In this article
This article explains how the DNSFilter Roaming Client works with captive portals (e.g., airport, hotel, or coffee shop Wi-Fi login pages) and provides troubleshooting tips if the portal doesn’t load or connect.
Version 2.3.8 of the macOS Roaming Client introduced Travel Wi-Fi Mode, a feature that helps macOS devices load captive portals on networks such as airplanes, hotels, and airports while maintaining DNS protection. We recommend testing this agent version feature to resolve captive portal issues.
- Normal Behavior: In most cases, no action is needed. The Roaming Client automatically opens the captive portal login window
- Standards: Captive portals are covered under RFC 8908, though implementation varies
-
Potential Issues:
- Some networks (commonly hotels or airlines) allow DNS through before login. In these cases, the agent may not trigger the portal
- The Roaming Client can redirect DNS away from the network’s DHCP server, preventing the HTTP redirection to the login page
- This may leave users unable to access the captive portal or connect to the internet
- We recommend testing agent version 2.3.8's Travel Wi-Fi Mode to resolve connection issues
Captive Portal login page doesn't appear automatically
Sometimes the login page for the captive portal doesn't appear automatically.
If working with agent version 2.2.0 or older, try these troubleshooting steps to resolve the issue. Any of these methods can prompt the captive portal login window to open, but we recommend trying to in order when applicable:
- Disable any active VPN
- Re-establish the network connection
- Remove/forget the network
- Turn off and on the device's Wi-Fi
- Re-add the network
- Reopen a browser window and browse to any domain (e.g. https://www.dnsfilter.com/)
- Disable Wi-Fi automations Ask to Join Networks and/or Ask to Join Hotspots
🚨 Important: If these settings are used at home or work, turn them back on once you’re done traveling. Disabling them can prevent auto-joining trusted networks.
- Remove unknown Wi-Fi networks from the device
- Restart the device
- Open the DNSFilter status menu icon and select Access Captive Network
Add domain suffix to Local Domains
If there are issues connecting to the network, adding the domain suffix to the Local Domains list on the DNSFilter dashboard will resolve this issue.
Agent v1.8.6 and older. Add IPs for local resolvers that are not public DNS servers (like Google's 8.8.8.8). Add IPs for the DNS server provided by DHCP.
Agent v2.2.0 - v2.3.0. Adding a public DNS server like Google's 8.8.8.8 can help trigger the captive portal for some Wi-Fi sources.
Agent v2.3.8 or higher. Enable Travel Wi-Fi Mode to adjust DNS resolution to allow captive portal access. Adding domains suffixes to Local Domains is not necessary for Travel Wi-Fi Mode to work.
If you add known airline or hotel portals to your Local Domains and Resolvers list before the user travels in advance, this can prevent this issue from arising.
Captive Portal List
We comprised this list of domains used for hotels or airline Wi-Fi which can be added to your Local Domains. This may not be a complete list, as this is a work-in-progress.
🚨Important: Many airlines and hotels provide Wi-Fi services through Viasat, which is a known conflict with our Roaming Client. We recommend adding their common domains for any Organization with frequent travel.
- viasat.com
- portal.viasat.com
- wifi.viasat.com
- airborne.gogoinflight.com
- airbornet.gogoinflight.com
- edge.viasat.com
- viasatwifi.com
Airlines & Transportation
| Air France | connect.airfrance.com |
| Alaska Airlines | alaskawifi.com |
| American Airlines | aainflight.com |
| Amtrak | amtrakconnect.com |
| Breeze Airways | breezewifi.com |
| Calgary Airport | login.yyc.com |
| Delta Airlines | deltawifi.com |
| Denver Airport | login.attwifi.com |
| JetBlue Airlines | flyfi.com |
| Multiple Airlines | gogoinflight.com |
| via.boingohotspot.net | |
| Southwest Airlines | southwestwifi.com |
| United Airlines | guestwifi.united.com |
| wifi.united.com | |
| unitedwifi.com | |
| Virgin Atlantic | virgin-atlantic-wifi.com |
Hotels
| Hilton Hotels | secure.guestinternet.com |
| Hilton Dana Point Hotel | snap.selectnetworx.com |
| Hyatt Hotels | globalsuite.net |
| bap.aws.opennetworkexchange.net | |
| Marriott Hotels | marriott.com |
| cloud5.com | |
| Montage Hotels | splash.skyadmin.io |
| Multiple Hotels | hotelwifi.com |
| registerforhsia.com | |
| danmagi.com | |
| redwoodsystemsgroup.com |
Miscellaneous Connectivity Checks
| Comcast Xfinity Hotspots | xfinity.com/wifi |
| Apple devices | captive.apple.com |
|
Google |
connectivitycheck.gstatic.com |
| clients3.google.com | |
|
Microsoft |
msftncsi.com |
| msftconnecttest.com | |
| Independent Community Project | neverssl.com |
Comments
18 comments
Please add the captive portal for Delta, DeltaWiFi.com, to this list.
Source: https://www.delta.com/us/en/onboard/inflight-entertainment/onboard-wifi (Step 3)
Thanks for the suggestion, Brian Zick —added to the list!
Thank you!
Please add captive.apple.com for Apple devices.
Thanks for the suggestion, Amanda Hunt —added to the list!
How about removing the hyperlink from the local domains so we don't accidentally click through while trying to copy.
Great suggestion, Karik Hill ! Thanks for helping make our documentation better 💖
Thank you for this list!
