As a partner of GovWare 2025, Cisco was tasked with providing a "click-through" captive portal (splash page). Cisco and GovWare provided a wireless network for attendees for the first time in the history of the conference, and because of this, the conference asked for help from Cisco to serve attendees with a terms of service agreement to join the conference Wi-Fi.
This proved to be a much more monumental effort than anticipated, as we provided Network Operations Centre services from the Security Operations Centre, without the ability to deploy hardware or software into the Marina Bay Sands (MBS) infrastructure. In the statement below, I can tell you why we do the things we do as engineers:
"We do these things not because they are easy, but because we thought they were going to be easy"
We initially thought that we could do the captive portal using the firewall, but because the number of potential attendees could drown the capacity of the firewall, we pivoted to using the Identity Services Engine (ISE). ISE requires integration with a Wireless LAN Controller (WLC) to serve a captive portal, but after working with the MBS team to do this, they ran into their own problems around this… aka, handcuffs called compliance. They were unable to accommodate us because of their need to be compliant with certain standards… even though they did want to make it happen.
We understood their predicament and started looking into alternatives. As I was searching the web for different open-source captive portal tools, I found one that mentioned there is a broadcast that can be done to tell computers on the network that there is a captive portal that needs to be accessed. This led me to the revelation of DHCP option 114. In a nutshell, this option allows us to advertise the captive portal in the DHCP lease we hand out. You can read more about it.


With this newfound knowledge, I decided to code up a v1 captive portal that met the RFC 8910 and RFC 8908 requirements for the request type, API endpoints, and responses.
Creating the Captive Portal Page
Initially, I used ngrok to allow us to serve the captive portal via HTTPS, which is a common OS requirement to connect.
One of the first endpoints needed to make a captive portal work was this one: www.example.com/.well-known/captive-portal
This endpoint needed to respond with JSON explaining that a captive portal was required and presenting the captive portal URL. Here's an example response from my server:
{"captive":true,"user-portal-url":"http://www.example.com/portal"}
Ideally, the "captive:true" will change to false if the user has accepted the terms. This is an issue for later, and I'll talk about it after we solve some other problems that came up before it.
As soon as the user received the JSON response, they were then directed to that captive portal page. For GovWare 2025, the captive portal page looked like this:


Configuring the DHCP Server
Once I set up this captive portal, I took to my DHCP server and set option 114 to point to www.example.com/.well-known/captive-portal.
I tested my iPhone first, and it worked flawlessly. What didn't work flawlessly was Mac, Linux, Android, Samsung, and Linux.
If you look at RFC Section 2 Paragraph 2, there is wording there that says clients "SHOULD" request option 114 if they support it. In the DHCP world, a client broadcasts that it is looking for a server and what it wants from that server. If the client doesn't request an option, then the server most likely won't send that option.
Troubleshooting OS-Specific Issues
Most of the OSs requested option 114 but didn't honor going to the captive portal. This is because they did additional tests to see if going to the portal was required to allow internet access. If it isn't, then they skip the portal. Some of the OSs had their own requirements that needed to be added to the captive portal API for them to work. Windows didn't ask for the option at all even though it supports captive portals.
Forcing Windows to Get Captive Portal
The first thing I needed to figure out was how to force Windows to get the captive portal option in the DHCP lease. After some searching, I found that most DHCP servers offer an option to "force-send" or "always-send" a DHCP option. We used the Kea DHCP server, and it uses the "always-send" setting to forcefully send the option to clients.
This resolved the Windows problem (and fixed it for certain distributions of Linux too).
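The request-or-force decision described above can be seen at the wire level. This is an added example, not code from the author's project: it parses a client's DHCPv4 options, checks the Parameter Request List (option 55) for code 114, and emits the option 114 TLV only when requested or when a hypothetical `always_send` flag (modelling the Kea setting named above) is on. The option blobs and URL are constructed sample values.

```python
OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST_LIST = 55   # option codes the client asks the server for
OPT_CAPTIVE_PORTAL = 114      # RFC 8910 Captive-Portal URI

# Constructed option blobs (bytes after the DHCP magic cookie), both DISCOVERs.
ASKS_FOR_114 = bytes([53, 1, 1, 55, 5, 1, 3, 6, 15, 114, 255])
DOES_NOT_ASK = bytes([53, 1, 1, 55, 4, 1, 3, 6, 15, 255])
API_URL = "https://www.example.com/.well-known/captive-portal"


def parse_options(blob):
    """Parse DHCPv4 options into {code: value}; reject truncated input."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # split options are joined
        i += 2 + length
    return opts


def encode_captive_portal(url):
    """Build the option 114 TLV: code, length, URI bytes."""
    data = url.encode("ascii")
    if not 0 < len(data) <= 255:
        raise ValueError("URI must be 1..255 bytes to fit one option")
    return bytes([OPT_CAPTIVE_PORTAL, len(data)]) + data


def reply_options(request_blob, url, always_send=False):
    """Return the option 114 bytes the server would add to its reply."""
    requested = parse_options(request_blob).get(OPT_PARAM_REQUEST_LIST, b"")
    if always_send or OPT_CAPTIVE_PORTAL in requested:
        return encode_captive_portal(url)
    return b""   # client did not ask and the option is not forced


if __name__ == "__main__":
    for name, blob in (("asks", ASKS_FOR_114), ("silent", DOES_NOT_ASK)):
        print(name, reply_options(blob, API_URL),
              reply_options(blob, API_URL, always_send=True))
```

Running the same check over captured DISCOVER/REQUEST options from each device type shows which clients depend on the forced send.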
Preventing Bypass of the Captive Portal
We know that Android, Samsung, and Linux perform checks to see if they can bypass the portals. To fix this, we needed to configure DNS sinkholing on the firewall to send several domains into the ether. Once we did that and those checks were failing, we started to see all three OSs bring up the captive portal.
Accommodating Different Versions of MacOS
This left Mac OS, which displayed different behavior between versions. The captive portal worked fine on the newest version (Mac OS 26) but not on older versions. These older versions expected this webpage to be available for the captive portal: '/hotspot-detect.html'
After adding that and having it send a SUCCESS in the HTML, older versions of Mac started accessing the captive portal as well.
Ensuring the Captive Portal Was Hit Just Once
After getting all the different OSs to connect successfully, I then needed to prevent them from hitting the captive portal repeatedly. The captive portal was hosted in AWS, which means that we didn't have their MAC addresses to check whether they had hit the portal before or not.
I solved this issue by using FingerprintJS, a JavaScript library that can fingerprint a browser and which ensures that each fingerprint will be unique. Using this library, I added a fingerprint of each user that hit the captive portal to a local database. I would change the "captive:true" to "captive:false" if I had seen them before. This solved the issue of repeatedly going to the captive portal on subsequent DHCP leases or when reconnecting to the network.
Here is how I stored the fingerprints in my local database for later cross-referencing:
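A sketch of the endpoint behaviour described in this post, as an added example that is not the code from the author's repository: the RFC 8908 API answer flips from captive to not captive once a fingerprint has been recorded, and `/hotspot-detect.html` returns SUCCESS. How a request is tied to a stored fingerprint is an assumption here (a hypothetical `fingerprint` argument), as are the table name, the HTML markup and the HTTPS portal URL.

```python
import hashlib
import json
import sqlite3

PORTAL_URL = "https://www.example.com/portal"   # assumed value for this example


def open_store(path=":memory:"):
    """Open the local database of fingerprints that accepted the terms."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS accepted (fp_hash TEXT PRIMARY KEY)")
    return db


def _digest(fingerprint):
    # Keep only a hash so the database never holds raw browser fingerprints.
    return hashlib.sha256(fingerprint.encode("utf-8")).hexdigest()


def record_acceptance(db, fingerprint):
    """Called when a user clicks through the terms on the portal page."""
    db.execute("INSERT OR IGNORE INTO accepted VALUES (?)", (_digest(fingerprint),))
    db.commit()


def has_accepted(db, fingerprint):
    if not fingerprint:            # no identifier means treat as unseen
        return False
    row = db.execute("SELECT 1 FROM accepted WHERE fp_hash = ?",
                     (_digest(fingerprint),)).fetchone()
    return row is not None


def handle(db, path, fingerprint=None):
    """Return (status, content_type, body) for the portal's endpoints."""
    if path == "/.well-known/captive-portal":
        # The fingerprint is client-supplied: a convenience marker, not proof
        # of identity, so it only decides whether the splash page is shown.
        body = {"captive": not has_accepted(db, fingerprint),
                "user-portal-url": PORTAL_URL}
        return 200, "application/captive+json", json.dumps(body)
    if path == "/hotspot-detect.html":
        return 200, "text/html", "<HTML><BODY>SUCCESS</BODY></HTML>"
    return 404, "text/plain", "not found"


if __name__ == "__main__":
    store = open_store()
    print(handle(store, "/.well-known/captive-portal", "fp-constructed-1"))
    record_acceptance(store, "fp-constructed-1")
    print(handle(store, "/.well-known/captive-portal", "fp-constructed-1"))
```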


Ultimately, we successfully deployed the captive portal for GovWare, with almost 1700 attendees hitting the captive portal to access the conference Wi-Fi. As a first-time endeavor, GovWare was thrilled to have the captive portal and security operations center support from Cisco.
You can see the source code for this project on my GitHub. In the README, you can get more information on what domains need to be sinkholed and any endpoints that need to be created to get all the OSs to work properly.
Check out the other blogs by my colleagues in the GovWare SOC.
About GovWare
GovWare Conference and Exhibition is the region's premier cyber information and connectivity platform, offering multi-channel touchpoints to drive community intel sharing, training, and strategic collaborations.
A trusted nexus for over three decades, GovWare unites policymakers, tech innovators, and end-users across Asia and beyond, driving pertinent dialogues on the latest trends and critical information flow. It empowers growth and innovation through collective insights and partnerships.
Its success lies in the trust and support from the cybersecurity and broader cyber community that it has had the privilege to serve over the years, as well as organisational partners who share the same values and mission to enrich the cyber ecosystem.