Android phones unable to access web captive portal (DHCP issue?)

  • 4
  • Question
  • Updated 12 months ago
I have started receiveing recently complains from few Android users who access the wireless guest network. After investigating the problem I have discovered that IP addresses showing in hivemanager are different than the ones from the DHCP IP pool. One of the access point (AP121) is the DHCP server which gives IP addresses on VLAN20 between 10.10.10.60 and 10.10.11.254 (mask 255.255.254.0). Hivemanager reports IP addresses for problematic clients as 10.145.x.x, 10.66.x.x, 10.67.x.x, etc. When I look at the phone itself it reports different IP address from 10.10.10.x/23 range and I am able to ping gateway fine. The problem on theses phones is that they do not get web captive portal and therefore no Internet access. I have used this system foe about 6 months and it was only reported by users recently.
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like

Posted 4 years ago

  • 4
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The IPv4 address shown in HiveManager is not necessarily 'accurate' (depending on your perspective) as HiveOS does not currently treat the DHCP acquired address as being authoritative over any static or self-assigned addresses a client may be also be using.

We have seen issues with Android phones where HiveOS, and therefore HiveManager, report an IPv4 address in the 10.0.0.0/8 range for the client. This happens because the device is also using that 10.0.0/8 address and, in certain circumstances, it overwrites the DHCP acquired address that HiveOS considers that client to have.

A fix for this is apparently coming in a future HiveOS release, hopefully before the end of the year.

It should not, however, affect network access in any way. As far as I am aware, the issue only impacts upon reporting and any logging that occurs. The Android device will still browse from the DHCP acquired address.

I suspect that the issue your Android phones are experiencing is an unrelated, incidental one therefore. Please can you explain the troubleshooting steps you have gone though and your setup in more detail?
(Edited)
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like

You're probably right that the IP address shown in hivemanager is just the way the information is displayed because when I physically check the IP address on the phone it is correct and I can ping the gateway.

This problem is difficult to troubleshoot because it only happens on few android devices. I have got Nexus 4 and never experience it and my colleague who sits opposite me (Nexus 5) has had issues most of last week and also today.

This must be related to web captive portal because when he gets message that he needs to sign in, Chrome browser opens and redirects him to web captive portal. 6 out of 10 times he is redirected to captive web portal fine (2 times the browser hangs on loading the page and CPU on the phone goes through the roof) and when he types in the registration details and click on Register he gets 404 error and he is not authenticated and therefore unable to browse the internet.

The setup is quite simple. open SSID on VLAN 20 with self-registration web captive portal. I use one AP as the DHCP server for IP address distribution for clients. The IP address lease time is 12 hours.

I have checked DHCP allocation and all looks good, the signal strength is good to the client and I have also checked if changing the band from 2.4GHz to 5GHz makes any difference but it doesn't. Ping from the client is OK as well. I have cleared the cache for the client who has the problem. My next step will be to reboot AP so I'll let you know if that makes any difference.


Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Is the version of HiveOS that you are using up-to-date? (Currently 6.2r1 is the latest.)

There are certainly CWP issues with Apple devices on the older releases.
(Edited)
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like
Yes, I am running the latest version.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
There are CWP issues with certain devices and Web domains because of increasing HTTPS, certificate pinning and HSTS usage.

HTTPS is inherently incompatible with a CWP in a Web browser. (It is one of the many reasons that I never deploy them...)

The issue is sidestepped where there is out-of-band CWP detection by an OS, but it does mean they are very unreliable.

Are you sure that the issue is not related to this somehow?
(Edited)
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like
I can't see it to be related to that because the phone was connecting fine to the guest network for the previous 4 months and only started having issues recently. There were only two things I have done within 4 weeks - update the firmware to 6.2r1 and install the bash vulnerability fix.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Unless somebody else has a bright idea, I think we will need more data to troubleshoot this. Things like a client monitor log of an affected session and a packet capture from another associated device in promiscuous mode.
(Edited)
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like

That is what I am getting from the client monitoring log:


       Time        Client MAC Addr     BSSID     Device Name   Level   Description

==================================================================================

10/20/2014 12:43:30 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (165)Rx auth <open> (frame 1, rssi 49dB)
10/20/2014 12:43:30 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (166)Tx auth <open> (frame 2, status 0, pwr 10dBm)
10/20/2014 12:43:30 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (167)Rx assoc req (rssi 49dB)
10/20/2014 12:43:30 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (168)Tx assoc resp <accept> (status 0, pwr 10dBm)
10/20/2014 12:43:30 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (169)Open auth is starting (at if=wifi1.4)
10/20/2014 12:43:30 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (170)Authentication is successfully finished (at if=wifi1.4)
10/20/2014 12:43:31 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (171)station sent out DHCP REQUEST message
10/20/2014 12:43:31 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (172)DHCP server sent out DHCP ACKNOWLEDGE message to station
10/20/2014 12:43:31 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (173)DHCP session completed for station
10/20/2014 12:43:31 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (174)IP 10.10.10.134 assigned for station
10/20/2014 12:43:37 PM  C4438FF6708B  4018B1F59095  121ap-b25-1a  BASIC   (692)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
10/20/2014 12:45:09 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (398)Sta(at if=wifi1.4) is de-authenticated because of notification of driver
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (488)Rx auth <open> (frame 1, rssi 47dB)
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (489)Tx auth <open> (frame 2, status 0, pwr 10dBm)
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (490)Rx assoc req (rssi 48dB)
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (491)Tx assoc resp <accept> (status 0, pwr 10dBm)
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (492)Open auth is starting (at if=wifi1.4)
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (493)Authentication is successfully finished (at if=wifi1.4)
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (494)station sent out DHCP REQUEST message
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (495)DHCP server sent out DHCP ACKNOWLEDGE message to station
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (496)DHCP session completed for station
10/20/2014 12:45:16 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (497)IP 10.10.10.134 assigned for station
10/20/2014 12:45:17 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  INFO    (576)IP 10.67.246.66 detected in ARP packets for station
10/20/2014 12:45:17 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (577)ARP packets detected from/to station, IP 10.67.246.66 assigned for station
10/20/2014 12:45:17 PM  C4438FF6708B  0019779D62AB  120ap-ITTest  BASIC   (578)IP 10.67.246.66 assigned for station

