HTTP 511 Network Authentication Required
HTTP 511 Network Authentication Required means the client must authenticate to the network itself before any request can reach its destination. Unlike 401 Unauthorized, which requires authentication to a specific application, 511 is issued by a network intermediary โ a captive portal โ that intercepts all traffic before it reaches the internet.
Quick reference
| Code | 511 |
|---|---|
| Name | Network Authentication Required |
| Category | 5xx Server Errors |
| Specification | RFC 6585 ยง6 |
| IANA status | Assigned |
| Cacheable | No |
| Client action | Open a browser and complete the captive portal login. Mobile users: check for a system notification prompting network login. |
| In-depth guide | HTTP 511 full guide โ |
What HTTP 511 means
RFC 6585 defines 511 as indicating that the client needs to authenticate to gain network access. The response representation should contain a link to a resource that allows the user to submit credentials. 511 responses must not be generated by origin servers โ only network intermediaries (captive portals) should return 511.
Before 511 was defined, captive portals returned a login HTML page with a 200 OK status, intercepting all HTTP requests. This broke automated clients, monitoring systems, and applications that assumed a 200 meant the request reached its intended destination. 511 provides a standards-compliant signal that distinguishes network authentication from application-level success.
A 511 response body should contain a link to the captive portal login page. The client was never connected to the intended server โ the portal intercepted the request before it left the local network.
How captive portals work
A captive portal intercepts all outgoing HTTP requests from a newly connected client and serves a login or terms-of-service page instead of the requested content. Common environments: hotel and airport Wi-Fi, corporate guest networks, university networks, and paid hotspots.
The portal intercepts at the network level: all HTTP traffic is redirected to the portal's web server before reaching the broader internet. Once the user authenticates (or accepts terms), the portal opens network access and HTTP requests reach their intended destinations.
HTTPS requests cannot be intercepted for MITM injection (certificates would fail), so modern captive portals typically rely on the device detecting the lack of internet access (using a connectivity check to a known URL) and triggering a redirect to the portal page through a DNS or TCP-level intercept.
Common causes
Hotel, airport, or coffee shop Wi-Fi
Guest networks require authentication or terms acceptance before internet access is granted. All HTTP requests are intercepted by the portal until the user completes the login.
Corporate network authentication gateway
Many organizations require network-level authentication separate from VPN โ employees must log in to gain internet access from the corporate network.
Campus or educational network
University and school networks often use captive portals requiring student or staff login before granting access.
Monitoring agents behind captive portals
Application health checks or monitoring agents running on hosts behind unauthenticated captive portals receive 511 instead of responses from monitored services, causing false positive alerts.
511 vs 401 vs 407
| Code | Issued by | What needs to authenticate |
|---|---|---|
| 511 | Network intermediary (captive portal) | Network access โ before any request reaches the internet |
| 401 | Origin server / application | Application account โ the server rejected this specific request |
| 407 | Proxy server | Proxy credentials โ the proxy requires auth before forwarding |
| 403 | Origin server | No auth helps โ access is denied regardless of credentials |
How to handle 511
As an end user: open a web browser and navigate to any plain HTTP URL. Browsers detect captive portals and redirect to the login page automatically. On mobile devices, look for a system notification that appeared when you joined the network โ it typically prompts you to complete network login. Complete the authentication or accept the terms of service on the captive portal page, then retry the original request.
As a developer: detect 511 separately from 401. A 511 means you cannot reach your intended server at all โ not that the server rejected you. Extract the portal URL from the 511 response body and present it to the user for authentication. Consider implementing captive portal detection by probing a known URL before critical requests.
FAQ
What does HTTP 511 Network Authentication Required mean?
HTTP 511 means you are connected to a network (like hotel Wi-Fi) that requires you to log in or accept terms before your internet requests can proceed. The response comes from the network's captive portal, not from the server you were trying to reach.
Why do I see 511 in my application logs?
Your application server or monitoring agent is running on a host behind a captive portal that requires network authentication. The host cannot reach the internet until network-level authentication is completed.
Should my application server ever return 511?
No. RFC 6585 explicitly states that 511 must not be generated by origin servers. Only network intermediaries (captive portals) should return 511. If your application is returning 511, that is a misconfiguration.
How is 511 different from 401?
401 is about application-level authentication โ the server you are trying to reach rejected your credentials. 511 is about network-level authentication โ a portal intercepted your request before it even reached the intended server. The fix for 511 is to authenticate to the network, not to provide application credentials.
Related resources
On this site: HTTP 511 Network Authentication Required โ full guide ยท HTTP 401 Unauthorized ยท HTTP 407 Proxy Authentication Required ยท HTTP 403 Forbidden ยท All 5xx server errors
Standards: RFC 6585 ยง6 ยท IANA HTTP Status Code Registry ยท MDN Web Docs: 511