Connecting to 'XFINITY' (secure wifi point)

Greetings All,

In this thread I am trying to get information about connecting to the secure xfinity wifi spots, with SSID "XFINITY" with my ubiquiti nanostation M5 with openWRT

Specifically, I can connect using my ubuntu linux laptop with the following security settings:

WPA2-Enterprise
EAP
TTLS
EAP-GTC

certificate:
anon-identity:
identity:
password:

(after connecting, I still have to follow the weird inner redirect thing in a browser and sign in again like many access points make you do)

Using these settings on the openWRT device, I was able to associate with the access point, but I was never able to receive a DHCP IP address or get any sort of response from the default gateway. I am not sure why this is but I would like to find out. Trying to use a static address similar to the one I received on the ubuntu laptop also did not fetch any success either. I feel like it has something to do with the "inner sign in" (the thing where you have to open a browser to sign into the access point, not sure what the official name of it is)

I would really like to get this working, because I get much better signal with the ubiquiti device than the laptop, and I am sure a few others have the same type of experience.

Appreciate your time reading my post!

Did you install the full wpad package? The default wpad-mini does not support Enterprise authentication.

You have to have an IP before a browser can do anything. Being "bounced" to a sign in page instead of the website you want is called a captive portal.

Hi mk24,

Thanks for providing the term for me

yes, I have the full wpad package installed. Not sure what would cause it to associate but not get an IP, while the ubuntu laptop does, unless I am just reading the status wrong. Is there any way to manually get to the captive portal page when behind openWRT bridge mode? Getting to the correct page is sometimes tricky even on a regular laptop without the bridge, so I appreciate any tricks you might know. The only old standby I have used in this case was to use an http:// site instead of https:// , which causes the certificate issues for captive portals.

Are you trying to make the openwrt device into a bridge rather than routing and masquerading, because that probably won't work.

I am interested in having the openwrt device connect to wifi for internet access, and bridge this to the LAN port. It should either directly bridge the connection (so that the device connected to lan would get the ip address directly from the wi-fi access point) or do its own routing with NAT. In both cases I would expect the device connected to LAN should be able to obtain an ip address with DHCP.

I have made a bridge between the WLAN and LAN ports in the openWRT configuration, because this configuration worked correctly when using other access points at the internet provider. However, I am no openWRT expert, so if there is another configuration which would be more ideal for this use case, I would certainly like to know about it!

I think it's much more likely to work if you revert to default settings and then alter WAN to be a WLAN client. Your devices will connect to the Openwrt device and get LAN IPs, then OpenWrt will masquerade these and appear to be just one device to the Xfinity access point.

The settings I am using are barely different from default. I have just click the check box for the LAN connection under the bridged devices in the WLAN config page.

Can you let me know specifically what you should choose when you say "alter WAN to be a WLAN client?"

Secondly, no matter if additional routing is done or not, I am still not sure how to correctly get to the captive portal page to grant access to my device.

A regular STA cannot be in a bridge. You have to treat it as a WAN and NAT it.

1 Like

Yes, you have to treat it like a WAN and do routing, but you don't always have to NAT it on your router, it depends.

@sona1111 Revert to factory default settings, then set up a wireless client/STA mode network. Then go to the WAN and set the physical settings to use the wireless STA as your WAN. By default now it will route through the XFINITY and it will NAT, which in this case is probably what you want.

Hi All,

As a follow up, I wanted to present my findings. At first I tried to do what was suggested here ; remove the bridge connection (the default configuration that is applied when I reset to default settings), then, change the 'wan' and 'wan6' interfaces to use the radio device as their interface. From my perspective, this seemed to provide similar functionality to the bridge for other wireless networks. I was still able to access the internet elsewhere, but not using the secure XFINITY point. I was also receiving messages on the wan and wan6 interfaces that said I needed additional packages to allow them to connect, even though the packages that they showed needed to be installed were already installed. I am not sure. I ended up resetting again after a while and got back to the Bridge configuration.

What ended up working, which is unrelated to openWRT but still a useful resource if anyone else comes looking for it, it to go to a specific URL manually:

comcast.optimumwifi.com

which then, sometimes, redirects to:

wifilogin.xfinity.com

Either way, after this, you will be asked to provide credentials again in a captive portal, and after you do that it will say that you need to install a security certificate / app or something. Click the button that says proceed, but don't actually install the certificate / app or anything, after clicking that button, the open internet should start working! I managed to find that specific URL to go to buried in a forum post in xfinity forums - I have no idea how one can find these captive portal redirect-urls-that-don't-work in a general manner, so I guess I will be screwed if they ever change it. :angry: I also found that when turning the router on and off, and possibly after waiting enough time, you will have to log in again.

