Skip to main content

What is Captive Portal?

Nowadays, public and private sites are progressively providing free Internet access to customers, providing convenience, linking organizations and people, and supporting a range of goals. Airports, clinics, hotels, restaurants, shopping malls, and even public transportation provides their clients free wireless Internet access.

The majority of customers want to connect to these free Wi-Fi services as quickly as possible. However, free Internet access in public and private places should adhere to a set of security principles aimed at preventing harmful people from using it for illegal purposes.

A captive portal is the most common method of providing free wireless connections to guests. It is a security solution that monitors the traffic on LAN or most commonly WLAN and forces users who want to use it to go via a web page where they are told of the procedures they must take to connect to the network and gain internet access.

All HTTP and/or HTTPS traffic is intercepted by the captive portal, which then redirects all queries to the establishment's website. It can also be used to:

  • Manage the amount of bandwidth available to customers.
  • Control when a user's session must end.
  • Keep track of the websites that visitors visit.
  • Personalize the page and use it to promote your promotions and services as a marketing tool.

One of the major benefits of using a captive portal is that users will accept the terms of service for your WiFi network before connecting, and you will be able to send them commercial notifications while adhering to all data protection laws. You can also use the software as a marketing tool, which will help you understand the type of customers you have, how they behave and will provide a new channel for the entry of leads for your business strategy.

As a result, if your company provides free Wi-Fi to its clients, it's critical and beneficial that you have a captive gateway installed in your Wi-Fi Hotspot.

In this article, the following topics will be outlined:

  • What does Captive Portal mean?
  • What Does a Captive Portal Do?
  • How does it Work Captive Portal?
  • What are Captive Portal Benefits?
  • What is the Purpose of a Captive Portal?
  • Is Captive Portal Safe?
  • What are OPNsense Captive Portal Templates?
  • How to Configure Captive Portal on OPNsense?

What does Captive Portal Mean?

The captive portal is an application that automates the control and management of users' access to public and private networks. For guest access management, captive portals are often used in open-access networks, such as those found in clinics, airports, stores, malls, and corporate networks. However, the advantages that a captive gateway provides can be used by any organization. It's a sophisticated two-in-one solution for improved security and marketing. It is used by a service provider for a variety of reasons, including user verification, authentication, bandwidth control, reducing liability in the event of illegal or otherwise inappropriate online behavior, and confirming that users have agreed to terms of service before accessing the internet.

Types of WiFi captive portals include:

1. Authentication

No communication beyond the captive portal gateway is allowed until the user inputs correct credentials.

2. Disclaimer and Authentication

After successful authentication, the portal displays the disclaimer page, which includes an acceptable usage policy or other legal statements to which the user must consent before proceeding.

3. Disclaimer Only

Before proceeding, the portal displays a disclaimer page, which includes an acceptable use policy or other legal declaration to which the user must agree. The authentication page isn't shown to the user.

4. Data Collection

The portal displays a page that asks for the user's information such as an email address in order to contact them in the future. Businesses that offer free WiFi to their clients frequently employ this method. The authentication page isn't shown to guests.

Administrators can also utilize captive portals as marketing tools by forcing users to complete a survey as part of their experience, showing adverts, or highlighting promotions held by the host business.

What Does a Captive Portal Do?

Network administrators can use Captive Portal to prevent users from accessing the network until they complete a set of tasks. Administrators can force users to view or adopt an Acceptable Use Policy before they access the network, commonly Internet (e.g. public WiFi), using Captive Portal. They can also set Captive Portal to only show up at specified times. Additionally, from acknowledging Acceptable Use Policies (AUP) to receiving money for Wi-Fi hotspot usage, bespoke integrations can be enabled.

Captive Portal may provide the following features:

  • Before using the Internet, users must read and agree with an Acceptable Use Policy.
  • Use Captive Portal Local Database, RADIUS, or Microsoft Active Directory to authenticate users
  • Directly authenticate individuals using their social media accounts such as Google, Facebook, or Office 365 credentials.
  • Captive Portal can be configured to only be visible to a subset of your network.
  • For BYOD (Bring Your Own Device) situations, assign mobile devices to a distinct rack with different regulations.
  • Customization of the Captive Portal page's appearance and feel.
  • The operating system and/or device type can be used to show captive pages.
  • Wireless and wired users may see separate captive gateway pages.
  • In order to maintain a basic level of security, most captive portals preserve an idle and hard time out, i.e. a minimum amount of time that a user has to interact or use services.
  • Users may be subjected to bandwidth constraints.
  • When a user exceeds their quota or performs bad behavior, a warning page is displayed.
  • The network is only accessible to certain MAC or IP addresses.
  • MAC addresses can be used to track devices and eliminate the need to re-authenticate them.

