Articles published by Super Administrator

iOS Wi-Fi icon not lighting up and slow Portal pop-up

Recently, some customers reported that a small number of iOS or OS X devices, when using Portal authentication, hang during authentication, are slow to pop up the Portal page, or never light the Wi-Fi icon; customers of other Wi-Fi vendors have reported the same problem.

After detailed analysis of these problems, the conclusion so far, in brief, is: the Wi-Fi function of recent Apple devices has problems under certain authentication scenarios. Technical investigation found that these problems have nothing to do with the Wi-Fi equipment itself; the cause is delayed packet sending by the Apple server and the Apple device. Our equipment already has a workaround in place, and we contacted Apple's 400 hotline and technical support center immediately, but have not yet received a technical resolution.

The above is the conclusion of the analysis; some readers may still not have a feel for it. If you want to see the detailed analysis process, the content below should satisfy you. Ready?

[Normal process by which iOS lights the Wi-Fi icon]
1. After connecting to Wi-Fi, iOS automatically sends a probe to http://captive.apple.com/hotspot-detect.html
2. It first resolves the domain via DNS, then automatically sends an HTTP/1.0 probe request to http://captive.apple.com/hotspot-detect.html
3. The device receives the Apple server's probe response; if the head of the response is Success, it considers the network reachable, the Wi-Fi icon appears in the status bar, and the process ends.
[Normal process by which iOS automatically pops up the portal]
1. After connecting to Wi-Fi, iOS automatically sends a probe to http://captive.apple.com/hotspot-detect.html
2. It first resolves the domain via DNS, then automatically sends an HTTP/1.0 probe request to http://captive.apple.com/hotspot-detect.html
3. The device receives the probe response; the head of the response is not Success, so the Wi-Fi icon is not lit.
4. The device automatically opens a page, and from that page requests http://captive.apple.com/hotspot-detect.html once more, this time using HTTP/1.1.
5. At this point our controller, using the Apple server's IP, replies to the device with a 302 Moved redirect to http://auth.wifi.com
6. The device then enters the portal page and authentication flow, the Wi-Fi icon lights up, and the process ends.
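As an added example (not code from the original article or from the vendor's controller), here is a minimal Python model of the controller-side decisions in steps 3 and 5 above: an HTTP/1.0 probe from an unauthenticated client gets a 200 whose body is not "Success", while the HTTP/1.1 request that follows (or any manual page visit) gets a 302 to the portal. The function names, the constructed requests and the way authenticated traffic is represented are assumptions.

```python
from typing import Dict, Tuple

APPLE_PROBE_HOST = "captive.apple.com"
APPLE_PROBE_PATH = "/hotspot-detect.html"
AUTH_URL = "http://auth.wifi.com"  # portal address used in the article

# Body that Apple's real server returns; the device checks for "Success".
SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def handle_request(raw: str, authenticated: bool) -> Tuple[int, Dict[str, str], str]:
    """Decide what the gateway answers, following the article's steps.

    Unauthenticated HTTP/1.0 probe (step 3): 200 whose body is not
    "Success", so the icon stays off and the device opens its login sheet.
    Unauthenticated HTTP/1.1 request from that sheet, or any manual page
    visit (step 5 and the workaround): 302 to the portal.
    Authenticated client: traffic passes through to Apple; modelled here
    by returning Apple's own Success body (assumption).
    """
    _method, path, version, headers = parse_request(raw)
    is_probe = headers.get("host") == APPLE_PROBE_HOST and path == APPLE_PROBE_PATH
    html = {"Content-Type": "text/html"}
    if authenticated:
        return 200, html, SUCCESS_BODY
    if is_probe and version == "HTTP/1.0":
        return 200, html, "<HTML><BODY>Portal login required</BODY></HTML>"
    return 302, {"Location": AUTH_URL}, ""


# Constructed requests mirroring the two probes described above.
PROBE_HTTP10 = ("GET /hotspot-detect.html HTTP/1.0\r\n"
                "Host: captive.apple.com\r\n\r\n")
PROBE_HTTP11 = ("GET /hotspot-detect.html HTTP/1.1\r\n"
                "Host: captive.apple.com\r\n\r\n")
MANUAL_VISIT = "GET /news HTTP/1.1\r\nHost: news.baidu.com\r\n\r\n"
```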

[Cause of the Wi-Fi icon not lighting and the slow portal pop-up on some iOS devices]
In the cases seen so far of Apple devices whose Wi-Fi icon does not light up or whose portal page pops up slowly, packet captures from the affected device show that after reaching step 3 of the normal flow it does not go on to the next step, sending the HTTP/1.1 GET (nor does it send any other packets, apart from the ARP packets it uses to probe for gateway spoofing); only after tens of seconds or several minutes does it continue with the rest of the flow.
In the packet capture screenshot of the affected device above, after receiving the HTTP/1.0 200 OK packet at 19:26:03 the device waited until 19:26:47 before sending the HTTP/1.1 GET and continuing the rest of the flow.
During those 44 s the Wi-Fi icon is not lit and the portal page does not pop up, which produces the unlit Wi-Fi icon, the slow portal pop-up, and the customer's impression that Wi-Fi cannot connect.
Captures from affected devices in several regions all show the device itself ceasing to send packets (apart from the gateway-spoofing ARP probes), so it cannot be redirected; this is unrelated to the Wi-Fi equipment.
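As an added example, not from the original article: a small Python routine that finds the stall described above in a capture timeline and checks whether the only client traffic during the gap was ARP, which is the signature the article attributes to the device itself rather than the Wi-Fi equipment. The capture lines are constructed to mirror the 19:26:03 / 19:26:47 timings; the line format, the function names and the placeholder gateway address are assumptions.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Row = Tuple[datetime, str, str, str]  # (time, direction, proto, summary)

# Constructed capture summary mirroring the article's timeline; "c>s" is
# client to network, "s>c" network to client. 192.0.2.1 is a placeholder gateway.
CAPTURE = """\
19:26:02 c>s DNS  query captive.apple.com
19:26:02 s>c DNS  response captive.apple.com
19:26:03 c>s HTTP GET /hotspot-detect.html HTTP/1.0
19:26:03 s>c HTTP HTTP/1.0 200 OK
19:26:10 c>s ARP  who-has 192.0.2.1
19:26:30 c>s ARP  who-has 192.0.2.1
19:26:47 c>s HTTP GET /hotspot-detect.html HTTP/1.1
19:26:47 s>c HTTP HTTP/1.1 302 Moved Temporarily
"""


def parse_capture(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        ts, direction, proto, summary = line.split(maxsplit=3)
        rows.append((datetime.strptime(ts, "%H:%M:%S"), direction, proto, summary))
    return rows


def find_client_stall(rows: List[Row], threshold_s: float = 5.0) -> Optional[Dict]:
    """Measure the gap between the HTTP/1.0 200 OK and the client's HTTP/1.1 GET.

    Returns None when the client continued within threshold_s. Otherwise
    returns the gap length and whether the client sent nothing but ARP in
    between, i.e. the device-side stall the article describes.
    """
    start = next((i for i, r in enumerate(rows)
                  if r[1] == "s>c" and r[3].startswith("HTTP/1.0 200")), None)
    if start is None:
        return None
    for j in range(start + 1, len(rows)):
        ts, direction, proto, summary = rows[j]
        if direction == "c>s" and proto == "HTTP" and summary.endswith("HTTP/1.1"):
            gap = (ts - rows[start][0]).total_seconds()
            if gap <= threshold_s:
                return None
            client_pkts = [r for r in rows[start + 1:j] if r[1] == "c>s"]
            return {"gap_s": gap,
                    "only_arp": all(r[2] == "ARP" for r in client_pkts),
                    "client_packets_in_gap": len(client_pkts)}
    return None
```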

[Workaround]
Since the device itself stops sending packets, there is nothing more the wireless side can do to make it continue. When this happens, our wireless equipment currently works around it by ticking "iOS does not automatically pop up the portal page" on the SSID, so that the user opens a web page manually. Alternatively, a different authentication method can be set up temporarily.
With automatic portal pop-up disabled, the flow when the user opens a browser manually to get the portal page is as follows:
The user opens a browser and visits any web page (the capture below shows a visit to Baidu News). When the device GETs Baidu News, the controller replies, using the Baidu News IP, with a 302 Moved Temporarily redirect to http://auth.wifi.com; the portal page pops up and authentication proceeds.
This article covers only the slow Portal pop-up problem; for the other problems you are welcome to discuss with our technical staff later.

Configuring nodogsplash on OpenWRT and limiting user upload and download speed

1) Configure nodogsplash

opkg update
opkg install nodogsplash

---------------- Open /etc/config/wireless and add -----------
config wifi-iface
    # if you have no USB wireless card, change this to radio0
    option device 'radio1'
    option ifname 'ath1'
    option mode 'ap'
    option ssid 'AIR-FOR-YOU'
    option encryption 'none'
    option network 'lan1'

config wifi-iface
    # a virtual AP on the built-in wireless
    option device 'radio0'
    option ifname 'ath6'
    option mode 'ap'
    option ssid 'AIR-4-YOU'
    option encryption 'none'
    option network 'lan1'

------------------ Open /etc/config/dhcp and add --------
config dhcp lan1
    option interface lan1
    option start 10
    option limit 150
    option leasetime 12h

------------------ Open /etc/config/network and add --------
config interface 'lan1'
    option proto 'static'
    option macaddr '00:1B:24:1c:BF:B7'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option _orig_ifname 'ath1'
    option type 'bridge'

----------- /etc/nodogsplash/nodogsplash.conf --------------

Change GatewayInterface br-lan to GatewayInterface br-lan1

ClientForceTimeout 360 is the time after which authentication expires; I give them one minute, i.e. ClientForceTimeout 1, and after one minute they are sent back to the login page.
RedirectURL is the address users are forcibly redirected to after logging in.


Add to startup:
/etc/init.d/nodogsplash start
Reboot, connect to the SSID, open any web page, and see the result.
The custom web login directory is /etc/nodogsplash/htdocs
The page is very simple too: put a link a href="$authtarget" anywhere in your page and clicking it logs the user in.
Later, if you have spare wireless cards, as long as the system recognizes them, bridge their SSIDs onto the lan1 interface and they will extend your hotspot.

2) Rate-limit web users

Enable TrafficControl in nodogsplash.conf and adjust downloadlimit and uploadlimit.

This article was compiled and edited by http://www.wifidog.pro/2015/05/06/OpenWRT-%E9%85%8D%E7%BD%AEnodogsplash%E5%92%8C%E9%99%90%E5%88%B6%E7%94%A8%E6%88%B7%E4%B8%8A%E4%BC%A0%E5%92%8C%E4%B8%8B%E8%BD%BD%E9%80%9F%E5%BA%A6.html; please credit the source when reprinting.

WiFiDog Project History

Wifidog was designed as a replacement to existing captive portal solutions which we felt didn't fit the needs of next generation community groups. Specifically, we wanted both personalized and community wide content for each hotspot, no pop ups, no client software and centralized management. Mainly as a replacement for portals currently using NoCat. A lot of other vendors use WiFiDog (especially the client) as a base for their solutions.
Wifidog’s Features
Main Features

Captive portal which lets hotspot owners communicate with their users (through the Content Distribution System).
Wifidog gateway was designed for and runs on GNU/Linux servers and embedded Linux devices, e.g. Linksys WRT54G with OpenWRT. For a current list of supported devices and installation instructions, please see the supported devices page.
Multilingual support (through browser detection and user selection) with the ability to add more languages using a .po editor (please see Language Translation for more details). Currently implemented languages are:
    English
    French
    German
    Spanish
    Italian
    Greek
    Portuguese (also Brazilian)
    Swedish
    Bulgarian
    Japanese
    Catalan 
Maintain the client (hotspot users) connection by checking network activity through a ping command, instead of a javascript window (like used in NoCat). This allows PDAs and cellphones and other devices without javascript support to connect.
Support for differing types of hotspots:
    Splash Only mode: Users are redirected to the portal, but do not have to login in order to use services
    Normal Mode: Users are unique and must have a valid email address in order to open an account. 
Users are able to create a working account directly from any hotspot. New users sign on from any hotspot, create their account and are granted access for 15 minutes to confirm an email. If they don't, they are disconnected and have to sign up again.
Hotspot/node monitoring by two-way heartbeating, so the central server always knows which hotspots/nodes are up, regardless of dynamic DNS, firewalls, etc.
Reports and Statistics including:
    10 highest bandwidth consumers
    10 most frequent users
    10 most mobile users
    Anonymised SQL data export (for academic research)
    Breakdown of how many users actually use the network
    Connection log
    Content display and click through report
    Graph on network use (per hour, weekday and month)
    Individual user report, most popular nodes (by visit)
    Network status information
    Node status information
    Registration log
    User registration report 
Automatic node creation (if the person creating the node has the relevant permissions and the feature is enabled). 

Please see the Road Map for new features currently in development.
Most awaited features are:

User classes
Bandwidth limiting per class
Bandwidth limiting per router
Port blocking per class
Apply policies based on time of day 

Auth server (Current)

Node-specific content features. Wifidog-auth has a very cool local content architecture.
    RSS feed support (optional, with magpierss), one feed per node (url stored in the database, works great, but no gui to edit it yet) and one network-wide RSS feed. 
Configuration and integration
    No need to set any path in the web server config files
    All paths are editable from the config file
    Quick setup: the network name, url, default RSS, and similar data are set from the config file, and will be displayed as needed throughout the system.
    Can import all users and passwords from a NoCat password file.
Development
    Demo page to let people hack on it more easily
    Database abstraction layer with very nice debugging features (just append true at the end of the call and you'll see the query, the results, the query plan, and the number of affected rows. Porting to another database only requires porting one file. Currently uses Postgres.) 
User management (end user)
    Users can create and activate accounts without admin intervention. The user will be granted a 15 minute grace period after signing up in order to retrieve and validate his email.
    Users can request that the server re-send the validation email
    Users can change their passwords
    Users who forget their username can have it mailed to them.
    Users who lose their password can ask the system to generate a new one and mail it to them.
    Email must be valid but isn't displayed in order to preserve user privacy.
    Users can login using either email or username
    Enforces (politely) that duplicate email addresses are not allowed in the database 
Logging and monitoring
    MAC address logging (in case it is a legal requirement in your country)
    Sends the original url before redirecting to the central server in order to allow linking on the portal page
    Multi-language support
    Script and sql execution time breakdown. Already implemented, just needs to be packaged to be usable by the templates. 
Reports and Statistics 

Gateway (Current)

Supports using backup auth servers if the primary one doesn't respond.
Runtime query interface
One rule to jump in, one to jump out rejects, one to jump out accepts
Detects the IP address of a network interface automatically, instead of specifying it separately in the configuration file. 

Sourceforge
You can also take a look at Sourceforge Feature Requests page or add your own new requests.

This article was compiled and edited by http://www.wifidog.pro/2014/12/08/5.html; please credit the source when reprinting.