sfw/fix
511 low

511 Network Authentication Required

Not your site, the Wi-Fi network is intercepting traffic behind a captive portal until you log in or accept terms.

What you see

511 Network Authentication Required

You need to log in to this network before you can access the internet.

(or the browser's own banner) Sign in to network

What’s actually happening

Pages won't load on hotel, airport, or cafe Wi-Fi, or they redirect to a "Sign in to continue" / "Accept the terms" page that has nothing to do with the site you typed. This isn't coming from the origin server. The network's gateway is holding your traffic hostage until you authenticate. RFC 6585 defined 511 as the clean way for a captive portal to announce itself, though in practice most portals just fire a 302 redirect to their login page instead of actually returning 511, the status is more useful to non-browser clients that would otherwise hang.

Common causes

  • A captive portal on public Wi-Fi that requires sign-in, a room number, or clicking "I agree" before it opens internet access.
  • You haven't completed the portal login yet, or the session expired and the gateway dropped you back into the captive state.
  • The site you tried first is HTTPS with HSTS, so the browser refuses the portal's redirect and you never see the login page (you just get a cert/security error instead).
  • Your OS captive-portal probe (Apple's captive.apple.com, Android's generate_204, Firefox's detectportal) got blocked or cached a stale "online" result, so the login prompt never auto-popped.
  • A corporate or guest network whose proxy demands authentication for outbound traffic.

How to fix it

  1. Open any plain HTTP page to trigger the portalBrowse to a known http:// (not https://) URL like http://neverssl.com or http://example.com. The gateway intercepts it and serves the login screen. HTTPS sites won't work here because the portal can't transparently intercept TLS.
  2. Use the OS captive-portal helperOn macOS/iOS, toggle Wi-Fi off and back on, the system reprobes captive.apple.com and pops the login sheet. Android shows a "Sign in to network" notification; tap it. Windows opens the page automatically when it detects the portal.
  3. Finish the login, then retry your siteEnter the credentials / room number / accept the terms. Once the portal releases you, your original HTTPS request works normally. If it expired, you'll just repeat the sign-in.
  4. Bypass a stuck portal probe via DNS or a fixed URLIf the login never appears, manually hit http://1.1.1.1 or the network's gateway IP in the address bar to force the redirect. Clearing the browser's HSTS state for the portal domain (chrome://net-internals/#hsts) can also unstick an HTTPS-first failure.

Stop it recurring

Reach for an http:// URL (not https://) the moment public Wi-Fi misbehaves, it's the reliable way to surface a captive portal.

Related errors

404 Not Found

high

A 404 means the page the visitor requested doesn’t exist at that URL. Here’s why it happens and how to fix it for good.

500 Internal Server Error

critical

A 500 is the server’s way of saying "something broke on my end." Generic by design — here’s how to find the real cause.

502 Bad Gateway

critical

A 502 means one server got an invalid response from another upstream server. The fix depends on which link in the chain failed.

503 Service Unavailable

critical

A 503 says the server is temporarily unable to handle the request — usually overload or maintenance. Here’s how to clear it.