TLDR;

  • Force a captive portal to appear by going to any HTTP (not HTTPS) website, like http://canireachthe.net
  • OSes use HTTP probes to check Internet connectivity (this could break from time to time)
  • Consider using DHCP Option 114 for better Captive Portal redirection, read more at #Advanced Captive Portal Detection

Captive Portal Detection

Different operating systems and some applications have similar but distinct methods to detect whether a network is using a Splash Page or Captive Portal. In general, upon connection to a network, different tests / checks will be performed to see if a captive portal is present.

  • Overall after connecting to a new network the OS will use an HTTP GET request and look for a specific known response. If the response is different than expected, it is assumed a Captive Portal is present.

  • Quick note on terms, I use ‘Captive Portal’ and ‘Splash Page’ interchangeably.

Forcing the opening of a Captive Portal

From time to time, for many different reasons, Captive Portals may not automatically come up / be detected by the operating system. It is the responsibility of the OS to detect a captive portal; if a portal does not automatically appear, this is typically an issue with the OS, not the network / splash page host. All that needs to be done to force the captive portal to come up is to go to any HTTP (not HTTPS) website.

  • Note: HTTP redirects only work for HTTP traffic (not HTTPS). This can be a common reason why a splash page is not presented. Always be sure to go to an HTTP (non-secure) website for redirection to properly occur.

Go to http://canireachthe.net

Operating Systems

Each OS has slightly different Internet Connectivity Tests / Captive Portal Detection.

macOS and iOS

  • Upon connection to an SSID, the OS will make an HTTP connection to http://captive.apple.com/hotspot-detect.html
    • Any response other than an HTTP 200 OK WITH the Success message in the body will bring up the Captive Portal box in macOS.
    • Use captive Wi-Fi networks on your iPhone or iPad
    • Apple says captive.apple.com over TCP 443 and 80 is used by: iOS, iPadOS, macOS, tvOS, watchOS, and visionOS for “Internet connectivity validation for networks that use captive portals”

Windows

  • Windows uses a process called Network Connection Status Indicator (NCSI) to determine if there is Internet connectivity, and if there is a captive portal.
  • On Windows 10 or later, the OS will make an HTTP connection to http://www.msftconnecttest.com/connecttest.txt
    • Any response other than an HTTP 200 OK WITH the Microsoft Connect Test message in the body will bring up the Captive Portal box in Windows.
    • For Windows 8 or earlier, the URL used was http://www.msftncsi.com/ncsi.txt and the expected text was Microsoft NCSI

Android

Firefox

Walled Gardens

A Walled Garden config allows clients to access certain resources (subnets / URLs) BEFORE going through the Captive Portal.

In some cases you want users to access some websites or resources before they have authenticated to the Captive Portal. This includes DNS, DHCP, Posture Servers (ISE), and whatever will actually host the Captive Portal itself. Importantly, do NOT allow any of the above Internet connectivity tests as a part of your Walled Garden configs. This will cause the captive portal detection to not work on devices.
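The probe rules from the Operating Systems section and the walled garden caveat above, as an added example (not from the original page). It classifies a probe response the way the OS would and flags allow-list entries that would let a probe through; the `*.domain` wildcard syntax, the substring body match, and all sample responses and hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Probe URLs and expected body text, as listed on this page.
PROBES = {
    "apple": ("http://captive.apple.com/hotspot-detect.html", "Success"),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt",
                "Microsoft Connect Test"),
    "windows-legacy": ("http://www.msftncsi.com/ncsi.txt", "Microsoft NCSI"),
}


def classify(os_name, status, body):
    """Mirror the OS decision: 'open' only for HTTP 200 with the expected text."""
    expected = PROBES[os_name][1]
    if status == 200 and expected in body:
        return "open"
    return "captive"  # redirect, portal page served with 200, or any other status


def walled_garden_conflicts(allowed_hosts):
    """Return allow-list entries that would let a connectivity probe through."""
    probe_hosts = {urlsplit(url).hostname for url, _ in PROBES.values()}
    conflicts = []
    for entry in allowed_hosts:
        pattern = entry.strip().lower()
        if pattern.startswith("*."):  # assumed wildcard syntax: *.example.com
            hit = any(h.endswith(pattern[1:]) for h in probe_hosts)
        else:
            hit = pattern in probe_hosts
        if hit:
            conflicts.append(entry)
    return conflicts


if __name__ == "__main__":
    # Constructed responses: (os, status, body)
    samples = [
        ("apple", 200, "<HTML><BODY>Success</BODY></HTML>"),
        ("apple", 302, ""),
        ("windows", 200, "<html>Please sign in to guest Wi-Fi</html>"),
        ("windows", 200, "Microsoft Connect Test"),
    ]
    for os_name, status, body in samples:
        print(os_name, status, "->", classify(os_name, status, body))
    # Constructed walled-garden allow-list
    garden = ["portal.example.net", "*.apple.com", "www.msftconnecttest.com"]
    print("remove from walled garden:", walled_garden_conflicts(garden))
```

Any entry the second function returns would make the probe succeed before sign-in, so the device would treat the network as open and never raise the portal.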

Advanced Captive Portal Detection

packet-beta
  title DHCP Option 114
  0-7: "DHCP Code"
  8-15: "URI Length"
  16-31: "URI (variable length)"
  
  • IPv6 DHCP Option 103
  • RA (IPv6 Router Advertisement) Type 37

Common Types of Splash Pages

  • Click Through (Starbucks)
  • Sign-In
  • Sponsor Guest