We have a client end-user who is traveling and discovered they can't connect to the Hilton URL “secure.guestinternet.com”. Will adding the URL to the Allow List of their assigned filter policy function the same way as adding it to the Local Domains? And will they need to connect to a different internet to pull down the new setting changes before it will start working?
Hi Kyle Murphy thanks for reaching out!
Adding "secure.guestinternet.com" to the Allow List is not the same as adding it to Local Domains. The Allow List lets DNS traffic to that domain through DNSFilter, but Local Domains ensures DNS queries for that domain are handled by the local network’s DNS (often needed for captive portals like Hilton’s).
We recommend following this article's suggestions in order. Start by having the user:
If none of these local steps work, add "secure.guestinternet.com" as a Local Domain in the DNSFilter dashboard. This allows the device to bypass DNSFilter to reach the captive portal login properly.
If the user is already unable to connect, they may need to join another network temporarily to sync the updated Local Domains setting with their Roaming Client. After syncing, they can reconnect to the Hilton Wi-Fi.
Let us know if the issue persists and we can look into some different troubleshooting steps!
Now that 2.3.12 for Mac will be available soon, and it will offer “MDM support of Travel Wi-Fi Mode” (announced Jan 21 here), Can you point me to your docs on how to configure Travel Wi-Fi Mode in MDMs such as Jamf Pro?
Will Travel Wi-fi Mode be managed via a MDM profile scoped to domain com.dnsfilter.agent.macos or perhaps written to a flat text config file (/Library/Application Support/DNSFilter Agent/daemon.conf) or will it be managed elsewhere?
Hey Daniel Stranathan, happy to help out.
Travel Wi-Fi Mode is not managed via a separate MDM profile and doesn’t require manual edits to
daemon.conf.It’s configured through the deployment script. You simply add
allowExtensionBypass=trueto the temporary config section of the installer script, as outlined in the Travel Wi-Fi Mode article's silent install section. The setting is written during installation and applied by the agent.So from an MDM perspective, this is handled as part of your scripted deployment—not via a managed profile payload.
Install script is fine for new deployments, but we have 400 Macs with DNSFilter 2.2.0 and 2.3.8 installed already. Why run a monolithic script when the allowExtensionBypass key could be managed in a modern, dynamic MDM profile?
What is the recommended method for existing Macs that will (eventually) get auto-updated to 2.3.12?
Daniel Stranathan If the agent is already installed, you can push a script via MDM to update the config file in place. Our Engineering team tested the following and confirmed it works in their test environment:
If you’re running a Whitelabel deployment, the file path will differ slightly to match the Whitelabel agent name.
After modifying the config, you’ll need to either:
That said, since we don’t know all the other controls, profiles, or security tools in your environment, we strongly recommend testing this on a small subset of machines first and adjusting as needed before broad rollout.
Let us know if this works for you or if anything else comes up!
Thanks - this works well for me. I had something similar in a testing group.
1 I was under the idea that Wi-Fi Travel Mode would improve in 2.3.12 (i.e.; be a native setting that could be toggled in MDM, not require additional scripts etc.
2 Is there any difference in how Wi-Fi Travel Mode works in 2.3.8 compared to 2.3.12? My leadership was hoping that end-users wouldn't need to be trained on initialing this mode when traveling.
Dashboard / native toggle support
Dashboard-based controls for Travel Wi-Fi Mode are planned, but that work is not currently in progress. At this time, the setting still needs to be managed via a script update.
We also don’t currently plan to make Travel Wi-Fi Mode automatically enabled by default, as we intentionally give customers control over how and when end users can initiate it.
Behavior in 2.3.8 vs 2.3.12
There are no functional changes to how Travel Wi-Fi Mode operates between 2.3.8 and 2.3.12, other than MDM controls where introduced in 2.3.9. The core behavior remains the same.
Hi all,
We are testing version 2.3.12 with Travel WiFi mode, but it doesn’t appear to be working as expected. It’s possible our testing scenario may not fully match the root issue.
Here’s what we did:
allowExtensionBypass=trueflag enabled.Our goal was to replicate the real-world scenario where a user arrives at an airport with their Mac not connected to any WiFi network and attempts to join an airline or airport network that uses a captive portal.
After rebooting:
The only way to resolve this was to connect to a WiFi network which provides internet access (not a captive portal). Once connected:
The issue we’re seeing is this:
If the Mac is not connected to the internet when booted, Travel WiFi mode cannot be enabled because the agent displays "Fix Installation Issues". However, due to the captive portal issue, the user cannot connect to the internet. This creates a catch-22 situation.
Please let us know if our testing approach is incorrect or if there’s a recommended way to handle this scenario.
I guess Im not following
We went from 2.3.8 to 2.3.12 - there was no 2.3.9 as we discussed (it rolled into 2.3.12) I dont see any difference in Travel Wi-Fi Mode between 2.3.8 and 2.3.12… What exactly are “MDM controls” are new since 2.3.8? I have looked at the notes and dont see any changes.
Brian Coyne I asked Casey to escalate your existing Support Request to the engineers for review. You'll be working with Tate now, so he should have you all set soon!
Daniel Stranathan See our release notes for more detail, but v2.3.9 was the Beta release that enabled silent configuration (via MDM) of Travel Wi-Fi Mode as an option. Version 2.3.8 could only be configured on the device.
Please sign in to leave a comment.