Captive portal
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement or acceptable use policy, survey completion, or other valid credentials that both the host and user agree to abide by. Captive portals are used for a broad range of mobile and pedestrian broadband services, including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers. The captive portal is presented to the client and is stored either at the gateway or on a web server hosting the web page. Depending on the feature set of the gateway, websites or TCP ports can be white-listed so that the user does not have to interact with the captive portal in order to use them. The MAC address of attached clients can also be used to bypass the login process for specified devices. WISPr refers to this web browser-based authentication method as the Universal Access Method (UAM).


Uses

Captive portals are primarily used in open wireless networks where the users are shown a welcome message informing them of the conditions of access (allowed ports, liability, etc.). Administrators tend to do this so that their own users take responsibility for their actions and to avoid any legal responsibility. Whether this delegation of responsibility is legally valid is a matter of debate. Often captive portals are used for marketing and commercial communication purposes. Access to the Internet over open Wi-Fi is prohibited until the user exchanges personal data by filling out a web-based registration form in a web browser. The web-based form either automatically opens in a web browser, or appears when the user opens a web browser and tries to visit any web page. In other words, the user is "captive": unable to access the Internet freely until the user is granted access to the Internet and has "completed" the captive portal. This allows the provider of this service to display or send advertisements to users who connect to the Wi-Fi access point. This type of service is also sometimes known as "social Wi-Fi", as it may ask for a social network account to log in (such as Facebook). Over the past few years, such social Wi-Fi captive portals have become commonplace, with various companies offering marketing centered around Wi-Fi data collection. The user can find many types of content in the captive portal, and it is common to allow access to the Internet in exchange for viewing content or performing a certain action (often, providing personal data to enable commercial contact); thus, the marketing use of the captive portal is a tool for lead generation (business contacts or potential clients).


Implementation

There are various ways to implement a captive portal.


HTTP redirect

A common method is to direct all World Wide Web traffic to a web server, which returns an HTTP redirect to a captive portal. When a modern, Internet-enabled device first connects to a network, it sends out an HTTP request to a detection URL predefined by its vendor and expects an HTTP status code of 200 OK or 204 No Content. If the device receives the expected status code, it assumes it has unlimited Internet access. The captive portal prompt is displayed when the gateway intercepts this first HTTP request and answers it with an HTTP status code of 302 (redirect) pointing at the captive portal. A separate IETF standard specifies the 511 Network Authentication Required status code for the same purpose.
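The probe-and-classify logic described above, as an added example that is not part of the original page: the client sends a request to a vendor detection URL and decides from the response whether it is on the open Internet or behind a portal. The probe path, the expected 200-response body and the sample responses are constructed for illustration; real vendors use their own URLs and markers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed probe conventions (vendors differ): a 204-style probe expects an
# empty "204 No Content"; a 200-style probe expects this exact body marker.
EXPECTED_200_BODY = b"Success"

# Constructed sample responses to the detection probe.
OPEN_204 = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
OPEN_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nSuccess"
PORTAL_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://portal.example/login\r\n"
              b"Content-Length: 0\r\n\r\n")
PORTAL_511 = (b"HTTP/1.1 511 Network Authentication Required\r\n"
              b"Content-Type: text/html\r\n\r\n<html>sign in</html>")
REWRITTEN_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html>please log in</html>")

@dataclass
class ProbeResult:
    state: str                        # "open", "captive" or "unknown"
    portal_url: Optional[str] = None  # Location header when redirected

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body

def classify_probe(raw: bytes) -> ProbeResult:
    """Decide whether the probe reached the Internet or hit a portal."""
    status, headers, body = parse_response(raw)
    if status == 204 and not body:
        return ProbeResult("open")
    if status == 200 and body.strip() == EXPECTED_200_BODY:
        return ProbeResult("open")
    if status in (301, 302, 303, 307, 308):
        return ProbeResult("captive", headers.get("location"))
    if status in (200, 511):
        # A 200 whose body is not the expected marker means something on the
        # path rewrote the response, which is exactly what a portal does.
        return ProbeResult("captive")
    return ProbeResult("unknown")
```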


ICMP redirect

Client traffic can also be redirected at layer 3 using ICMP redirect messages.


Redirect by DNS

When a client requests a resource on a remote host by name, DNS is queried to resolve that hostname. In a captive portal, the firewall will make sure that only the DNS server(s) provided by the network's DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the captive portal page as a result of all DNS lookups. In order to perform redirection by DNS, the captive portal uses DNS hijacking to perform an action similar to a man-in-the-middle attack. To limit the impact of DNS poisoning, a TTL of 0 is typically used so that clients do not cache the portal's answers after authentication.


Limitations


Security

Captive portals have been known to have incomplete firewall rule sets.


DNS tunneling

In some deployments, the rule set will route DNS requests from clients to the Internet, or the provided DNS server will fulfill arbitrary DNS requests from the client. This allows a client to bypass the captive portal and access the open Internet by tunneling arbitrary traffic within DNS packets.
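A defender-side heuristic for the weakness just described, added here as an example that is not part of the original page: if the portal's resolver answers arbitrary queries, a tunnel shows up as long, high-entropy leftmost labels and an unusual share of TXT/NULL queries from one client. The log format and the sample lines are constructed; thresholds are assumptions to tune per network.

```python
import math
from collections import defaultdict

# Constructed sample query log: "<client-ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 portal.example.net A
10.0.0.9 4a6f686e2d446f652d31323334.t.tunnel.example A
10.0.0.9 5365637265742d5061796c6f61642d3637.t.tunnel.example TXT
10.0.0.9 6d6f72652d64617461.t.tunnel.example TXT
10.0.0.5 mail.example.com MX
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_qname(qname: str, max_label: int = 30,
                        min_entropy: float = 3.0) -> bool:
    """Flag names whose leftmost label looks like encoded payload."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) > max_label or shannon_entropy(first) > min_entropy

def flag_tunneling_clients(log_text: str, threshold: int = 2) -> set:
    """Return client IPs with at least `threshold` tunnel-like queries.

    Assumed heuristic: payload-looking labels or bulk-carrying record
    types (TXT, NULL) count as hits; normal browsing rarely produces either.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        client, qname, qtype = line.split()
        if is_suspicious_qname(qname) or qtype in ("TXT", "NULL"):
            hits[client] += 1
    return {client for client, n in hits.items() if n >= threshold}
```

The proper fix remains the rule set: unauthenticated clients should only reach the portal resolver, and that resolver should answer every name with the portal address rather than recursing; the heuristic above is for spotting deployments where that rule is missing.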


Automatic submission

Some captive portals may be configured to allow appropriately equipped user agents to detect the captive portal and automatically authenticate. User agents and supplemental applications such as Apple's Captive Portal Assistant can sometimes transparently bypass the display of captive portal content against the wishes of the service operator as long as they have access to correct credentials, or they may attempt to authenticate with incorrect or obsolete credentials, resulting in unintentional consequences such as accidental account locking.


MAC spoofing

A captive portal that uses MAC addresses to track connected devices can sometimes be circumvented by re-using the MAC address of a previously authenticated device. Once a device has been authenticated to the captive portal using valid credentials, the gateway adds that device's MAC address to its allowlist; since MAC addresses can easily be spoofed, any other device can pretend to be the authenticated device and bypass the captive portal. Once the IP and MAC addresses of another connected computer are found to be authenticated, any machine can spoof the MAC address and Internet Protocol (IP) address of that authenticated target and be allowed a route through the gateway. For this reason some captive portal solutions have created extended authentication mechanisms to limit the risk of impersonation.


Require Web Browser

Captive portals often require the use of a web browser; users who first use an email client or other application that relies on the Internet may find the connection not working without explanation, and will then need to open a web browser to validate. This may be problematic for users who do not have any web browser installed on their operating system. It is however sometimes possible to use email and other facilities that do not rely on DNS (e.g. if the application specifies the connection IP address rather than the hostname). A similar problem can occur if the client uses AJAX or joins the network with pages already loaded into its web browser, causing undefined behavior (for example, corrupt messages appear) when such a page tries HTTP requests to its origin server. Similarly, as HTTPS connections cannot be redirected (at least not without triggering security warnings), a web browser that only attempts to access secure websites before being authorized by the captive portal will see those attempts fail without explanation (the usual symptom is that the intended website appears to be down or inaccessible). Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non-browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentication based on other protocols. It is also possible for a platform vendor to enter into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's walled garden. For example, in 2005 Nintendo and Wayport partnered to provide free Wi-Fi access to Nintendo DS users at certain McDonald's restaurants. Also, VoIP SIP ports could be allowed to bypass the gateway to allow phones to work.


See also

* HTTP proxy
* Proximity marketing
* Mobile location analytics


External links

* Android Captive Portal Setup
* RFC 7710: Captive-Portal Identification Using DHCP or Router Advertisements (RAs)