Captive portal
The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before using the Internet normally. A captive portal turns a Web browser into an authentication device. This is done by intercepting all packets, regardless of address or port, until the user opens a browser and tries to access the Internet. At that time the browser is redirected to a web page which may require authentication and/or payment, or simply display an acceptable use policy and require the user to agree. Captive portals are used at most Wi-Fi hotspots, and they can be used to control wired access (e.g. apartment houses, hotel rooms, business centers, "open" Ethernet jacks) as well.

Since the login page itself must be presented to the client, either that login page is locally stored in the gateway, or the web server hosting that page must be "whitelisted" via a walled garden to bypass the authentication process. Depending on the feature set of the gateway, multiple web servers can be whitelisted (say for iframes or links within the login page). In addition to whitelisting the URLs of web hosts, some gateways can whitelist TCP ports. The MAC address of attached clients can also be set to bypass the login process.

Redirection by HTTP

If an unauthenticated client requests a website, DNS is queried by the browser and the appropriate IP resolved as usual. The browser then sends an HTTP request to that IP address. This request, however, is intercepted by a firewall and forwarded to a redirect server. This redirect server responds with a regular HTTP response which contains HTTP status code 302 to redirect the client to the Captive Portal. To the client, this process is totally transparent. The client assumes that the website actually responded to the initial request and sent the redirect.
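The two pieces described above, the gateway's interception decision (walled-garden hosts, whitelisted TCP ports, bypass MAC addresses) and the redirect server's 302 answer, as an added example in Python. This is not code from the article or from any of the products it lists; PORTAL_URL, the host and MAC placeholders, and the listening port are assumptions, and the firewall rule that actually diverts TCP/80 to the redirect server is left to the gateway.

```python
"""Gateway interception policy and HTTP 302 redirect server (added example).

Assumptions (illustrative, not from the article): the gateway firewall already
diverts unauthenticated clients' TCP/80 traffic to this process, the login
page lives at PORTAL_URL, and the walled-garden hosts, bypass ports and bypass
MAC addresses are the placeholders the caller passes in.
"""
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

PORTAL_URL = "https://portal.example.test/login"   # placeholder portal


def _norm_mac(mac: str) -> str:
    return mac.strip().lower()


@dataclass
class GatewayPolicy:
    """The firewall's per-packet decision for clients that have not logged in.

    allowed_hosts: walled-garden web hosts (login page, its iframes, a CDN)
    allowed_ports: TCP ports usable before login (e.g. SIP for phones)
    bypass_macs:   devices exempted from the login page entirely
    authenticated: MAC addresses that have completed the portal login
    """
    allowed_hosts: set = field(default_factory=set)
    allowed_ports: set = field(default_factory=set)
    bypass_macs: set = field(default_factory=set)
    authenticated: set = field(default_factory=set)

    def __post_init__(self):
        self.allowed_hosts = {h.lower().rstrip(".") for h in self.allowed_hosts}
        self.bypass_macs = {_norm_mac(m) for m in self.bypass_macs}

    def authenticate(self, mac: str) -> None:
        self.authenticated.add(_norm_mac(mac))

    def should_intercept(self, client_mac: str, dst_host: str, dst_port: int) -> bool:
        """True when the packet must be diverted to the redirect server."""
        mac = _norm_mac(client_mac)
        if mac in self.bypass_macs or mac in self.authenticated:
            return False
        if dst_port in self.allowed_ports:
            return False
        if dst_host.lower().rstrip(".") in self.allowed_hosts:
            return False
        return True


def build_redirect(host: str, path: str, portal_url: str = PORTAL_URL):
    """Build the 302 the redirect server returns for an intercepted request.

    The original URL rides in the Location query string so the portal can send
    the user back to it after login. Cache-Control: no-store keeps a shared
    cache from replaying the interception to clients that have since logged in.
    """
    original = f"http://{host}{path}"
    location = f"{portal_url}?url={quote(original, safe='')}"
    headers = {"Location": location, "Cache-Control": "no-store", "Content-Length": "0"}
    return 302, headers


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every request that reaches it with the redirect built above."""

    def _redirect(self) -> None:
        host = self.headers.get("Host", "unknown.invalid")
        status, headers = build_redirect(host, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    do_GET = do_HEAD = _redirect

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


if __name__ == "__main__":
    # Unprivileged port; the gateway's NAT rule would point diverted TCP/80 here.
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```

The policy object is the part worth copying: every exemption the article mentions (host, port, MAC) is an explicit allow, and the default is to intercept, so a forgotten rule fails closed rather than open.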

IP Redirect

Client traffic can also be redirected using IP redirect on the layer 3 level. This has the disadvantage that content served to the client does not match the URL.

Redirection by DNS

When a client requests a website, DNS is queried by the browser. The firewall will make sure that only the DNS server(s) provided by DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the Captive Portal page as a result of all DNS lookups.

The DNS poisoning technique used here may negatively affect post-authenticated Internet use unless the answers carry a TTL of 0: the client machine otherwise keeps the non-authentic data in its local resolver cache and keeps referencing it after login.

Some naive implementations don't block outgoing DNS requests from clients, and therefore are very easy to bypass; a user simply needs to configure their computer to use another, public, DNS server. Implementing a firewall or ACL that ensures no inside clients can use an outside DNS server is critical.
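The DNS side of the scheme, as an added example in Python that is not code from the article or any listed product: a responder that answers every A query with the portal address using a TTL of 0 (the caveat from the previous paragraphs), and the egress decision that keeps unauthenticated clients from reaching any resolver other than the gateway's. GATEWAY_IP and the query names are constructed placeholders; the firewall that consults dns_egress_allowed() is assumed.

```python
"""DNS redirection for unauthenticated clients, with TTL 0 and an egress ACL.

Added example, not code from the article. Assumptions (illustrative): the
portal page and the gateway's resolver both live at GATEWAY_IP, and the
gateway firewall calls dns_egress_allowed() for every packet that an
unauthenticated client sends to port 53.
"""
import socket
import struct

GATEWAY_IP = "10.0.0.1"   # constructed placeholder


def dns_egress_allowed(authenticated: bool, dst_ip: str) -> bool:
    """ACL for port-53 traffic. Unauthenticated clients may only talk to the
    gateway resolver; letting them reach a public resolver would let them
    skip the portal entirely. Authenticated clients are unrestricted."""
    return authenticated or dst_ip == GATEWAY_IP


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed client query (RD set), used to exercise the responder."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, flags, qname, qtype, raw_question) of a one-question message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("only single-question messages are handled")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed question names are not supported")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 4   # skip QTYPE and QCLASS
    return txid, flags, ".".join(labels), qtype, msg[12:pos]


def build_portal_answer(query: bytes, portal_ip: str = GATEWAY_IP, ttl: int = 0) -> bytes:
    """Answer any A query with the portal address.

    TTL defaults to 0 so the client's resolver cache does not keep the forged
    mapping after login; a non-zero TTL here is exactly the post-authentication
    breakage the article warns about. Non-A queries get an empty NOERROR reply
    rather than a forged record of the wrong type.
    """
    txid, qflags, _name, qtype, question = parse_question(query)
    flags = 0x8000 | 0x0400 | (qflags & 0x0100) | 0x0080   # QR, AA, copy RD, RA
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # NAME is a pointer to offset 12 (the question), then TYPE A, CLASS IN, TTL, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(portal_ip)
    return header + question + answer


def decode_first_answer(response: bytes):
    """Return (qname, ttl, ip) from a response built above, or None if it has no answer."""
    _txid, _flags, qname, _qtype, question = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    rr = response[12 + len(question):]
    ttl = struct.unpack("!I", rr[6:10])[0]
    return qname, ttl, socket.inet_ntoa(rr[12:16])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Blocking UDP loop the gateway would run for unauthenticated clients."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            sock.sendto(build_portal_answer(data), addr)
        except (ValueError, IndexError):
            pass   # malformed or multi-question: drop silently


if __name__ == "__main__":
    serve()
```

The responder must only ever be reachable by clients that have not logged in; once a client authenticates, the gateway has to start forwarding its queries to a real resolver, and the TTL of 0 is what makes that switch invisible to the client.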

Software captive portals

  • Air Marshal, software based for Linux platform (commercial)
  • Amazingports, Linux based software with integrated billing and payment implementing service-oriented provisioning, free and commercial
  • Captive::Portal, open source, Perl and Linux based software solution
  • ChilliSpot, open source Linux daemon [abandoned]
  • CoovaChilli, open source Linux daemon based on ChilliSpot
  • DNS Redirector, Windows based software solution (commercial)
  • FirstSpot, Windows based software solution (commercial)
  • Hotspot Engine, modified Linux OS, paid or a 30 day trial by request
  • HotSpotPA, open source Linux daemon based on OpenWrt, OpenVPN, and ChilliSpot
  • Kattive, Linux based under GPL, easily authenticated with Samba, LDAP or other methods
  • LogiSense, Billing & OSS / Network Access Control
  • m0n0wall, FreeBSD based firewall distribution
  • MyHotSpot, Windows based (freeware)
  • NoCatAuth, Linux based
  • PacketFence, Linux based Network Access Control software featuring a captive portal (open source)
  • pfSense, FreeBSD based firewall software derived from m0n0wall
  • pointHotspot, a web-based hotspot solution for any ChilliSpot or Mikrotik router
  • SilverSplash, an open source ad serving captive portal for Linux platforms
  • Sputnik, Software as a Service solution (commercial)
  • Untangle Captive Portal, firewall featuring a captive portal (Linux-based, free basic functionality, commercial directory integration)
  • WiFiDog Captive Portal Suite, small C based kernel solution (embeddable)
  • Wilmagate, C++ based, executable in both Linux and Windows/Cygwin environments
  • Zeroshell, Linux based network services distribution
  • Sweetspot, free and open source Linux daemon operating at the IP layer


Captive portals are gaining increasing use on free open wireless networks where, instead of authenticating users, they often display a message from the provider along with the terms of use. Although the legal standing is still unclear (especially in the USA), common thinking is that by forcing users to click through a page that displays terms of use and explicitly releases the provider from any liability, any potential problems are mitigated. They also allow enforcement of payment structures.

Limitations

Some of these implementations merely require users to pass an SSL encrypted login page, after which their IP and MAC address are allowed to pass through the gateway. This has been shown to be exploitable with a simple packet sniffer. Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target, and be allowed a route through the gateway. For this reason some captive portal solutions created extended authentication mechanisms to limit the risk of usurpation.
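Two defensive measures against the address-binding weakness just described, as an added example in Python that is not code from the article or any listed product: a detector that flags an authenticated (IP, MAC) pair being split between two hosts on the client segment, and an "extended" session check in which a keep-alive only renews the session when the bound addresses and a per-session secret issued at login both match. The session table, the ARP-style observation lines and the addresses are all constructed for the example.

```python
"""Usurpation detection and session-secret binding for a captive portal.

Added example, not code from the article. Assumptions (illustrative): the
gateway records each login as the (IP, MAC) pair it saw, can watch ARP/DHCP
activity on the client segment as 'timestamp ip mac' lines, and sets a random
per-session secret in the browser over the HTTPS login page that the client
echoes back in periodic keep-alives. All lines and addresses are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


@dataclass(frozen=True)
class Session:
    ip: str
    mac: str


# Constructed: one authenticated session and a few segment observations.
SESSIONS = [Session("192.168.1.10", "aa:bb:cc:dd:ee:01")]
OBSERVATIONS = [
    "2011-05-01T10:00:00 192.168.1.10 aa:bb:cc:dd:ee:01",   # the real client
    "2011-05-01T10:00:05 192.168.1.20 aa:bb:cc:dd:ee:02",   # unauthenticated, normal
    "2011-05-01T10:00:09 192.168.1.10 aa:bb:cc:dd:ee:99",   # session IP, foreign MAC
    "2011-05-01T10:00:12 192.168.1.77 aa:bb:cc:dd:ee:01",   # session MAC, foreign IP
    "2011-05-01T10:00:15 192.168.1.55 aa:bb:cc:dd:ee:55",   # unauthenticated, normal
]


def parse_observation(line: str) -> Tuple[str, str, str]:
    """Parse one 'timestamp ip mac' line as a segment monitor would emit it."""
    ts, ip, mac = line.split()
    return ts, ip, normalize_mac(mac)


def detect_usurpation(sessions: List[Session], lines: List[str]):
    """Return (timestamp, kind, ip, mac) for every split of an authenticated pair.

    Either half of a session's identity showing up with a different partner
    means a second host is using it. Addresses with no session are not alerts:
    unauthenticated devices are expected on the segment.
    """
    by_ip: Dict[str, Session] = {s.ip: s for s in sessions}
    by_mac: Dict[str, Session] = {normalize_mac(s.mac): s for s in sessions}
    alerts = []
    for line in lines:
        ts, ip, mac = parse_observation(line)
        s = by_ip.get(ip)
        if s is not None and normalize_mac(s.mac) != mac:
            alerts.append((ts, "ip-reused-by-other-mac", ip, mac))
            continue
        s = by_mac.get(mac)
        if s is not None and s.ip != ip:
            alerts.append((ts, "mac-reused-with-other-ip", ip, mac))
    return alerts


def issue_session(bound: Dict[Session, str], ip: str, mac: str) -> str:
    """At login (over HTTPS), bind the address pair to a fresh random secret."""
    token = secrets.token_urlsafe(32)
    bound[Session(ip, normalize_mac(mac))] = token
    return token


def refresh_allowed(bound: Dict[Session, str], ip: str, mac: str, token: str) -> bool:
    """Extended check: renew only if the address pair AND the secret match.

    A host that has merely copied the addresses never received the secret, so
    its keep-alives fail and the session lapses at its next expiry.
    """
    expected = bound.get(Session(ip, normalize_mac(mac)))
    return expected is not None and hmac.compare_digest(expected, token)


if __name__ == "__main__":
    for alert in detect_usurpation(SESSIONS, OBSERVATIONS):
        print(*alert)
```

The detector is a signal, not a verdict: a DHCP lease legitimately moving to another device will also trip it, which is why the session-secret check is the control that actually closes the gap, with the alerts used to decide when a session should be torn down and re-authenticated.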

Captive portals require the use of a browser; this is usually the first application that users start, but users who first open an email client or another non-browser application will find that the connection does not work, with no explanation, and will need to open a browser to authenticate. A similar problem can occur if the client joins the network with pages already loaded into its browser, causing undefined behavior when such a page tries HTTP requests to its origin server.

Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non-browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols.

There also exists the option of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's walled garden, such as the deal between Nintendo and Wayport. For example, VoIP SIP ports could be allowed to bypass the gateway to allow phones to work.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.