Endpoint Blocking Public WiFi Splash Pages

Hi Burdett MacLean,

Can you share the Sophos Block message details? Maybe a screenshot would help.

One of our user had the same issue. Had to disabled the Sophos endpoint to enable the hotel Internet.

I could not upload the screen shot because it is over the size limitation.

Hi Philip,

Could you check if this  work around would work by adding IP/URL of the spash Page. to web protection exceptions. 

If you did not know the Spash page URL , Disable Web Protection and the URL will be revealed on your Hotspot. 

Could you let us know which Specific Product and Version was affected so we would investigate the issue. Kindly let us know the OS and Version on your machine.

We experience this as well with our instance of Sophos Endpoint (Cloud)

Issue: Splash login opens i.e. the Captive Network Assistant app and displays "A problem occurred. The webpage couldn't be loaded." 

URL: Initially: http://captive.apple.com/hotspot-detect.html then redirects to nXX.network-auth.com

OS: macOS 10.14 & 10.14.1 - High Sierra(10.13) and Sierra(10.12) are not effected nor are Windows 10 clients.

Meraki wireless APs

Backstory: This issue has been plaguing me for two weeks and the culprit was found yesterday after I temporarily moved all of the Sophos launch agents and daemons on a test client so they would't start. The issue went away immediately then returned after the Sophos plists were returned to those two directories. The splash login we have for this particular SSID doesn't allow http traffic through until signing in unless I add it to the walled garden list. While I've added the Sophos url's I know of to this list let me also point out that another SSID was created without blocking http traffic turned on and this issue still occurs.

I've turned off everything I saw with a checkbox or switch in the base policies to no avail. If I could leave the endpoint client installed/enabled and simply exclude the computer from all policies I'd know if it was a policy setting and not the client itself, but .... doesn't appear as though you can. Someone correct me if I'm wrong.

Until this issue is resolved I've halted deployment and or uninstalled Sophos on clients that have 10.14 and above.

We are using Endpoint Advanced on MacOS 10.14.1. Always using the latest update, now is on 9.8.1.

Hi Philip , 

Workaround.  

*Option 1*. Ask the client to use an https website e.g. https://Google.com on another Browser besides Safari and there should be a security Error which is normal as the client machine does not have that certificate .Make sure the Safari page is closed before attempting on another browser as the Server/Router will expect the same connection and by doing so with another browser a new connection request is sent.
*Option 2*. If the URL hostspot URL is known , ask to try to connect using a Mobile device and check URL/IPaddress of the first page it pops up and add that to Web Protection Exclusions. Only the Domain/IP would suffice as that would only be considered for an exclusion to take Place.
*Option 3*. If the path is Unknown ask the customer to run the command in terminal -> *sudo tcpdump -vv | grep href* and when the splash page fails to load close the tab and check the output on the terminal . It will give the redirect URL which should be added in Web Exception in this case 10.255.0.1 or domain only. <Attached Snapshot>
*KIndly Note* , Any web exceptions will only work if the system is connected to the internet . If You have only safari , copy the link from the output in the terminal and run the command *open <URL>* and it will open in Safari. in this example use command-> *open 10.255.0.1:4501/index.cgi* to make it simpler run the command *sudo tcpdump -vv | grep href* first exit the dump using ctrl +c and type *open <paste the URL>* ENTER or use the same URL in the Safari Browser directly.
*Option 4:* Open Terminal run the command > *open http://google.com* and captive portal will show on Safari .

I tried all those options but all not work.

So far the only way to make the connect through is disabling the Sopho Services, not only the Web Control, but especially the Real Time Scanning.

It is not acceptable because we have to disable the Temper protection also.

I tried all those options but all not work.

So far the only way to make the connect through is disabling the Sopho Services, not only the Web Control, but especially the Real Time Scanning.

It is not acceptable because we have to disable the Temper protection also.