Captive portal

[Image: Captive Portal.png] An example of a captive web portal used to log onto a restricted network.

A captive portal is a web page, accessed with a web browser, that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement or acceptable use policy, completion of a survey, or other credentials and conditions that both the host and the user agree to abide by. [1] Captive portals are used for a broad range of mobile and pedestrian broadband services, including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to control access to enterprise or residential wired networks, such as those in apartment buildings, hotel rooms, and business centers.


The captive portal is presented to the client and is stored either at the gateway or on a web server hosting the web page. Depending on the feature set of the gateway, websites or TCP ports can be allow-listed so that the user does not have to interact with the captive portal in order to use them. The MAC address of attached clients can also be used to bypass the login process for specified devices.

WISPr refers to this web browser-based authentication method as the Universal Access Method (UAM). [2]

Uses

Captive portals are primarily used in open wireless networks where the users are shown a welcome message informing them of the conditions of access (allowed ports, liability, etc.). Administrators tend to do this so that their own users take responsibility for their actions and to avoid any legal responsibility. [3] Whether this delegation of responsibility is legally valid is a matter of debate. [4] [5] Some networks may also require the user's mobile phone number or identity information so that administrators can provide information to the authorities in the event of illegal activity on the network.

Captive portals are often used for marketing and commercial communication purposes. Access to the Internet over open Wi-Fi is withheld until the user hands over personal data by filling out a web-based registration form. The form either opens automatically in a web browser or appears when the user opens a web browser and tries to visit any web page. In other words, the user is "captive": unable to use the Internet freely until the captive portal has been "completed" and access has been granted. This allows the provider of the service to display or send advertisements to users who connect to the Wi-Fi access point. This type of service is also sometimes known as "social Wi-Fi", as it may ask for a social network account (such as Facebook) to log in. Over the past few years, such social Wi-Fi captive portals have become commonplace, with various companies offering marketing centered on Wi-Fi data collection. [6]

Captive portals can present many types of content, and it is common to grant Internet access in exchange for viewing content or performing a certain action (often providing personal data to enable commercial contact); the marketing use of the captive portal is thus a tool for lead generation (collecting business contacts or potential clients). [7]

Implementation

There are various ways to implement a captive portal.

HTTP redirect

A common method is to direct all World Wide Web traffic to a web server, which returns an HTTP redirect to the captive portal. [8] When a modern, Internet-enabled device first connects to a network, it sends an HTTP request to a detection URL predefined by its vendor and expects either an HTTP status code of 200 OK with a known body or a 204 No Content. If the device receives the expected 2xx response, it assumes it has unrestricted Internet access. A captive portal prompt is displayed when the gateway intercepts this first HTTP request and answers it with an HTTP 302 redirect to the captive portal of the operator's choice instead of the expected response. [9] [10] RFC 6585 additionally specifies the 511 Network Authentication Required status code, which a gateway can return to tell the client explicitly that it must authenticate to the network before the request can be served.

ICMP redirect

Client traffic can also be redirected at layer 3 using ICMP redirect messages.

Redirect by DNS

When a client requests a resource on a remote host by name, DNS is queried to resolve that hostname. In a captive portal deployment, the firewall ensures that unauthenticated clients can only reach the DNS server(s) handed out by the network's DHCP server (or, alternatively, it redirects all DNS traffic from unauthenticated clients to that DNS server). This DNS server returns the IP address of the captive portal page as the answer to every lookup.

To perform redirection by DNS, the captive portal thus uses DNS hijacking, acting much like a man-in-the-middle attacker. To limit the lingering effect of these poisoned answers, a TTL of 0 is typically used, so that the client does not keep resolving real hostnames to the portal address after it has been authenticated.
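The resolver behaviour described above, written out as an added example (this is not code from the article's sources or from any portal product): a minimal UDP DNS sinkhole that answers every A query from the unauthenticated side with the portal's address and a TTL of 0, returns real addresses only for a small walled-garden allowlist, and gives an empty NOERROR answer for other record types so that clients fall back to IPv4. The portal address, the allowlist entries and the bind address are constructed assumptions.

```python
"""Captive-portal DNS sinkhole (added example; constructed addresses)."""
import socket
import struct

PORTAL_IP = "10.0.0.1"            # assumption: where the portal web server listens
ALLOWLIST = {                     # constructed walled garden; a real gateway forwards these upstream
    "portal.example.net": "10.0.0.1",
    "pay.example.com": "203.0.113.10",
}
TTL_PORTAL = 0       # TTL 0: the client must not cache the portal answer once it has authenticated
TTL_ALLOWED = 300


def parse_query(pkt):
    """Return (txid, flags, qname, qtype, question_section) for a one-question DNS query."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1 or flags & 0x8000:          # exactly one question, and not a response
        raise ValueError("not a simple query")
    off, labels = 12, []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 or off + ln > len(pkt):    # no compression pointers in a question; no overrun
            raise ValueError("bad name")
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, flags, ".".join(labels).lower(), qtype, pkt[12:off + 4]


def build_response(query):
    """Answer one query the way the unauthenticated-side resolver does."""
    txid, flags, qname, qtype, question = parse_query(query)
    rflags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080   # QR, AA, RD copied, RA; RCODE 0
    if qtype != 1:                                          # A records only; NODATA for AAAA etc.
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    if qname in ALLOWLIST:
        ip, ttl = ALLOWLIST[qname], TTL_ALLOWED
    else:
        ip, ttl = PORTAL_IP, TTL_PORTAL
    # Answer name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer


def build_query(name, qtype=1, txid=0x1234):
    """Construct a standard recursive query packet (used for testing without a client)."""
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    return pkt + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_answer(resp):
    """Return (ancount, ip, ttl) from a response produced by build_response."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    while resp[off] != 0:                 # skip the echoed question name
        off += 1 + resp[off]
    off += 1 + 4                          # terminator plus QTYPE/QCLASS
    if an == 0:
        return 0, None, None
    _ptr, _rtype, _rclass, ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
    return an, socket.inet_ntoa(resp[off + 12:off + 12 + rdlen]), ttl


def serve(bind=("127.0.0.1", 5353)):
    """Serve queries over UDP; malformed packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, struct.error):
            pass


if __name__ == "__main__":
    serve()
```

Run it and point `dig @127.0.0.1 -p 5353 www.example.org` at it: every name resolves to the portal address with TTL 0, while `pay.example.com` resolves to its walled-garden address. The gateway's firewall still has to force unauthenticated clients to this resolver; a resolver that instead forwards unknown names upstream is exactly the DNS-tunnelling hole described under Limitations.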

Detection

Captive portal detection URLs typically return a minimal, standardized response when not behind a captive portal. When the device receives the expected response, it concludes that it has direct internet access. If the response is different, the device assumes it is behind a captive portal and triggers the captive portal login process.

Platform | Test URL | Expected response
Apple (macOS/iOS family), current | http://captive.apple.com/hotspot-detect.html | "Success" (plain text)
Apple (macOS/iOS family), legacy | http://www.apple.com/library/test/success.html | "Success" (plain text)
Google (Android/ChromeOS) [11] | http://connectivitycheck.gstatic.com/generate_204 | HTTP status code 204 with an empty body
Google (Android/ChromeOS) [11] | http://clients3.google.com/generate_204 | HTTP status code 204 with an empty body
Windows, current (Windows 10 1607 and later) [12] | http://www.msftconnecttest.com/connecttest.txt | "Microsoft Connect Test" (plain text)
Windows, legacy (prior to Windows 10 1607) [12] | http://www.msftncsi.com/ncsi.txt | "Microsoft NCSI" (plain text)
NetworkManager | http://nmcheck.gnome.org/check_network_status.txt | "NetworkManager is online" (plain text)
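The probe-and-classify logic that the HTTP redirect section and the table above describe, as an added example (not code from any OS vendor or from the article's sources): it fetches the vendor probe URLs over plain HTTP without following redirects, then classifies each answer the way a device does, treating a 302 or an RFC 6585 511 as a portal, an exact expected 2xx as online, and a 200 carrying a login page (DNS redirection or a transparent proxy) as a portal with no known URL. Function names and the constructed sample responses are illustrative assumptions.

```python
"""Client-side captive-portal detection (added example; constructed samples)."""
import re
import urllib.error
import urllib.request

# (url, expected status, expected body) from the detection table above.
PROBES = [
    ("http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
    ("http://www.msftconnecttest.com/connecttest.txt", 200, "Microsoft Connect Test"),
    ("http://nmcheck.gnome.org/check_network_status.txt", 200, "NetworkManager is online"),
]


def _text(body):
    """Strip HTML tags and collapse whitespace so plain-text and HTML bodies compare alike."""
    return " ".join(re.sub(r"<[^>]+>", " ", body).split())


def classify(status, headers, body, expected_status, expected_body):
    """Classify one probe response; headers must have lower-case keys.

    Returns (state, portal_url): state is "online", "portal" or "offline";
    portal_url is the login page when the gateway told us (redirect or 511).
    """
    if status is None:                       # connection failed or timed out
        return "offline", None
    if status == 511:                        # RFC 6585 Network Authentication Required
        return "portal", headers.get("location")
    if 300 <= status < 400:                  # the classic 302-to-portal interception
        return "portal", headers.get("location")
    text = _text(body)
    # The vendor pages are tiny; a login page that merely contains the word is far
    # longer. Real implementations compare the exact bytes the vendor publishes.
    if status == expected_status and expected_body in text and len(text) < 256:
        return "online", None
    return "portal", None                    # 200 with the wrong body: redirected or proxied


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 3xx itself is the signal we want to see."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, expected_status, expected_body, timeout=5):
    """Fetch one probe URL and classify it (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, hdrs, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:    # 3xx/4xx/5xx land here, including 511
        status, hdrs, body = err.code, err.headers, err.read()
    except (urllib.error.URLError, OSError):
        return "offline", None
    headers = {k.lower(): v for k, v in hdrs.items()}
    return classify(status, headers, body.decode("utf-8", "replace"), expected_status, expected_body)


def verdict(results):
    """Combine per-probe results. A walled garden may allow-list one vendor's
    probe host, so a single "online" is not proof; any "portal" wins."""
    states = [s for s, _ in results]
    portal_urls = [u for s, u in results if s == "portal" and u]
    if "portal" in states:
        return "portal", (portal_urls[0] if portal_urls else None)
    if "online" in states:
        return "online", None
    return "offline", None


def detect(probes=PROBES):
    return verdict([probe(*p) for p in probes])


# Constructed sample responses (not captured from any real gateway):
# (status, headers, body, expected status, expected body)
SAMPLES = {
    "open_internet": (204, {}, "", 204, ""),
    "http_redirect": (302, {"location": "http://10.0.0.1/login?url=http://connectivitycheck.gstatic.com/generate_204"}, "", 204, ""),
    "rfc6585": (511, {"location": "http://10.0.0.1/portal"}, "<html>login required</html>", 200, "Microsoft Connect Test"),
    "dns_redirect": (200, {}, "<html><body><form action=\"/login\">Please log in</form></body></html>", 200, "Success"),
    "vendor_text": (200, {}, "Microsoft Connect Test", 200, "Microsoft Connect Test"),
    "apple_html": (200, {}, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>", 200, "Success"),
    "no_link": (None, {}, "", 200, "Success"),
}


def classify_samples():
    return {name: classify(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(name, result)
    print("live:", detect())
```

Running it on a real network prints the live verdict last. Note that the HTTPS failure mode described under Limitations is exactly why every vendor probe in the table is plain HTTP: a gateway can only substitute a 302 or a login page for a cleartext request.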

Limitations

Security

Captive portals have been known to have incomplete firewall rule sets, such as outbound ports being left open, that allow clients to circumvent the portal. [13]

DNS tunneling

In some deployments, the rule set routes DNS requests from unauthenticated clients to the Internet, or the provided DNS server answers arbitrary queries by forwarding them upstream. This allows a client to bypass the captive portal and reach the open Internet by tunneling arbitrary traffic inside DNS packets exchanged with a name server under the client's control.
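The detection side of this bypass, as an added example (not code from the article's sources or any product): resolver log lines are grouped per client and registered domain, and a group is flagged when it shows what a tunnel client emits, namely many unique, long, high-entropy subdomains under one domain. The log format, client addresses, names and thresholds are constructed assumptions; the traffic from 10.0.0.23 is a made-up tunnel, that from 10.0.0.24 ordinary browsing.

```python
"""DNS-tunnel heuristics over resolver logs (added example; constructed data)."""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.24 A www.example.com
2024-05-01T10:00:02Z 10.0.0.24 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.24 AAAA www.example.com
2024-05-01T10:00:04Z 10.0.0.24 A cdn.example.com
2024-05-01T10:00:05Z 10.0.0.24 A api.example.com
2024-05-01T10:00:06Z 10.0.0.24 A img.example.com
2024-05-01T10:00:07Z 10.0.0.23 TXT kq7m2x9vtb3hzr5wn8ayp4lc6fd0gj1es.x2j9k3b7q1v5m8z4.t.example.org
2024-05-01T10:00:07Z 10.0.0.23 TXT 3hf8dz1pw6rk2yt9mb5cq7ax0nv4lj6gs.u8r2w6n1y7c3f9k5.t.example.org
2024-05-01T10:00:08Z 10.0.0.23 TXT p0w4xk8dt2mv6zh1qb9fc5nj3ry7lg2as.e4h7s1z9d2v6b3x8.t.example.org
2024-05-01T10:00:08Z 10.0.0.23 TXT z6c1nq5vs9ax3kp7tb2yh8mw0dr4fj1le.g3k8p5t2y6w9c1n4.t.example.org
2024-05-01T10:00:09Z 10.0.0.23 TXT r9y3tk7pv1fb5xq2mz8lc4wh6ns0dj3ga.a7q2m9r4x1d6h3v8.t.example.org
2024-05-01T10:00:09Z 10.0.0.23 TXT h5l2xb8mr4qc7zw1vt9kp3ny6fs0gd2je.j1w5y8b2f7s3q9z4.t.example.org
2024-05-01T10:00:10Z 10.0.0.23 TXT m2p7vz4kt9dc1xr6bw3qh8yn5fl0gs4ja.n6d3k9p1c7x2r5m8.t.example.org
2024-05-01T10:00:10Z 10.0.0.23 TXT w8q1tr5mv3kz7xb2nc9yp4hl6fd0js2ge.c9z4g1v7t3h6x2b5.t.example.org
"""

# Assumed thresholds; tune per environment.
THRESHOLDS = {"min_queries": 5, "avg_len": 40, "uniq_ratio": 0.8, "entropy": 3.5}


def shannon_entropy(s):
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumption: the registered domain
    is the last two labels; a real deployment would consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        records.append((client, qtype.upper(), qname))
    return records


def analyze(records, th=THRESHOLDS):
    """Per (client, registered domain): volume, name length, uniqueness, entropy, verdict."""
    groups = defaultdict(list)
    for client, qtype, qname in records:
        sub, dom = split_name(qname)
        groups[(client, dom)].append((qtype, qname, sub))
    report = {}
    for key, items in groups.items():
        n = len(items)
        subs = [s for _, _, s in items]
        pooled = "".join(s.replace(".", "") for s in subs)   # all subdomain characters
        m = {
            "queries": n,
            "avg_len": sum(len(q) for _, q, _ in items) / n,
            "uniq_ratio": len(set(subs)) / n,               # tunnels never repeat a chunk
            "entropy": shannon_entropy(pooled),
            # share of record types that carry bulk data downstream (reported, not scored)
            "bulk_types": sum(1 for t, _, _ in items if t in ("TXT", "NULL", "CNAME", "MX")) / n,
        }
        m["suspicious"] = (n >= th["min_queries"] and m["avg_len"] > th["avg_len"]
                           and m["uniq_ratio"] > th["uniq_ratio"] and m["entropy"] > th["entropy"])
        report[key] = m
    return report


def flagged(text):
    """Sorted list of (client, domain) pairs that look like tunnels."""
    return sorted(k for k, m in analyze(parse_log(text)).items() if m["suspicious"])


if __name__ == "__main__":
    for key, m in analyze(parse_log(SAMPLE_LOG)).items():
        print(key, {k: round(v, 2) if isinstance(v, float) else v for k, v in m.items()})
    print("flagged:", flagged(SAMPLE_LOG))
```

Expect false positives from CDN hostnames and anti-malware signature lookups, which also use long hashed labels, so treat a hit as a lead for the gateway operator, not a block rule. The structural fix is not to forward queries from unauthenticated clients upstream at all: a resolver that answers every name with the portal address carries no data out.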

Automatic submission

Some captive portals may be configured to allow appropriately equipped user agents to detect the captive portal and authenticate automatically. User agents and supplemental applications such as Apple's Captive Portal Assistant can sometimes transparently bypass the display of captive portal content, against the wishes of the service operator, as long as they have access to correct credentials; or they may attempt to authenticate with incorrect or obsolete credentials, with unintended consequences such as accidental account locking.

MAC spoofing

A captive portal that uses MAC addresses to track connected devices can sometimes be circumvented by re-using the MAC address of a previously authenticated device. Once a device has authenticated to the captive portal with valid credentials, the gateway adds that device's MAC address to its allowlist; since MAC addresses are easily spoofed, any other device on the same network can claim the authenticated device's MAC address (and, where the gateway also checks it, its IP address) and be routed through the gateway. For this reason some captive portal solutions have added extended authentication mechanisms to limit the risk of such impersonation.

Require Web Browser

Captive portals often require the use of a web browser; users who first use an email client or another application that relies on the Internet may find the connection not working without explanation, and then need to open a web browser to validate. This may be problematic for users who do not have a web browser installed on their operating system. It is, however, sometimes possible to use email and other facilities that do not rely on DNS (e.g. if the application specifies the connection IP address rather than the hostname). A similar problem can occur if the client uses AJAX or joins the network with pages already loaded in its web browser, causing undefined behavior (for example, corrupt messages appearing) when such a page makes HTTP requests to its origin server.

Similarly, as HTTPS connections cannot be redirected (at least not without triggering security warnings), a web browser that only attempts to access secure websites before being authorized by the captive portal will see those attempts fail without explanation (the usual symptom is that the intended website appears to be down or inaccessible).

Platforms that have Wi-Fi and a TCP/IP stack but no web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non-browser authentication is possible using WISPr, an XML-based authentication protocol designed for this purpose, MAC-based authentication, or authentication based on other protocols.
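The client side of the WISPr mechanism mentioned here and in the "Automatic submission" section, as an added example (not code from the article's sources, the Wi-Fi Alliance or any vendor): a smart client finds the XML block a WISPr-aware portal hides inside an HTML comment, reads the message type and response code, and decides whether to post credentials, poll, stop, or hand over to a web browser. The message types and response codes are those of the WISPr 1.0 smart-client specification; the sample pages, URLs and credentials are constructed.

```python
"""WISPr smart-client message handling (added example; constructed pages)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MESSAGE_TYPES = {100: "initial redirect", 110: "proxy notification",
                 120: "authentication notification", 130: "logoff notification",
                 140: "response to authentication poll"}
RESPONSE_CODES = {0: "no error", 50: "login succeeded", 100: "login failed",
                  102: "RADIUS server error/timeout", 105: "RADIUS server not enabled",
                  150: "logoff succeeded", 151: "login aborted",
                  200: "proxy detection/repeat operation", 201: "authentication pending",
                  255: "access gateway internal error"}

_BLOCK = re.compile(r"<WISPAccessGatewayParam\b.*?</WISPAccessGatewayParam>", re.S)


def parse_wispr(html):
    """Return {"section", "message_type", "response_code", "fields"}, or None
    when the page carries no WISPr block (an ordinary browser-only portal)."""
    m = _BLOCK.search(html)
    if not m:
        return None
    root = ET.fromstring(m.group(0))
    if len(root) == 0:
        return None
    section = root[0]                        # Redirect, AuthenticationReply, ...
    fields = {child.tag: (child.text or "").strip() for child in section}
    return {"section": section.tag,
            "message_type": int(fields.get("MessageType") or 0),
            "response_code": int(fields.get("ResponseCode") or 0),
            "fields": fields}


def next_action(msg):
    """Decide the client's next step: (action, url_or_reason).

    After a definite login failure (code 100) the client stops and asks the
    user; retrying stored credentials is what locks accounts, as noted above.
    """
    if msg is None:
        return "browser", None               # no WISPr: hand over to a web browser
    mt, rc, f = msg["message_type"], msg["response_code"], msg["fields"]
    if msg["section"] == "Redirect" and mt == 100 and rc == 0:
        return "login", f.get("LoginURL")
    if msg["section"] == "AuthenticationReply" and mt == 120:
        if rc == 50:
            return "done", f.get("LogoffURL")
        if rc == 201:
            return "poll", f.get("LoginResultsURL")
        return "stop", RESPONSE_CODES.get(rc, "unknown response code %d" % rc)
    return "stop", "unexpected %s message type %d" % (msg["section"], mt)


def login_request(login_url, username, password):
    """The form-encoded POST a WISPr client sends to LoginURL (field names per WISPr 1.0)."""
    return login_url, urlencode({"UserName": username, "Password": password})


# Constructed sample pages (no real portal was captured).
_WRAP = ('<html><body><!--\n<?xml version="1.0" encoding="UTF-8"?>\n'
         '<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
         ' xsi:noNamespaceSchemaLocation="http://www.acmewisp.com/WISPAccessGatewayParam.xsd">'
         '%s</WISPAccessGatewayParam>\n--><form action="/login">Log in</form></body></html>')
REDIRECT_PAGE = _WRAP % ('<Redirect><AccessProcedure>1.0</AccessProcedure>'
                         '<AccessLocation>lobby-ap-1</AccessLocation>'
                         '<LocationName>Example Hotel</LocationName>'
                         '<LoginURL>https://portal.example.net/login</LoginURL>'
                         '<MessageType>100</MessageType><ResponseCode>0</ResponseCode></Redirect>')
SUCCESS_PAGE = _WRAP % ('<AuthenticationReply><MessageType>120</MessageType>'
                        '<ResponseCode>50</ResponseCode><ReplyMessage>Welcome</ReplyMessage>'
                        '<LogoffURL>https://portal.example.net/logoff?sid=abc123</LogoffURL>'
                        '</AuthenticationReply>')
FAILED_PAGE = _WRAP % ('<AuthenticationReply><MessageType>120</MessageType>'
                       '<ResponseCode>100</ResponseCode>'
                       '<ReplyMessage>Invalid credentials</ReplyMessage></AuthenticationReply>')

if __name__ == "__main__":
    for page in (REDIRECT_PAGE, SUCCESS_PAGE, FAILED_PAGE, "<html>plain portal</html>"):
        print(next_action(parse_wispr(page)))
```

The page that triggers this is the one the gateway serves in place of the probe URL, so the parser runs on the body of the redirected detection request. Only `LoginURL` and `LogoffURL` values that use HTTPS should ever receive credentials; the XML itself arrives over the same cleartext HTTP that the portal intercepted.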

It is also possible for a platform vendor to enter into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's walled garden. For example, in 2005 Nintendo and Wayport partnered to provide free Wi-Fi access to Nintendo DS users at certain McDonald's restaurants. [14] Also, VoIP and SIP ports could be allowed to bypass the gateway to allow phones to make and receive calls.

References

  1. "What is a captive portal? – TechTarget Definition". Mobile Computing. Retrieved 2023-12-19.
  2. Wiederkehr, Patrick (2009). Approaches for simplified hotspot logins with Wi-Fi devices (Master Thesis). ETH, Swiss Federal Institute of Technology, Computer Science Department. doi:10.3929/ethz-a-005899210. Archived from the original on 2022-11-20. Retrieved 2022-11-20.
  3. "What Is a Captive Portal? | Linksys: US". www.linksys.com. Retrieved 2023-12-19.
  4. "Wi-Fi Hotspots and Liability Concerns". Maiello Brungo & Maiello. April 9, 2007. Archived from the original on 2019-05-04. Retrieved 2019-03-06.
  5. "Myths and Facts: Running Open Wireless and liability for what others do". Open Wireless Movement. August 7, 2012. Archived from the original on 2019-02-14. Retrieved 2019-03-06.
  6. "Understand the Evolution of Captive Portal to Cloud Authentication Solutions". 2023-05-23. Archived from the original on 2023-07-02. Retrieved 2023-07-08.
  7. YEC. "Council Post: Why Leverage Captive Portals To Uncover Hidden Customers". Forbes. Archived from the original on 2022-03-18. Retrieved 2022-03-18.
  8. Wippler, Andrew J. (April 7, 2017). "Captive Portal Overview". Andrew Wippler's Sketchpad. Archived from the original on 2019-05-04. Retrieved 2019-03-06.
  9. Wippler, Andrew J. (March 11, 2016). "WiFi Captive Portal". Andrew Wippler's Sketchpad. Archived from the original on 2019-05-04. Retrieved 2019-03-06.
  10. "Network Portal Detection". Chromium. Archived from the original on 2019-03-03. Retrieved 2019-03-06.
  11. "Network Portal Detection". Google. Retrieved 6 March 2024.
  12. "Answers To Common Questions About NCSI". Microsoft. Retrieved 6 March 2024.
  13. Laliberte, Marc (August 26, 2016). "Lessons from DEFCON 2016 – Bypassing Captive Portals". Archived from the original on 2019-02-04. Retrieved 2019-03-06.
  14. "Nintendo And Wayport Join Forces To Bring Free U.S. Wi-Fi Access To Nintendo DS Users". 2005-10-18. Archived from the original on 2019-05-04. Retrieved 2019-03-06.