Prevent the captive portal from closing automatically after authentication (Android)

Time: 2022-11-15 01:18:11

So the simple idea is that we have a RADIUS server set up to allow users to authenticate with our Ruckus controller via user credentials. On authentication the user should be redirected to a page that allows them to manage MAC authenticated devices.

On everything we have tested so far, including "older" Android devices, this seems to be no issue and things run as they should. However, with Lollipop (5.0+) versions of Android the captive portal has changed quite a bit, and part of that change is to automatically close the captive portal that launches when you join the network. Because we want them to be redirected to a MAC device management page after authentication so they can add the device they are currently logged in with and avoid having to log in again, this is bad.

What I have tried:

  1. Detecting if the browser is being launched in a mobile device and popping an alert in onbeforeunload that attempts to keep the browser open.

  2. Opening a new browser window, pointing to the redirection URL, when successful authentication is detected (essentially managing the redirect ourselves).

  3. Performing Option 2, and then Option 1 on the redirected URL.

What won't work:

  • Asking users to disable the captive portal option on their device. Not trying to point general users to advanced controls.

  • Creating an open network to access the MAC manager; it must be behind some authentication.

Solution For Now:

We are unhappy with this solution, but for now we are simply asking users to authenticate with the network and then open their browser and go to the basic login portal page (non-network authentication) that users use to manually add devices they can't connect with (like printers, gaming devices, etc.). Though this works, it is a pain for users to have to log in, open a browser, manually enter a URL, and log in again.

This isn't a problem that people haven't run into, see here, I just haven't been able to find a solution from anyone that has run into the problem. Certainly there is some way of utilizing JavaScript or something to keep the browser open in this situation. If not, does anyone have any better ideas for managing things?

3 solutions

#1


6  

We have managed to keep the UAM Browser / captive portal browser open on Lollipop by adding firewall rules blocking:

  • clients3.google.com
  • clients1.google.com
  • android.clients.google.com
  • connectivitycheck.android.com
  • connectivitycheck.gstatic.com

Thus after the user is authenticated the UAM / Captive Browser stays open.

You can keep UAM open as long as you need; you can close it by invoking a reverse proxied 204 redirect to Google's connectivity page.

#2


3  

This appears to be new Captive Portal behavior in Android devices since the release of Lollipop (5.0).

We have not yet discovered a workaround. If there is an explicit way to disable the auto-dismissal it is probably only documented in the Android codebase available here (I've been looking, but haven't found anything definitive yet):

https://android.googlesource.com/platform/frameworks/base

FYI, we've also noticed Android uses CloudFront CDN for its captive network detection. Our captive portal solution originally used CloudFront for assets, so we had to whitelist CloudFront subnets in pre-auth ACLs. Whitelisting CloudFront subsequently caused captive network detection to fail on recent Android devices. We had to abandon CloudFront CDN to restore captive portal functionality for Android devices.

#3


0  

Why don't you just hold the captive portal open after authentication? You can always allow access to every site except captive checking sites.

Tested and working on both Android and iOS in all versions. If you need to access cookies/shared storage from the default browser (not the captive iOS/Android sandboxed browser), you gotta hop out of it before authentication.
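
A model of the gateway policy described in answers #1 and #3, as an added example that is not part of the original posts: after login the client is held in a state where only the connectivity-check hosts are blocked, and releasing it lets the probes through so the OS validates the network and closes the portal window. The three state names, the action names and `portal.example.test` are assumptions; the probe hosts are the ones listed in answer #1.

```python
from enum import Enum

# Probe hosts listed in answer #1 on this page.
PROBE_HOSTS = frozenset({
    "clients3.google.com",
    "clients1.google.com",
    "android.clients.google.com",
    "connectivitycheck.android.com",
    "connectivitycheck.gstatic.com",
})

class State(Enum):
    PRE_AUTH = "pre_auth"   # not logged in yet
    HOLD = "hold"           # logged in, portal window kept open
    RELEASED = "released"   # done; let the OS validate the network

def normalize(host):
    """Lower-case, drop a trailing dot and a port so matching is exact."""
    host = host.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if ":" in host else host

def decide(state, host, portal_host="portal.example.test"):
    """Return the gateway action for one client request (hypothetical policy)."""
    h = normalize(host)
    if state is State.PRE_AUTH:
        # Everything except the portal itself is intercepted, probes included,
        # so the device gets a non-204 answer and opens the portal window.
        return "allow" if h == portal_host else "redirect_to_portal"
    if state is State.HOLD and h in PROBE_HOSTS:
        return "block"      # probe keeps failing -> window stays open
    return "allow"          # normal traffic, or probes once RELEASED

def portal_window_open(state):
    """Model of the client: the window closes once any probe gets through."""
    return not any(decide(state, h) == "allow" for h in PROBE_HOSTS)

# Constructed sample requests for one client moving through the three states.
SAMPLE = [
    (State.PRE_AUTH, "connectivitycheck.gstatic.com"),
    (State.HOLD, "Connectivitycheck.Gstatic.com."),
    (State.HOLD, "connectivitycheck.gstatic.com.example.test"),
    (State.HOLD, "mac-manager.example.test"),
    (State.RELEASED, "clients3.google.com:80"),
]

if __name__ == "__main__":
    for state, host in SAMPLE:
        print(f"{state.value:9} {host:45} -> {decide(state, host)}")
```

Matching on the exact normalized host name matters here: a suffix or substring match would also block unrelated names that merely contain a probe host, as the third sample request shows.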