Sorry if that was a useless answer for some, but I hope it helps someone else trying to accomplish the same thing!

Are you saying that you bridge a WLAN client with your LAN and then on a computer connected to your LAN go to your particular URL and then everything just works?

Because that's completely counter to anything I understand. You can't bridge a wifi station with LAN and have it work. It has to do with the fact that WiFi clients send their own MAC address not the MAC address of the device originating the request.

Are you sure you didn't still have the WAN as a routed / masqueraded WWAN?

I would love to get to the bottom of this mystery too. Let me amend my statement slightly. It seems that the default config after a reset makes a bridge over LAN - but there are not actually any other interfaces in the bridge, so I am sure something more is going on. The wan and wan6 by default seem to be doing nothing in the fact that they both start out assigned to eth1 and not eth0. (eth0 is the 'primary' POE/network port on the nanostation, eth1 is the 'secondary' , which has no ethernet cable plugged into it). What happens is that I am served a DHCP ip when connecting my laptop directly to the ethernet port. It is in the expected 192.168.1.0/24 range, while the IP served by the xfinity access point is 172.x.x.x, so clearly openwrt is doing some kind of routing itself. Here is the main outer interfaces status - let me know if I can provide pics of any other pages or files in the ssh shell that might help to identify exactly what is going on!

It sounds like you have two devices plugged in by ethernet: one is your laptop and one is a Nanostation. Both devices are plugged into LAN ports on your OpenWrt router.

So, perhaps the Nanostation is acting as the router, and the OpenWrt device is acting as a "dumb AP" in this setup?

EDIT: No, sorry I think I misunderstood. I think you've got exactly the situation that we recommended here. Your WWAN is a client of XFINITY, it gets a 172.20.20.20 IP address and your LAN gets 192.168.1.1 and so you are routing between LAN on 192.168.1.0/24 and WWAN 172.20.20.0/24 on the wireless station.

I don't know about xfinity but on optimum passpoint to connect using openwrt first you have to register your router mac address or overwrite the mac address of the wwan interface with a mac address of a device already registered , also there is a rebind-protection settings,uncheck that before you connect to repeater.

dlakelan I guess thats it? I did not manually do any of the things that you said, so I guess that is why it was confusing.

jeff1: that sounds like useful information - where can I find the rebind settings?

In DHCP and DNS---General Settings

Just wanted to mention that I tried unchecking the box as part of the process, and over the past week I have still had to manually navigate to the aforementioned URL and manually log in at least once a day, so it does not seem to have helped. I may look into running some kind of looping process on the device to automatically enter these credentials if it is lightweight enough to fit. I will come back with more info if I am successful in the development!

thank you so much for posting this! I have been trying to get this working for like 2 months (and still haven't been able to)!
at first i was using a broadcom based router, which i now think may not be able to handle the eap encryption properly (and there is no luci on it so i used ddwrt).

recently i bought a nanostation m5 (xw version), and i've gotten the public unsecure hotspot to work on it, but haven't yet been able to get the secure one to work.

could you send more info on how you did it? where did you enter the “secure.aaa.wifi.comcast.com” domain? how did you configure wpa-supplicant? what packages "exactly" did you install (the device has very little space so i have to be conservative with which minimal and full packages to install)?

sorry for all the questions, this is just been taking to much time for me and i'm bothered i can't get it to work. any help would be very much appreciated!

thank you so much for what you have written so far (and for the information of knowing it can be done on my device, the nanostation)!

if with your help (if you will help), i still can't get it to work, would it be possible to send a backup file of your settings (without the mac address, login credentials, personal settings, etc.)?

(and yes, i'm a comcast customer. i can log in perfectly from my phone and laptop directly. when i visit my parents, who don't have internet, i can only log in from one corner of one room, and thus can't get a lot done there...)

similar to the poster above me I have never been able to figure out how to connect to the secure hotspot. Does anyone have any clear instructions?

You need a user certificate that is issued from Comcast for accessing the secure AP network.

:warning: I do not know how to obtain this certificate for installation/use on a third-party device. :wink:

You can see at this link - that when using their app, the certificates are automatically installed to the device: https://www.xfinity.com/support/articles/download-xfinity-wifi-app-prioritize-home-network