portal pain. I was finally able to resolve this by sinkholing the DNS traffic for the captive portal test FQDNs.
I did try first at my ASA dropping traffic based on FQDN, but as the traffic is sourced from the WLC, I couldn't deny based on VLAN.
So, a DNS hack.
On the WLC, I setup 3 virtual interfaces. 1 is internal. 2 is vendor and 3 is public. Each has their own DHCP scope so I can set all their specific options for their unique situation. 3 has a WLAN with the captive portal associated to it.
I configured my vendor WLAN to use public DNS servers - not a lot of use on that WLAN.
I have two public caching DNS servers running CentOS with BIND 9; I locked them down to a minimize the attack surface. They are VMs on ESXi hosts with a copper NIC installed in each that connects to an isolated virtual switch and my DMZ network. Didn't cost me a dime.
I did this because some users (visiting doctors) using their personal devices and we connect them to the vendor without the captive portal (they connect once and stay connected - Guest have a time limit and need to accept the Acceptable Use Policy).
Added to /etc/named.conf
zone "connectivitycheck.android.com" IN { type master; file "sinkhole.db"; };
zone "clients3.google.com" IN { type master; file "sinkhole.db"; };
/var/named/sinkhole.db
$TTL 600
@ IN SOA localhost root (
5 ; serial
3h ; refresh
1h ; retry
1w ; expire
1h ) ; min TTL
;
IN NS ns.
* IN A 127.0.0.1
connectivitycheck.android.com. IN A 127.0.0.1
clients3.google.com. IN A 127.0.0.1
It's not beautiful, but it works very well. I hope this helps someone else.
Related videos on Youtube
04 : 19
01 : 26
03 : 12
02 : 39
01 : 09
05 : 41
Dacid Salin
Network Engineer, working with Cisco routers/switches/Nexus, Windows/Linux servers on vCenter servers (VMware) and some Cisco Call Manager. Worked with all versions of Windows except pre 3.1. Started with DOS several decades ago (before Windows 3.1 was mainstream), worked my way through Netware (was a Netware 3.12 CNE and just 2 tests away from MCNE). Working at an MSP again after taking a break to work in corporate IT at a hospital (small one with 80 guest servers on 3 VMware hosts - Converged Network Adapters connected to Cisco Nexus switches, and setup FC on to EMC VNX SAN that I implemented. Fast, rock solid and amazing. Now back to customers that don't want to do things the corporate way, but go as inexpensively as they can, yet expecting the world (oh and no server backups, just some of there data - that's so common it makes me nuts...). ShoreTel UCSI and soon UCSE. A+ Server+ Lenovo Workstation, desktop, laptop, low end and midrange server warranty certified. Manager of 7. I'm a river that is mile wide and a foot deep, not specialized with anything, but a generalist with many things.
Updated on September 18, 2022Comments
-
Dacid Salin almost 2 years
I have setup WebAuth on our public Wi-Fi. We have a Cisco WLC 5508 and when using iOS, Apple, Windows devices or some Android devices, the page loads correctly, however when I am using a device with Chrome 53.0.2785.124 as the default browser on Marshmallow 6.0.1, I get an error page indicating a possible MTM attack. It reads "Your connection is not private" followed by some other text and NET::ERR_CERT_COMMON_NAME_INVALID. Here is a screenshot of the error.
From what I understand, this is due to the browser attempting to reach a URL and is expecting a specific result, however the cert on the requested google.com home page does not match the cert for the host on the returned wlc.mydomain.com SSL certificate.
One section of www.google.com/chrome/browser/privacy/whitepaper.html reads:
In the event that Chrome detects SSL connection timeouts, certificate errors, or other network issues that might be caused by a captive portal (a hotel's WiFi network, for instance), Chrome will make a cookieless request to http:// www.gstatic.com/generate_204 and check the response code. If that request is redirected, Chrome will open the redirect target in a new tab on the assumption that it's a login page. Requests to the captive portal detection page are not logged.
It's actually sending a request to http:// connectivitycheck.android.com/generate_204. The issue I see is in the response from the WLC, the status code is HTTP 1.1 200 OK. I would either expect to see an error due to the page being blocked or a 300 response to indicate a redirection. Based on the text above from Google, it sounds like the browser will enter it's Captive Portal mode (and open a new tab for authentication) WHEN it receives a redirection.
I'm thinking this may be an issue with the WLC configuration, but perhaps it's an issue with Chrome 53 on Android.
If anyone has a recommended solution, I would appreciate it.
Regards, D
-
Admin over 7 yearsThat's the correct URL for Android, which does the check as soon as the device connects to a Wi-Fi network. The desktop version of Chrome uses the other URL.
-
