Introduction We are a national Wi-Fi provider in Luxembourg and we provide public Wi-Fi hostpots all around the country (~20K users / day). Few weeks ago, we tried to activate Capport RFC on our Wi-Fi infrastructure and we faced some issues with iOS users. These one complained about seeing the captive portal to much times. After analysing our logs, it seems that the devices launches the captive portal pop-up for no reasons (see logs below)
Logs analysis # The device requests capport API that was provided by DHCP attribute Jun 30 12:31:35 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:35 +0200] "GET https://portal.hotcity.lu/wifi/api/capport/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/2.0" 200 102 "-" "CaptiveNetworkSupport-428.120.3" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/captive+json" "0.029" "0.029" # As the result of the API gives "captive=true", the device decides to open the captive portal pop-up Jun 30 12:31:35 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:35 +0200] "GET https://portal.hotcity.lu/wifi/api/portals/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/2.0" 200 1094 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.022" "0.022" Jun 30 12:31:49 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:49 +0200] "GET https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/1.0" 200 1996 "-" "CaptiveNetworkSupport-428.120.3 wispr" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "text/html" "0.002" "0.001" # The user activates his Wi-Fi session on the captive portal Jun 30 12:31:54 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:54 +0200] "POST https://portal.hotcity.lu/auth/api/configurations/wifi/tokens HTTP/2.0" 201 989 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.039" "0.038" Jun 30 12:31:54 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:54 +0200] "POST https://portal.hotcity.lu/wifi/api/portals/a10d07a5-9258-4fb9-8b4f-3276deab4970/users/xxxxxxx...@citywifi.lu/connections HTTP/2.0" 201 109 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.050" "0.050" # The user is redirected on captive portal success page Jun 30 12:31:54 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:54 +0200] "GET https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970/citywifi HTTP/2.0" 200 674 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "text/html" "0.001" "0.002" Jun 30 12:31:54 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:54 +0200] "GET https://portal.hotcity.lu/wifi/api/portals/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/2.0" 200 1094 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970/citywifi"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.025" "0.025" Jun 30 12:31:54 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:54 +0200] "GET https://portal.hotcity.lu/wifi/api/realms/citywifi/users/xxxxxxx...@citywifi.lu HTTP/2.0" 200 167 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970/citywifi"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.029" "0.030" # The user requested captive portal landing page Jun 30 12:31:56 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:56 +0200] "GET https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/2.0" 200 698 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "text/html" "0.003" "0.003" # The device requested 2 times the captive portal landing page too # Notes : # * The user has just activated his wi-fi session (his state passes from captive=true to captive=false) # * The device decided to open again the captive portal pop-up without checking for the captivity current state Jun 30 12:31:56 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:56 +0200] "GET https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/1.0" 200 1996 "-" "CaptiveNetworkSupport-428.120.3 wispr" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "text/html" "0.011" "0.010" Jun 30 12:31:57 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:57 +0200] "GET https://portal.hotcity.lu/wifi/api/portals/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/2.0" 200 1094 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.031" "0.032" Jun 30 12:31:57 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:31:57 +0200] "GET https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970 HTTP/1.0" 200 1996 "-" "CaptiveNetworkSupport-428.120.3 wispr" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "text/html" "0.002" "0.001" # The user tried again to activate his Wi-Fi session on the captive portal Jun 30 12:32:14 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:32:14 +0200] "POST https://portal.hotcity.lu/auth/api/configurations/wifi/tokens HTTP/2.0" 201 989 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.026" "0.027" # Session activation failed on captive portal due to "Simultaneous-Use" RADIUS settings Jun 30 12:32:14 2a0b:c700:xxx nginx: 100.81.162.155 - - [30/Jun/2022:12:32:14 +0200] "POST https://portal.hotcity.lu/wifi/api/portals/a10d07a5-9258-4fb9-8b4f-3276deab4970/users/xxxxxxx...@citywifi.lu/connections HTTP/2.0" 400 125 "https://portal.hotcity.lu/a10d07a5-9258-4fb9-8b4f-3276deab4970"; "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384" "portal.hotcity.lu" "application/json" "0.113" "0.113" Conclusion According our logs, it seems that, in some situations, the device does not check for the captivity state before opening the captive portal pop-up. We have no trace in our logs about device asking what is the status of Capport before reloading the popup on the device. Are there any things to do for avoiding such a situation ? Unfortunatly we decided to stop support of capport on our national network until we are able to fix a workaround about this. Kind regards, Xavier -- Xavier Beaudouin | System & Network Engineer 11, Avenue Guillaume <https://maps.google.com/?q=11,+Avenue+Guillaume&entry=gmail&source=g> | L-1651 Luxembourg Phone: (+352) 2663 2661 <>| Fax: (+352) 2663 2665 <> Facebook <https://www.facebook.com/hotcity.lu> | Twitter <https://twitter.com/hotcity_wifi>
_______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals
