A Captive Portal "splash page" is a commonly used wireless feature for guest networks, especially in the "bring your own device" (BYOD) age. When a user connects with any device, the device is given a temporary Network Access Control (NAC) address that holds its traffic captive, and all web traffic (HTTP) is redirected to a splash page. From there, the user is prompted to log in with credentials that grant the appropriate level of network access. As part of the Layer 7 Device/OS Fingerprinting feature, vWLAN introduced a Selective Deauthentication mechanism to address devices that have trouble recognizing and working within a Captive Portal. This document explains this behavior.
The BYOD age has highlighted inconsistencies in how devices treat captive portals when they connect. Mobile phones vary widely in how they detect and react to a captive portal, in part because they can fall back to a cellular data network. One common issue is the failure to pull a DHCP address correctly after authenticating to a captive portal.
Expected Captive Portal Operation
When a device associates to an SSID with a captive portal configured, it receives a temporary NAC IP address (by default in vWLAN this is 10.253.X.X/16). The client then transmits HTTP traffic, which is intercepted by the associated AP and proxied to vWLAN, which serves the splash page for authentication.
Once successful authentication takes place, the connecting device is placed onto a local VLAN. The device should then recognize that it has been authenticated, release its current IP address from the NAC range, and request a new one with a new DHCP DISCOVER. The DHCP server on that network responds with an OFFER, and once the device obtains the proper IP address it can transmit traffic on the VLAN.
Device issues with DHCP operation
While nearly every computer performs this correctly, many mobile devices do not detect the captive portal authentication properly. When this happens, the device receives the new role and is placed onto a local VLAN, but never releases its NAC IP address. Though the device has the proper network and role in vWLAN, without a proper IP address it is stranded until it releases its NAC address and discovers a new one.
Most devices will eventually do this if they sit on the network long enough (in the case of many Apple devices, for example, it is 30+ seconds), but in many cases the device will not detect network activity and will immediately attempt to connect to another wireless network or a cellular connection if one is available.
To assist with the proper transition of devices from the NAC range to the network associated with their authenticated role, ADTRAN BlueSocket has developed a Selective Deauthentication feature. It is applied based on a list of known offending operating systems.
Using this ability, once a device authenticates through a captive portal, vWLAN alerts the associated AP to deauthenticate the client. The client device then detects that it has lost its connection to the AP and attempts to reconnect. At this point, the AP already has the correct role and network for the device from vWLAN. When the device reconnects, it is placed into that role immediately and receives a correct IP address when it attempts to discover one.
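As an added illustration (not vWLAN's own code), the following Python models the sequence described above: association onto the NAC pool, captive-portal login assigning a role and VLAN, and the DHCP renewal that a well-behaved device performs, that a listed device is forced into by Selective Deauthentication, and that an unlisted device which ignores the portal never performs, leaving it stranded on a NAC address. The NAC range 10.253.0.0/16 is the vWLAN default named above; the VLAN pool, client fields and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# vWLAN default NAC pool from the text; everything else here is constructed for illustration.
NAC_POOL = ipaddress.ip_network("10.253.0.0/16")
VLAN_POOLS = {"guest-vlan": ipaddress.ip_network("192.168.50.0/24")}  # constructed local VLAN

# Operating systems the page lists for Selective Deauthentication (vWLAN 2.6.0-24).
SELECTIVE_DEAUTH_OS = {
    "Android 4.2", "CyanogenMod 6.1", "CyanogenMod 7", "CyanogenMod 7.0.3",
    "CyanogenMod 7.0.3-N1", "CyanogenMod 9.0.x",
    "Kindle System Version 7.2.3", "Kindle System Version 10.2.4",
}

@dataclass
class Client:
    os_fingerprint: str          # Layer 7 Device/OS Fingerprinting result
    detects_portal_auth: bool    # does this device release/renew DHCP after the splash login?
    role: str = "unregistered"
    ip: str = ""
    events: list = field(default_factory=list)

def dhcp_discover(client, pool):
    """Model a DHCP DISCOVER/OFFER on the given pool (hands out the first host address)."""
    client.ip = str(next(pool.hosts()))
    client.events.append(f"DISCOVER on {pool} -> {client.ip}")

def associate(client):
    """Association to the captive-portal SSID: temporary NAC address, unregistered role."""
    client.role = "unregistered"
    dhcp_discover(client, NAC_POOL)

def captive_portal_login(client, role, vlan, selective_deauth=True):
    """Successful splash-page login: vWLAN assigns role/VLAN, then the device must renew DHCP."""
    client.role, vlan_pool = role, VLAN_POOLS[vlan]
    if client.detects_portal_auth:
        dhcp_discover(client, vlan_pool)      # well-behaved device: release NAC, re-DISCOVER
    elif selective_deauth and client.os_fingerprint in SELECTIVE_DEAUTH_OS:
        client.events.append("AP deauthenticates client; client reconnects into new role")
        dhcp_discover(client, vlan_pool)      # reconnect lands in the new role, fresh DISCOVER
    # otherwise the device keeps its NAC address even though its role and VLAN changed

def is_stranded(client) -> bool:
    """Authenticated role but still on a NAC address: the failure mode the feature addresses."""
    return client.role != "unregistered" and ipaddress.ip_address(client.ip) in NAC_POOL

def run(os_fingerprint, detects_portal_auth, selective_deauth=True) -> Client:
    c = Client(os_fingerprint, detects_portal_auth)
    associate(c)
    captive_portal_login(c, "guest", "guest-vlan", selective_deauth)
    return c
```

Calling `run("CyanogenMod 7", False)` with and without `selective_deauth` shows the same device ending on the VLAN pool in one case and stranded on 10.253.0.1 in the other.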
Operating Systems Selective Deauthentication applies to
The following is the current list of Operating Systems this applies to as of vWLAN version 2.6.0-24. This list may grow with each release:
Android (Android version 4.2)
Custom Android Distributions
CyanogenMod 6.1 (Android 2.2.1)
CyanogenMod 7 (Android 2.3.x)
CyanogenMod 7.0.3 (Android 2.3.3)
CyanogenMod 7.0.3-N1 (Android 2.3.3)
CyanogenMod 9.0.x (Android 4.0.3)
Kindle System Version 7.2.3 (Android 4.0.3)
Kindle System Version 10.2.4 (Android 4.0.3, or possibly 4.0.4)