
About ios7 about wifidog-gateway HOT 21 CLOSED

wifidog avatar wifidog commented on August 24, 2024
About ios7

from wifidog-gateway.

Comments (21)

therealgambo avatar therealgambo commented on August 24, 2024

Yes it can.

Since ios7 you must now block multiple FQDN requests from your ios device in order for it to pop up. In previous versions, you only had to block access to "www.apple.com/library/test/success.html".

You must now block access to the following FQDNs for the ios captive portal login to appear.

www.appleiphonecell.com
captive.apple.com
www.apple.com
www.itools.info
www.ibook.info
www.airport.us
www.thinkdifferent.us

More information: http://stackoverflow.com/questions/19055502/facebook-com-and-the-ios7-captive-portal-detection

from wifidog-gateway.

champtar avatar champtar commented on August 24, 2024

@wangyonghe please provide more details, like wifidog version, system running it, ...
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

from wifidog-gateway.

yeongher avatar yeongher commented on August 24, 2024

@missionrulz my wifidog configuration is below, but the captive portal still cannot be opened. The version of wifidog is the latest.

GatewayID 16v4uKK0YAjn997tzqLF|00:0C:43:41:46:32
ExternalInterface vlan2
GatewayInterface br-lan
GatewayPort 2060
HTTPDMaxConn 10
HTTPDName WiFiDog
CheckInterval 60
ClientTimeout 2
TrustedMACList

AuthServer {
Hostname portal.liukebao.com
SSLAvailable no
SSLPort 443
HTTPPort 80
Path /
}
FirewallRuleSet validating-users {
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet known-users {
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet unknown-users {
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
FirewallRule block to www.appleiphonecell.com
FirewallRule block to captive.apple.com
FirewallRule block to www.apple.com
FirewallRule block to www.itools.info
FirewallRule block to www.ibook.info
FirewallRule block to www.airport.us
FirewallRule block to www.thinkdifferent.us
}
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}

from wifidog-gateway.

champtar avatar champtar commented on August 24, 2024

Just a guess, can you try without the | and : in the GatewayID? (only letters and numbers)
The GatewayID is part of the redirect address, maybe it's not URL-encoded (| -> %7C and : -> %3A),
or maybe I'm totally wrong.

from wifidog-gateway.
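The percent-encoding champtar describes, as an added example that is not part of the thread or of wifidog's source: `encode_query_value` is a hypothetical helper and the `gw_id` parameter name is an assumption. It passes only RFC 3986 unreserved characters through, so `|`, `:` and CR/LF in a value cannot alter the redirect URL or the `Location` header that carries it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not a wifidog function: percent-encode one query value,
 * passing through only RFC 3986 unreserved characters (tested as ASCII).
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *encode_query_value(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len, i, o = 0;
    char *out;

    if (in == NULL || (len = strlen(in)) > (SIZE_MAX - 1) / 3)
        return NULL;                       /* len * 3 + 1 would overflow */
    if ((out = malloc(len * 3 + 1)) == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
            (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~') {
            out[o++] = (char)c;
        } else {                           /* '|' -> %7C, ':' -> %3A, CR -> %0D */
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Hostname and GatewayID are the values from the configuration posted in
     * this thread; the gw_id parameter name is an assumption. */
    char *enc = encode_query_value("16v4uKK0YAjn997tzqLF|00:0C:43:41:46:32");

    if (enc == NULL)
        return 1;
    printf("http://portal.liukebao.com/?gw_id=%s\n", enc);
    free(enc);
    return 0;
}
```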

yeongher avatar yeongher commented on August 24, 2024

I captured the packets of the iPhone 5s, but no HTTP request was sent.

from wifidog-gateway.

therealgambo avatar therealgambo commented on August 24, 2024

@wangyonghe You cannot block the apple websites using the Firewall block as it only allows IP addresses, not FQDNs.

To get around this problem, I created a shell script and set it up to run under cron every 5 minutes in case the IPs change because of load balancing and geo location.

Create an executable shell script with the following lines of code in it for every apple website that you wish to block.

iptables -t nat -D WiFiDog_br-lan_AuthServers -d captive.apple.com -j DROP
iptables -t filter -D WiFiDog_br-lan_AuthServers -d captive.apple.com -j DROP

Then have a cron job running every 5 minutes that executes that script.

from wifidog-gateway.

yeongher avatar yeongher commented on August 24, 2024

@missionrulz The command cannot be executed successfully.

iptables -t nat -D WiFiDog_br-lan_AuthServers -d captive.apple.com -j DROP
iptables v1.4.19.1:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.

I should append iptables rules to block "captive.apple.com", not delete a rule. Could you give me the whole shell script that can be executed successfully?

from wifidog-gateway.

champtar avatar champtar commented on August 24, 2024

@wongyonghe, can you be more precise about what the iphone is doing and the captive portal answers?

Also, you haven't told us your wifidog version.

from wifidog-gateway.

yeongher avatar yeongher commented on August 24, 2024

iptables -t filter -A WiFiDog_br-lan_AuthServers -d www.appleiphonecell.com -j DROP
iptables -t filter -A WiFiDog_br-lan_AuthServers -d captive.apple.com -j DROP
iptables -t filter -A WiFiDog_br-lan_AuthServers -d www.apple.com -j DROP
iptables -t filter -A WiFiDog_br-lan_AuthServers -d www.itools.info -j DROP
iptables -t filter -A WiFiDog_br-lan_AuthServers -d www.ibook.info -j DROP
iptables -t filter -A WiFiDog_br-lan_AuthServers -d www.airport.us -j DROP
iptables -t filter -A WiFiDog_br-lan_AuthServers -d www.thinkdifferent.us -j DROP

I have executed the above commands, but the captive portal still does not open automatically.

from wifidog-gateway.

yeongher avatar yeongher commented on August 24, 2024

iptables v1.4.19.1
This is WiFiDog version 20090925

from wifidog-gateway.

champtar avatar champtar commented on August 24, 2024

Hi @wangyonghe,
If you can, you should update to the latest version because of b9a330f, b5c4fc6 and e4fd161.

What is the iPhone doing, sending ICMP echo (ping)?

The fewer details you give, the less we can help you ...

from wifidog-gateway.

therealgambo avatar therealgambo commented on August 24, 2024

@wangyonghe Can you please supply us with the debug information that is displayed when running wifidog -f -d 7?

Please also be aware that iOS 7 currently has a problem with its Captive Network Assistant. Take this into consideration for your current implementation as it may affect you if you are using an external OAuth authenticator service such as facebook, twitter, gmail etc.

More Information: http://stackoverflow.com/questions/19055502/facebook-com-and-the-ios7-captive-portal-detection

from wifidog-gateway.

yeongher avatar yeongher commented on August 24, 2024

The wifidog redirection lacks WISPr information.

void http_send_redirect(request *r, const char *url, const char *text)
{
    char *message = NULL;
    char *header = NULL;
    char *response = NULL;

    /* Re-direct them to auth server */
    debug(LOG_DEBUG, "Redirecting client browser to %s", url);
    safe_asprintf(&header, "Location: %s", url);
    safe_asprintf(&response, "302 Moved Temporarily");
    httpdSetResponse(r, response);
    httpdAddHeader(r, header);
    free(response);
    free(header);

    /* Fallback HTML body with a clickable link to the same URL */
    safe_asprintf(&message, "Please <a href='%s'>click here</a>.", url);
    send_http_page(r, text ? text : "Redirection to message", message);
    free(message);
}

from wifidog-gateway.

champtar avatar champtar commented on August 24, 2024

hi @wangyonghe,

I think you don't need WISPr or domain blocking, you just need a 302 redirect. Please update your wifidog version, the one you're using sends 307 instead of 302.

from wifidog-gateway.

yeongher avatar yeongher commented on August 24, 2024

This bug has been solved, the wispr protocol is required.

from wifidog-gateway.

champtar avatar champtar commented on August 24, 2024

Hi @wangyonghe,
I've just tried with iOS 7.0.2/7.0.3 (iPhone 4s), wifidog 20130917, and auth.wireless-fr.org (wifidog server)
and the iOS CNA (Captive Network Assistant) is working if I'm not using SSL (SSLAvailable no).

As you're not using SSL (SSLAvailable no), please try to update wifidog (for this commit e4fd161). 20090925 isn't the latest version, 20130917 is.
Don't block apple's domains, else you will not get the 302 redirect, so no CNA.
Please try what @missionrulz said (running wifidog -f -d 7).

For the SSL part, the problem comes from redirecting to an https captive portal. iOS 7 is now very strict about where it is being redirected, see:
http://www.reddit.com/r/networking/comments/1p6wxg/apple_cna_struggles_and_fixes/

So you need (for an SSL captive portal)

  1. TLS 1.2 (server side upgrade/configuration)
  2. to be able to check the validity of the certificate of the captive portal with CRL/OCSP (allow access to rapidssl-crl.geotrust.com and rapidssl-ocsp.geotrust.com, and maybe rapidssl-aia.geotrust.com for the auth.wireless-fr.org certificate). For this, add for example "FirewallRule allow to ips" in "FirewallRuleSet global" (multiple lines)
  3. don't block apple's domains, else you will not get the redirect, so no CNA

You DON'T NEED WISPR for the captive portal/CNA to pop up in iOS.

from wifidog-gateway.

crowncn avatar crowncn commented on August 24, 2024

@wangyonghe May I ask how to make it pop up automatically?

from wifidog-gateway.

mhaas avatar mhaas commented on August 24, 2024

Is this still a problem or can the issue be closed?

from wifidog-gateway.

mhaas avatar mhaas commented on August 24, 2024

Duplicate of #14

from wifidog-gateway.

paolo279 avatar paolo279 commented on August 24, 2024

I have the same problem with all recent iOS versions. I have already tried adding "iptables -t filter -A WiFiDog_br-lan_AuthServers -d xxxx -j DROP" and adding this to the firewall conf settings:
FirewallRule allow tcp to apple.com
FirewallRule allow tcp to icloud.com

but nothing.

No one was able to solve the same problem?

from wifidog-gateway.

icersg avatar icersg commented on August 24, 2024

@paolo279, have you found a solution? I also have this issue recently (actually for the last few months). I tried both openwrt 14.07 and 15.05.1 with wifidog 1.2.1 and 1.3.0. It doesn't work for most of the iPhones (for example iPhone 6 with iOS 9.3). When an iPhone connects to our wifi, it doesn't pop up the login page. However the same wifi works perfectly for iPad, Macbook and Android.

Any suggestions?

from wifidog-gateway.
