
Captive portal

Article Id: WHEBN0000536539
Reproduction Date:

Title: Captive portal  
Author: World Heritage Encyclopedia
Language: English
Subject: WiFiDog Captive Portal, LogiSense, PfSense, OpenWrt, Portal
Collection: Computer Network Security, Web Technology, Wireless Access Points
Publisher: World Heritage Encyclopedia

A captive portal is a special web page that is shown to a user before they are allowed normal access to the Internet. The portal is often used to present a login page.[1] The gateway achieves this by intercepting most packets, regardless of address or port, until the user opens a browser and tries to access the web. At that point the browser is redirected to a web page which may require authentication and/or payment, or may simply display an acceptable use policy and require the user to agree to it. Captive portals are used at many Wi-Fi hotspots, and can also be used to control wired access (e.g. apartment houses, hotel rooms, business centers, "open" Ethernet jacks).

Since the login page itself must be presented to the client, either that login page is stored locally on the gateway, or the web server hosting it must be "whitelisted" as part of a closed platform so that it bypasses the authentication process. Depending on the feature set of the gateway, multiple web servers can be whitelisted (for example, for iframes or links within the login page). In addition to whitelisting the URLs of web hosts, some gateways can whitelist TCP ports. The MAC addresses of attached clients can also be configured to bypass the login process.

This technique has occasionally been referred to as UAM (Universal Access Method) in implementations and standards forums.


  • 1 Implementation
    • 1.1 ICMP redirect
    • 1.2 Redirection by DNS
    • 1.3 Circumvention of captive portals
  • 2 Use cases
  • 3 Limitations
  • 4 See also
  • 5 References

Implementation

There is more than one way to implement a captive portal.

ICMP redirect

Client traffic can also be redirected at layer 3 using ICMP redirect messages.

Redirection by DNS

When a client requests a website, DNS is queried by the browser. The firewall will make sure that only the DNS server(s) provided by DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the Captive Portal page as a result of all DNS lookups.

Redirection by DNS is, in effect, DNS hijacking: the captive portal acts as a man-in-the-middle between the client and the real resolver. To limit the impact of this DNS poisoning, the spoofed answers are typically returned with a TTL of 0, so that clients do not keep cached portal addresses once they have been authenticated.
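The resolver policy described in this section, written out as an added example (not code from any particular captive portal product): every A lookup from an unauthenticated client is answered with the portal's address and a TTL of 0, hosts on the login-page whitelist mentioned earlier are forwarded to the real resolver, and no other record type is ever fetched from the Internet on behalf of an unauthenticated client. The portal IP, the whitelist entry and the sample queries are constructed values.

```python
import struct

PORTAL_IP = "10.0.0.1"             # constructed: address of the portal's login page
WHITELIST = {"login.example.net"}  # constructed: hosts the login page itself needs
PORTAL_TTL = 0                     # clients must not cache the redirecting answer

def build_query(qid, qname, qtype=1):
    """Build a minimal single-question DNS query (constructed sample input)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (id, qname, qtype, offset just past the question) of a DNS message."""
    qid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed question name")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, _qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return qid, ".".join(labels).lower(), qtype, off + 5

def portal_answer(query, client_authenticated):
    """Resolver policy for one query: None means 'forward to the real upstream
    resolver' (authenticated client or whitelisted host); otherwise a complete
    response is returned. A queries get the portal IP with TTL 0; every other
    type gets NOERROR with an empty answer, so unauthenticated clients never
    receive data from the Internet through DNS."""
    qid, qname, qtype, qend = parse_question(query)
    if client_authenticated or qname in WHITELIST:
        return None
    question = query[12:qend]
    if qtype != 1:  # not an A query
        return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in PORTAL_IP.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, PORTAL_TTL, 4) + rdata  # name pointer to the question
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + question + answer

def answer_ip_and_ttl(response):
    """Extract (ip, ttl) from a portal response, or None if it carries no answer."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _qid, _qname, _qtype, qend = parse_question(response)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", response[qend + 2:qend + 12])
    return ".".join(str(b) for b in response[qend + 12:qend + 12 + rdlen]), ttl
```

A real gateway would pair this with a firewall rule that only lets unauthenticated clients reach this resolver, otherwise a client can simply query a public resolver directly.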

Circumvention of captive portals

Captive portals have been known to have incomplete firewall rule sets. In some deployments the rule set will route DNS requests from clients to the Internet, or the provided DNS server will fulfill arbitrary DNS requests from the client. This allows a client to bypass the captive portal and access the open Internet by tunneling arbitrary traffic within DNS packets.

Some captive portals may be configured to allow appropriately equipped user agents to detect the captive portal and authenticate automatically. User agents and supplemental applications such as Apple's Captive Portal Assistant can sometimes transparently bypass the display of captive portal content against the wishes of the service operator, as long as they have access to the correct credentials. They may also attempt to authenticate with incorrect or obsolete credentials, with unintended consequences such as accidental account lockout.

A captive portal that uses MAC addresses to track connected devices can sometimes be circumvented by connecting, over a wired link, a router that allows its MAC address to be set; many router firmwares call this MAC cloning. Once a computer or tablet has been authenticated to the captive portal using a valid username and password, the MAC address of that computer or tablet can be entered into the router, which will often continue to be passed through the captive portal because it appears to have the same MAC address as the device that was previously connected.

Use cases

The prevalent use of captive portals is user authentication. However, captive portals are increasingly used on free open wireless networks where, instead of authenticating users, they display a message from the provider along with the terms of use. Although the legal standing is unclear, a click-through page may display terms of use and release the provider from liability. Institutions will often require acknowledgement of an acceptable use policy in addition to authentication.

Captive portals are sometimes used to enforce payment or negotiate the level and duration of authorization with a prospective user. Emergency notification systems may use captive portals to interrupt users' browsing experience until they have acknowledged receipt of an emergency bulletin.

Institutions implementing NAC often use captive portals to collect machine information, to supply software assessment agents which the supplicant user must run before gaining admission to the network, to provide online assistance for self-remediation of security problems, and to inform quarantined users when their network access has been revoked.

Delivery of advertising content via captive portals is not uncommon.

Limitations

Some of these implementations merely require users to pass an SSL-encrypted login page, after which their IP and MAC address are allowed to pass through the gateway. This has been shown to be exploitable with a simple packet sniffer: once the IP and MAC addresses of other, already authenticated computers are observed, any machine can spoof the MAC address and IP of the authenticated target and be allowed a route through the gateway. For this reason some captive portal solutions have created extended authentication mechanisms to limit the risk of such usurpation.

Captive portals require the use of a browser. This is usually the first application that users start, but users who first open an email client or other application will find that the connection does not work, without any explanation, and will need to open a browser to validate. A similar problem can occur if the client joins the network with pages already loaded into its browser, causing undefined behavior when such a page makes HTTP requests to its origin server.

Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non-browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols.

There also exists the option of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's walled garden, such as the deal between Nintendo and Wayport. For example, VoIP SIP ports could be allowed to bypass the gateway to allow phones to work.

See also

References

  1. CaptivePortal
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.