Requirements for a high-quality captive portal are summarized below.

Most importantly, the use of captive portals should be simple. This can be accomplished by designing a user interface that is straightforward, clear, and appealing, as well as providing complete access in the quickest time possible.

Secondly, it should be able to acquire information. In order to provide the best customer experience, a modern captive portal should be able to collect as much information from clients as possible while remaining compliant with local data protection rules.

Additionally, it should be able to integrate seamlessly with a back-end data store. To keep all of this data to be examined, you'll need a dependable data store.

Lastly, it should be able to tailor the quality of service provided to customers.

How does Captive Portal Work?

Captive portal allows managers to construct a wired or WLAN guest network for guests, visitors, contractors, and other non-employee users who can access the company Wi-Fi network using Captive portal authentication. It prevents clients from accessing a network until user verification is established. Verification can be set up to enable both guests and authenticated users access. Before access is provided, authenticated users must be checked against a database of approved user details. Until the host has established verification, the Splash Page feature prevents users from being granted greater access to the network they are attempting to connect to. Registration forms or allowing sign-in with social media or email accounts can be used to collect user information. Administrators can also establish guest accounts and personalize the Captive portal page with their company's logo, conditions, and usage policy.

  1. When an unauthenticated user connects to a Wi-Fi network,
  2. A captive portal redirects all HTTP and HTTPS traffic to an authenticating server on the router or access point.
  3. The unauthenticated client receives a captive gateway web page.
  4. After successfully authenticating with his credentials,
  5. the user is permitted internet access. After successful identification, the user is automatically routed to the website they previously entered.

How Captive Portal Works

Figure 1. How Captive Portal Works

In most solutions, user behavior is monitored to ensure that the session is correctly expired, either due to inactivity or by surpassing the configured time limit.

There are other deployment options, but the most basic operation entails forwarding the initial traffic after connecting to the wireless network to an identity page in order to obtain the bare minimum of information from the user who wants to use the service.

The administrators can also limit which resources guest users have access to, as well as how much bandwidth or air time they can use at any given time. For instance, in a hotel setting, unauthenticated users are permitted to access a specific login page (for example, a hotel website) and all of its contents. Users who do not register for Internet access can only access the "authorized" websites (typically hotel property Websites).

Using a whitelist and blacklist, administrators can allow or deny access to specified URLs. Users are sent to the login page when they attempt to navigate to other Websites that are not in the whitelist of the captive portal profile. The requested URL is prohibited if it is on the blacklist.

Captive Portal solutions may be implemented in two different ways:

  • Cloud-based
  • Controller-based

Using a cloud-based captive portal, you may remotely manage your guest networks. The captive portal, on the other hand, must be controlled on the premises via controller-based solutions.

Network administrators can use cloud-based portals to manage the Guest network, verify the portal's status, and even troubleshoot remotely. When difficulties develop, administrators will be able to react quickly thanks to the cloud. As a result, IT managers will be able to simplify and streamline their Guest operations. Cloud-based solutions also enable more scalable growth while lowering the cost of deploying and operating captive portals.

The main steps for implementing the captive portal solution are outlined below:

1. Set up Your Captive Portal

Install a captive portal solution you chose for a network. For example, you may use a captive portal provided by the OPNsense firewall. Please read How to Configure Captive Portal on OPNsense for more information.

You can have access to more capabilities and customizations when you use Captive Portals. To avoid crowding the system, you can set the connection time of each device, for example. You can also configure a device's bandwidth limit, which limits the amount of data it can utilize in a given time frame.

2. Create Your Own Splash Page

When it comes to setting up your Captive Portal, this is a crucial step. This can be accomplished using the integrated builder that comes with your solution. Splash Page builders are more advanced in certain solutions than in others.

You can add a consent message, enable automatic translation, and even add a paid access button if you want to monetize your internet connection while designing your Login Screen.

You may add your company logo or any text you wish. Depending on your company or organization, many themes can be employed to make it look more appealing and professional.

3. Choose an Authentication Process

Modern captive portal solutions offer a variety of ways to log in and gain access to the internet.

