[placatedmayhem]

Every time I have to interact with a "captive portal", I'm annoyed at the hack implemented through DNS hijacking, rather than implementing and extending 802.1X and/or another layer-2 authentication scheme. The idea seems to have been tossed aside entirely. Instead, every device has to have a web browser. There's not even a way to do surrogate registration for devices that don't have browsers, with Apple TV and Nintendo Switch at launch (added later) being prime examples. IoT and headless gear is also a pain. On trips, I end up bringing my own travel router and using my laptop to auth it by proxy, but it's another thing to remember to bring.

[sandworm101]

I have a work laptop (government) that hates captive portals. It has a security system that won't let it connect using the local DNS. So it doesn't get captured. Those of us with such laptops all have tricks for getting to a hotel's wifi login page using IP addresses. But we have to do it fast, before the security software fully wakes up and blocks the hack.

We used to just login on our phones, then tether the work laptop to the phone over USB. The security people caught up to that a couple years ago and disabled USB tethering. So now I alter my laptop's MAC to be the same as that from the work laptop. That tricks about 90% of hotel wifi into allowing the work laptop to connect without need of a splash page. But for the other 10%...

(Not a joke, I do this) I sometimes login to the hotel wifi on my personal phone, tether that phone to my personal laptop, then setup that laptop as a router. The work computer can then connect to the wifi from the personal laptop, which tethers into the phone, which is on the hotel wifi. All of this just avoid another ridiculous wifi login page.

[hkchad]

Why not just get a travel router and be done with all the “hacks”. They are so small these days they take up very little space. With mine I get connected to hotel WiFi then all my family devices just connect to it, just like they are at home. I even tunnel all hectic traffic back home though a Tailscale exit node.

[throw0101b]

> I have a work laptop (government) that hates captive portals. It has a security system that won't let it connect using the local DNS.

Does the OS not pay attention to DHCP option 114:

    This document describes a DHCP option (and a Router Advertisement
    (RA) extension) to inform clients that they are behind some sort of
    captive-portal device and that they will need to authenticate to get
    Internet access.  It is not a full solution to address all of the
    issues that clients may have with captive portals; it is designed to
    be used in larger solutions.  The method of authenticating to and
    interacting with the captive portal is out of scope for this
    document.

* https://datatracker.ietf.org/doc/html/rfc8910

* https://developer.apple.com/news/?id=q78sq5rv

[sandworm101]

It is more layered than that. The work machine initiates a VPN automatically at login. Once that VPN is up, all traffic goes through the VPN, including DNS. It will actively ignore/block anything that isn't coming from the VPN. So we do tricks to get to the hotel splash page before the VPN software wakes up. These are corporately-managed windows machines. The boot/login process isn't exactly quick.

[jemmyw]

Why do you try to solve the problem at all? Wouldn't it be better to say "sorry I can't do any work from this location because of our IT policy" and let your organisation sort it out if they need you to work from a hotel?

[thaumasiotes]

> I sometimes login to the hotel wifi on my personal phone, tether that phone to my personal laptop, then setup that laptop as a router. The work computer can then connect to the wifi from the personal laptop

Why go through a laptop? Isn't this exactly what generating a hotspot from the phone does?

[nunez]

This was the reason why I bought a travel router/wifi repeater. You connect your corp laptop to the travel router then use your phone to log into the hotspot. Hotels are now using Meraki Air Marshal to block them on 2.4Ghz networks though

[yodon]

I wasn't familiar with Air Marshall. I understand it complicates your work-around, but I'd probably pay extra to stay in a hotel that cared enough about security to deploy it

[nunez]

No, i think it's a great feature. Definitely increases security. I don't believe it works on 5GHz networks though.

[breakingcups]

I've been reading up on it. Seems like it sends spoofed de-Auth packets to AP's it deems "rogue". That sounds highly illegal.

[mdorazio]

Does the laptop also prevent wireless tethering to your phone? Turning your phone into a hotspot is pretty trivial, at least on iOS. I often have to do it due to similarly arcane security configuration settings on my work laptop.

[sandworm101]

Yes, but unless you have a phone with two wifi connections then you will have to use your cellphone's data plan rather than the hotel wifi. When traveling, doing a teleconference or having your work laptop perform a windows update over your cellphone data connection isn't cheap. We used to just tether to our work phones, but they locked that down after seeing the international roaming bills.

[mendelmaleh]

Connecting to wifi and enableing the hotspot at the same time works on my phone (pixel 5), it probably just uses different bands. It's pretty useful to avoid typing passwords twice.

[pests]

Android on certain phones can hotspot a WiFi connection both over wireless and USB.

[fragmede]

I don't know if it's more or less ridiculous, but I bring a small travel router running OpenWrt to do said bridging so I don't need to have my laptop running so I can use my Chromecast on the hotel TV.

[chimeracoder]

> Nintendo Switch at launch (added later)

The Nintendo Switch actually had a browser either at launch or close to it, then removed it in an update, and didn't add it back until about 3 years later.

It's really hilarious that a device that touted its portability from the beginning was literally incompatible with most public Wi-Fi for years.

[throw0101b]

> Every time I have to interact with a "captive portal", I'm annoyed at the hack implemented through DNS hijacking, rather than implementing and extending 802.1X and/or another layer-2 authentication scheme. The idea seems to have been tossed aside entirely.

It has not: it's simply easier (less infrastructure) to not implement 802.1X.

Basically every corporate / enterprise-y password where you use your AD/LDAP credentials to log into Wifi has gone through the effort. Not everyone wants (or needs) to do that. (Source: recently implement 802.1X as IT when we moved to a new work office.)

[spr-alex]

neverssl.com