Tricking iPhone CaptiveNetAssistant (CNA)

iPhone or iMac comes with CNA by default. Once an iPhone is associated to an SSID (after getting an IP address), CNA launches a mini browser and automatically triggers the HotSpot Gateway (HSG) login page. After successful authentication (or acceptance of the T&C), the user gets full Internet access (the status on the iPhone portal page changes from "cancel" to "done").

But sometimes it may be desirable to disable this behavior. For example, when we want users to download an app from the login page before authentication, this default behavior causes a problem: if the device is not authenticated (connection not authorized) and the user tries to download the app or launch other apps (basically navigating away from the splash page), the iPhone will automatically cut off the Wi-Fi connection, "thinking" this SSID connection is unusable, or in newer iOS versions the user will be asked to choose "Use Without Internet"/"Use Other Network" etc.

Our HSG has a special command, "hotspot-cna", which "tricks" the iPhone's default behavior to work around this situation.


---------------------------------------------------------
mbox(config)# security hotspot <LANIF>
........
hotspot-cna <on/off> <delaytimer>
    This enables/disables iPhone Captive Network Assistant (CNA) feature.
---------------------------------------------------------

When "hotspot-cna on" is configured, after the iPhone is associated to the SSID, HSG tricks the iPhone into "thinking" that this connection is authorized with full Internet access, so no login splash page is triggered. The iPhone shows connected status immediately, which allows you to launch other applications without the Wi-Fi connection being cut off (similar to the "Use Without Internet" option).

However, when the CNA trick is on, the iPhone will not auto-launch the login splash page; users need to manually initiate a browsing request via Safari/Chrome in order to trigger the login page. This can be a problem if a user is unaware of this need, "thinking" he's already connected, and tries to use apps or email without any success.

The <delaytimer> is an optional setting to overcome this situation.

When hotspot-cna is on with <delaytimer>, HSG delays enforcing the trick, so the iPhone still auto-triggers the splash portal as normal. After <delaytimer> seconds, HSG will "spoof" the iPhone into thinking the connection is authenticated (status will automatically change from "cancel" to "done"), so that users can continue to launch the app download from the splash page without the Wi-Fi connection being cut off. And if your app has WISPr support, the user can authenticate to HSG via the app instead of the usual splash login page.
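
The three cases described above (hotspot-cna off, on, and on with <delaytimer>) as a small Python timeline model. This is an added example, not the vendor's code; the class and function names, the per-second timeline and the event strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HotspotCna:
    enabled: bool = False             # hotspot-cna <on/off>
    delaytimer: Optional[int] = None  # optional <delaytimer>, in seconds

    def client_sees(self, t: int, authenticated: bool) -> str:
        """State the iPhone infers t seconds after association (assumed model)."""
        if authenticated:
            return "online"    # genuinely authorized by the HSG
        if not self.enabled:
            return "captive"   # default behavior: login still required
        if self.delaytimer is None or t >= self.delaytimer:
            return "online"    # trick enforced: looks authorized, is not
        return "captive"       # trick not enforced yet: splash page triggers


def timeline(cfg: HotspotCna, leave_at: int, login_at: Optional[int] = None,
             horizon: int = 60) -> List[Tuple[int, str]]:
    """Events for a user who navigates away from the splash page at leave_at."""
    events: List[Tuple[int, str]] = []
    prev = None
    for t in range(horizon + 1):
        authed = login_at is not None and t >= login_at
        state = cfg.client_sees(t, authed)
        if t == 0:
            events.append((0, "splash page opens (cancel)" if state == "captive"
                           else "connected, no splash page"))
        elif prev == "captive" and state == "online":
            events.append((t, "status changes cancel -> done"))
        if t == leave_at and state == "captive":
            # Unauthorized and away from the splash page: iPhone gives up on Wi-Fi.
            events.append((t, "left splash page: Wi-Fi cut off"))
            break
        prev = state
    return events


if __name__ == "__main__":
    # Constructed scenarios: user leaves the splash page 20 s after association.
    for label, cfg in [("off", HotspotCna()),
                       ("on", HotspotCna(True)),
                       ("on 10", HotspotCna(True, 10))]:
        print(f"hotspot-cna {label}:", timeline(cfg, leave_at=20))
```

In the "on" and "on 10" runs the device reports a working connection while no session has been authorized, so traffic other than the login flow still fails until the user authenticates.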