starred/uspot
1
0
Fork 0
mirror of https://github.com/f00b4r0/uspot.git synced 2026-04-26 06:35:54 +03:00
Code Issues 6 Projects Releases Packages Wiki Activity

[GH-ISSUE #13] MAC authentication still performing captive portal popup #9

New issue
Closed
opened 2026-03-04 14:52:19 +03:00 by kerem · 3 comments
kerem commented 2026-03-04 14:52:19 +03:00
Owner
Copy link

Originally created by @PWJW on GitHub (Apr 23, 2024).
Original GitHub issue: https://github.com/f00b4r0/uspot/issues/13

We are testing the MAC authentication option within uspot and although it's working and the user is successfully authenticated from our RADIUS server, they still receive the captive portal popup window (which then briefly disappears on Android or the window changes to "Done" on iOS). They are fully online and can browse by dismissing the portal popup and show "Authenticated" when querying via the captive clients CLI script.

I've followed the instructions to have dnsmasq handle this via the custom script (as per readme) and then auth the device using ubus but they still get the popup.

"hotspot" is the uspot name/interface
$MACADDR and $IPADDR comes through via the dhcp script

ubus call uspot client_auth "{ \"uspot\":\"hotspot\", \"address\":\"$MACADDR\", \"client_ip\":\"$IPADDR\" }" > /dev/null
ubus call uspot client_enable "{ \"uspot\":\"hotspot\", \"address\":\"$MACADDR\" }" 2>/dev/null

Is this expected behaviour or am I missing something? It's like we need the mac authentication to happen before the client device tries to check for Internet connectivity and this is what redirects to the CPD code and shows the portal page...

Thanks

Originally created by @PWJW on GitHub (Apr 23, 2024). Original GitHub issue: https://github.com/f00b4r0/uspot/issues/13 We are testing the MAC authentication option within uspot and although it's working and the user is successfully authenticated from our RADIUS server, they still receive the captive portal popup window (which then briefly disappears on Android or the window changes to "Done" on iOS). They are fully online and can browse by dismissing the portal popup and show "Authenticated" when querying via the `captive clients` CLI script. I've followed the instructions to have dnsmasq handle this via the custom script (as per readme) and then auth the device using ubus but they still get the popup. "hotspot" is the uspot name/interface `$MACADDR` and `$IPADDR` comes through via the dhcp script ``` ubus call uspot client_auth "{ \"uspot\":\"hotspot\", \"address\":\"$MACADDR\", \"client_ip\":\"$IPADDR\" }" > /dev/null ubus call uspot client_enable "{ \"uspot\":\"hotspot\", \"address\":\"$MACADDR\" }" 2>/dev/null ``` Is this expected behaviour or am I missing something? It's like we need the mac authentication to happen before the client device tries to check for Internet connectivity and this is what redirects to the CPD code and shows the portal page... Thanks
kerem closed this issue 2026-03-04 14:52:19 +03:00
kerem commented 2026-03-04 14:52:20 +03:00
Author
Owner
Copy link

@f00b4r0 commented on GitHub (Apr 23, 2024):

if you remove the /dev/null redirections after each call you'll see in the logs whether or not the clients are authenticated via this mechanism. It may happen that some clients are "too quick" in testing connectivity and do show a popup anyway, this is outside of uspot control (you'll notice the popups display device-generated messages without showing the uspot pages) and so not an uspot issue.

The DHCP-based auth bypass is more a hack than a proper feature anyway so your mileage may vary anyway. MAC-auth is supported by uspot via the web interface (without the bypass script), where a uspot-generated message would be displayed.

<!-- gh-comment-id:2072842555 --> @f00b4r0 commented on GitHub (Apr 23, 2024): if you remove the `/dev/null` redirections after each call you'll see in the logs whether or not the clients are authenticated via this mechanism. It may happen that some clients are "too quick" in testing connectivity and do show a popup anyway, this is outside of uspot control (you'll notice the popups display device-generated messages without showing the uspot pages) and so not an uspot issue. The DHCP-based auth bypass is more a hack than a proper feature anyway so your mileage may vary anyway. MAC-auth is supported by uspot via the web interface (without the bypass script), where a uspot-generated message would be displayed.
kerem commented 2026-03-04 14:52:20 +03:00
Author
Owner
Copy link

@PWJW commented on GitHub (Apr 23, 2024):

The auth was successful as the logs show it :)

MAC auth works "properly" with coovachilli and all other wifi vendors I've used like Cisco, Meraki, Ruckus, Aruba etc, so I don't think its an issue with the client. On all of these other types of implementations, the client never sees any popup or redirect and is immediately online when the RADIUS replies with Access-Accept (before the client tries to call a URL).

The traditional purpose of MAC auth is to authenticate a device before a captive portal is involved so I feel the current implementation isn't really usable as a true MAC auth solution in the current way it's implemented. It will work for some use cases though!

Is there any plan to revisit how this is implemented at all?

Thanks again.

<!-- gh-comment-id:2073126351 --> @PWJW commented on GitHub (Apr 23, 2024): The auth was successful as the logs show it :) MAC auth works "properly" with coovachilli and all other wifi vendors I've used like Cisco, Meraki, Ruckus, Aruba etc, so I don't think its an issue with the client. On all of these other types of implementations, the client never sees any popup or redirect and is immediately online when the RADIUS replies with Access-Accept (before the client tries to call a URL). The traditional purpose of MAC auth is to authenticate a device before a captive portal is involved so I feel the current implementation isn't really usable as a true MAC auth solution in the current way it's implemented. It will work for some use cases though! Is there any plan to revisit how this is implemented at all? Thanks again.
kerem commented 2026-03-04 14:52:20 +03:00
Author
Owner
Copy link

@f00b4r0 commented on GitHub (Apr 23, 2024):

Is there any plan to revisit how this is implemented at all?

No, but this is opensource: patches are always welcome.

<!-- gh-comment-id:2073135069 --> @f00b4r0 commented on GitHub (Apr 23, 2024): > Is there any plan to revisit how this is implemented at all? No, but this is opensource: patches are always welcome.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
next
TIP
No results found.
Labels
Clear labels   
bug

   
enhancement

   
invalid

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
bug
enhancement
invalid
invalid
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/uspot#9
No description provided.