Captive portal redirection issues at 5.9.2

  • Question
  • Updated 3 months ago
  • Answered
Hi all,

Recently upgraded some sites to 5.9.2. Clients started complaining they are unable to log in to the captive portal.

Captive portals being used are hosted on the APs. Some are using customized, some are running external pages.

Looks like it's a problem only with certain devices, mostly newer Androids. Clients are getting either timeouts or SSL protocol errors during redirection.

I'm seeing clients' captive portal assistants trying to open http://1.1.1.1:880, which now gets redirected to https://1.1.1.1:880 by Cloudflare, and that explains the SSL error and also the timeouts, because there's nothing at that location.

Anyhow, did not see anything in the release notes but did notice article https://extremeportal.force.com/ExtrArticleDetail?n=000034307

I've set a virtual hostname for all captive portals which solves the issue, but do we need to change some setting for the new 1.1.1.2 redirection IP address to take effect? Recreate the captive portal?

Thanks.

Best regards.

Vedran Jurak


Posted 3 months ago


Ondrej Lepa, Employee

Hello Vedran,

As you upgrade to 5.9.2 it should automatically re-assign the IP to 1.1.1.2 instead of .1.
However, I did not notice that this behaves differently when no virtual hostname is used.

Could you give me some more details so I can edit the article?

Regards,
Ondrej

Vedran Jurak

Hi Ondrej,

I've created a new, test CP on 5.9.2, tried several clients so far, three Androids running versions 6, 7 and 8 and one Win 10 PC.

All of them were redirected to 1.1.1.1, so the new redirect IP is definitely not working.

Logs:

client:mu_mac: 04-D6-AA-XX-XX-XX redirect url: http://1.1.1.1:880/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q
client:mu_mac: B4-52-7E-XX-XX-XX redirect url: http://1.1.1.1:880/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q
client:mu_mac: 40-B8-37-XX-XX-XX redirect url: http://1.1.1.1:880/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q
client:mu_mac: D8-FC-93-XX-XX-XX redirect url: http://1.1.1.1:880/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q

None of the Androids were able to authorize, all show SSL error and / or timeout. Win 10 PC opened the CP page without issues.

Regarding the article, I suggest adding a workaround to use a virtual hostname or a proper hostname, depending on the scenario.

Also from the article, small typo, https://1.1.1.2:880/cgi-bin/hslogin.cgi should actually be http because it's port 880.

I've tried using a secure CP, redirect IP is the same:

client:mu_mac: 04-D6-AA-XX-XX-XX redirect url: https://1.1.1.1:444/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q

When I accepted the SSL certificate, the CP page opened and I was able to authorize all Androids.

In any case please check with the engineers regarding 1.1.1.1 still being used.

Best regards.
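
One way to check CP debug output like the log excerpts above for clients that are still being sent to 1.1.1.1, as an added example that is not part of the original posts or of any vendor tooling. The sample lines are constructed in the quoted log format, and the function name and finding labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the CP debug format quoted in the thread.
# MAC addresses and the captive.test query string are made up for illustration.
SAMPLE_LOG = """\
client:mu_mac: 00-11-22-33-44-01 redirect url: http://1.1.1.1:880/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q
client:mu_mac: 00-11-22-33-44-02 redirect url: https://1.1.1.1:444/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q
client:mu_mac: 00-11-22-33-44-03 redirect url: http://captive.test:880/CP-DS/agreement.html?hs_server=captive.test&Qv=it_q
client:mu_mac: 00-11-22-33-44-04 redirect url: http://1.1.1.2:880/CP-DS/agreement.html?hs_server=1.1.1.1&Qv=it_q
"""

LINE_RE = re.compile(r"client:mu_mac:\s*(?P<mac>\S+)\s+redirect url:\s*(?P<url>\S+)")
LEGACY_IP = "1.1.1.1"    # old redirect address; the thread reports it is now answered by Cloudflare
PLAIN_HTTP_PORT = 880    # per the thread: 880 is plain HTTP, 444 is the secure CP port


def audit_redirects(log_text, legacy_ip=LEGACY_IP):
    """Return {mac: [findings]} for each client whose redirect URL looks wrong."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a redirect line
        url = urlsplit(m["url"])
        hs_server = parse_qs(url.query).get("hs_server", [""])[0]
        findings = []
        if url.hostname == legacy_ip:
            findings.append("redirect host is legacy IP")
        if hs_server == legacy_ip:
            findings.append("hs_server is legacy IP")
        if url.scheme == "https" and url.port == PLAIN_HTTP_PORT:
            findings.append("https scheme on plain-HTTP port")
        if findings:
            report.setdefault(m["mac"], []).extend(findings)
    return report


if __name__ == "__main__":
    for mac, findings in audit_redirects(SAMPLE_LOG).items():
        print(mac, "->", "; ".join(findings))
```

The `hs_server` check is separate from the host check because a redirect can point at a hostname while the query string still carries the old address.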

Ondrej Lepa, Employee

Vedran,

When you just change the config, adding server host captive.test instead of keeping this on default values, does it work (redirect to 1.1.1.2)?

Regards,
Ondrej

Vedran Jurak

There is a cpstats ip 1.1.1.2, but in the CP debug I don't see redirect 1.1.1.2, just captive.test, so I did some packet capture:

Internet Protocol Version 4, Src: 192.168.150.101, Dst: 1.1.1.1
Transmission Control Protocol, Src Port: 49228, Dst Port: 880, Seq: 1, Ack: 1, Len: 626
Hypertext Transfer Protocol
[Full request URI: http://captive.test:880/CP-DS/agreement.html?

Andrew Blomley, Employee

Please add a non-resolvable RFQN to resolve the problem.