Captive Portal Packets Dropped for Android Devices

Captive Portal Packets Dropped for Android Devices

39456
Created On 09/25/18 19:47 PM - Last Modified 06/09/23 03:01 AM


Symptom


Symptoms

Users are prompted to refresh the page several times to get the Captive Portal login page, in all versions of Android OS, including Lollipop and Marshmallow.  This behavior is seen only for the first instance, when they connect to the new wifi network, or when they forget an exisiting network, and rejoin as a new user.

Diagnosis

Whenever the Android device establishes a connection to the wifi network, it automatically tries to visit a particualr site and tries to get a file name "generate_204". If it fails to get this information, it will generate a exclamation symbol next to the wifi icon identifying there is no internet connectivity.

 

This is expected behavior and it is hard coded in the Android OS. The sites differ for different Android OS versions.

 

This is a code that is used to detect if there is a Captive Portal configured somewhere in the network, and it will prompt to redirect to use a browser to complete the CP authentication process.

 

See the link below for the codes used in Marshmallow , Lollipop and KitKat:

 

1. KitKat

http://androidxref.com/4.4.4_r1/xref/frameworks/base/core/java/android/net/CaptivePortalTracker.java

 

2. Lollipop http://androidxref.com/5.1.1_r6/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java

 

3. MarshMallow http://androidxref.com/6.0.0_r1/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java

 

See the example screenshots below:

 

IMG-20161013-WA0005.jpg

 

IMG-20161013-WA0007.jpg

 

 

This results in overburdening the captive portal service on the Palo Alto Networks firewall, the Palo Alto Networks firewall will wait for the request to timeout, and then post the login page to the user. The default timeout value configured in the Android OS is 10.000 milliseconds.

Resolution


The solution for this is to create a custom URL category and include the following sites, and exclude from captive portal authentication. 

 

KitKat Version:

clients3.google.com/

clients3.google.com/generate_204

 

Lollipop Version:

connectivitycheck.android.com

connectivitycheck.android.com/generate_204

 

MarshMallow Version:

connectivitycheck.gstatic.com

connectivitycheck.gstatic.com/generate_204

 

 

Custom Url.jpg

 

 

 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldSCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language