Re: accessing guest wireless networks
- Reply: Andrew Gould : "SOLVED: Re: accessing guest wireless networks"
- In reply to: Bob Proulx : "Re: accessing guest wireless networks"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 29 Oct 2022 21:05:17 UTC
On Fri, Oct 28, 2022 at 12:22 PM Bob Proulx <bob@proulx.com> wrote: > Andrew Gould wrote: > > I have wpa_supplicant.conf configured to successfully access two > different > > home networks; but I can’t seem to figure out how to access guest > networks > > (is this the right term?) at places like Starbucks. > > > > network={ > > ssid=“Starbucks WiFi” > ^ ^ > ! ! > > bssid=any > > key_mgmt=NONE > > scan_ssid=1 > > priority=4 > > } > > > > What else do I need? > > Those quotation marks are UTF-8 and not ASCII. Change those to the > traditional ASCII double quotes. > > I have only exactly this following in my wpa_supplicant.conf file and > this works for me. > > network={ > ssid="Starbucks WiFi" > key_mgmt=NONE > } > > Note that with the Starbucks captured portal one must open a web page > in a compatible browser, allow it to be attacked with a MITM attack, > land on the Starbucks authentication page, and click through their > agreement. I am using Firefox and Firefox automatically recognizes > many captured portals and will emit a dialog line with a button just > above the page body content. Clicking that Firefox dialog button > works for me. > > This captured portal access can be problematic if using a local DNSSEC > validating nameserver such as unbound because captured portals like > Starbucks are MITM attacks for which DNSSEC is designed to stop. > > Also DNS over HTTP DoH being enabled in the browser may prevent the > captured portal from the MITM attack needed to open the portal. > > Before attempting to authenticate with the captured portal disable DoH > in the web browser and stop any local caching nameserver. Inspect > /etc/resolv.conf to ensure that the Starbucks captured portal DHCP > assigned nameservers are in use and NOT "safe" ones like 8.8.8.8 or > any of the other similar ones. Since you must to allow yourself to be > DNS attacked in order to gain access through the router you need to > use the DHCP provided nameservers. Attempting to go to any URL name > the DNS will resolve to a captured portal router which will issue an > http redirect causing the browser to visit the portal page. That's > the MITM that must be allowed to gain access. > > Then after completing the captured portal handshake and getting on the > network don't forget to return to a normal network configuration. > Start up unbound if using unbound. Enable DoH in the web browser > again if using DoH. > > Background reference. > > https://en.wikipedia.org/wiki/Captive_portal > > Bob > > Thank you for the help. I changed the security settings in Firefox so it wouldn’t block popups; but I didn’t know what else to change. I’m not running any DNS services, and I’m using the standard firefox pkg for FreeBSD 13.1. I did the OS installation last week. After I checked everything, I restarted netif. The output showed the correct ssid and status of associated. However, it also showed inet 0.0.0.0 . Restarting Firefox and trying to access the internet failed. Redirection to a login webpage did not occur. Andrew