Fixing the iPhone OS WiFi auto-login problem

Some time ago, shortly after iPhone OS 3.0 was released, we received a number of reports from users that our VPN-based wireless service had become unusable. For those not familiar with this service, OWL is one of our local wireless networks that permits VPN access for university members whilst providing a captive-portal for visitors. Normally the dual-use works quite well: university members start the VPN client and visitors start a web browser to log in.

Not so for OS 3.0 users though, who joined the wireless service only to be automatically shown the visitor login page, and then when they closed that down the iPhone or iPod Touch would just disconnect from OWL in a huff. There was no opportunity to start the VPN client.

A mail list post by James Hooper, a Network Specialist at Bristol University, explained all: it seems the device tests for Internet connectivity by attempting to retrieve a specific web page. So all we need to do is trick OS 3.0 into thinking this page is accessible.

According to James, the page in question lives at http://www.apple.com/library/test/success.html and should return the following, to be considered a success:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Success</TITLE>
</HEAD>
<BODY>
Success
</BODY>
</HTML>

We know that all clients attempting HTTP requests on OWL will hit our captive portal web servers. These servers are already configured to capture URLs and redirect clients to the Visitor Network login page. All we need do is configure those servers to first check for a request to success.html and return the fake content instead. The excellent mod_rewrite Apache module comes to our rescue, and we end up configuring something like the following:

# apple captive portal detection
RewriteRule    ^/library/test/success\.html$    -    [L]

The above rule tells Apache that if the request path matches this pattern, it should leave the URL unchanged (the "-" substitution), stop processing further rewrite rules (the [L] flag) and serve the file locally (a copy of success.html is saved on the server). Just after that rule, we capture every other request and issue a 302 redirect to the captive portal login page.
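
A self-check for the behaviour described above, added here as an example (not the configuration or code from the original post): a stand-in portal handler that serves the probe page locally and redirects everything else, plus a checker that confirms both responses. The login URL, the function names and the whitespace-insensitive body comparison are assumptions.

```python
import http.client
import http.server
import threading

PROBE_PATH = "/library/test/success.html"          # path quoted in the post
LOGIN_URL = "http://portal.example.invalid/login"  # placeholder, not from the post
SUCCESS_BODY = (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">\n<HTML>\n<HEAD>\n'
                b"<TITLE>Success</TITLE>\n</HEAD>\n<BODY>\nSuccess\n</BODY>\n</HTML>\n")

class PortalHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the portal server: local probe page, 302 for the rest."""
    def do_GET(self):
        is_probe = self.path == PROBE_PATH
        body = SUCCESS_BODY if is_probe else b""
        self.send_response(200 if is_probe else 302)
        if not is_probe:
            self.send_header("Location", LOGIN_URL)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(host, port, path):
    """Return (status, Location header, body); http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()

def check_portal(host, port):
    """True if the probe page is served intact and other paths get the 302."""
    status, _, body = fetch(host, port, PROBE_PATH)
    probe_ok = status == 200 and body.split() == SUCCESS_BODY.split()
    status, location, _ = fetch(host, port, "/any/other/page")
    return probe_ok and status == 302 and location == LOGIN_URL

def run_demo():
    """Start the stand-in portal on a free local port and check it."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), PortalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_portal("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

With LOGIN_URL set to the real login page, check_portal can be pointed at a portal server from a client on the wireless network as a regression test for the rewrite rules.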

I’m told that Apple did acknowledge this bug, and perhaps even fixed it in OS 3.1, although brief tests were not conclusive. Regardless, it’s better for us to leave this monkeypatching in place to avoid users having further difficulties in connecting.


4 Responses to “Fixing the iPhone OS WiFi auto-login problem”

  1. Jeanette Shirk says:

    It won’t open on App Store. Or network not work or what?

  2. S. M. Ripley says:

    SUCCESSSuccess

    This is the message I receive when trying to connect to my home router on my iPod Touch. Only this device of mine is doing it, and it was working fine 5 minutes ago. As a consumer, I’d hate for this problem to ruin potential business from, say, all the people with this error, since there’s no fix!!!!!

    Please Fix It.

  3. Jason Kennerly says:

    Apple *still* hasn’t fixed this bug.

    Because I have blocked access to Apple, Microsoft, Google, and those 6 others as part of a boycott directed against the NSA sell-outs who do not value the 4th amendment enough to tell the NSA to “bugger off”, I had to fix this problem myself, in 2013, in order that my wife still be able to browse websites of companies not directly involved in such fascist tactics.

    Basically, you can’t normally use an Apple-tablet device unless it can first phone home, and get you permission by generating server logs for Apple, likely including your Apple ID. This itself is a huge issue, I think, even if the government weren’t currently in the business of spying on its own citizens!

    In the time since then, Apple has also taken other user-hostile steps, such as making its entire development series only available over their “iTunes” system. Again, more tracking. My own Macintosh no longer has any connection to the internet at all. The signed binaries that are its OS 10.6 interior simply can’t be trusted, Apple has been doing business in an immoral fashion for simply far too long.

    My idealistic, perhaps unachievable, goal is for every machine allowed a net-facing presence to be open source by the end of the year: If you can’t debug it, deplug it!

    • emma says:

      may i ask how you fixed it? i can’t connect to wifi at home and i need it =[