<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://lms.onnocenter.or.id/wiki/index.php?action=history&amp;feed=atom&amp;title=Captive_portal</id>
	<title>Captive portal - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://lms.onnocenter.or.id/wiki/index.php?action=history&amp;feed=atom&amp;title=Captive_portal"/>
	<link rel="alternate" type="text/html" href="https://lms.onnocenter.or.id/wiki/index.php?title=Captive_portal&amp;action=history"/>
	<updated>2026-04-25T21:28:05Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.45.1</generator>
	<entry>
		<id>https://lms.onnocenter.or.id/wiki/index.php?title=Captive_portal&amp;diff=17920&amp;oldid=prev</id>
		<title>Onnowpurbo: New page: The &#039;&#039;&#039;captive portal&#039;&#039;&#039; technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before using the Internet normally. A &#039;&#039;&#039;c...</title>
		<link rel="alternate" type="text/html" href="https://lms.onnocenter.or.id/wiki/index.php?title=Captive_portal&amp;diff=17920&amp;oldid=prev"/>
		<updated>2010-04-07T03:14:21Z</updated>

		<summary type="html">&lt;p&gt;New page: The &amp;#039;&amp;#039;&amp;#039;captive portal&amp;#039;&amp;#039;&amp;#039; technique forces an &lt;a href=&quot;/wiki/index.php?title=HTTP&quot; title=&quot;HTTP&quot;&gt;HTTP&lt;/a&gt; client on a network to see a special web page (usually for &lt;a href=&quot;/wiki/index.php?title=Authentication&amp;amp;action=edit&amp;amp;redlink=1&quot; class=&quot;new&quot; title=&quot;Authentication (page does not exist)&quot;&gt;authentication&lt;/a&gt; purposes) before using the &lt;a href=&quot;/wiki/index.php?title=Internet&quot; title=&quot;Internet&quot;&gt;Internet&lt;/a&gt; normally. A &amp;#039;&amp;#039;&amp;#039;c...&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;The &amp;#039;&amp;#039;&amp;#039;captive portal&amp;#039;&amp;#039;&amp;#039; technique forces an [[HTTP]] client on a network to see a special web page (usually for [[authentication]] purposes) before using the [[Internet]] normally. A &amp;#039;&amp;#039;&amp;#039;captive portal&amp;#039;&amp;#039;&amp;#039; turns a [[Web browser]] into an authentication device. This is done by intercepting all [[Packet (information technology)|packet]]s, regardless of address or port, until the user opens a browser and tries to access the Internet.  At that time the browser is redirected to a web page which may require authentication and/or [[Payment gateway|payment]], or simply display an [[acceptable use policy]] and require the user to agree.  Captive portals are used at most [[Wi-Fi]] [[Hotspot (Wi-Fi)|hotspots]], and can be used to control wired access (e.g. apartment houses, hotel rooms, business centers, &amp;quot;open&amp;quot; [[Ethernet]] jacks) as well.&lt;br /&gt;
&lt;br /&gt;
Since the [[Logging (computer security)|login page]] itself must be presented to the client, either that login page is locally stored in the [[Gateway (computer networking)|gateway]], or the [[web server]] hosting that page must be &amp;quot;[[whitelist]]ed&amp;quot; via a [[walled garden (media)|walled garden]] to bypass the authentication process.  Depending on the feature set of the gateway, multiple web servers can be whitelisted (say for [[iframe]]s or [[HTML element#Links and anchors|links]] within the login page).  In addition to whitelisting the [[Uniform Resource Locator|URL]]s of web hosts, some gateways can whitelist [[TCP ports]].   The [[MAC address]] of attached clients can also be set to bypass the login process.&lt;br /&gt;
&lt;br /&gt;
==Implementation==&lt;br /&gt;
&lt;br /&gt;
There is more than one way to implement a captive portal.&lt;br /&gt;
&lt;br /&gt;
===Redirection by HTTP===&lt;br /&gt;
&lt;br /&gt;
If an unauthenticated client requests a website, [[Domain name system|DNS]] is queried by the browser and the appropriate IP resolved as usual. The browser then sends an [[HTTP]] request to that [[IP address]]. This request, however, is intercepted by a [[Firewall (computing)|firewall]] and forwarded to a redirect server. This redirect server responds with a regular HTTP response which contains [[List_of_HTTP_status_codes#3xx_Redirection|HTTP status code 302]] to redirect the client to the Captive Portal. To the client, this process is totally transparent. The client assumes that the website actually responded to the initial request and sent the redirect.&lt;br /&gt;
&lt;br /&gt;
===IP Redirect===&lt;br /&gt;
&lt;br /&gt;
Client traffic can also be redirected using IP redirect on the layer 3 level. This has the disadvantage that content served to the client does not match the URL.&lt;br /&gt;
&lt;br /&gt;
===Redirection by DNS===&lt;br /&gt;
&lt;br /&gt;
When a client requests a website, [[Domain name system|DNS]] is queried by the browser. The firewall will make sure that only the DNS server(s) provided by DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the Captive Portal page as a result of all DNS lookups.&lt;br /&gt;
&lt;br /&gt;
