Internet access can be provided to all users, on any of their devices, through a captive portal.
The captive portal serves as an access gateway to specific network resources with appropriate authentication. Access is facilitated through any web browser (HTTP or HTTPS protocol), eliminating the need for additional software installed on the user’s computer. The portal keeps track of user connection time and data traffic volume and can send this information to a RADIUS server. The captive portal can limit various parameters for each specific user, such as traffic rate, total traffic volume, connection time, etc.
Initially, the client obtains an IP address either statically or from a DHCP server. If required, the DHCP server can allocate IP addresses based on the clients’ MAC addresses. Additionally, the captive portal can automatically and transparently change the client’s IP address to a valid one with Internet access using the one-to-one NAT method.
The one-to-one NAT method accepts any incoming IP address from a connected network interface and translates it (Network Address Translation) so that client packets can be routed. Users do not perceive the address translation (i.e., there are no changes to user configurations), but the router itself sees a completely different source IP address for packets sent by clients.
This technique, also known as the “Universal client,” is particularly useful for users who lack the operating-system permissions needed to change their network settings and obtain a valid IP address.
Enabling the captive portal automatically activates everything needed to present a login page to all clients who have not been authenticated. This is done by adding dynamic destination NAT rules. These rules are necessary to redirect all HTTP and HTTPS requests from unauthorized users to the captive portal’s access control gateway.
In the most common setup, opening any HTTP page brings up the login page (which can be extensively customized). Websites are requested by their Domain Name System (DNS) names, so a valid DNS server must be configured on the gateway.
User authentication can be done in the following ways:
HTTP PAP (Password Authentication Protocol) is an identity verification protocol based on a password, used by the Point-to-Point Protocol (PPP) to authenticate users. Almost all network operating systems’ remote-access servers support PAP.
PAP is considered a weak authentication system (weak schemes are simple and have a lighter computational burden but are more vulnerable to attacks, while strong schemes may have limited applicability in certain environments and are generally avoided). One of the drawbacks of PAP is that it transmits unencrypted passwords over the network. Therefore, PAP is used only as a last resort when the remote server does not support a stronger protocol, such as CHAP.
HTTP CHAP (Challenge-Handshake Authentication Protocol) is a protocol that authenticates a user or network host to an authentication entity, which could be, for example, an Internet access provider.
CHAP is an authentication scheme used by Point-to-Point Protocol (PPP) servers to authenticate the identity of remote users. CHAP verifies the client’s identity with a three-way handshake when the connection is first established, and the check may be repeated at any later time.
The verification is based on a shared secret (such as the client’s password).
After completing the link establishment phase, the authenticator sends a challenge message to the peer (other end).
The peer responds with a value calculated from a cryptographic hash function, such as MD5.
The authenticator checks the response using its own calculation of the expected hash value. If the values match, the authenticator recognizes the authentication; otherwise, it terminates the connection.
At random intervals, the authenticator sends a new challenge to the peer and repeats the previous steps.
The CHAP protocol provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. Both the client and the server must know the secret text, even though it is never transmitted over the network.
Microsoft has created a variation of CHAP called MS-CHAP, which does not require either peer to know the secret text.
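The three-way handshake above (challenge, hashed response, verification) and the replay protection that the changing identifier and fresh challenge provide, as an added example that is not code from the original page: a Python implementation of the MD5 variant defined in RFC 1994. The secret and the challenge size are constructed values.

```python
import hashlib
import hmac
import os
from typing import Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    MD5 is used here because CHAP specifies it, not because it is a good choice today."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The gateway side: it holds the shared secret but never puts it on the wire."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self, size: int = 16) -> Tuple[int, bytes]:
        # A fresh random challenge and an incremented identifier on every round:
        # this is what makes a recorded response useless later (replay protection).
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(size)
        return self.identifier, self.challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        if not self.challenge or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.challenge)
        self.challenge = b""  # single use: consumed whether the check passes or fails
        return hmac.compare_digest(expected, response)


def demo(secret: bytes = b"hotspot-secret") -> dict:
    """One honest round, then two replay attempts; returns the three outcomes."""
    auth = ChapAuthenticator(secret)
    ident, chal = auth.new_challenge()
    resp = chap_response(ident, secret, chal)  # what the peer sends back
    first = auth.verify(ident, resp)
    same_again = auth.verify(ident, resp)      # challenge already consumed
    ident2, _ = auth.new_challenge()
    old_vs_new = auth.verify(ident2, resp)     # recorded response, new challenge
    return {"first": first, "replay_same": same_again, "replay_new": old_vs_new}
```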
HTTPS (Hypertext Transfer Protocol Secure): HTTPS denotes a secure internet connection using HTTP. A link (URL) starting with the prefix “https” signifies that the HTTP protocol is used as usual, but the connection is made on a different port (443 instead of 80) and the data is exchanged encrypted. This system was initially designed by Netscape Communications Corporation for sites requiring user authentication and encrypted communication. Today, it is widely used wherever increased security is needed for the transmission of sensitive information (e.g., credit card numbers, passwords). HTTPS is not a separate protocol, as some might think, but the combination of the regular HTTP protocol with the encryption provided by the Secure Sockets Layer (SSL) protocol. The encryption ensures that the data cannot be read by malicious users who intercept the traffic or mount man-in-the-middle attacks.
HTTP Cookie: Cookies are small text files that the browser stores during web browsing. Their purpose is to inform the website being visited about the user’s previous activity. They usually hold information such as the username and password so that, on subsequent visits to the same site, the website can “remember” the user, eliminating the need to log in again.
Cookies can come from the website we visited or from another source (third-party cookies), such as through advertisements. While cookies are generally benign, it has been shown that third-party cookies collect information about the user’s behavior on the internet, raising significant privacy concerns. This led the EU and the US to issue guidelines for their use and user notification for each website employing them. There are programs that clean malicious cookies, and users also have the option to delete them through their web browser.
MAC Address (Media Access Control Address): A MAC address, also known as a Media Access Control address or hardware address, is a unique identifier assigned to network interfaces for communication in the physical layer of the network. MAC addresses are used as network addresses in most IEEE 802 network technologies, including Ethernet and Wi-Fi. Typically, MAC addresses are used in the media access control sublayer of the OSI reference model.
MAC addresses are usually assigned by the manufacturer of the network interface controller (NIC) and stored in the hardware of the interface (in ROM). A network node can have multiple NICs, and each NIC must have a unique MAC address. MAC addresses are formed according to rules managed by the Institute of Electrical and Electronics Engineers (IEEE). MAC addresses are used for physical addressing within a local network; routing on IP addresses there would require each host to process every frame up to the network layer (where IP addresses are used), which is unnecessary processing.
WiFi Access System with Trial Capability:
Users have the option to use the service for free for a specific period, and authentication is required only after this period.
After authentication, users are authorized to access specific resources through a local database or via a RADIUS Server with the same configuration as the local database. The system also supports internal accounting, and user data can be sent to a RADIUS server.
For users, the connection process is simple: they turn on their device, select the wireless network with the specified SSID (e.g., hotel_guest_WiFi), and are taken to the captive portal page. Access is determined by the hotel’s policy and can be either free or granted after user registration. Registration can be done directly by the user on the portal (self-registration) or with access vouchers (username and password) issued by the hotel on a thermal printer. Vouchers can be issued directly upon user request, or pre-issued from a list of authorized clients. Each user has a unique voucher corresponding to a specific device.
The duration of access can be unlimited or for a specific period, such as the duration of the stay at the hotel, after which it will be automatically revoked.
During the initial access, the user may be required to accept a disclaimer, stating that the service is provided as-is, and users acknowledge that the security of internet access is their responsibility, agreeing to these terms.
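The trial-then-authenticate flow described above, as an added example that is not code from the original page: a small Python access policy that grants each device a free trial window, then requires a voucher, binds the voucher to a single device and revokes access automatically when the stay ends. The voucher name, MAC addresses, trial length and times are constructed values.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Voucher:                         # printed username/password pair (constructed data)
    password: str
    valid_until: datetime              # end of the guest's stay
    bound_mac: Optional[str] = None    # the single device this voucher is tied to

@dataclass
class Session:
    first_seen: datetime
    username: Optional[str] = None     # set once the device has authenticated

@dataclass
class TrialHotspot:
    vouchers: Dict[str, Voucher]
    trial: timedelta = timedelta(minutes=30)
    sessions: Dict[str, Session] = field(default_factory=dict)

    def decide(self, mac: str, now: datetime) -> str:
        """'allow', 'trial', or 'login' (redirect to the portal) for a packet from mac."""
        s = self.sessions.setdefault(mac, Session(first_seen=now))
        if s.username is not None:
            if now >= self.vouchers[s.username].valid_until:
                s.username = None      # stay is over: access revoked automatically
                return "login"
            return "allow"
        return "trial" if now - s.first_seen < self.trial else "login"

    def login(self, mac: str, username: str, password: str, now: datetime) -> bool:
        v = self.vouchers.get(username)
        if v is None or now >= v.valid_until or v.bound_mac not in (None, mac):
            return False               # unknown, expired, or tied to another device
        if not hmac.compare_digest(v.password.encode(), password.encode()):
            return False
        v.bound_mac = mac
        self.sessions.setdefault(mac, Session(first_seen=now)).username = username
        return True

def scenario() -> List[str]:
    """Constructed timeline: aa:bb uses the trial, logs in, is revoked at checkout; cc:dd reuses the voucher."""
    t0 = datetime(2024, 1, 1, 12, 0)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    h = TrialHotspot({"room101": Voucher("pw-101", valid_until=at(2 * 24 * 60))})
    return [h.decide("aa:bb", at(0)), h.decide("aa:bb", at(31)),
            str(h.login("aa:bb", "room101", "wrong", at(31))),
            str(h.login("aa:bb", "room101", "pw-101", at(31))), h.decide("aa:bb", at(60)),
            str(h.login("cc:dd", "room101", "pw-101", at(60))), h.decide("aa:bb", at(2 * 24 * 60))]
```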