What is a captive portal?
A captive portal is a webpage that the user of a public network is required to view and interact with before they can access the network. It is typically used by business centers, airports, hotel lobbies, coffee shops and other public venues that offer free Wi-Fi hotspots for internet users.
Why captive portals are used
A captive portal is a customized login page that users must address before connecting to a public (or free) Wi-Fi network. When a user submits credentials, they are validated against a database of authorized users before they can access the network. This also lets the business show users the terms of service for the Wi-Fi hotspot; they must agree to the terms in order to access the hotspot.
Some captive portals ask for a username and password. A business may provide the password to verified customers, for instance, on paying for its product or service (e.g., a room, a cup of coffee, a meal, etc.). This gives the business control over who uses its Wi-Fi hotspot. The terms of service page (which is essentially a list of dos and don'ts to use the network) also protects them from possible legal liability.
A captive portal also gives businesses increased control over their internet bandwidth since they can limit usage. Some businesses use captive portals to collect sales lead information (e.g., by asking users to fill out a form), collect user feedback (e.g., via a survey), display an advertisement or highlight a new promotion.
How a captive portal works
When a user logs on to a network with a captive portal, they see a webpage requiring them to perform certain actions before access is granted. A simple captive portal expects the user to at least look at (if not read) an acceptable use policy (AUP) page and then click a button consenting to the terms of the policy.
The AUP page and policy are meant to absolve the provider from liability in case the user, or a threat actor, conducts criminal or destructive activity while logged onto the provider's Wi-Fi network. In some captive portals, advertisements for the provider's sponsors are displayed, requiring the user to click through them or close those windows before accessing the internet.
Some captive portals require the entry of a preassigned user ID and password before accessing the network. Such authentication is designed to discourage the use of the wireless hotspot for illegal activities.
Traffic mechanism for captive portals
The main purpose of a captive portal is to block users from accessing the Wi-Fi hotspot before they are validated and verified (authenticated) by the system. Usually, authentication servers for captive portals support both HTTP and HTTPS (HTTP Secure) web connections. Captive portals can also be configured to use an optional HTTP port -- in addition to the standard HTTP port 80 -- and support HTTP proxy networks.
For wired interfaces, users who are directly connected to the switch are authenticated via the captive portal before they can access the network. The wired physical port is set in a captive-portal-enabled state so that all network traffic coming to it from the unauthenticated user (client) is dropped except for ARP, DHCP, DNS and NetBIOS packets. These packets are forwarded by the switch, so unauthenticated users can obtain an IP address and resolve hostnames. Only once the user has authenticated does their other data traffic go through; until then, the dropping rules apply.
When the unauthenticated user tries to connect to the network, their HTTP/HTTPS traffic is redirected to the authenticating server on the switch. The user then sees the captive portal webpage where they can log in. If authentication is successful, they are given access to the port and network. Every client connected to the captive portal interface must be authenticated before they can access the network.
Mechanism to set up a captive portal
Before setting up a Wi-Fi hotspot's captive portal, organizations must check the network setup, confirm that all the firmware is up to date and confirm that the network's access point supports the captive portal feature. The setup process is on the access point's web-based setup page.
1. Enter the access point's setup menu and look for the heading Captive Portal or Global Configuration.
2. Go to Portal Profiles or Portal Settings to customize the portal's settings, with respect to its name, password protection, and redirection (e.g., to an existing webpage).
4. Associate the portal with a wireless radio band and service set identifier (SSID).
Depending on the network and access point setup, businesses can create multiple captive portal configuration instances, with each configuration containing flags and definitions to control user access and to customize the verification page. A configuration can be applied to multiple interfaces, where each interface is a physical port on the switch.
Challenges with captive portals
Some users may repeatedly connect to the captive portal, using the network on a continuous basis to download music, videos or other large files. Some of these download activities may be illegal (e.g., if the files are copyright-protected). This activity is known as bandwidth hogging.
Additional programming in the captive portal can minimize the problem. Such programming can control the speed at which large files are downloaded, limit the size (in kilobytes or megabytes) of files that can be downloaded, restrict the number of downloads that can occur in a single session and block a user from connecting to the websites commonly used for downloading large files. This method is called bandwidth throttling or traffic shaping.
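The four controls listed above (rate limiting, a per-file size cap, a per-session download count, and blocking known bulk-download hosts) can be implemented together as a per-session policy plus a token bucket that spaces out the bytes sent. This is an added example, not code from the article; the limits, the blocked hostname and the session bookkeeping are constructed values chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy values; a real deployment would tune these per venue.
MAX_FILE_BYTES = 50 * 1024 * 1024              # largest single download allowed
MAX_DOWNLOADS_PER_SESSION = 5                  # downloads permitted per login session
BLOCKED_HOSTS = {"bulk-downloads.example"}     # placeholder for a bulk-download site list
RATE_BYTES_PER_SEC = 256 * 1024                # sustained per-session rate (256 KB/s)
BURST_BYTES = 1024 * 1024                      # token bucket depth (1 MB burst)


@dataclass
class Session:
    downloads: int = 0
    tokens: float = BURST_BYTES   # bytes that may be sent immediately; may go negative (debt)
    last: float = 0.0             # timestamp of the last shaping decision


def admit_download(session: Session, host: str, size_bytes: int) -> tuple:
    """Decide whether a new download may start; returns (allowed, reason)."""
    if host in BLOCKED_HOSTS:
        return False, "blocked host"
    if size_bytes > MAX_FILE_BYTES:
        return False, "file too large"
    if session.downloads >= MAX_DOWNLOADS_PER_SESSION:
        return False, "download limit reached"
    session.downloads += 1
    return True, "ok"


def shape(session: Session, chunk_bytes: int, now: float) -> float:
    """Token-bucket shaper: return the seconds to delay this chunk so the session
    stays at RATE_BYTES_PER_SEC on average, with bursts up to BURST_BYTES."""
    elapsed = now - session.last
    session.last = now
    session.tokens = min(BURST_BYTES, session.tokens + elapsed * RATE_BYTES_PER_SEC)
    session.tokens -= chunk_bytes
    # Negative tokens mean the session has overdrawn its allowance; the delay
    # is the time the bucket needs to refill back to zero.
    return max(0.0, -session.tokens / RATE_BYTES_PER_SEC)
```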