Email address, SMS, Active Directory, and social login are the most used kinds of login authentication nowadays. The final option is to connect to the Guest Network utilizing a visitor's social media accounts as a single sign-on. Facebook, LinkedIn, and Twitter are some of the most popular social media platforms.

4. Protection

After providing your customers or employees a free Internet, you should also protect them against cyber attacks. Applying a security solution that allows application control and web content filtering to secure your networks from harmful internet dangers is highly advised. Zenarmor which allows user-based filtering is one of the best solutions for safeguarding the captive portal users if you are using the OPNsense firewall on your infrastructure. It also supports FreeBSD, pfSense software, and Linux platforms, such as Ubuntu 20.04, Centos ?. Alma Linux 1, Debian 10.

5. Collect Data

In this stage, the clients' information is collected and analyzed. Businesses can use this information to generate qualified leads for their marketing campaigns, as well as quality data to create more tailored campaigns.

What are Captive Portal Benefits?

From the perspective of service providers, the following are the most significant advantages of a captive portal:

1. Unauthorized Internet access is guarded against

The Internet is not a safe environment. The service providers who supply connectivity services are liable for how that access is used: unlawful content downloads, information piracy, and so on. Before being granted access, users must accept the terms and conditions of use of the services, which are published in the captive portal, in order to be immune from legal liability for the conduct of users. In some cases, the captive portal may ask for a password that you can give to verified customers. Measures like this help shield you from liability in the event of illegal or otherwise harmful online behavior, while similar security features protect company assets.

2. The connection that can be controlled

Some users abuse these services by, for example, remaining online for hours at a time, accessing at different times of the day, or connecting via many terminals at the same time. In addition, depending on the type of activity they undertake on their connection, they can occupy an indefinite amount of bandwidth.

A captive portal also gives you more control over your bandwidth by allowing you to set time limits for how long each user can stay connected to your network. It can regulate connection time, the number of terminals per user, bandwidth consumption and/or per-session download speed, and even the sort of traffic that is allowed.

You can allow or deny certain public network content, such as competitor visits. They can, however, offer your own products/services through your private network in addition to Internet access. You can establish traffic restrictions to prevent users from accessing other firm resources, which could jeopardize their security and privacy.

3. Obtaining information

Accepting the terms and conditions, utilizing social login (Twitter, Facebook, LinkedIn, etc.), filling out a form, and other methods are all available through a captive portal.

These technologies allow a captive portal to track user connections and collect data such as which users visit the most frequently (customer loyalty), which customers are no longer frequent visitors, how many people are using the service, and so on. In addition, if users fill out a form, the portal receives their personal information, such as name, gender, age, email address, phone number, and location.

In other words, it contains enough data to construct a client database, which delivers incredibly useful information to a corporate CRM.

4. Brand awareness and marketing

Captive portals offer an excellent opportunity for seamless marketing because they facilitate user engagement at a critical point during their Internet experience and are a very powerful medium that can be used for a variety of business needs. Use a captive portal to ask users to complete a survey, watch a sponsored advertisement, or learn about current promotions.

A captive portal is a simple way to present company information while also catching the attention of users. Your own branded photos, adverts, events, or promotions can be shown. The portal, when effectively built, becomes an extension of your business's image and voice, strengthening brand identification.

Not to mention that the social network login or registration form provides enough information about clients for us to develop a personalized welcome page for them based on several aspects (age, sex, interests or location, etc.). As a result, the advertising impact is no longer impersonal and is now targeted at a specific audience.

5. Boost your marketing outcomes.

You may segment your customer contact database by demographics and behavior data if you know who your clients are and how they behave when in your establishment. This enables you to send more customized marketing messages to each segment, resulting in higher ROI and customer engagement. Customers who are at a high risk of churning can be identified via captive portals. By identifying these consumers, you may give them a special offer or a discount to entice them to return to your business.

6. Generate revenue

Captive portals can be used to generate revenue directly. Some businesses, for example, charge clients when they log in or use the portal as a billboard selling ad space to other businesses.

7. Protect customer privacy

By creating a fake wireless network, hackers can take advantage of the security flaws in guest WiFi connections. Customers may connect to their own networks rather than yours. It's known as phishing. It's also lethal.

What is the Purpose of a Captive Portal?

