Windows Firewall and captive portal addresses

Thomas Gusset 36 Reputation points
2021-04-19T13:53:58.12+00:00

Hi
when you create a new rule you can use 'predefined set of computers' for remote IP address.
There is one set called 'captive portal addresses' (in management console) or 'CaptivePortal' (in Powershell).
It would be very helpful to use CaptivePortal in a rule that allows access to captive portals for WiFi authentication.
I couldn't find any information about this.
Does anybody know how Windows 10 detects the IP address of a captive portal?
When I create such a rule and set RemoteAddress = CaptivePortal to rule has a primaryStatus = Inactive

PrimaryStatus         : Inactive
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : {ProfileInactive, NoRemoteAddress, NoRemoteAddress, NoRemoteAddress}

Thomas

Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,362 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Sunny Qi 11,046 Reputation points Microsoft Vendor
    2021-04-20T06:17:57.24+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Please refer to the captive portal authentication process described in the following link:

    https://www.arubanetworks.com/vrd/GuestAccessAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

    Captive portal is a Layer 3 authentication, which requires that the devices connect to the network and obtain an IP address and related DNS information before authenticating through the captive portal. The following steps explain the entire captive portal process:

    1.The device that is associating to the guest SSID is assigned an initial role (guest-logon role in the example configuration). This initial role allows DHCP, so the user gets an IP address.

    2.The user opens a browser and makes an HTTP (or HTTPS) request to some destination (for example, www.bbc.com).

    3.The resolver in the device sends a DNS request to resolve the www.bbc.com. The initial role (guest-logon role) permits DNS services, so the resolver can communicate with the DNS server.

    4.The DNS server replies with the correct address to www.bbc.com.

    5.The resolver tells the browser which IP address to use based on the DNS reply.

    6.The browser initiates a TCP connection to port 80 of the www.bbc.com address.

    7.The controller intercepts the connection and spoofs the initial TCP handshakes of the HTTP process. At this moment, the client browser thinks it is communicating with the bbc.com server.

    8.When the browser sends the HTTP GET request for the web page, the controller replies saying that bbc.com has “temporarily moved” to <https://securelogin.arubanetworks.com/[string that identifies client]>.

    9.The browser closes the connection.

    10.The browser attempts to connect with <https://securelogin.arubanetworks.com/[string that identifies client]>, but it first needs to send a DNS request for the address.

    11.The actual DNS server responds that it cannot resolve
    <https://securelogin.arubanetworks.com>, but the controller intercepts that reply and changes the packet to say that securelogin.arubanetworks.com is at the IP address of the controller itself. Remember that it is critical that the DNS server sends back a reply to the query. It is only then that the controller can spoof the reply back from the DNS server. Sending a DNS request without receiving a reply is not sufficient, since without a reply the controller will never help the client resolve securelogin.arubanetworks.com.

    12.The browser initiates an HTTPS connection to address of controller, which responds with the captive portal login page, where the guest authenticates.

    13.After successful authentication, the user is assigned the post authentication role (auth-guest role in the example configuration). This is the default role in the captive portal profile.

    14.After authentication, the browser is redirected to bbc.com at the address originally resolved by the DNS. Alternatively, if a welcome page is configured, the browser is redirected to the welcome page.

    15.To successfully redirect to the original web page the controller spoofs a reply from bbc.com to tell the client that bbc.com has “permanently moved” to bbc.com. This step corrects the “temporary relocation” that occurred as part of the captive portal login.

    16.This causes the client to re-query DNS for the address of www.bbc.com.

    17.The browser starts to communicate with the actual bbc.com server.

    For more details regarding of captive portal, please refer to the following article and similar thread:

    Captive portals

    How do captive portal network connections work?
    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Sunny


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Thomas Gusset 36 Reputation points
    2021-05-06T13:30:43.907+00:00

    Hi Sunny
    thanks a lot for your answer and the description, how captive portals work.
    But my question is about Windows Firewall Rules to allow access to captive portals.
    We built a secure client that connects to the company network with Always On VPN as soon the computer has Internet connection.
    All traffic will be routed trough the VPN tunnel.
    Therefore we configured the Windows Firewall to block all direct connections to the Internet (exceptions: DHCP, DNS, VPN gateway).
    When using a public WLAN to access Internet often authentication on a captive portal is necessary. But access to the captive portal is blocked by the firewall (as descripted above).
    What we need is a firewall rule that allows outbound HTTP/HTTPS to the captive portal. Because the captive portal can be on any IP address we cannot use a static IP as remote address.
    And this is where the dynamic address 'CaptivePortal' comes into play. One would expect this address to reflect that of the captive portal.
    But that does not seem to be the case. The question now is where the problem might lie.

    Best Regards
    Thomas

    0 comments No comments

  3. Brian Moss 1 Reputation point
    2021-09-09T21:16:38.897+00:00

    @Sunny Qi and @Thomas Gusset

    We have a Unified Support case for the same issue. This is the response:

    The way captive portals work within Windows:

    1. The Windows client performs the DNS query for the name www.msftconnecttest.com
    2. We expect to get a response back of 13.107.4.52
    3. The Windows client then performs a HTTP GET request for connecttext.txt at the webserver www.msftconnecttest.com
    4. The captive portal provides a redirect to this request, upon redirect, the IP address of the redirection is that of the captive portal.

    But there is a bug in Windows and the rule is written with the incorrect byte order.

    So unfortunately this doesnt work


  4. Aaron Smith 0 Reputation points
    2024-03-04T16:05:08.14+00:00

    Random question onto the back of this topic, were looking to play with this feature, but i cant seem to set this as a Group Policy configured setting, its not in the GUI when editing on a Server 2022 server with the latest windows 10 ADMX files imported.

    Anyone else centrally deployed this via policy.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.