Differences between revisions 10 and 11
Revision 10 as of 2020-02-04 15:55:56
Size: 2480
Editor: MartinMonperrus
Comment: add link to captive-browser
Revision 11 as of 2020-02-05 01:52:24
Size: 2477
Editor: PaulWise
Comment: general cleanup
Line 2: Line 2:
Line 3: Line 4:
Line 5: Line 7:
Typical applications are: hotel, airport, park free wifi. Typical applications are: hotel, airport, park free WiFi.
Line 11: Line 13:
WPA/RADIUS based authentication is much better but is often seen as more complicated for the end-user compared to captive portals, and require pre-arranged authentification. WPA/RADIUS based authentication is much better but is often seen as more complicated for the end-user compared to captive portals, and require pre-arranged authentication.
Line 15: Line 17:
Line 17: Line 20:
This is not implemented in Debian GNU/Linux (to my knowledge). So, just after connecting to the wireless network, you should not immediately use e-mail, SSH or other application software requiring a full Internet connection, but you should launch a web browser and access the captive portal login page. However that login page's URL is usually unknown. In general, it is sufficient to start your Web browser and enter any non HTTPS URL, which will be redirected to the HTTP or HTTPS captive portal login page. You can also enter any IP address, in general. This is not implemented in Debian (to my knowledge). So, just after connecting to the wireless network, you should not immediately use e-mail, SSH or other application software requiring a full Internet connection, but you should launch a web browser and access the captive portal login page. However that login page's URL is usually unknown. In general, it is sufficient to start your Web browser and enter any non HTTPS URL, which will be redirected to the HTTP or HTTPS captive portal login page. You can also enter any IP address, in general.
Line 19: Line 22:
In some cases, the browser window must be kept open (but will work minimized), so that the access token can be refreshed e.g. through background Javascript code. In some cases, the browser window must be kept open (but will work minimized), so that the access token can be refreshed e.g. through background JavaScript code.
Line 23: Line 26:
* [[https://github.com/FiloSottile/captive-browser/|captive-browser]] is a standalone solution for accessing captive portals  * [[https://github.com/FiloSottile/captive-browser/|captive-browser]] is a stand-alone solution for accessing captive portals
Line 31: Line 34:
 3. http://www.rfc-editor.org/rfc/rfc7710.txt  3. https://www.rfc-editor.org/rfc/rfc7710.txt

Captive portal

Definition

A captive portal is, for example, a public WiFi network name (ESS) which leads to an Internet connection that redirects all traffic to a specific login page until you log in to the system.

Typical applications are: hotel, airport, park free WiFi.

The disadvantages of captive portals are:

  • they break network transparency by redirecting DNS and HTTP
  • all users can usually see your unencrypted traffic and possibly redirect your login, too

WPA/RADIUS-based authentication is much better but is often seen as more complicated for the end-user compared to captive portals, and requires pre-arranged authentication. There is work in progress for standardizing the captive portal protocols[3][4].

How the captive portal's login is activated

Mobile phones (Android, iOS) will detect that the captive portal exists and automatically open a browser for the login.

This is not implemented in Debian (to my knowledge). So, just after connecting to the wireless network, you should not immediately use e-mail, SSH or other application software requiring a full Internet connection; instead, launch a web browser and access the captive portal login page. However, that login page's URL is usually unknown. In general, it is sufficient to start your web browser and enter any non-HTTPS URL, which will be redirected to the HTTP or HTTPS captive portal login page. In general, you can also enter any IP address.

In some cases, the browser window must be kept open (but will work minimized), so that the access token can be refreshed e.g. through background JavaScript code.
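The manual check described above (request a plain-HTTP URL and see whether the answer is a redirect to a login page) can be scripted. The following Python code is an added example, not part of the original wiki page: the probe URL and its expected body are assumptions supplied by the caller, and FakePortal is a constructed local stand-in for a gateway so the example runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def probe(url, expected_body, timeout=5):
    """Return ("online", None), ("portal", login_url_or_None) or ("unknown", error)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        # A portal cannot redirect HTTPS without causing a certificate error.
        raise ValueError("probe URL must be plain HTTP")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")  # redirects are not followed
        resp = conn.getresponse()
        body = resp.read(65536)
    except (OSError, http.client.HTTPException) as exc:
        return "unknown", str(exc)
    finally:
        conn.close()
    location = resp.getheader("Location")
    if resp.status in (301, 302, 303, 307, 308) and location:
        # The login URL comes from the untrusted network: inspect it before use.
        return "portal", urljoin(url, location)
    if resp.status == 200 and body.strip() == expected_body:
        return "online", None
    # Anything else (e.g. 511 from RFC 6585, or a rewritten page): treat as intercepted.
    return "portal", None

class FakePortal(BaseHTTPRequestHandler):
    """Constructed stand-in for a gateway that redirects every request."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://192.0.2.1/login")  # constructed address
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakePortal)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}/", b"online")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

When the result is "portal" with a URL, open that URL in the browser to log in; an http:// login URL means the credentials entered there travel unencrypted.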

Tools

Troubleshooting

Recent browsers such as Firefox support the HSTS[1] local cache and will prevent any HTTP access if the site is to be accessed by HTTPS. With these browsers a bug might happen: you type "google.com" in the web browser URL bar, and you get a security error. The work-around is to use any HTTP URL which is guaranteed to use neither HSTS nor DNSSEC, or an IP address (such as the one from the default route as seen in netstat -rn | grep default).

  1. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  2. https://lists.debian.org/debian-user/2017/04/msg00041.html

  3. https://www.rfc-editor.org/rfc/rfc7710.txt

  4. https://en.wikipedia.org/wiki/WISPr