511 Network Authentication Required

Written by Evert Pot - - Aggregated on Tuesday September 10, 2019

511 Network Authentication Required is a status that can be used by for example captive portals to signal to computers that they need to go through some kind of sign-in after connecting to a WiFi network.

You might see these kind of sign-in screens when for example connecting to the WiFi at a coffee shop.

Most operating systems and browsers detect this log in screen by making a HTTP request to a standard url. These are some real examples:

Browsers and operating systems will do an HTTP request to one of those urls, and expect a string like success to appear. If it doesn’t appear, it means a router might be blocking it and a pop-up will appear to log into the network.

One of the issues with this approach is that it might not be possible to for a client to distingish a ‘correct’ response, vs. a HTTP response that was intercepted by the network and a captive portal being served instead.

It is a type of man-in-the-middle attack, so returning a captive portal interface instead of the real response might cause systems to malfunction and caches to be primed with bad data.

The 511 Network Authentication Required status code was invented as a default status code for captive portals to return when intercepting a HTTP request. This status signals that it was returned by an intermediate.

The full HTTP response should contain a link to where the user may log in.

The example given from the RFC is as follows:

HTTP/1.1 511 Network Authentication Required
Content-Type: text/html

<html>
  <head>
     <title>Network Authentication Required</title>
     <meta http-equiv="refresh"
           content="0; url=https://login.example.net/">
  </head>
  <body>
     <p>You need to <a href="https://login.example.net/">
     authenticate with the local network</a> in order to gain
     access.</p>
  </body>
</html>

References


« Farewell, Happy Camper - Signal vs. Noise

Bram.us - Secrets in Serverless »