Geekzone: technology news, blogs, forums
gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #1967036 2-Mar-2018 13:36

The system might be looking at the TTL on the packets, and know they have been through a hop already, if NAT isn't working.
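
The TTL check suggested in the post above, sketched as an added example (not from the thread or from any vendor's product). It assumes a capture of `(source MAC, IP TTL)` pairs taken on the access port; the function names and sample values are constructed for illustration.

```python
from collections import defaultdict

# Initial TTLs used by common IP stacks: 64 (Linux, macOS), 128 (Windows),
# 255 (many network devices). Every router hop decrements the TTL by one.
COMMON_INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(ttl):
    """Return (assumed initial TTL, hops already travelled) for an observed TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def flag_routed_sources(observations, max_hops=0):
    """Map each source MAC to the observed TTLs that imply more than max_hops.

    observations: iterable of (src_mac, ttl) pairs captured on an access port,
    where a directly attached host should show an undecremented TTL.
    Hosts configured with a non-default TTL cause false positives, so a hit
    is a lead for the operator, not proof.
    """
    suspicious = defaultdict(set)
    for mac, ttl in observations:
        if not 1 <= ttl <= 255:
            continue  # malformed sample, skip
        _, hops = hops_from_ttl(ttl)
        if hops > max_hops:
            suspicious[mac].add(ttl)
    return {mac: sorted(ttls) for mac, ttls in suspicious.items()}


# Constructed sample: MAC ...:01 is a PC plugged straight into the port,
# MAC ...:02 is a router forwarding a Linux-like and a Windows-like client.
SAMPLE = [
    ("02:00:00:00:00:01", 128),
    ("02:00:00:00:00:01", 128),
    ("02:00:00:00:00:02", 63),
    ("02:00:00:00:00:02", 127),
    ("02:00:00:00:00:02", 64),  # the router's own traffic
]

if __name__ == "__main__":
    print(flag_routed_sources(SAMPLE))
```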

 

 










Crowdie
228 posts

Master Geek
+1 received by user: 87


  #1967133 2-Mar-2018 15:58

The switch port is most likely in access mode so have you tried connecting an access point to the faceplate with a PoE injector?  Configure the access point to get an IP address via DHCP, have a single SSID and send all traffic untagged.


yitz
2239 posts

Uber Geek
+1 received by user: 594


  #1967141 2-Mar-2018 16:23

Haha I'm sure the students will appreciate the rogue AP.



Crowdie
228 posts

Master Geek
+1 received by user: 87


  #1967164 2-Mar-2018 16:57

There is nothing wrong with making a bit of cash on the side :-)


lchiu7

6521 posts

Uber Geek
+1 received by user: 543

Trusted

  #1967302 2-Mar-2018 21:25

Crowdie:

 

The switch port is most likely in access mode so have you tried connecting an access point to the faceplate with a PoE injector?  Configure the access point to get an IP address via DHCP, have a single SSID and send all traffic untagged.

 

 

Not sure I understand that. Why do you need a PoE injector?

 

I think that the switch port or access router is enforcing a logon (some sort of backend authentication) and then possibly storing the MAC address. No idea if it's checking TTL hops - that would seem overkill.

 

So going to try the following

 

Logon with the PC

 

Disconnect PC and connect router with spoofed MAC address same as the PC. Theoretically it still thinks the PC is still logged on unless the disconnect to connect the router shows a session has ended.

 

The Pi as an AP looks like a good idea but I need software on the Pi that can present the logon credentials.





Staying in Wellington. Check out my AirBnB in the Wellington CBD.  https://www.airbnb.co.nz/h/wellycbd  PM me and mention GZ to get a 15% discount and no AirBnB charges.


Crowdie
228 posts

Master Geek
+1 received by user: 87


  #1967431 3-Mar-2018 10:00

lchiu7:

 

Crowdie:

 

The switch port is most likely in access mode so have you tried connecting an access point to the faceplate with a PoE injector?  Configure the access point to get an IP address via DHCP, have a single SSID and send all traffic untagged.

 

 

Not sure I understand that. Why do you need PoE injector?

 

 

The PoE injector is to supply power to the access point.  It is unlikely that this is enabled on the switch port in your room.

 

 


 
 
 
 

Crowdie
228 posts

Master Geek
+1 received by user: 87


  #1967504 3-Mar-2018 12:42

When you connect your laptop directly to the network how are you challenged for credentials?  Does a web page "pop up" with terms and conditions or just a requestor appear in the bottom right hand corner (by the date/time) with username and password fields?


migrif
80 posts

Master Geek
+1 received by user: 25

ID Verified
Subscriber

  #1967509 3-Mar-2018 13:26

I do this all the time in hotels, especially if there's a better wired network connection than WiFi.

 

My travel router is a basic $50 Mikrotik, with NAT, DHCP, firewall (along with VPN but that's not important). Then the first client that connects to the WiFi network from the Mikrotik has to authenticate through the captive portal; after that none of my other devices have to authenticate.





Broadcast Engineer working in Auckland, New Zealand


lchiu7

6521 posts

Uber Geek
+1 received by user: 543

Trusted

  #1967671 3-Mar-2018 22:23

Tried a few more things but not successful. To confirm that the router was checking MAC addresses, got him to change the MAC address on his PC and connect. He was challenged with a logon screen and once credentials entered, able to access the Internet.

 

Cloned that MAC address on the router, set the WAN side to be static wired, used the IP address assigned by DHCP to the PC in the router, and the gateway and DNS servers. Still unable to access the Internet from the PC now connected to the router but able to ping the gateway.

 

Hard to diagnose remotely via phone but can't think what else to do. Tried to find out if Gargoyle has some utilities that can check the connectivity on the WAN side but can't find any.

 

So it's back to use Internet sharing on Windows which is a bit slow for WiFi

 

And now he's not trying to sell WiFi to anybody!  Just wants to use his phone, tablet PC and Amazon Dot.







yitz
2239 posts

Uber Geek
+1 received by user: 594


  #1967675 3-Mar-2018 22:31

lchiu7:

So it's back to use Internet sharing on Windows which is a bit slow for WiFi

 

 

Try disabling the "QoS Packet Scheduler" on the network adapters.

 

 

See thread: https://www.geekzone.co.nz/forums.asp?forumid=66&topicid=228751

sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1967747 4-Mar-2018 09:04

I'm not really sure why this is proving so difficult.

 

The switchport is presumably allowing only a single MAC address at a time plugged into Ethernet. All you should simply need to do is plug in a WiFi router and connect your devices to this. The first time you do this you'll need to authenticate yourself; however, as all devices behind the router are behind a NAT firewall they'll all present the same MAC address. Depending on the captive portal timeout rules you may need to authenticate regularly, but this can happen on any device.

 

 


 
 
 
 

lchiu7

6521 posts

Uber Geek
+1 received by user: 543

Trusted

  #1967781 4-Mar-2018 10:13

I wouldn't have thought it was either since when I first helped him set it up, it worked perfectly as you described. Now it's stopped working so perhaps the university has done something?

 

Going to try again but as I said it's hard over the phone.

 

Based on this manual try setting the WAN port on the router to DHCP

 

https://www.gargoyle-router.com/wiki/doku.php?id=basic

 

 

 

Let the university switch/router assign an appropriate IP and log the MAC address.

 

Then connect the PC to a LAN port and let the router do DHCP also. Then see if the university logon screen presents itself.

 

Not sure where else to go if that fails.







Crowdie
228 posts

Master Geek
+1 received by user: 87


  #1967864 4-Mar-2018 12:27

The days of universities just deploying switches are long gone.  If you are at a major university the following is likely to be deployed:

 

  • Layer 2 switch (what you are connecting to)
  • A policy server (Cisco Identity Services, Aruba ClearPass, etc.)
  • An application aware firewall
  • A machine learning analysis server (Aruba Introspect, etc.) - these are starting to be deployed now.

When you connect to the switch port the policy server analyses your authentication data and categorises you - as a student connecting using a Windows device, for example.  The policy server applies settings to your switch port and the application aware firewall.

 

As you communicate over the network the machine learning analysis server analyses your traffic and compares it to the expected student traffic.  Minor differences are logged and major differences will result in the policy server making network changes (shutting down your switch port, changing the firewall rules applied to you, etc.) to mitigate the risk. 


yitz
2239 posts

Uber Geek
+1 received by user: 594


  #1967870 4-Mar-2018 13:00

You reckon it can differentiate by heuristics how Windows does its DHCP vs a router? Or is it based on detecting NBT and other broadcast traffic that Windows/client operating systems spout out onto the LAN?

 

 

At this point I think it might be wise to just try another router. If you don't have one on hand purchase one of those compact travel routers as mentioned above, they are not high performance. I have seen them go for as little as $30, see what is available on Trademe.

Crowdie
228 posts

Master Geek
+1 received by user: 87


  #1967873 4-Mar-2018 13:10

You have to remember that these machine learning systems are designed for governments, Fortune 500 companies, etc.  Residential and SOHO products are not even going to get close to conning these systems.

