Captive portal
The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before surfing the Internet normally. A captive portal turns a Web browser into an authentication device. [http://wiki.personaltelco.net/index.cgi/CaptivePortal CaptivePortal] This is done by intercepting all packets, regardless of address or port, until the user opens a browser and tries to access the Internet. At that time the browser is redirected to a web page which may require authentication and/or payment, or simply display an acceptable use policy and require the user to agree. Captive portals are used at most Wi-Fi hotspots, and they can be used to control wired access (e.g. apartment houses, hotel rooms, business centers, "open" Ethernet jacks) as well.
Since the login page itself must be presented to the client, either that login page is locally stored in the gateway, or the web server hosting that page must be "whitelisted" via a walled garden to bypass the authentication process. Depending on the feature set of the gateway, multiple web servers can be whitelisted (say for iframes or links within the login page). In addition to whitelisting the URLs of web hosts, some gateways can whitelist TCP ports. The MAC address of attached clients can also be set to bypass the login process.
There is more than one way to implement a captive portal.
Redirection by HTTP
If an unauthenticated client requests a website, DNS is queried by the browser and the appropriate IP resolved as usual. The browser then sends an HTTP request to that IP address. This request, however, is intercepted by a firewall and forwarded to a redirect server. This redirect server responds with a regular HTTP response which contains HTTP status code 302 to redirect the client to the Captive Portal. To the client, this process is totally transparent. The client assumes that the website actually responded to the initial request and sent the redirect.
Client traffic can also be redirected using IP redirect on the layer 3 level. This is not recommended, as the content served to the client does not match the URL the browser shows.
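A minimal redirect server of the kind described above, written as an added example (it is not code from the original article or from any listed product). The firewall forwards an unauthenticated client's HTTP request to it; whatever host or path was requested, the answer is a 302 to the portal login page, with the original URL carried along so the portal can send the user back after login. The portal address `PORTAL_LOGIN_URL`, the `url` query parameter and the helper names are assumptions made for this example.

```python
# Added example, not code from the original article: a minimal "redirect server" of the
# kind described under "Redirection by HTTP". The firewall forwards an unauthenticated
# client's HTTP request here; whatever host or path was asked for, the reply is a 302
# pointing at the portal login page, with the original URL carried along so the portal
# can send the user back after login. PORTAL_LOGIN_URL and the "url" query parameter
# are assumptions made for this example.
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

PORTAL_LOGIN_URL = "https://portal.example.net/login"  # assumed portal address


def build_redirect_location(host: str, path: str, portal: str = PORTAL_LOGIN_URL) -> str:
    """Location header value for an intercepted request to http://host/path."""
    # Only plain HTTP can be intercepted this way (a TLS request would fail its
    # certificate check), so the original URL is reconstructed as http://.
    original = f"http://{host}{path}" if host else path
    return f"{portal}?{urlencode({'url': original})}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Answer every method with the same 302; the client is not authenticated yet."""

    def _redirect(self) -> None:
        location = build_redirect_location(self.headers.get("Host", ""), self.path)
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")  # the redirect must not be cached
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect
    do_POST = _redirect

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_server(bind: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Start the redirect server in a background thread; port 0 picks a free port."""
    server = HTTPServer((bind, port), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server: HTTPServer, host: str, path: str):
    """Send one request as an unauthenticated client would; return (status, Location)."""
    conn = HTTPConnection(*server.server_address)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


if __name__ == "__main__":
    srv = start_server()
    print(probe(srv, "www.example.com", "/news?id=1"))
    srv.shutdown()
```

In a real deployment the firewall rule that diverts port 80 traffic to this server is removed for a client's address once the portal has authenticated it; the `Cache-Control: no-store` header matters because a cached redirect would keep sending an already authenticated browser back to the portal.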
Redirection by DNS
When a client requests a website, DNS is queried by the browser. The firewall will make sure that only the DNS server(s) provided by DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the Captive Portal page as a result of all DNS lookups.
Some naive implementations don't block outgoing DNS requests from clients, and therefore are very easy to bypass; a user simply needs to configure their computer to use another, public, DNS server. Implementing a firewall or ACL that ensures no inside clients can use an outside DNS server is critical.
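A wildcard DNS responder of the kind described under "Redirection by DNS", written as an added example (not code from the original article or from any listed product). It answers every A query with the portal's address and uses a very short TTL so that clients do not keep the portal address cached after they authenticate; non-A queries get an empty NOERROR answer so the client falls back to A. The portal address `10.0.0.1`, the TTL and the function names are assumptions made for this example.

```python
# Added example, not code from the original article: a minimal wildcard DNS responder of
# the kind described under "Redirection by DNS". Every A/IN query is answered with the
# portal's address; the TTL is kept very short so a client that has just logged in
# re-resolves real names quickly. PORTAL_IP and TTL are assumed values.
import socket
import struct

PORTAL_IP = "10.0.0.1"  # assumed address of the captive-portal web server
TTL = 5                  # seconds; short so a post-login client does not keep the portal cached
QTYPE_A, QCLASS_IN = 1, 1


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass, end_offset) for the first question in a DNS packet."""
    offset = 12                       # skip the 12-byte header
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:             # compression pointers are not valid in a question name
            raise ValueError("compressed name in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, qclass, offset + 4


def build_response(query: bytes, portal_ip: str = PORTAL_IP) -> bytes:
    """Reply with the same ID and question, plus one A record for any A/IN query."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, qtype, qclass, qend = parse_question(query)
    rd = flags & 0x0100                      # echo the client's RD bit
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # NAME is a pointer to offset 12 (the question name); then TYPE, CLASS, TTL, RDLENGTH, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, 4) + socket.inet_aton(portal_ip)
        ancount = 1
    # QR=1, AA=1, RA=1, RCODE=0; non-A queries get NOERROR with an empty answer section
    header = struct.pack("!HHHHHH", txid, 0x8480 | rd, 1, ancount, 0, 0)
    return header + query[12:qend] + answer


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Constructed test input: a standard recursive query for `name`."""
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, QCLASS_IN)


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Answer every query on UDP (port 53 needs root; use a high port for testing)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass  # malformed packet: drop it rather than crash the responder


if __name__ == "__main__":
    reply = build_response(build_query("www.example.com"))
    print(parse_question(reply)[0], "->", socket.inet_ntoa(reply[-4:]))
```

As the paragraph above stresses, this responder only helps if the firewall or ACL forces unauthenticated clients to use it; it can only lie about names in queries that actually reach it.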
Software Captive Portals
* Hotspot Studio - commercial Windows based captive portal for South Africa only
* Air Marshal - software based for Linux platform (commercial)
* ChilliSpot - open source Linux daemon [abandoned]
* [http://www.dnsredirector.com/ DNS Redirector] - free or commercially licensed Windows based captive portal
* [http://patronsoft.com/firstspot FirstSpot] - commercial Windows based captive portal with numerous hotspot management features
* pfSense - FreeBSD 6.2 based firewall software derived from m0n0wall
* SweetSpot - Linux user-space, layer-3 daemon (open source)
* WiFiDog Captive Portal Suite - small C based kernel solution (embeddable)
* Wilmagate - C++ based and is executable both in Linux and Windows/Cygwin environments
Hardware Captive Portals
* [http://www.sinaptica.cl/PayBridge.htm PayBridge] is a carrier-class captive portal appliance developed by [http://www.sinaptica.cl Sinaptica] (acquired in 2005 by [http://www.antica.cl Antica]). This platform is used for 3G/Wimax prepaid internet.
Most of these implementations merely require users to pass an SSL encrypted login page, after which their IP and MAC address are allowed to pass through the gateway. This has been shown to be exploitable with a simple packet sniffer. Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target, and be allowed a route through the gateway. For this reason some captive portal solutions created extended authentication mechanisms to limit the risk for usurpation.
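One form such an extended mechanism can take, written as an added example (not code from the original article or from any listed product): instead of a permanent "IP + MAC after login" entry, each login creates a short lease that the browser must renew with a per-session secret it received over the TLS login page. A host that merely copies an authenticated client's IP and MAC never sees that secret, so it loses access when the lease expires. The lease length, the token format and the class and method names are assumptions made for this example.

```python
# Added example, not code from the original article or any of the products listed: a
# gateway session table in which the allow-list entry for (ip, mac) is a short lease that
# must be renewed with a secret only the real client knows (it was delivered over the
# TLS login page). LEASE_SECONDS, the token format and the method names are assumptions.
import hmac
import secrets
import time

LEASE_SECONDS = 300  # assumed lease; short enough to bound the window a copied IP/MAC buys


class SessionTable:
    def __init__(self, now=time.time):
        self._now = now       # injectable clock, so expiry can be tested deterministically
        self._sessions = {}   # (ip, mac) -> {"token": str, "expires": float}

    def login(self, ip: str, mac: str) -> str:
        """Called after the user authenticates; returns the renewal secret for the browser."""
        token = secrets.token_urlsafe(32)
        self._sessions[(ip, mac)] = {"token": token, "expires": self._now() + LEASE_SECONDS}
        return token

    def _live(self, key):
        """Return the session for key if it exists and has not expired (purging it if it has)."""
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._now() > session["expires"]:
            del self._sessions[key]
            return None
        return session

    def is_allowed(self, ip: str, mac: str) -> bool:
        """What the packet filter asks for every new flow from (ip, mac)."""
        return self._live((ip, mac)) is not None

    def renew(self, ip: str, mac: str, token: str) -> bool:
        """Periodic keep-alive from the browser, sent over TLS together with the secret."""
        session = self._live((ip, mac))
        if session is None or not hmac.compare_digest(session["token"], token):
            return False
        session["expires"] = self._now() + LEASE_SECONDS
        return True

    def logout(self, ip: str, mac: str) -> None:
        self._sessions.pop((ip, mac), None)


if __name__ == "__main__":
    table = SessionTable()
    secret = table.login("10.0.0.5", "aa:bb:cc:dd:ee:ff")
    print(table.is_allowed("10.0.0.5", "aa:bb:cc:dd:ee:ff"), table.renew("10.0.0.5", "aa:bb:cc:dd:ee:ff", secret))
```

The lease bounds the exposure rather than removing it: a copied IP and MAC still pass the filter until the lease runs out, and the renewal request must itself travel over TLS, since anything sent in the clear is visible to the same sniffer.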
Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non-browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols.
There also exists the option of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's walled garden, such as the deal between Nintendo and Wayport. For example, VoIP SIP ports could be allowed to bypass the gateway to allow phones to work.
* Service Oriented Provisioning
Wikimedia Foundation. 2010.