Photo of Matt Cramer

Matt Cramer

  • 4 Posts
  • 0 Reply Likes
I am seeing the same thing here with one guest client. Sony C6902 running Android 4.4.4

CWP loads but throws a 404 - Not Found error after "Accept."

Client monitor:
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (256)Rx auth <open> (frame 1, rssi 9dB)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (257)Tx auth <open> (frame 2, status 0, pwr 10dBm)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (258)Rx assoc req (rssi 20dB)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (259)Tx assoc resp <accept> (status 0, pwr 10dBm)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (260)WPA-PSK auth is starting (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (261)Sending 1/4 msg of 4-Way Handshake (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (262)Received 2/4 msg of 4-Way Handshake (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (263)Sending 3/4 msg of 4-Way Handshake (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (264)Received 4/4 msg of 4-Way Handshake (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (265)PTK is set (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (266)Authentication is successfully finished (at if=wifi0.2)
11/03/2014 01:05:48 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (267)station sent out DHCP REQUEST message
11/03/2014 01:05:49 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (268)DHCP server sent out DHCP OFFER message to station
11/03/2014 01:05:49 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (269)station sent out DHCP REQUEST message
11/03/2014 01:05:49 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (270)DHCP server sent out DHCP ACKNOWLEDGE message to station
11/03/2014 01:05:49 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (271)DHCP session completed for station
11/03/2014 01:05:49 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (272)IP 1.1.2.4 assigned for station
11/03/2014 01:05:55 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (273)station sent out DHCP REQUEST message
11/03/2014 01:05:55 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (274)DHCP server sent out DHCP ACKNOWLEDGE message to station
11/03/2014 01:05:55 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (275)DHCP session completed for station
11/03/2014 01:05:55 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (276)IP 1.1.2.4 assigned for station
11/03/2014 01:06:00 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (277)station sent out DHCP REQUEST message
11/03/2014 01:06:00 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (278)DHCP server sent out DHCP ACKNOWLEDGE message to station
11/03/2014 01:06:00 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (279)DHCP session completed for station
11/03/2014 01:06:00 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (280)IP 1.1.2.4 assigned for station
11/03/2014 01:06:05 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (299)station sent out DHCP REQUEST message
11/03/2014 01:06:05 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     INFO    (300)DHCP server sent out DHCP ACKNOWLEDGE message to station
11/03/2014 01:06:05 PM  1C7B2156683F  E01C416F6BD5  HAP330-LibraryNorth     BASIC   (301)DHCP session completed for station

 
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like

So far this has happened on three different devices: Nexus 5, Moto G and Samsung Galaxy 3. All of the devices had latest Chrome installed and the only workaround my third party support company could come up was to install another browser (in my case I tried Opera (not the Opera Mini)) and that workaround worked for me.

I cannot tell why all of the sudden some phones started to have this problem and there is no easy explanation. My plan is to use another device to provide CWP so this should not be a problem for me in the future but it would be good to know what is causing this issue.

Another suggestion the support guy asked me to try was to enable HTTPS on CWP and see if that works Ok. I have not tried that because I do not like the idea of copying the certificate to each mobile device to avoid the warning message. 

Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like

Just to let you know this has been resolved by enabling the web server under 'Service Settings'

In HM go to: Configuration -> Netowrk Policies -> 'PolicyName' -> Additional Settings -> Service Settings -> Tick 'Enable the web server'

After that push the delta config to all APs.

Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Thanks for coming back and letting us know the resolution of your problem!
Photo of Matt Cramer

Matt Cramer

  • 4 Posts
  • 0 Reply Likes
Glad that worked for you Dariusz.

I have the web server enabled in my configs and still having the problem. Curious to get some other thoughts on the matter. Only seems to affect Chrome browsers and Android devices here.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2438 Posts
  • 445 Reply Likes
Matt, are you able get a packet capture in monitor mode of the exchange and post it somewhere for us to look at?
Photo of Kyle Johnson

Kyle Johnson

  • 2 Posts
  • 0 Reply Likes
I am still having this issue as Matt was with that box checked, anyone else able to fix this?
Photo of robert korn

robert korn

  • 13 Posts
  • 1 Reply Like
I had something similar...  in the CWP setup, there is a setting for "DHCP Lease" that is only for the "fake" address (1.1.3.x)  used to get the device up on the CWP page... Mine were set to the default ( 5 seconds) and just last week random BYOD issues.  

I changed that lease to 30 seconds, trouble went away.
Configuration
 / Advanced
  / Authentication
   / Captive Web Portals
     / Optional Advanced
       / DHCP and DNS settings
         / Use Internal..Ahive device   - that is the Lease I am discussing.

I believe my users were getting the 5 second lease, trying to get the CWP, then lease expired and repeating.   ONLY affected Androids.  Just a possibility.