Unless the answers carry a [[Time_to_live|TTL]] of 0, the [[DNS poisoning]] technique used here may negatively affect internet use after authentication, because the client machine may still reference non-authentic data in its local resolver cache.&lt;br /&gt;
&lt;br /&gt;
Some naive implementations don&amp;#039;t block outgoing DNS requests from clients, and therefore are very easy to bypass; a user simply needs to configure their computer to use another, public, DNS server.  Implementing a firewall or [[Access_control_list|ACL]] that ensures no inside clients can use an outside DNS server is critical.&lt;br /&gt;
&lt;br /&gt;
==Software captive portals==&lt;br /&gt;
*[[AirMarshal|Air Marshal]], software based for [[Linux]] platform (commercial)&lt;br /&gt;
*[http://www.amazingports.com/ AmazingPorts], Linux based, free and commercial - founded 2001.&lt;br /&gt;
*[[ChilliSpot]], open source [[Linux]] daemon [abandoned]&lt;br /&gt;
*[http://coova.org/ CoovaSpot], open source [[Linux]] daemon based on [[ChilliSpot]]&lt;br /&gt;
*[http://patronsoft.com/firstspot FirstSpot], software based for [[Windows]] platform (commercial)&lt;br /&gt;
*[http://www.dnsredirector.com DNS Redirector], software based for [[Windows]] platform (commercial)&lt;br /&gt;
*[http://www.hotspotpa.com HotSpotPA], open source [[Linux]] daemon based on [[OpenWRT]], [[OpenVPN]], and [[ChilliSpot]]&lt;br /&gt;
*[http://pepperspot.sourceforge.net/ PepperSpot], open source [[Linux]] &lt;br /&gt;
*[[m0n0wall]], [[FreeBSD]] based firewall distribution&lt;br /&gt;
*[[PacketFence]], [[Linux]] based [[Network Access Control]] software featuring a captive portal (open source)&lt;br /&gt;
*[[pfSense]], [[FreeBSD]] based firewall software derived from [[m0n0wall]]&lt;br /&gt;
*[http://www.untangle.com/captive-portal Untangle Captive Portal], Firewall featuring Captive Portal&lt;br /&gt;
*[[WiFiDog Captive Portal|WiFiDog Captive Portal Suite]], small C based kernel solution (embeddable)&lt;br /&gt;
*[[Wilmagate]], C++ based, executable in both [[Linux]] and Windows/Cygwin environments&lt;br /&gt;
*[[Zeroshell]], [[Linux]] based network services distribution&lt;br /&gt;
*[http://talweg.univ-metz.fr/en:start NoTalweg], open source captive portal based on [[netfilter]] queue&lt;br /&gt;
*[http://www.openit.it/index.php?option=com_content&amp;amp;view=section&amp;amp;id=6&amp;amp;Itemid=63&amp;amp;lang=en Kattive], captive portal based on [[Linux]] using [[Shorewall]] &lt;br /&gt;
&lt;br /&gt;
The webpage [http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal here] details how to create your own captive portal using [[Linux]] with [[iptables]] and [[PHP]].&lt;br /&gt;
&lt;br /&gt;
Captive portals are gaining increasing use on free open wireless networks where, instead of authenticating users, they often display a message from the provider along with the terms of use. Although the legal standing is still unclear (especially in the USA), common thinking is that by forcing users to click through a page that displays terms of use and explicitly releases the provider from any liability, any potential problems are mitigated. They also allow enforcement of payment structures.&lt;br /&gt;
&lt;br /&gt;
==Limitations==&lt;br /&gt;
Most of these implementations merely require users to pass an [[Secure Sockets Layer|SSL]] encrypted login page, after which their [[Internet Protocol|IP]] and [[MAC address]] are allowed to pass through the [[Gateway (computer networking)|gateway]].  This has been shown to be exploitable with a simple [[packet sniffer]].  Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target, and be allowed a route through the gateway. For this reason some captive portal solutions created extended authentication mechanisms to limit the risk for usurpation.&lt;br /&gt;
&lt;br /&gt;
Captive portals require the use of a browser; this is usually the first application that users start, but users who first use an email client or another application will find the connection not working, without explanation, and will need to open a browser to validate.&lt;br /&gt;
&lt;br /&gt;
Platforms that have [[Wi-Fi]] and a [[TCP/IP stack]] but do not have a web browser that supports [[HTTPS]] cannot use many captive portals. Such platforms include the [[Nintendo DS]] running a game that uses [[Nintendo Wi-Fi Connection]]. Non-browser authentication is possible using [[WISPr]], an [[XML]]-based authentication protocol for this purpose, or using MAC-based authentication or authentication based on other protocols. &lt;br /&gt;
&lt;br /&gt;
There also exists the option of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor&amp;#039;s servers via the hotspot&amp;#039;s [[Walled garden (media)|walled garden]], such as the deal between Nintendo and [[Wayport, Inc.|Wayport]].  For example, [[Voice over IP|VoIP]] [[Session Initiation Protocol|SIP]] ports could be allowed to bypass the gateway to allow phones to work.&lt;br /&gt;
&lt;br /&gt;
== See also ==&lt;br /&gt;
* [[HTTP proxy]]&lt;br /&gt;
* [[Service oriented provisining|Service Oriented Provisioning]]&lt;/div&gt;</summary>
		<author><name>Onnowpurbo</name></author>
	</entry>
</feed>