511 Network Authentication Required
511 Network Authentication Required is a status that can be used by
for example captive portals to signal to computers that they need to go
through some kind of sign-in after connecting to a WiFi network.
You might see these kind of sign-in screens when for example connecting to the WiFi at a coffee shop.
Most operating systems and browsers detect this log in screen by making a HTTP request to a standard url. These are some real examples:
Browsers and operating systems will do an HTTP request to one of those urls,
and expect a string like
success to appear. If it doesn’t appear, it means
a router might be blocking it and a pop-up will appear to log into the network.
One of the issues with this approach is that it might not be possible to for a client to distingish a ‘correct’ response, vs. a HTTP response that was intercepted by the network and a captive portal being served instead.
It is a type of man-in-the-middle attack, so returning a captive portal interface instead of the real response might cause systems to malfunction and caches to be primed with bad data.
511 Network Authentication Required status code was invented as a
default status code for captive portals to return when intercepting a HTTP
request. This status signals that it was returned by an intermediate.
The full HTTP response should contain a link to where the user may log in.
The example given from the RFC is as follows:
HTTP/1.1 511 Network Authentication Required
<title>Network Authentication Required</title>
<p>You need to <a href="https://login.example.net/">
authenticate with the local network</a> in order to gain
- RFC6585, Section 6.1 - 511 Network Authentication Required