It's critical to have a captive portal placed in your Wi-Fi hotspot if you offer free Wi-Fi to your clients. For security reasons, it is not a good idea to share your Wi-Fi password with all clients. Since you have no idea who is connecting if you give up your Wi-Fi password. You will just know the devices' MAC addresses, which provide no information about their owners.

Use a captive portal to identify everyone who connects to your Wi-Fi to protect yourself. If any of these persons misuse your network, you'll be able to show the authorities who were connected at the time of a reportable occurrence from your IP this manner.

Furthermore, before joining your guest network, users will acknowledge the terms of service. The permitted ports or liabilities may be among the conditions. Your guests are unable to use internet services until they agree to the terms and conditions.

Captive Portals are mostly used for marketing and communication. Because clients may be asked to connect using their social media accounts such as Facebook or LinkedIn, the service is sometimes referred to as social WiFi. As a result, it's an effective marketing technique. Typically, access to the internet via open WiFi is restricted until the customer completes a registration form. They are exchanging personal information in the process. Anymore, you are allowed to send them commercial alerts while adhering to the GDPR, or European data protection regulation.

Captive portals can also be used for data collection. They have the ability to collect a large amount of data. The host can use custom fields to build a more detailed profile of the client, allowing them to collect more information. This creates a foundation for more targeted marketing.

They're an excellent approach to prevent bandwidth hoarding. Some people may jam the internet by downloading large amounts of data, making it slow even for normal use. Captive portals can assist prevent this by providing clients with a personalized plan that restricts the size of data they can download in a single session.

They provide new avenues for revenue generation. Clients may be charged to access the internet service, similar to how airlines do, or they may be asked to pay for advertisement space so that future clients can see their adverts, making captive portals a lucrative business.

They assist firms in comprehending customer behavior. The host can use analytics to track the demands of clients and adapt adverts accordingly.

Is Captive Portal Safe?

Users may mistakenly feel that wireless networks with captive portals are safer than those without due to the illusion of security provided by a log-in window. In fact, captive portals are not safe places when they are not protected as carefully as corporate networks. Malicious actors trying to acquire access to a guest user's device and, through that, the broader corporate network, can employ captive portal authentication as a point of entry.

Users are effectively leaving their security in the hands of the network administrators that operate that particular public Wi-Fi network because their devices must automatically load the captive portal web page and the related javascript before accessing the internet.

However, when you visit the captive portal login web page, you may be providing hackers direct access to your laptop, tablet, or smartphone if the network has already been compromised or they're running susceptible firewalls or other network equipment. Man-in-the-Middle (MitM) attacks can be carried out using this type of access point.

For example, malicious actors have hacked into hotel chains' networks to gain access to the wireless networks the hotels provide. This makes it simple for them to gain access to hotel guests' devices. The malicious actors are waiting for the guest to join the network. They'll still need to find a known exploit or zero-day, but they won't need to employ a VPN or a firewall because none of that is in place yet.

Furthermore, hackers can easily establish their own Wi-Fi hotspots that imitate legal captive portals. These bogus pages, dubbed "evil twins," deceive visitors into connecting to them, then route traffic through their networks, allowing the malicious actor to intercept authentication credentials and gain access to sensitive data and company conversations. It is reported that Russian state-sponsored hackers attempted to do just that in order to obtain access to a variety of targets related to the 2016 and 2018 Olympic Games. They can also drive consumers to a redirect URL where they can carry out more harmful operations.

In another scenario, X-Force IRIS researchers discovered a campaign in the fall of 2019 in which attackers utilized Magecart 5 to deploy JavaScript injection attacks to routers often used with captive portals. The behavior appears to be geared at stealing payment information from users.

Hackers are frequently more interested in gaining access to the resources to which the user is linked, including data on the corporate network, than in the user's laptop or personal information.

Despite this, there are various reasons for corporations and organizations to adopt captive portals. The most important of these is user authentication, which informs managers about who is using the wireless network and when. Captive portals that ask for personal information link your online activity to a single login or identity. In addition to network surveillance, this can assist an organization in harvesting emails for marketing campaigns or collecting social media information to sell to third parties, all in exchange for network access and user privacy. To protect consumers and brand reputation, businesses must ensure that customer data, or any other type of data, is stored safely and with restricted access.

Captive portals are at fault for a slew of security problems, particularly with HTTPS websites. HTTPS is designed to prevent a third party from intercepting, altering, or impersonating your traffic. Captive portals, on the other hand, work by intercepting and altering the user's connection to the site they're trying to view. The user would not detect this on an unencrypted HTTP connection. However, for HTTPS-secured sites, the web browser detects something or someone attempting to hijack the connection (similar to a man-in-the-middle attack). This results in "untrusted connection" alerts concerning bogus certificates for websites that consumers might otherwise trust.

