Captive Portal not working with Android devices

[StP]

It seems the general discussion forum is not (regularly) visited by OPNsense developers. So I'm reposting here...
------

We did set up a guest WIFI access point following

https://docs.opnsense.org/manual/how-tos/guestnet.html?highlight=captive%20portal

It works fine for Windows PCs and iOS devices.
But Android devices do not show the login screen.
Neither automatically (as my iPhone does) nor after opening a browser and entering an arbitrary URL.

Any ideas?

Stefan

[wifimasters]

Hi there, do you have updates on this one?

Mine displays fine on old and new androids but after authentication that's where the the re-direction of external website doesn't work.

Good on your topic.

[StP]

No answer yet.
Problem still not solved.

StP

[jschellevis]

@StP I think it has to do with Android devices detecting the captive portal. It is unrelated to the Captive Portal feature itself. I'll look into it later.

[StP]

Thanks.
Hopefully you will find something...

Stefan

[jschellevis]

Ok, finally got round to test this and found it is best to have Android detect the captive portal upon wifi connection. Then the user will be logged in already before requesting any page, this is specically needed when requesting https pages as when not logged in it may not work at all or produce an error about an invalid certificate.

What you need to do to make this work is simple, google checks for a page on the clients3.domain google.com to automatically have the user presented with the login page, simply configure your dns forwarder/server to have that domain point to the ip of your login page.

In my case the captive portal is on 192.168.1.10 and this is how my overwrite looks like:



Also note that is easier to have the Captive Portal in http mode, when using https the CP need to have a vlid certificate otherwise it will show a certificate error.

[StP]

Thanks for your efforts.
Unfortunately it does not work.
I will try to capture a connection attempt and see what's in there.

Regards
  StP

[jschellevis]

I have tested it with 2 different Android devices, iphone and a macbook pro. With all of these devices everything works as expected. Not much more I can do.

The way it should work on the Android devices is that upon connection to the wifi network it will prompt you to login, this solves the ssl issue you may have when capturing a connection not intended for the firewall and protected with ssl. So first you login and then open the connection to the page you want.

Best to try with the captive portal in http mode and add the https layer later so you are not testing two different issues at the same time.

When you are not able to solve the issue, just start with a clean install, upgrade to latest version and then do a simple setup like in the docs and nothing else. So only WAN, LAN and put the captive portal on your LAN.

Test if that works by visiting a http page (not https!), the login page should popup and after login you will be redirected. If that works then you can connect a wifi access point to your LAN and add the host overwrite as I suggested. Try connecting to the wifi with your android device and if the host overwrite works then you will be prompted with the login question. (make sure the DNS is set to the ip of OPNsense so the resolve will happen there, otherwise the host overwrite won't work).

Login and then try to access any page, http or https.

Again if you do not first login and try to access a https page, then your browser will not allow it due to the ssl certificate mismatch (man in the middle).

[wifimasters]

Hey J, thanks for the useful update.

I tried browsing http sites (also modified the DNS overide thing) and I can see it's reaching to the sites BUT it's a weird because each http URL has suffix of "?refresh" just stalled and keep refreshing.

I heard there's some updates coming up, i hope fix is included.

thanks!

[StP]

Problem solved!!! But I don't understand why...

During the very first installation of the system (16 months ago) I defined a list of DNS servers under "System/Settings/General".
And the first entry was our local domain's DNS server.
The one that is used by all domain members.
The public DNS servers follow after that internal one.
Maybe this is not a clever configuration but it always worked.

Removing our internal DNS server from the list lets Android clients log into Captive Portal.
I do understand that a WIFI client cannot access that internal DNS server as this is blocked by the firewall.
But:
- Why is no other public DNS server used?
- Why did it work for iOS and Windows clients?

One other thing: I just installed 16.7.5 over 16.7.4. Any possible influence?

Best regards
  StP

[franco]

- Why is no other public DNS server used?

All DNS servers are written into the dhcpd config and should materialise to the clients. Maybe Android simply ignores all but the first?

- Why did it work for iOS and Windows clients?

See above.

I don't see any code that could have affected this from 16.7.4 to 16.7.5.


Cheers,
Franco

[StP]

Franco,

thanks for the clarification.

I'm fine now 

Best regards
  StP