Cloning a MAC address to bypass a captive portal

If you ever attach to a WiFi system outside your home or office, you often see a portal page. This page may ask you to accept terms of service or some other agreement to get access. But what happens when you can’t connect through this kind of portal? This article shows you how to use NetworkManager on Fedora to deal with some failure cases so you can still access the internet.

How captive portals work

Captive portals are web pages offered when a new device is connected to a network. When the user first accesses the Internet, the portal captures all web page requests and redirects them to a single portal page.

The page then asks the user to take some action, typically agreeing to a usage policy. Once the user agrees, they may authenticate to a RADIUS or other type of authentication system. In simple terms, the captive portal registers and authorizes a device based on the device’s MAC address and end user acceptance of terms. (The MAC address is a hardware-based value attached to any network interface, like a WiFi chip or card.)

Sometimes a device doesn’t load the captive portal to authenticate and authorize the device to use the location’s WiFi access. Examples of this situation include mobile devices and gaming consoles (Switch, PlayStation, etc.). They usually won’t launch a captive portal page when connecting to the Internet. You may see this situation when connecting to hotel or public WiFi access points.

You can use NetworkManager on Fedora to resolve these issues, though. Fedora will let you temporarily clone the connecting device’s MAC address and authenticate to the captive portal on the device’s behalf. You’ll need the MAC address of the device you want to connect. Typically this is printed somewhere on the device and labeled. It’s a six-byte hexadecimal value, so it might look like 4A:1A:4C:B0:38:1F. You can also usually find it through the device’s built-in menus.

Cloning with NetworkManager

First, open nm-connection-editor, or open the WiFi settings via the Settings applet. You can then use NetworkManager to clone as follows:

  • For Ethernet – Select the connected Ethernet connection. Then select the Ethernet tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.
  • For WiFi – Select the WiFi profile name. Then select the WiFi tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.

Bringing up the desired device

Once the Fedora system connects with the Ethernet or WiFi profile, the cloned MAC address is used to request an IP address, and the captive portal loads. Enter the credentials needed and/or select the user agreement. The MAC address will then get authorized.

Now, disconnect the WiFi or Ethernet profile, and change the Fedora system’s MAC address back to its original value. Then boot up the console or other device. The device should now be able to access the Internet, because its network interface has been authorized via your Fedora system.
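
The same clone-and-restore steps from the command line, as an added example that is not part of the original article. The profile name and MAC address are whatever you pass in; the script rejects a mistyped or multicast address before touching the profile and prints the previous setting so it can be put back.

```bash
#!/bin/sh
# Added example (not from the article): the Cloned MAC address steps via nmcli.
# PROFILE is your own NetworkManager profile name; MAC is the console's address.

# Accept only six colon-separated hex octets that form a unicast address.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    case "$1" in
        ?[13579BbDdFf]:*) return 1 ;;  # odd first octet = multicast, never a device MAC
    esac
    return 0
}

# Map a profile's connection.type to the setting behind the GUI field.
clone_property() {
    case "$1" in
        802-11-wireless) echo "802-11-wireless.cloned-mac-address" ;;
        802-3-ethernet)  echo "802-3-ethernet.cloned-mac-address" ;;
        *) return 1 ;;
    esac
}

# clone_mac PROFILE MAC: print the previous setting, then apply MAC and reconnect.
clone_mac() {
    local profile="$1" mac="$2" ctype prop
    is_valid_mac "$mac" || { echo "not a unicast MAC: $mac" >&2; return 2; }
    ctype=$(nmcli -e no -g connection.type connection show "$profile") || return 1
    prop=$(clone_property "$ctype") || { echo "unsupported type: $ctype" >&2; return 2; }
    nmcli -e no -g "$prop" connection show "$profile"   # note this value for restore
    nmcli connection modify "$profile" "$prop" "$mac" &&
        nmcli connection up "$profile"
}

# restore_mac PROFILE [PREVIOUS]: disconnect first, then put the old setting back.
# An empty PREVIOUS clears the field, which returns the profile to its default.
restore_mac() {
    local profile="$1" previous="${2:-}" ctype prop
    ctype=$(nmcli -e no -g connection.type connection show "$profile") || return 1
    prop=$(clone_property "$ctype") || return 2
    nmcli connection down "$profile"
    nmcli connection modify "$profile" "$prop" "$previous"
}

case "${1:-}" in
    clone)   clone_mac "$2" "$3" ;;
    restore) restore_mac "$2" "${3:-}" ;;
esac
```

Run the `restore` step before powering on the console, so the two machines never present the same MAC address on the network at the same time.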

This isn’t all that NetworkManager can do, though. For instance, check out this article on randomizing your system’s hardware address for better privacy.


10 Comments

  1. James

    Good article, but can you please edit it to say that you absolutely must change the Fedora system’s MAC address back before you put the cloned system and the Fedora system on the same network? Ethernet (including Wi-Fi) really doesn’t like duplicate MACs on the same network.

    • Good point — the article’s been edited to add the need to note down current MAC address, and restore it after authorization.

    • Michael Williamson

      I think, if your traffic is 100% UDP, then it doesn’t/cannot care, provided it’s going through the same radio. This might open up some possibilities getting a headless Pi on a hotel network if combined with a UDP VPN.

  2. Heavy

    It’s a very good article, but I have a question. Is there some way to build a captive portal in an open wireless network on Fedora?

    • You can try and do something with Unbound DNS or dnsmasq. There are also several open source captive portal options available.

    • Joao Rodrigues

      You could roll your own solution (see CoovaChilli) but probably the easiest way is to use a firewall-centric distribution, like IPFire or OpnSense.

  3. puffy

    And no playing with aircrack-ng on public Wifi networks.

  4. Mark

    Also, another workaround might be to open a browser and manually enter the IP address of the gateway into the URL, i.e. http://xxx.xxx.xxx.xxx and force the device to open the captive portal page that way.

    This has worked for me most times when my Linux laptop or iOS devices wouldn’t pull up the portal page automatically.

    • For a Linux laptop or iOS device that could work. This article addresses the issue when a device will not load the captive portal. Devices like the Switch, PS4, and other gaming consoles do not always load the portal page and need a little help. A Fedora system can provide that help.

  5. Vernon Van Steenkist

    If your device can’t load a portal web page it probably shouldn’t be directly connected to a portal in the first place due to security reasons. What you need is a travel router. Flash OpenWrt Linux on the travel router, set up the travel router WiFi as AP+STA (WiFi Access Point and Wi-Fi client). Connect the travel router WiFi to the portal, connect a device with a web browser (phone, laptop etc.) via WiFi to the travel router and authenticate to the portal. Now you can connect any device to the travel router and it will have Internet access and be protected by the travel router’s firewall since the portal only sees the travel router MAC address. You can add OpenVPN to the travel router and give all your devices VPN access as well. The device I use is the HooToo TM03 which fits in the palm of your hand, has an Ethernet port, and contains a battery which will either charge your phone or power the router for 15 hours. Zsun makes the smallest one. It fits on your key chain. The main drawbacks are that it doesn’t have a battery (You plug it in to any USB A port for power) and it is so small I lost it somewhere in my house.
