Endpoint Blocking Public WiFi Splash Pages

Apologies if I'm posting to the wrong group - my question is about Endpoint Advanced, managed by cloud-based Central Admin.

We’ve been having an ongoing problem with Sophos on laptops for people who travel.  A lot of free public wifi networks, like you’d find at a hotel, restaurant, or airport, at first can only connect to a splash page where one must accept disclaimers, before the network will let the device connect to the rest of the internet.  Without accepting the terms on the splash page, the internet cannot be accessed.  And it seems that with many of these wireless network splash pages, Sophos completely blocks the disclaimers/terms/conditions page, thus preventing any and all internet access. 

I’m looking for an easy way to loosen up the Sophos policy that is restricting access to these splash pages, without punching too much of a hole in the general network security that Sophos provides.  Thanks!



This thread was automatically locked due to age.
  • Hi Burdett MacLean,

    Can you share the Sophos Block message details? Maybe a screenshot would help.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • One of our users had the same issue. Had to disable the Sophos endpoint to enable the hotel Internet.

    I could not upload the screenshot because it is over the size limitation.

  • Hi Philip,

    Could you check if this workaround would work: adding the IP/URL of the splash page to Web Protection exceptions.

    If you do not know the splash page URL, disable Web Protection and the URL will be revealed on your hotspot.

    Could you let us know which specific product and version was affected so we can investigate the issue? Kindly let us know the OS and version on your machine.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • We experience this as well with our instance of Sophos Endpoint (Cloud)

    Issue: Splash login opens i.e. the Captive Network Assistant app and displays "A problem occurred. The webpage couldn't be loaded." 

    URL: Initially: http://captive.apple.com/hotspot-detect.html then redirects to nXX.network-auth.com

    OS: macOS 10.14 & 10.14.1 - High Sierra (10.13) and Sierra (10.12) are not affected, nor are Windows 10 clients.

    Meraki wireless APs

    Backstory: This issue has been plaguing me for two weeks and the culprit was found yesterday after I temporarily moved all of the Sophos launch agents and daemons on a test client so they wouldn't start. The issue went away immediately, then returned after the Sophos plists were returned to those two directories. The splash login we have for this particular SSID doesn't allow HTTP traffic through until signing in unless I add it to the walled garden list. While I've added the Sophos URLs I know of to this list, let me also point out that another SSID was created without blocking HTTP traffic turned on and this issue still occurs.

    I've turned off everything I saw with a checkbox or switch in the base policies to no avail. If I could leave the endpoint client installed/enabled and simply exclude the computer from all policies I'd know if it was a policy setting and not the client itself, but .... doesn't appear as though you can. Someone correct me if I'm wrong.

     

    Until this issue is resolved I've halted deployment and/or uninstalled Sophos on clients that have 10.14 and above.

  • We are using Endpoint Advanced on macOS 10.14.1. Always using the latest update, now it is on 9.8.1.

  • Hi Philip,

    Workaround.

    *Option 1*. Ask the client to use an HTTPS website, e.g. https://Google.com, in another browser besides Safari; there should be a security error, which is normal as the client machine does not have that certificate. Make sure the Safari page is closed before attempting this in another browser, as the server/router will expect the same connection, and by doing so with another browser a new connection request is sent.

    *Option 2*. If the hotspot URL is known, ask them to try to connect using a mobile device, check the URL/IP address of the first page that pops up, and add that to Web Protection Exclusions. Only the domain/IP would suffice, as only that would be considered for an exclusion to take place.

    *Option 3*. If the path is unknown, ask the customer to run the command in Terminal -> *sudo tcpdump -vv | grep href* and, when the splash page fails to load, close the tab and check the output in the terminal. It will give the redirect URL, which should be added in Web Exceptions, in this case 10.255.0.1 or the domain only. <Attached Snapshot>

    *Kindly note*: any web exceptions will only work if the system is connected to the internet. If you have only Safari, copy the link from the output in the terminal and run the command *open <URL>* and it will open in Safari. In this example, use the command -> *open 10.255.0.1:4501/index.cgi*. To make it simpler, run the command *sudo tcpdump -vv | grep href* first, exit the dump using Ctrl+C, and type *open <paste the URL>* ENTER, or use the same URL in the Safari browser directly.

    *Option 4*. Open Terminal and run the command > *open http://google.com* and the captive portal will show in Safari.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support
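
Added example (not from the thread or from Sophos): instead of grepping a packet capture, the redirect target can be read from the response to the probe URL reported above and reduced to the bare domain/IP that Option 2 says is enough for the exclusion. The function names and sample responses are constructed for illustration; the live `curl` call appears only in a comment and assumes curl can reach the probe URL.

```shell
#!/bin/sh
# Added example, not from the thread. Live input would come from:
#   curl -si --max-time 5 http://captive.apple.com/hotspot-detect.html

# Print the first redirect target in an HTTP response read from stdin.
# Order: Location header, <meta http-equiv="refresh">, first absolute href.
portal_url() {
    resp=$(tr -d '\r')
    url=$(printf '%s\n' "$resp" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
    [ -n "$url" ] || url=$(printf '%s\n' "$resp" | grep -i 'http-equiv' |
        grep -Eio "url=[^\"'> ]+" | head -n 1 | cut -d= -f2-)
    [ -n "$url" ] || url=$(printf '%s\n' "$resp" |
        grep -Eio "href=[\"']?https?://[^\"'> ]+" | head -n 1 |
        sed -E "s/^[^=]*=[\"']?//")
    [ -n "$url" ] && printf '%s\n' "$url"
}

# Reduce the redirect target to the bare domain/IP for the exclusion list.
# Relative targets (no host) yield failure; IPv6 literals are not handled.
portal_host() {
    url=$(portal_url) || return 1
    host=$(printf '%s\n' "$url" | sed -E -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|[/?#].*$||' -e 's|^.*@||' -e 's|:[0-9]+$||')
    [ -n "$host" ] && printf '%s\n' "$host"
}

# Constructed sample responses (not captured from a real hotspot).
sample_redirect() {
    printf 'HTTP/1.1 302 Found\r\nLocation: http://10.255.0.1:4501/index.cgi\r\n\r\n'
}
sample_meta() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><head><meta http-equiv="refresh" '
    printf 'content="0; url=https://portal.example.net/splash?id=1"></head></html>\n'
}
sample_open() {   # no portal in the way: the probe was answered directly
    printf 'HTTP/1.1 200 OK\r\n\r\n<HTML><BODY>Success</BODY></HTML>\n'
}

sample_redirect | portal_host
sample_meta | portal_host
sample_open | portal_host || echo "no captive portal redirect found"
```

Adding only the printed host to the exceptions keeps the exclusion scoped to the portal rather than switching Web Protection off for the whole session.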

