Captive portal from Network Filtering Extension (Mac)

Hi,

I'm trying to detect a captive session from NEFilterDataProvider to make sure the portal traffic is allowed accordingly.

Initial idea was to look at audit tokens to allow any traffic from Captive Portal Assistant.

But most of the traffic is managed from WebKit Networking (I assume CPA uses a WebView). Allowing any WebKit traffic is a major issue for my firewall use-case.

An alternative could be possible using NEHotspotHelper but this API is not supported on Mac.

Portal DHCP advertisement could also help but sandboxed NEFilterDataProvider doesn't have access to DHCP context. https://developer.apple.com/news/?id=q78sq5rv

I've seen many threads related to those topics for iOS but none for Macs.

Does anybody know a Mac API that could be of any help?

Answered by Jtasoftware in 709732022

Does anybody know a Mac API that could be of any help?

I do not.

Regarding:

I'm trying to detect a captive session from NEFilterDataProvider to make sure the portal traffic is allowed accordingly.

Are you able to detect these flows at all in NEFilterDataProvider? If you further review the flow as it passes through handleOutboundDataFromFlow and handleInboundDataFromFlow, are you able to pick up any indication that this is from your captive network portal?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Thank you for looking at this topic.

My concern is not for a specific portal I can whitelist explicitly. I’m looking to support any portal (hotels, transportation, restaurants, etc).

Regards,

Jerome Tarantino

I’m looking to support any portal (hotels, transportation, restaurants, etc).

Are you able to see the SNI come through during the handshake in handleOutboundDataFromFlow? If this is available, this can be seen by examining the bytes handed over in this callback before a verdict is applied.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

If my understanding is correct, you suggest:

  • Using RFC 7710 to grab the captive URL
  • Getting the SNI during the handshake and comparing it with the portal host
  • Dropping the handshake flow if they don't match

This limits it to the subset of portals implementing the RFC, but it could be a good start. I'll try that.
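One way to implement the SNI step of this plan, as an added example that is not code from the thread or from Apple's frameworks: it parses the server_name out of a TLS ClientHello (the one field of an HTTPS flow that is still plaintext) and compares it with the host of an RFC 7710 portal URI. The ClientHello is constructed inside the block; in a filter extension the bytes would be the first outbound chunk seen in handleOutboundDataFromFlow, and Python stands in for Swift since the byte walk is the same in either.

```python
import struct
from urllib.parse import urlparse

def extract_sni(data: bytes):
    """Return server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        return _parse_sni(data)
    except (struct.error, IndexError):       # truncated or malformed record
        return None

def _parse_sni(data: bytes):
    if len(data) < 5 or data[0] != 0x16:     # not a TLS handshake record
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:         # not a ClientHello
        return None
    p = 4 + 2 + 32                           # skip handshake header, version, random
    p += 1 + hs[p]                           # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                           # compression_methods
    if p + 2 > len(hs):
        return None                          # no extensions block at all
    end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0 and p + 5 <= end and hs[p + 2] == 0:   # server_name, host_name
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return None

def portal_verdict(first_bytes: bytes, portal_uri: str) -> str:
    """'allow' only when the flow's SNI equals the RFC 7710 captive-portal host."""
    portal_host = (urlparse(portal_uri).hostname or "").lower()
    sni = extract_sni(first_bytes)
    return "allow" if sni and sni.lower() == portal_host else "drop"

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying server_name (sample input only)."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```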

Hi, an update on this topic.

Using the SNI from handleOutboundDataFromFlow fails because nearly all traffic is encrypted and no headers or metadata can be fetched for that purpose.

I tried, as a plan B, to replicate captive.apple.com behaviour to detect redirects and allow them. This is a tricky job because the firewall rules need to be updated live to follow redirects, but on paper (i.e. simulating with Safari) it works.

However, in captive-portal tests I face another problem: Captive Portal Assistant seems to block all traffic outside of its own session (not sure how this is done). For example, Safari or curl won't get a response while the CPA is open, as they do under the same SSID if CPA is closed.

In some way this could be a helpful solution for my use-case if I was able to confirm that a CPA session is ongoing. CNCopySupportedInterfaces seems to be dedicated to that and is available on Mac.

However it always returns null. I know that some (obsolete) CN APIs require specific entitlements on iOS but I've found nothing about Mac requirements.

Any hint?

Using the SNI from handleOutboundDataFromFlow fails because nearly all traffic is encrypted and no headers or metadata can be fetched for that purpose.

Right, typically all traffic is encrypted except for the SNI so it can be tricky to filter this data out of the handshake.

Regarding:

In some way this could be a helpful solution for my use-case if I was able to confirm that a CPA session is ongoing. CNCopySupportedInterfaces seems to be dedicated to that and is available on Mac. However it always returns null. I know that some (obsolete) CN APIs require specific entitlements on iOS but I've found nothing about Mac requirements.

I have not looked into using this API in a long time, but you should also try receiving CoreLocation updates if you are wanting to use this API.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer

Waiting for NEHotspotHelper on Mac, I've been able to implement a (somewhat) working solution relying on NSRunningApplication.runningApplications.

When looking at CNMarkPortalOnline documentation:

Captive Network Support will notify the rest of the system that WiFi is now a viable interface.

How does this notification occur? Is there an event or notification such as 'Captive Portal is now Online'?

Sorry for the typo I meant NSWorkspace.runningApplications.
