The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before surfing the Internet normally. This is done by intercepting all HTTP traffic, regardless of address, until the user is allowed to exit the portal. You will see captive portals in use at most Wi-Fi hotspots. It can be used to control wired access (e.g. apartment houses, business centers, "open" Ethernet jacks) as well.

Software Captive Portals

---

Examples of captive portal software packages running on PC hardware are:

For FreeBSD/OpenBSD

• m0n0wall
• OpenSplash
• PfSense
• wicap

For Linux

• AirMarshal
• Captivator-gw
• chillispot
• Hotspot Express
• Milkeyway Italian Captive Portal Project
• NoCatAuth
• Public IP, based on NoCatAuth
• sweetspot (OSI layer-3 packet mangler)
• WifiDog Captive Portal Suite (embedded Linux - OpenWRT, Linux)
  • Gateway / Centralized central server solution

For Windows

• FirstSpot
• myWIFIzone Captive Portal Services

Other

• pointHotspot.com (Web-based Portal)
• Other wiki list of captive portals

Hardware Captive Portals

---

Examples of router hardware whose firmware includes a captive portal include:

• Cisco BBSM-Hotspot
• Cisco Site Selection Gateway (SSG) / Subscriber Edge Services (SESM)
• Nomadix Gateway
• Aptilo Access Gateway
• IP3 Networks NetAccess

Captive portals are gaining increasing use on free open wireless networks where instead of authenticating users, they often display a message from the provider along with the terms of use. Although the legal standing is still unclear (especially in the USA) common thinking is that by forcing users to click through a page that displays terms of use and explicitly releases the provider from any liability, any potential problems are mitigated. They also allow enforcement of payment structures.

Limitations

---

Most of these implementations merely require users to pass an SSL encrypted login page, after which their IP and MAC address are allowed to pass through the gateway. This has been shown to be exploitable with a simple packet sniffer. Once the IP and MAC addresses of other connecting computers are found to be authenticated, any machine can spoof the MAC address and IP of the authenticated target, and be allowed a route through the gateway.

Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use most captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. There exists the option, however, of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots to allow free or discounted access to the platform vendor's walled garden, such as the deal between Nintendo and Wayport.

See also

---

• HTTP proxy

Portal cautivo

Authentication methods