A captive portal is a landing web page, presented by a layer 3 or layer 2 network operator and shown to users before they gain broader access to URL- or HTTP-based Internet services. Often used to present a landing or log-in page, the portal intercepts observed packets until the user is authorized to launch browser sessions. After being redirected to a web page which may require authentication, payment, acceptance of an EULA or acceptable use policy, or other valid credentials that the host and user agree to, the user is granted conditional Internet access. Captive portals are used for a broad range of mobile and pedestrian broadband services, including cable and commercially provided Wi-Fi, home hotspots and others, and can also be used to control access to enterprise and residential wired networks (e.g. apartment houses, hotel rooms, business centers, etc.).
The login page itself must be presented to the client, and is stored either locally at the gateway or at the web server hosting that page (the latter requires an approved access list, or "white-list", an essential feature of the secure enterprise). Depending on the feature set of the gateway, multiple web servers can be white-listed (say, for iframes or links within the login page). In addition to white-listing the URLs of web hosts, some gateways can white-list TCP ports. The MAC addresses of attached clients can also be set to bypass the login process. Setting up the features of the captive portal is intuitive and fairly straightforward.
This technique has occasionally been referred to as UAM (Universal Access Method) in implementations and standards forums.
Captive portals are mainly used in open wireless networks, where users are shown a welcome message informing them of the conditions of access (allowed ports, liability, etc.). Administrators tend to do this so that users themselves take responsibility for their actions and to avoid any major problems. Whether this delegation of responsibility is legally valid is a matter of debate.
Captive portals are commonly used for marketing and commercial communication purposes. In this model, Internet access over Wi-Fi is offered as an incentive for the user to hand over personal data by filling out a registration form. This online form opens directly in the browser that ships with the device (smartphone, tablet, computer), or it appears when the user opens the browser and tries to visit any web page. In other words, the user is captive, unable to browse freely, until they accept the terms and legal conditions or view the advertisements displayed on the registration form or welcome page. This allows the provider of the service to display or send advertisements to the users who connect to the Wi-Fi access point. This type of service is also known as social Wi-Fi, as it usually asks for a social network account (e.g. Facebook) to log in, so that the visit to a particular physical space is spread through the user's social networks.
The user may encounter all kinds of content in the captive portal, and it is common for Internet access to be granted in exchange for viewing content or performing a prior action (data collection for commercial contact). In short, the marketing use of the captive portal is a tool for lead generation (business contacts or potential clients).
There is more than one way to implement a captive portal.
Client traffic can also be redirected at layer 3 using ICMP redirect.
Redirection by DNS
When a client requests a website, the browser first queries DNS. The firewall ensures that only the DNS server(s) provided by DHCP can be used by unauthenticated clients (or, alternatively, it forwards all DNS requests from unauthenticated clients to that DNS server). This DNS server returns the IP address of the captive portal page as the result of every DNS lookup.
Circumvention of captive portals
Captive portals have been known to have incomplete firewall rule sets. In some deployments the rule set will route DNS requests from clients to the Internet, or the provided DNS server will fulfill arbitrary DNS requests from the client. This allows a client to bypass the captive portal and access the open Internet by tunneling arbitrary traffic within DNS packets.
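As an added illustration (not code from the article or any particular product), the following minimal UDP resolver implements the DNS-redirection policy described above while closing the tunnelling gap just noted: for unauthenticated clients it answers every A lookup with the portal address and neither answers nor relays any other query type upstream, so there is no arbitrary DNS channel to tunnel through. The portal address and the set of already-admitted client IPs are constructed placeholders.

```python
import socket
import struct

# Constructed values for the demo (assumptions, not from the article).
PORTAL_IP = "10.0.0.1"                  # address serving the login page
AUTHENTICATED_CLIENTS = {"10.0.0.23"}   # client IPs the gateway has already admitted
QTYPE_A = 1

def build_query(txid, name, qtype):
    """Encode a minimal DNS query (header + one question), used for local testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(packet):
    """Return (txid, name, qtype, raw_question_section) from a DNS query packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                                   # skip the terminating zero-length label
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:pos + 4]

def handle_query(packet, client_ip):
    """Resolver policy: None means 'relay to the real resolver' (authenticated clients only).
    Unauthenticated clients get the portal IP for A queries and an empty answer for
    everything else; nothing they send is ever forwarded upstream."""
    if client_ip in AUTHENTICATED_CLIENTS:
        return None
    txid, _name, qtype, question = parse_query(packet)
    answers = b""
    if qtype == QTYPE_A:
        # Name pointer to offset 12, type A, class IN, TTL 0 (do not cache), rdlength 4.
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 0, 4) + socket.inet_aton(PORTAL_IP)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 0)
    return header + question + answers

def answered_ip(response):
    """Address carried in a response built by handle_query, or None if it has no answer."""
    if response is None or struct.unpack("!H", response[6:8])[0] == 0:
        return None
    return socket.inet_ntoa(response[-4:])

if __name__ == "__main__":
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 5353))               # unprivileged port for a local trial
    while True:
        data, (src_ip, src_port) = sock.recvfrom(512)
        reply = handle_query(data, src_ip)
        if reply:
            sock.sendto(reply, (src_ip, src_port))
```

In a real gateway the `None` case would be handed to the upstream resolver, and the firewall would still have to block unauthenticated clients from reaching any other DNS server directly.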
Some captive portals may be configured to allow appropriately equipped user agents to detect the captive portal and automatically authenticate. User agents and supplemental applications such as Apple's Captive Portal Assistant can sometimes transparently bypass the display of captive portal content against the wishes of the service operator as long as they have access to correct credentials, or they may attempt to authenticate with incorrect or obsolete credentials, resulting in unintentional consequences such as accidental account locking.
A captive portal that uses MAC addresses to track connected devices can sometimes be circumvented by connecting, over a wired link, a router that allows its MAC address to be set. Many router firmwares call this MAC cloning. Once a computer or tablet has been authenticated to the captive portal using a valid username and password, the MAC address of that computer or tablet can be entered into the router, which will often continue to be passed through the captive portal because it appears to have the same MAC address as the device that was previously connected.
Some of these implementations merely require users to pass an SSL-encrypted login page, after which their IP and MAC address are allowed to pass through the gateway. This has been shown to be exploitable with a simple packet sniffer. Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target and be allowed a route through the gateway. For this reason some captive portal solutions created extended authentication mechanisms to limit the risk of usurpation.
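The two preceding paragraphs describe sessions being taken over by re-using an admitted MAC or MAC/IP pair. As an added example from the gateway's side (not code from the article or any product), the check below runs over a constructed session table and a constructed stream of client-side observations (MAC, IP, IP TTL) and flags the conflicts a gateway can see: an admitted MAC turning up with another IP, an admitted IP sent from an unknown MAC, and one admitted identity showing more than one IP TTL, which suggests two different hosts share it. The session table, observation format and TTL heuristic are assumptions for the demo.

```python
from collections import defaultdict

# Constructed session table: identities the gateway admitted after a successful login.
SESSIONS = {"aa:bb:cc:dd:ee:01": "10.0.0.23"}

# Constructed observations (mac, ip, ip_ttl) as a gateway might sample from client-side traffic.
OBSERVATIONS = [
    ("aa:bb:cc:dd:ee:01", "10.0.0.23", 64),
    ("aa:bb:cc:dd:ee:01", "10.0.0.23", 64),
    ("aa:bb:cc:dd:ee:01", "10.0.0.23", 128),   # same identity, different OS default TTL
    ("aa:bb:cc:dd:ee:99", "10.0.0.23", 64),    # admitted IP used by a MAC that never logged in
    ("aa:bb:cc:dd:ee:01", "10.0.0.77", 64),    # admitted MAC appearing with a new IP
]

def detect_usurpation(sessions, observations):
    """Return (alerts, macs_to_rechallenge) for identity conflicts around admitted sessions.

    A conflict does not prove abuse (DHCP renewals and dual-boot hosts also trigger it),
    so the suggested response is to drop the session back to the login page rather than ban."""
    ip_to_mac = {ip: mac for mac, ip in sessions.items()}
    ttl_seen = defaultdict(set)
    alerts, rechallenge = [], set()
    for mac, ip, ttl in observations:
        bound_ip = sessions.get(mac)
        if bound_ip is not None and bound_ip != ip:
            alerts.append(f"authenticated MAC {mac} seen with unexpected IP {ip}")
            rechallenge.add(mac)
        elif ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"authenticated IP {ip} seen from unknown MAC {mac}")
            rechallenge.add(ip_to_mac[ip])
        elif bound_ip == ip:
            ttl_seen[(mac, ip)].add(ttl)
            if len(ttl_seen[(mac, ip)]) > 1:
                alerts.append(f"session {mac}/{ip} shows IP TTL values "
                              f"{sorted(ttl_seen[(mac, ip)])}: possible cloned identity")
                rechallenge.add(mac)
    return alerts, rechallenge

if __name__ == "__main__":
    found, macs = detect_usurpation(SESSIONS, OBSERVATIONS)
    for line in found:
        print(line)
    print("re-challenge:", sorted(macs))
```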
Captive portals require the use of a browser; this is usually the first application that users start, but users who first open an email client or another application will find the connection not working, without explanation, and will need to open a browser to authenticate. A similar problem can occur if the client uses AJAX or joins the network with pages already loaded into its browser, causing undefined behavior when such a page makes HTTP requests to its origin server.
Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non-browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols.
It is also possible for a platform vendor to enter into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's walled garden. One such example is the 2005 deal between Nintendo and Wayport to provide free WiFi access to Nintendo DS users at certain McDonald's restaurants. Also, VoIP SIP ports could be allowed to bypass the gateway to allow phones to work.