Captive Portal Device Selective Deauthentication Behaviour

A Captive Portal “splash page” is a commonly used wireless feature for guest networks, especially in the “bring your own device” (BYOD) age. When a user connects with any device, their network traffic is held captive with a Network Access Control (NAC) address and all web traffic (HTTP) is redirected to a splash page. From there, the user is prompted to log in with their credentials, which will give them the appropriate level of network access. As part of the Layer 7 Device/OS Fingerprinting feature, vWLAN introduced a Selective Deauthentication mechanism to address devices that have trouble recognizing and working within a Captive Portal. This document explains this behavior.

Sections Included in this Document


BYOD Issues

Expected Captive Portal Operation

Device Issues with DHCP Operation

Selective Deauthentication

  • Operating Systems Selective Deauthentication Applies to

Useful Links



BYOD Issues


The BYOD age has highlighted inconsistencies in how devices treat captive portals when they connect. Mobile phones vary widely in how they detect and react to a captive portal because they have a fallback to a cellular data network. One common issue is the failure to pull a DHCP address correctly after authenticating to a captive portal.

Expected Captive Portal Operation


When a device associates to an SSID with a captive portal configured, it will receive a temporary NAC IP address (by default in vWLAN this is 10.253.X.X/16). The client will then transmit HTTP traffic which is intercepted by the associated AP and is then proxied to vWLAN for receipt of the splash page for proper authentication.

Once successful authentication takes place, the connecting device will be placed onto a local VLAN. The device will then recognize it has been authenticated and should release its current IP address from the NAC range and then request a new one via a new DHCP discover. The DHCP server on that network will then respond with an OFFER and once the device obtains the proper IP address, it can then transmit traffic on the VLAN.

Device Issues with DHCP Operation


While almost every computer performs this correctly, there are many mobile devices that do not detect the captive portal authentication properly. When this happens, the device will receive the new role and be placed onto a local VLAN, but never release its NAC IP address. Though the device has the proper network and role in vWLAN, without a proper IP address it will be stranded until the device releases its IP address and discovers a new one.

Most devices will eventually do this if they sit on the network long enough (in the case of many Apple devices, it's 30+ seconds, for example), but in many cases the device will not detect network activity and will immediately attempt to connect to another wireless network or cellular connection if one is available.
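The stranded state described above can be spotted from a client table: an authenticated role combined with an address still inside the NAC range. The following is an added example, not ADTRAN code; the record format, role names and the 30-second grace period (taken from the Apple figure above) are assumptions, and only the 10.253.0.0/16 range comes from this document.

```python
import ipaddress
from dataclasses import dataclass

# Default vWLAN NAC range stated in this document (10.253.X.X/16).
NAC_NET = ipaddress.ip_network("10.253.0.0/16")

@dataclass
class Client:
    mac: str
    role: str          # role currently assigned (labels are hypothetical)
    ip: str            # address the client is currently using
    auth_time: float   # seconds, when portal authentication succeeded
    last_seen: float   # seconds, time of this observation

def parse(line):
    """Parse one constructed 'key=value' record into a Client."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return Client(f["mac"], f["role"], f["ip"], float(f["auth"]), float(f["seen"]))

def stranded(clients, grace=30.0, unauth_role="unregistered"):
    """Return MACs that hold an authenticated role but still use a NAC
    address more than `grace` seconds after authenticating."""
    out = []
    for c in clients:
        if c.role == unauth_role:
            continue  # still in the portal; a NAC address is expected
        in_nac = ipaddress.ip_address(c.ip) in NAC_NET
        if in_nac and c.last_seen - c.auth_time > grace:
            out.append(c.mac)
    return out

# Constructed sample records (not real vWLAN output).
SAMPLE = """\
mac=00:11:22:33:44:01 role=unregistered ip=10.253.0.17 auth=0 seen=120
mac=00:11:22:33:44:02 role=guest ip=192.168.50.23 auth=100 seen=160
mac=00:11:22:33:44:03 role=guest ip=10.253.4.9 auth=100 seen=110
mac=00:11:22:33:44:04 role=guest ip=10.253.7.200 auth=100 seen=175
""".splitlines()

if __name__ == "__main__":
    for mac in stranded(parse(l) for l in SAMPLE):
        print("stranded after portal login:", mac)
```

Clients flagged this way are candidates for the deauthentication behaviour described in the next section; a client still inside the grace period (the third record) is not reported.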

Selective Deauthentication


To assist with the proper transition of devices from the NAC location to the proper one associated with their authenticated role, ADTRAN BlueSocket has developed a Selective Deauthentication feature. It is applied based on a list of operating systems known to exhibit this problem.

Using this ability, once a device authenticates through a captive portal, vWLAN will alert the associated AP to deauthenticate the client. When this happens, the client device will detect it has lost connection to the AP and attempt to reconnect. At this point, the AP will have the correct role and network for the device from vWLAN ready. When the device reconnects, it will be placed into that role immediately and receive a correct IP address when it attempts to discover one.

  • Operating Systems Selective Deauthentication applies to


The following is the current list of Operating Systems this applies to as of vWLAN version 2.6.0-24. This list may grow with each release:

  • Android (Android version 4.2)
    • Android 2.x
    • Android 2.x.x
    • Android 3.x
    • Android 3.x.x
    • Android 4.0.x
    • Android 4.1.x
  • Custom Android Distributions
    • CyanogenMod 6.1 (Android 2.2.1)
    • CyanogenMod 7 (Android 2.3.x)
    • CyanogenMod 7.0.3 (Android 2.3.3)
    • CyanogenMod 7.0.3-N1 (Android 2.3.3)
    • CyanogenMod 9.0.x (Android 4.0.3)
    • Kindle System Version 7.2.3 (Android 4.0.3)
    • Kindle System Version 10.2.4 (Android 4.0.3 (or 4.0.4 ?))
  • iOS (iOS 3.2.1 and 6.1)
    • Apple iOS 2.x.x
    • Apple iOS 3.x.x
    • Apple iOS 4.x.x
    • Apple iOS 5.x.x
    • Apple iOS 6.0
    • Apple iOS 6.1.x
  • Mac OS (Fixed version is Mac OS X 10.6)
  • Based on Device Type
    • Nexus 5
    • Nexus 7


Useful Links

  • For more information on Layer 7 Device/OS Fingerprinting, please see
  • For information on device-specific behavior when using Layer 7 Device/OS Fingerprinting, please see
  • For general information about vWLAN, please see the


Version history
Last update: 06-11-2015 04:09 PM
Updated by: Anonymous