IOS 6 and Captive Portals

Posted in iPad, edited January 2014


I support a wifi hotspot for one of my clients and have issues with iOS 6 users reaching the guest captive portal.

1) Private IP addresses are used, 192.168.x.x

2) Captive portals were working before they upgraded. I tested with my own device before and after the iOS upgrade. Worked before, fails now.

3) The iPhone/iPad times out without reaching the captive portal.

4) I do not see any attempts on the wifi network to authenticate.

In the past, the iPad would have a popup screen asking for my credentials. The device never actually showed the captive portal page (like a traditional laptop). Now it just clocks until it times out.

Anyone else having this problem? All of my users that have iOS 6 are failing.

Thanks in advance for any thoughts and suggestions.

-Kurt

Comments

  • Reply 1 of 9
    Marvin Posts: 15,326 moderator
    Have you tried clicking on the arrow next to the network in settings, clicking forget this network and then reconnect? It should ask to enter the connection details again.
  • Reply 2 of 9


    I believe I have resolved this. After spending days on it, and trying just about everything, I happened upon a missing piece of information from my network admin, and after that, had it working in about 5 min.

    I fixed it

    After multiple attempts to trick iOS 6 to allow for local wifi connectivity, I have come upon a solution.

    The problem: trying to get iOS 6 to connect to wifi, behind a captive portal and a websense filter, while keeping external access offline.

    We use the captive portal to set up billing for internet usage, and didn't want to open a huge hole in it to allow 'free' internet to the iPhones.

    We use websense to do content filtering, and any hole I opened on the captive portal ended up with a websense authentication pop up on my iPhone when I tried to log in.

    When attempting to join a wifi in iOS 6 (iPad, iPod, iPhone), you would get a captive portal, or a websense authentication login. If you did NOT log in, you would not join your wifi; if you DID log in, your entire house could be online and using the internet.

    Bigger problem:

    -captive portal pass through is not enough, websense does not filter properly, even with an unblock filter in place.

    Failed solutions:

    -created fake apple.com domain and fake web server with Success! message
    -created proxy server
    -created captive portal mac and ip and hostname throughputs
    -created websense unblocked filters


     


     


    WORKING SOLUTION: (our captive portal is PFSENSE)

    -you have to create a combination of things. In the end, you're allowing access to a limited set of locations so the iPhone can activate the wifi, but keeping the rest of the internet closed. The iPhone will go through these holes, and onto the internet, but the holes are too small to allow anything else through.

    Step 1:

    on each captive portal (we have multiple, one for each network, you may have only 1), create allowed 'hostnames' and allowed 'ips' entries to match the following locations:

    17.173.254.222/32
    96.16.237.15/32
    gsp1.apple.com

    (I derived this information by reading forums but also by doing a packet capture on PFSENSE while trying to connect to wifi with my iPhone, which gave me the IP addresses. With just the IP addresses I believe it will work. I also tried adding *.akamaitechnologies.com (which the IPs resolve to) and that also worked but I didn't want THAT large of a hole in my fw).

    Step 2:

    on each firewall, create a rule allowing ANY to those locations as well, making sure it NATs, and all of that. This rule needs to be active BEFORE your websense filtering rule, otherwise websense authentication pop ups will continue.

    As a result, the iPhone now logs in, but web pages are still blocked, so folks still have to log in to the captive portal and submit billing information before going online.


     


    -Gimpel


     


    in case anyone cares.
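
Added example, not part of the post above and not pfSense configuration: a simplified Python model of the two steps, checking that every pass-through entry is a single host and that the allow rule is evaluated before the filter rule. The rule names, the outcome labels and the test address 198.51.100.7 are assumptions made for the illustration; hostname entries are not resolved.

```python
import ipaddress

# Pass-through entries quoted in the thread (reply 2, step 1, and reply 7).
PORTAL_ALLOWED = ["17.173.254.222/32", "96.16.237.15/32", "gsp1.apple.com",
                  "23.1.173.15"]

GOOD_ORDER = ["allow-holes", "websense"]   # step 2: allow rule before the filter
BAD_ORDER = ["websense", "allow-holes"]    # filter first: popups continue


def parse_net(entry):
    """Return an ip_network for IP/CIDR entries, None for hostnames."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def audit_holes(entries):
    """List entries wider than one host: wildcard names or prefixes under /32."""
    wide = []
    for entry in entries:
        net = parse_net(entry)
        if net is None and "*" in entry:
            wide.append(entry)
        elif net is not None and net.num_addresses > 1:
            wide.append(entry)
    return wide


def outcome(dst, logged_in, fw_rules, allowed=PORTAL_ALLOWED):
    """Model one connection: captive portal first, then first-match firewall."""
    addr = ipaddress.ip_address(dst)
    nets = [n for n in map(parse_net, allowed) if n is not None]
    in_hole = any(addr in n for n in nets)
    if not logged_in and not in_hole:
        return "portal-redirect"          # no hole, no login: sent to the portal
    for rule in fw_rules:
        if rule == "allow-holes" and in_hole:
            return "pass"
        if rule == "websense":
            # Assumption: the filter only lets portal-authenticated users through.
            return "pass-filtered" if logged_in else "websense-auth-popup"
    return "blocked"


if __name__ == "__main__":
    print(audit_holes(PORTAL_ALLOWED + ["*.akamaitechnologies.com"]))
    for order in (GOOD_ORDER, BAD_ORDER):
        print(order, outcome("17.173.254.222", False, order))
```
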

     

  • Reply 3 of 9


    To clarify, when I say 'FAKE apple.com' domain, I mean an internal DNS domain, on my test network... totally legit, and never public... I wanted to see if I could get my iPhone to see 'Success!' via an internal web page, and I couldn't.

    I believe the reason it wouldn't redirect is because the packet capture showed that it was looking for IPs, not hostnames. If I'm right (and I rarely am), Apple hard coded IPs into their iOS.

    No wonder people were having major issues when their servers went down... they put all of 2 locations in there and used IPs instead of hostnames? I consider that a tad short sited (pun intended).

  • Reply 4 of 9


    Hi Gimpel,

    I am facing a similar issue wherein after upgrading my iPad 2 to iOS 6, I cannot connect to the internet. My internet service provider is a company called Hathway. They provide a cable modem which I have connected to a Belkin Wi-Fi router. Through my iPad, I can discover the wifi n/w but when I try to connect to any website through the browser, the "login" and success.html page comes up.

    My ISP requires me to log in to their portal before actually being able to connect to the web and hence I think I have the problem of the captive portal.

    Of all the solutions I found on your web, I think the one you have listed above seems the most likely to work at my end. However, I am not sure whether this means that there are changes I need to do at my end (on my wi-fi router) or does the ISP need to make the changes?

    Looking forward to your reply.

  • Reply 5 of 9
    Hi Nilesh

    Any luck with a solution? I am having the same issues with Hathway as you are - please let me know if you have found a solution.

    Gimpel, if you have a solution to this please help.

    Best
  • Reply 6 of 9

    Quote:

    Originally Posted by gimpel View Post


     


    Step 1:

    on each captive portal (we have multiple, one for each network, you may have only 1), create allowed 'hostnames' and allowed 'ips' entries to match the following locations:

    17.173.254.222/32
    96.16.237.15/32
    gsp1.apple.com


     




     


    gimpel, I have exactly the same problem with PFSENSE, but I'm not sure exactly where in PFSENSE you did step 1.

    Can you help me with that?

    Where do you create the Allowed 'hostnames'?

    Thanks a lot

  • Reply 7 of 9


    I actually answered my own question and figured that I needed to do Allowed IP addresses only for one IP:

    23.1.173.15

    To allow this: http://www.apple.com/library/test/success.html

    (I'm not sure exactly why the iPad needs to use this to keep the wifi alive)

    This IP then is allowed to go through the portal with no authentication, and the wifi never disconnects.

  • Reply 8 of 9


    I upgraded to iOS 6.1 and my issue is resolved.

  • Reply 9 of 9
    pm007 Posts: 3 member

    The solutions provided seem to be working only with iOS 6.1.2.
