Date:      Sat, 29 Oct 2022 16:05:17 -0500
From:      Andrew Gould <andrewlylegould@gmail.com>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: accessing guest wireless networks
Message-ID:  <CAFKhKgohh19fgKVMp8SJXyB3ibDYaBhL-u1EdD-JM_m24ScouA@mail.gmail.com>
In-Reply-To: <20221028105804250197522@bob.proulx.com>
References:  <CAFKhKgqZAv27FFrOM_LWUQAQjpcYN71a5pme_6NOc=02sp9TrA@mail.gmail.com> <20221028105804250197522@bob.proulx.com>

On Fri, Oct 28, 2022 at 12:22 PM Bob Proulx <bob@proulx.com> wrote:

> Andrew Gould wrote:
> > I have wpa_supplicant.conf configured to successfully access two different
> > home networks;  but I can’t seem to figure out how to access guest networks
> > (is this the right term?) at places like Starbucks.
> >
> > network={
> >    ssid=“Starbucks WiFi”
>            ^              ^
>            !              !
> >    bssid=any
> >    key_mgmt=NONE
> >    scan_ssid=1
> >    priority=4
> > }
> >
> > What else do I need?
>
> Those quotation marks are UTF-8 and not ASCII.  Change those to the
> traditional ASCII double quotes.
>
> I have only exactly this following in my wpa_supplicant.conf file and
> this works for me.
>
>     network={
>        ssid="Starbucks WiFi"
>        key_mgmt=NONE
>     }
>
> Note that with the Starbucks captured portal one must open a web page
> in a compatible browser, allow it to be attacked with a MITM attack,
> land on the Starbucks authentication page, and click through their
> agreement.  I am using Firefox and Firefox automatically recognizes
> many captured portals and will emit a dialog line with a button just
> above the page body content.  Clicking that Firefox dialog button
> works for me.
>
> This captured portal access can be problematic if using a local DNSSEC
> validating nameserver such as unbound because captured portals like
> Starbucks are MITM attacks for which DNSSEC is designed to stop.
>
> Also DNS over HTTP DoH being enabled in the browser may prevent the
> captured portal from the MITM attack needed to open the portal.
>
> Before attempting to authenticate with the captured portal disable DoH
> in the web browser and stop any local caching nameserver.  Inspect
> /etc/resolv.conf to ensure that the Starbucks captured portal DHCP
> assigned nameservers are in use and NOT "safe" ones like 8.8.8.8 or
> any of the other similar ones.  Since you must allow yourself to be
> DNS attacked in order to gain access through the router you need to
> use the DHCP provided nameservers.  Attempting to go to any URL name
> the DNS will resolve to a captured portal router which will issue an
> http redirect causing the browser to visit the portal page.  That's
> the MITM that must be allowed to gain access.
>
> Then after completing the captured portal handshake and getting on the
> network don't forget to return to a normal network configuration.
> Start up unbound if using unbound.  Enable DoH in the web browser
> again if using DoH.
>
> Background reference.
>
>     https://en.wikipedia.org/wiki/Captive_portal
>
> Bob
>

Thank you for the help.  I changed the security settings in Firefox so it
wouldn’t block popups; but I didn’t know what else to change.  I’m not
running any DNS services, and I’m using the standard firefox pkg for
FreeBSD 13.1.  I did the OS installation last week.

After I checked everything, I restarted netif.  The output showed the
correct ssid and status of associated.  However, it also showed inet
0.0.0.0 .  Restarting Firefox and trying to access the internet failed.
Redirection to a login webpage did not occur.

Andrew
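
The quoting problem pointed out in the quoted reply can be checked mechanically. The following sh script is an added example, not part of the original thread; its function names are hypothetical and the sample file is constructed from the network block posted above. It flags lines of a wpa_supplicant.conf that contain non-ASCII bytes and rewrites curly double quotes around a value as ASCII quotes:

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "LINE: KEY" for each line of file $1 that holds a non-ASCII byte.
# Returns 1 if any such line exists, 0 otherwise.
check_wpa_conf() {
    n=0; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Delete every ASCII byte; whatever is left is non-ASCII.
        rest=$(printf '%s' "$line" | LC_ALL=C tr -d '\000-\177')
        [ -n "$rest" ] || continue
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        printf '%s: %s\n' "$n" "$key"
        found=1
    done < "$1"
    return "$found"
}

# Write file $1 to stdout with curly double quotes that delimit a value
# replaced by ASCII double quotes. LC_ALL=C makes sed work on raw bytes.
fix_wpa_quotes() {
    LC_ALL=C sed 's/=“\(.*\)”[[:space:]]*$/="\1"/' "$1"
}

# Constructed sample: the network block as posted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
network={
   ssid=“Starbucks WiFi”
   bssid=any
   key_mgmt=NONE
   scan_ssid=1
   priority=4
}
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
check_wpa_conf "$tmp" || echo "non-ASCII bytes found; corrected file follows:"
fix_wpa_quotes "$tmp"
rm -f "$tmp"
```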
