Date:      Wed, 2 Nov 2022 09:19:50 -0500
From:      Andrew Gould <andrewlylegould@gmail.com>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   SOLVED: Re: accessing guest wireless networks
Message-ID:  <CAFKhKgpY=vNNM%2B=YONdocLGu5way=zg1vNNzdKJBf=N72w7GbA@mail.gmail.com>
In-Reply-To: <CAFKhKgohh19fgKVMp8SJXyB3ibDYaBhL-u1EdD-JM_m24ScouA@mail.gmail.com>
References:  <CAFKhKgqZAv27FFrOM_LWUQAQjpcYN71a5pme_6NOc=02sp9TrA@mail.gmail.com> <20221028105804250197522@bob.proulx.com> <CAFKhKgohh19fgKVMp8SJXyB3ibDYaBhL-u1EdD-JM_m24ScouA@mail.gmail.com>


[-- Attachment #1 --]
Replacing “WPA DHCP” with “SYNCDHCP” (please excuse the UTF-8 characters -
I’m typing on an iphone) in rc.conf did the trick.  I just have to add WPA
back in to use the home networks.

Andrew

On Sat, Oct 29, 2022 at 4:05 PM Andrew Gould <andrewlylegould@gmail.com>
wrote:

>
>
> On Fri, Oct 28, 2022 at 12:22 PM Bob Proulx <bob@proulx.com> wrote:
>
>> Andrew Gould wrote:
>> > I have wpa_supplicant.conf configured to successfully access two different
>> > home networks;  but I can’t seem to figure out how to access guest networks
>> > (is this the right term?) at places like Starbucks.
>> >
>> > network={
>> >    ssid=“Starbucks WiFi”
>>           ^              ^
>>           !              !
>> >    bssid=any
>> >    key_mgmt=NONE
>> >    scan_ssid=1
>> >    priority=4
>> > }
>> >
>> > What else do I need?
>>
>> Those quotation marks are UTF-8 and not ASCII.  Change those to the
>> traditional ASCII double quotes.
>>
>> I have only exactly this following in my wpa_supplicant.conf file and
>> this works for me.
>>
>>     network={
>>        ssid="Starbucks WiFi"
>>        key_mgmt=NONE
>>     }
>>
>> Note that with the Starbucks captured portal one must open a web page
>> in a compatible browser, allow it to be attacked with a MITM attack,
>> land on the Starbucks authentication page, and click through their
>> agreement.  I am using Firefox and Firefox automatically recognizes
>> many captured portals and will emit a dialog line with a button just
>> above the page body content.  Clicking that Firefox dialog button
>> works for me.
>>
>> This captured portal access can be problematic if using a local DNSSEC
>> validating nameserver such as unbound because captured portals like
>> Starbucks are MITM attacks for which DNSSEC is designed to stop.
>>
>> Also DNS over HTTP DoH being enabled in the browser may prevent the
>> captured portal from the MITM attack needed to open the portal.
>>
>> Before attempting to authenticate with the captured portal disable DoH
>> in the web browser and stop any local caching nameserver.  Inspect
>> /etc/resolv.conf to ensure that the Starbucks captured portal DHCP
>> assigned nameservers are in use and NOT "safe" ones like 8.8.8.8 or
>> any of the other similar ones.  Since you must allow yourself to be
>> DNS attacked in order to gain access through the router you need to
>> use the DHCP provided nameservers.  Attempting to go to any URL name
>> the DNS will resolve to a captured portal router which will issue an
>> http redirect causing the browser to visit the portal page.  That's
>> the MITM that must be allowed to gain access.
>>
>> Then after completing the captured portal handshake and getting on the
>> network don't forget to return to a normal network configuration.
>> Start up unbound if using unbound.  Enable DoH in the web browser
>> again if using DoH.
>>
>> Background reference.
>>
>>     https://en.wikipedia.org/wiki/Captive_portal
>>
>> Bob
>>
> Thank you for the help.  I changed the security settings in Firefox so it
> wouldn’t block popups; but I didn’t know what else to change.  I’m not
> running any DNS services, and I’m using the standard firefox pkg for
> FreeBSD 13.1.  I did the OS installation last week.
>
> After I checked everything, I restarted netif.  The output showed the
> correct ssid and status of associated.  However, it also showed inet
> 0.0.0.0 .  Restarting Firefox and trying to access the internet failed.
> Redirection to a login webpage did not occur.
>
> Andrew
>
>
>
>
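
An added example, not part of the original thread: a small sh pre-flight check for the two configuration problems discussed above, non-ASCII quotes in wpa_supplicant.conf and nameservers in resolv.conf that are not the DHCP-assigned ones. The function names, the sample files, and the resolver addresses other than 8.8.8.8 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks to run before joining an open captive-portal network.
# The sample files below are constructed; on a real system pass the paths of
# wpa_supplicant.conf and /etc/resolv.conf instead.

# Print the numbers of lines that contain any non-ASCII byte, such as the
# UTF-8 "smart quotes" that broke the ssid= line in the thread.
nonascii_lines() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Delete bytes 0x80-0xFF; if the line changes, it was not pure ASCII.
        ascii=$(printf '%s' "$line" | LC_ALL=C tr -d '\200-\377')
        [ "$ascii" = "$line" ] || echo "$n"
    done < "$1"
}

# Label each nameserver in a resolv.conf-style file. A loopback address means
# a local caching resolver (e.g. unbound) is in use; the public list holds
# 8.8.8.8 from the thread plus a few other well-known resolvers (added here).
classify_resolvers() {
    while read -r key addr rest; do
        [ "$key" = "nameserver" ] || continue
        case "$addr" in
            127.*|::1) echo "$addr local-resolver" ;;
            8.8.8.8|8.8.4.4|1.1.1.1|1.0.0.1|9.9.9.9) echo "$addr public-resolver" ;;
            *) echo "$addr other" ;;
        esac
    done < "$1"
}

# Constructed sample input (smart quotes written as octal UTF-8 bytes).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'network={\n   ssid=\342\200\234Starbucks WiFi\342\200\235\n   key_mgmt=NONE\n}\n' > "$tmp/wpa_bad.conf"
printf 'network={\n   ssid="Starbucks WiFi"\n   key_mgmt=NONE\n}\n' > "$tmp/wpa_good.conf"
printf 'search example.net\nnameserver 127.0.0.1\nnameserver 8.8.8.8\nnameserver 192.0.2.1\n' > "$tmp/resolv.conf"

echo "non-ASCII lines in bad config:  $(nonascii_lines "$tmp/wpa_bad.conf")"
echo "non-ASCII lines in good config: $(nonascii_lines "$tmp/wpa_good.conf")"
echo "resolvers:"
classify_resolvers "$tmp/resolv.conf"
```

Entries labelled `other` still have to be compared by hand against the nameservers the DHCP lease handed out; the script only flags the two cases the thread calls out.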


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFKhKgpY=vNNM%2B=YONdocLGu5way=zg1vNNzdKJBf=N72w7GbA>