Date: Wed, 2 Nov 2022 09:19:50 -0500
From: Andrew Gould <andrewlylegould@gmail.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: SOLVED: Re: accessing guest wireless networks
Message-ID: <CAFKhKgpY=vNNM%2B=YONdocLGu5way=zg1vNNzdKJBf=N72w7GbA@mail.gmail.com>
In-Reply-To: <CAFKhKgohh19fgKVMp8SJXyB3ibDYaBhL-u1EdD-JM_m24ScouA@mail.gmail.com>
References: <CAFKhKgqZAv27FFrOM_LWUQAQjpcYN71a5pme_6NOc=02sp9TrA@mail.gmail.com> <20221028105804250197522@bob.proulx.com> <CAFKhKgohh19fgKVMp8SJXyB3ibDYaBhL-u1EdD-JM_m24ScouA@mail.gmail.com>

Replacing “WPA DHCP” with “SYNCDHCP” (please excuse the UTF-8 characters -
I’m typing on an iPhone) in rc.conf did the trick. I just have to add WPA
back in to use the home networks.

Andrew

On Sat, Oct 29, 2022 at 4:05 PM Andrew Gould <andrewlylegould@gmail.com> wrote:

> On Fri, Oct 28, 2022 at 12:22 PM Bob Proulx <bob@proulx.com> wrote:
>
>> Andrew Gould wrote:
>> > I have wpa_supplicant.conf configured to successfully access two different
>> > home networks; but I can’t seem to figure out how to access guest networks
>> > (is this the right term?) at places like Starbucks.
>> >
>> > network={
>> >    ssid=“Starbucks WiFi”
>>           ^              ^
>>           !              !
>> >    bssid=any
>> >    key_mgmt=NONE
>> >    scan_ssid=1
>> >    priority=4
>> > }
>> >
>> > What else do I need?
>>
>> Those quotation marks are UTF-8 and not ASCII. Change those to the
>> traditional ASCII double quotes.
>>
>> I have only exactly this following in my wpa_supplicant.conf file and
>> this works for me.
>>
>>     network={
>>        ssid="Starbucks WiFi"
>>        key_mgmt=NONE
>>     }
>>
>> Note that with the Starbucks captured portal one must open a web page
>> in a compatible browser, allow it to be attacked with a MITM attack,
>> land on the Starbucks authentication page, and click through their
>> agreement. I am using Firefox and Firefox automatically recognizes
>> many captured portals and will emit a dialog line with a button just
>> above the page body content. Clicking that Firefox dialog button
>> works for me.
>>
>> This captured portal access can be problematic if using a local DNSSEC
>> validating nameserver such as unbound because captured portals like
>> Starbucks are MITM attacks for which DNSSEC is designed to stop.
>>
>> Also DNS over HTTP DoH being enabled in the browser may prevent the
>> captured portal from the MITM attack needed to open the portal.
>>
>> Before attempting to authenticate with the captured portal disable DoH
>> in the web browser and stop any local caching nameserver. Inspect
>> /etc/resolv.conf to ensure that the Starbucks captured portal DHCP
>> assigned nameservers are in use and NOT "safe" ones like 8.8.8.8 or
>> any of the other similar ones. Since you must allow yourself to be
>> DNS attacked in order to gain access through the router you need to
>> use the DHCP provided nameservers. Attempting to go to any URL name
>> the DNS will resolve to a captured portal router which will issue an
>> http redirect causing the browser to visit the portal page. That's
>> the MITM that must be allowed to gain access.
>>
>> Then after completing the captured portal handshake and getting on the
>> network don't forget to return to a normal network configuration.
>> Start up unbound if using unbound. Enable DoH in the web browser
>> again if using DoH.
>>
>> Background reference.
>>
>>     https://en.wikipedia.org/wiki/Captive_portal
>>
>> Bob
>
> Thank you for the help. I changed the security settings in Firefox so it
> wouldn’t block popups; but I didn’t know what else to change. I’m not
> running any DNS services, and I’m using the standard firefox pkg for
> FreeBSD 13.1. I did the OS installation last week.
>
> After I checked everything, I restarted netif. The output showed the
> correct ssid and status of associated. However, it also showed inet
> 0.0.0.0 . Restarting Firefox and trying to access the internet failed.
> Redirection to a login webpage did not occur.
>
> Andrew

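
The two checks described in the quoted reply above (ASCII-only quoting in wpa_supplicant.conf, and /etc/resolv.conf using only the DHCP-assigned nameservers) written as POSIX sh functions. This is an added example, not part of the thread: the function names `find_non_ascii` and `foreign_resolvers` are hypothetical, the file paths are supplied by the caller, and the sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example: checks to run before joining an open guest network.

# Print "line:text" for each line of a wpa_supplicant.conf ($1) holding a byte
# outside printable ASCII, such as UTF-8 curly quotes. Returns 1 if any found.
find_non_ascii() {
    if LC_ALL=C grep -an '[^[:print:][:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Print each nameserver in resolv.conf ($1) that the newest lease in a dhclient
# lease file ($2) did not offer (public resolvers, a local unbound on 127.0.0.1).
# Returns 1 if any were printed. An empty lease file flags every nameserver.
foreign_resolvers() {
    offered=$(sed -n 's/^[[:space:]]*option domain-name-servers \(.*\);.*/\1/p' "$2" |
        tail -n 1 | tr ',' ' ')
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        case " $offered " in
            *" $ns "*) ;;
            *) echo "$ns"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on constructed sample files (not taken from the machines in the thread).
demo() {
    d=$(mktemp -d) || return 2
    printf 'network={\n\tssid=\342\200\234Starbucks WiFi\342\200\235\n\tkey_mgmt=NONE\n}\n' > "$d/wpa.conf"
    printf 'lease {\n  option domain-name-servers 172.31.98.1;\n}\n' > "$d/lease"
    printf 'nameserver 127.0.0.1\nnameserver 8.8.8.8\n' > "$d/resolv.conf"
    echo "non-ASCII bytes in wpa_supplicant.conf:"
    find_non_ascii "$d/wpa.conf" || echo "-> retype these with ASCII double quotes"
    echo "resolvers not assigned by DHCP:"
    foreign_resolvers "$d/resolv.conf" "$d/lease" || echo "-> use the DHCP nameservers until the portal is passed"
    rm -rf "$d"
}
demo
```

On FreeBSD the arguments would typically be /etc/wpa_supplicant.conf, /etc/resolv.conf and /var/db/dhclient.leases.wlan0; the interface name wlan0 is an assumption, as the thread does not name it.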
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFKhKgpY=vNNM%2B=YONdocLGu5way=zg1vNNzdKJBf=N72w7GbA>