Captive portal
From Wikipedia, the free encyclopedia
The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before surfing the Internet normally. This is done by intercepting all packets, regardless of address or port, until the user opens a browser and tries to access the Internet. At that time the browser is redirected to a web page which may require authentication or simply display an acceptable use policy and require the user to agree. Captive portals are in use at most Wi-Fi hotspots. They can be used to control wired access (e.g. apartment houses, business centers, "open" Ethernet jacks) as well.
Software Captive Portals
Examples of captive portal software packages running on PC hardware are:
For Linux
- AirMarshal
- Aradial Captive Portal
- Captivator-gw
- chillispot
- Coova's Chilli and firmware
- sweetspot (like chillispot, but no MAC required)
- Hotspot Express
- Milkeyway Italian Captive Portal Project
- NoCatAuth
- Public IP, based on NoCatAuth
- sweetspot (OSI layer-3 packet mangler)
- WifiDog Captive Portal Suite (embedded Linux - OpenWRT, Linux)
- PacketFence (uses ARP spoofing instead of MAC/IP address filtering; can also be used to detect/isolate worms; also uses Snort for IDS)
- Gateway / Centralized central server solution
- talweg (more secure than standard MAC/IP authentication)
- Wilmagate
For Windows
- 2hotspot (MAC not required)
- Antamedia (MAC not required)
- Aradial
- DNS Redirector
- FirstSpot
- myWIFIzone Captive Portal Services
- Spotngo Hotspot Software and Payment System
Other
- WorldSpot.net (chillispot based hosted portal solution. Free for free hotspots)
- pointHotspot.com (Web-based Portal)
- Other wiki list of captive portals
- FON
Hardware Captive Portals
Examples of router hardware whose firmware includes a captive portal:
- ANTlabs Service Gateway/InnGate
- ANTlabs Municipal Wifi/Service Selection Gateway (SSG)
- Cisco BBSM-Hotspot
- Cisco Site Selection Gateway (SSG) / Subscriber Edge Services (SESM)
- Pronto Networks OSS/BSS
- Sinaptica Networks PayBridge
- Nomadix Gateway
- Aptilo Access Gateway
- IP3 Networks NetAccess
- Lok Technology LokBox
- Demarc Reliawave
- Trapeze Networks Trapeze Mobility System
- Vernier Networks Vernier EdgeWall Network Access Control
Captive portals are gaining increasing use on free open wireless networks where, instead of authenticating users, they often display a message from the provider along with the terms of use. Although the legal standing is still unclear (especially in the USA), common thinking is that by forcing users to click through a page that displays terms of use and explicitly releases the provider from any liability, any potential problems are mitigated. They also allow enforcement of payment structures.
Limitations
Most of these implementations merely require users to pass an SSL-encrypted login page, after which their IP and MAC addresses are allowed to pass through the gateway. The encryption covers only the login exchange; from then on the gateway's decision rests on those two address values alone. This has been shown to be exploitable with a simple packet sniffer. Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target and be allowed a route through the gateway.
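The following is an added example, not part of the original article or of any listed product: a sketch of how an operator could detect the cloned-address condition described above by flagging an authenticated MAC/IP pair that shows up on two access points, or with two different IP TTL values, within a short window. The record fields, function names and sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# One record per flow as a gateway or wireless controller could log it.
# Field names are hypothetical; ttl is the IP TTL seen on the local segment.
Obs = namedtuple("Obs", "ts mac ip ap ttl")

# Constructed sample data (not from a real network).
PAIR_A = ("02:00:00:00:00:0a", "10.0.0.10")
PAIR_B = ("02:00:00:00:00:0b", "10.0.0.11")
AUTHENTICATED = {PAIR_A, PAIR_B}
SAMPLE = [
    Obs(0, *PAIR_A, "ap1", 64),
    Obs(5, *PAIR_B, "ap2", 128),
    Obs(20, *PAIR_A, "ap1", 64),
    Obs(22, *PAIR_A, "ap3", 128),   # same pair, other AP and other TTL
    Obs(24, *PAIR_A, "ap1", 64),
    Obs(400, *PAIR_B, "ap3", 128),  # ordinary roam minutes later
]


def gateway_allows(authenticated, obs):
    """The check the article describes: only the (MAC, IP) pair is consulted."""
    return (obs.mac, obs.ip) in authenticated


def find_clones(observations, authenticated, window=30):
    """Flag an authenticated pair seen on two APs or with two TTLs within
    `window` seconds. Both signals are heuristics, not proof."""
    last = {}    # (mac, ip) -> most recent observation
    alerts = []
    for obs in sorted(observations, key=lambda o: o.ts):
        if not gateway_allows(authenticated, obs):
            continue
        key = (obs.mac, obs.ip)
        prev = last.get(key)
        if prev is not None and obs.ts - prev.ts <= window:
            reasons = tuple(name for name in ("ap", "ttl")
                            if getattr(obs, name) != getattr(prev, name))
            if reasons:
                alerts.append((obs.ts, key, reasons))
        last[key] = obs
    return alerts


if __name__ == "__main__":
    for ts, (mac, ip), reasons in find_clones(SAMPLE, AUTHENTICATED):
        print(f"t={ts}s {mac} {ip}: conflicting {', '.join(reasons)}")
```

A TTL change can also come from a dual-boot or tethered device, and fast roaming can trip the access point check, so alerts are leads for review rather than verdicts.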
Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use most captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. (The Nintendo DS Browser does function with captive portals, as it functions as a normal mobile web browser, connecting only through port 80.) There exists the option, however, of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's walled garden, such as the deal between Nintendo and Wayport.