Captive Portal

Since the Login Page itself must be presented to the client, either that login page is locally stored in the Gateway , or the Web Server hosting that page must be " Whitelist ed" via a Walled Garden to bypass the authentication process. Depending on the feature set of the gateway, multiple web servers can be whitelisted (say for Iframe s or Links within the login page). In addition to whitelisting the URL s of web hosts, some gateways can whitelist TCP Ports . The MAC Address of attached clients can also be set to bypass the login process.

IMPLEMENTATION

There is more than one way to implement a captive portal.

Redirection by HTTP

If an unauthenticated client requests a website, DNS is queried by the browser and the appropriate IP resolved as usual. The browser then sends an HTTP request to that IP Address . This request, however, is intercepted by a Firewall and forwarded to a redirect server. This redirect server responds with a regular HTTP response which contains HTTP Status Code 302 to redirect the client to the Captive Portal. To the client, this process is totally transparent. The client assumes that the website actually responded to the initial request and sent the redirect.

IP Redirect

Client traffic can also be redirected using IP redirect on the layer 3 level. This not recommended as the content served to the client does not match the URL

Redirection by DNS

When a client requests a website, DNS is queried by the browser.
The firewall will make sure that only the DNS provided by DHCP can be used
by unauthenticated clients (or, alternatively, it will forward all DNS requests
by unauthenticated clients to that DNS server).
This DNS server will return the IP address of the Captive Portal as a result
of all DNS lookups.

Some naive implementations don't block outgoing DNS requests by unauthenticated
clients. Instead, the DHCP server uses as a DNS server a server that returns
the IP address of the Captive Portal to unauthenticated clients. These
implementations are very easy to bypass: a user simply needs to configure his
computer to use an external DNS. This is why it is important to implement a firewall that ensures no inside clients can specify or use an outside DNS server.

SOFTWARE CAPTIVE PORTALS

ChilliSpot - linksys firmware (open source)

FON - commercial AP/router based solution

WiFiDog Captive Portal Suite - small C based kernel solution (embeddable)

Wilmagate - C++ based and is executable both in Linux and Windows/Cygwin environments

PfSense - FreeBSD 6.1 based firewall software derived from M0n0wall

SweetSpot - Linux user-space, layer-3 daemon (open source)

Air Marshal - software based for Linux platform (commercial)

Captive portals are gaining increasing use on free open wireless networks where instead of authenticating users, they often display a message from the provider along with the terms of use. Although the legal standing is still unclear (especially in the USA) common thinking is that by forcing users to click through a page that displays terms of use and explicitly releases the provider from any liability, any potential problems are mitigated. They also allow enforcement of payment structures.

LIMITATIONS

Most of these implementations merely require users to pass an SSL encrypted login page, after which their IP and MAC Address are allowed to pass through the Gateway . This has been shown to be exploitable with a simple Packet Sniffer . Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target, and be allowed a route through the gateway. For this reason some captive portal solutions created extended authentication mechanisms to limit the risk for usurpation.

Platforms that have Wi-Fi and a TCP/IP Stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection . Non browser authentication is possible using WISPr , an XML -based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols.

There also exists the option of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's servers via the hotspot's Walled Garden , such as the deal between Nintendo and Wayport . For example, VoIP SIP ports could be allowed to bypass the gateway to allow phones to work.

SEE ALSO

HTTP Proxy

Service Oriented Provisioning

REFERENCES

	APPAREL
	BABY
	BEAUTY
	BOOKS
	CAR TOYS
	CELL PHONES
	DVD'S
	ELECTRONICS
	GOURMET FOOD
	GROCERIES
	HEALTH & PERSONAL
	HOME & GARDEN
	JEWELRY
	MUSIC
	MUSIC INSTRUMENTS
	OFFICE PRODUCTS
	SOFTWARE
	SPORTING GOODS
	TOOLS & HARDWARE
	TOYS
	VIDEO GAMES
	SHOPPING HOME

	MORE SHOPPING...

	CATEGORIES ABOUT CAPTIVE PORTAL

	authentication methods

Information About

Captive Portal