Why is Google login disabled for UniFi implementations?

Configuring Social WiFi service requires appropriate settings to be available for particular network setup. Sometimes, when some of those features are not supported by hardware’s manufacturer, Social WiFi might work in unexpected ways or not work at all.

How does captive portal hotspot work?

Usually, the first thing your device does after it connects to any WiFi network is checking whether that network works – as in, can you get internet access.

Various manufacturer’s devices do so in a number of ways, usually by connecting to a specific web address established by manufacturer or third party as part of device’s firmware – if that connection is successful, the device will call it a day and consider internet access as granted.

Most devices we use nowadays are pretty smart. If a phone does not manage to connect to the website, it will check whether it needs to do something else in order to get that access – like display a captive portal and authorize! This is exactly what we are doing here. Your device should not be able to access the internet verification address and should display Social WiFi login page instead. We limit that access using a feature called “Walled Garden”, which only allows the device to access some specific addresses (such as those belonging Facebook, Google or Twitter for login purposes), but not the verification one.

After you authenticate within our service, your device will check again and realise that it now does have internet access.

What does that have to do with UniFi and Google login?

Unfortunately UniFi does not provide an option to include hostnames (“human friendly” ways of telling what website you want to go to, e.g. facebook.com) within its Walled Garden settings – or Pre-Authorization Settings, as they are called within UniFi dashboard. Those hostnames would normally be converted into an IP address that your device can understand by something called DNS.

The problem here is that those IP addresses are subject to constant change. While typing in facebook.com in your browser will always resolve that hostname to proper corresponding IP address at that time, typing in the same IP address as you did yesterday might not necessarily allow you to access that page, as businesses frequently utilize a whole spectrum of thousands of addresses.

Since UniFi only allows you to specify which IP addresses you want to be able to access, and not hostnames, we had to make the IP ranges quite broad in order to give your setup some leeway in accomodating any changes this particular social media portal makes, so that you can always log in with it without constantly modifying your Walled Garden settings.

However, since Android system is primarily developed by Google, most Android devices (but not all!) will check for internet access by accessing a Google-owned website: http://clients3.google.com/generate_204 Unfortunately, that website’s address is located within the same IP spectrum as Google login addresses that are necessary to authenticate within Social WiFi.

What does that mean for us? Well, if we try to allow Google login option using UniFi’s IP-range only Walled Garden, we will need to also unlock access to http://clients3.google.com/generate_204. This will make your device believe that id does indeed have internet access and is not currently within a captive portal – as such, our captive portal will not appear automatically on those devices.

Given the scale of the problem, we decided to remove Google login addresses from our Walled Garden list for UniFi implementations until a solution is provided by UniFi.

Adding them to Pre-Authorization (Walled Garden) settings is almost certain to cause numerous issues for a vast majority of clients, and since we care about experience with our service, we do not want to cause any unnecessary disturbances.

Last updated