On a network with captive portals, the numerous unexplained "untrusted connection" warnings, essentially false-positive warnings about websites that are actually safe, can encourage users to ignore security warnings, which is a harmful habit.

How do you Fix a Captive Portal?

Enterprise IT teams may force employees to transit through the gateway before connecting to their corporate network in specific instances.

A captive portal is the most likely explanation if your device can connect to your network and acquire an IP address but cannot access the Internet. For fixing the captive portal problem in such cases a whitelisting feature can be helpful. White-listing the client MAC address on the network device that is responsible for captive portal service is one method of circumventing a portal. Whitelisting via MAC address is not usually the quickest method, but it is the most permanent.

What is OPNsense Captive Portal?

OPNsense is a firewall and routing platform based on HardenedBSD. It is open-source, simple to use, and simple to build. OPNsense provides the majority of the capabilities found in expensive commercial firewalls, as well as many more. It offers a wide range of commercial products with the benefits of open and trustworthy sources. One of the advantages of OPNsense is that it enables network administrators to easily configure a Captive Portal for providing secure Internet access to their clients. OPNsense not only lets you set up a Captive Portal to provide free Internet access to your guests or employees, but it also protects them from cyber attacks with the Zenarmor plugin.

OPNsense includes a Captive Portal that requires clients requesting network access to authenticate or redirect them to a click-through page. This solution is most commonly used on hotspot networks, but it is also widely used in enterprise networks to add an extra layer of security to the Internet or wireless access.

The following features are available in OPNsense Captive Portal.

  • Authentication OPNsense Captive Portal supports HTTPS-secured authentication or a splash-only portal with URL redirection to a specific page. The following sources can be used to authenticate a user in a zone:
  • Local user administration
  • Tickets / Vouchers
  • Radius
  • LDAP [Microsoft Active Directory]
  • No authentication (Splash Page Only)
  • Multiple (a combination of the preceding)
  • Voucher Manager: The Captive Portal of OPNsense includes a simple voucher creation system that exports vouchers to a 'CSV file for use with your preferred application. You can print vouchers by combining them with your LibreOffice or Microsoft Word template, resulting in a professional-looking handout with your company logo and style.
  • Platform Integration: Using the integrated REST API, the captive portal application can be integrated with other services.
  • Real-Time Reporting: The OPNsense Captive Portal includes basic real-time reporting features such as:
  • Active Sessions
  • Time left on Vouchers
  • Top IP Bandwidth usage(Live Graph)
  • Template Management: OPNsense's one-of-a-kind template manager makes it simple to create your own login page. At the same time, it includes extra features such as:
  • Option to create your own Pop-up
  • URL redirection: Users can be forcibly redirected to the specified URL after authenticating or clicking through the captive portal.
  • Customization of the first page
  • Zone Management: Each interface can be configured with a different zone, or multiple interfaces can share a single zone configuration. Each zone can use its own unique Captive Portal Template or share one.
  • Timeouts & Welcome Back: Connections can be terminated after a predetermined amount of time (idle timeout) and/or forced to disconnect after a predetermined number of minutes, even if the user remains active (hard timeout). No login is required if a user reconnects within the idle and/or hard timeouts, and the user's active session can be resumed.
  • Bandwidth Control: The OPNsense firewall includes a traffic-shaping feature. Its built-in traffic shaper can be used to accomplish the following tasks:
  • Protocol port numbers and/or IP addresses can be prioritized.
  • Distribute bandwidth uniformly.
  • Portal Bypass: The whitelisting option can be used to allow specific IP addresses or MAC addresses to bypass the portal.
  • Category-based Web Filtering: By combining the Captive Portal and the caching proxy, you can use category web filtering to block specific content for users while also reducing Internet bandwidth usage and improving response times.
  • User-based Next-Generation Firewall Policy Management: The Zenarmor OPNsense next-generation firewall plugin integrates with the OPNsense Captive Portal. You can try Zenarmor Free Edition and use this feature to create user-based policies for web content filtering and application control.

How to Configure Captive Portal on OPNsense?

You may find more information about configuring the OPNsense Captive Portal on this tutorial written by Sunny Valley Networks.