It is very common nowadays that public and private environments allow the use of the Internet to visitors, as long as they undergo an authentication process. The Captive Portal, named for this procedure, is an extremely valuable resource.
However, a major challenge with captive portals is controlling the accesses made by the user, similar to what a web proxy service does. When a captive portal is up and running, this traffic does not pass through a content filter, for example. On the contrary: once authentication succeeds, the device's access is fully released for a period pre-established by the company that provides the service.
Because most websites now use HTTPS (encrypted traffic), it is not possible to redirect the connection to the firewall for inspection automatically, since the encryption exists precisely to protect the access.
Thus, it is necessary to use some alternatives so that control is possible. To know these options and overcome some audit challenges with the Captive Portal on mobile devices, continue reading this blog post.
Alternative for access control
Using the Web Proxy Autodiscovery Protocol (WPAD) can be a solution to make the accesses made by users pass through the proxy server automatically. However, for it to work, some settings are required on the user's device, which means manual intervention on it.
The great challenge is that, because it is a visitors' network where it is not known which devices will connect, it is difficult to ensure that the settings on the users' devices are adequate for WPAD to function correctly. An important note about using WPAD on mobile devices is that the feature is only present on newer smartphones (with the latest versions of their operating systems). Most devices do not support the functionality, which creates a technical limitation for applying controls to the browsing of users connected through the captive portal.
Another alternative is to configure a manual proxy on the customer/visitor device. With manual configuration, the control can be done through internal proxy rules without any problem.
The drawback is that this process is often unsustainable because of the need for manual intervention on each device to accomplish such a configuration.
To alleviate the problem associated with the control over users' navigation, some providers allow the connection to be established and then analyze the SSL/TLS handshake of the request, identifying the hostname requested by the client in the Server Name Indication (SNI) extension, or in the name of the certificate presented by the server.
It is worth mentioning that this technique has limitations. In these situations, it is not possible to identify exactly what the user tried to visit within a specific domain. For example, it is possible to identify visits to www.facebook.com, but it is not possible to conclude that someone has visited www.facebook.com/chat.
Guidelines for better use of the Captive Portal
The issue associated with the access control of users connected to the captive portal is a technological limitation, present in all existing solutions in the market. However, we can give you some guidelines to improve its use.
Isolate the portal network
Whether through a VLAN or a separate physical segment, it is very important that this network has no communication with the other local networks of the company. Because these accesses come from a variety of devices that the company does not control, this isolation is strongly recommended.
Work on this network using a Bandwidth control
Another important point that can be applied to the portal network is to use a bandwidth control tool, so that this network cannot consume all of the organization's available link. Even though it cannot audit the accesses made, this type of control (at the level of the link's available bandwidth) can and should be applied whenever necessary. Some companies even choose to dedicate an internet link exclusively to the visitors' network.
Have a clear policy of use for portal access
The company needs to know clearly how the captive portal should work: whether it will allow the authentication of more than one device per user simultaneously (notebook and mobile, for example), and whether users will be able to self-register through a web form or through integration with social networks. Market solutions also enable the printing of vouchers for delivery to users interested in using the internet, which can be made available at the company's reception desk or at another suitable location.
The disconnection time for inactive users is also an important item and can usually be configured in the solution responsible for captive portal management. In this way, and based on these configurations, one can achieve a decrease in improper accesses on this network.
Now that you know how to overcome these challenges through the available alternatives, you can enjoy the benefits of the Captive Portal. If you are interested, we suggest reading the blog post "Captive portal, provide wifi access for customers and suppliers". That content covers fundamental items that must be evaluated before implementing a Captive Portal for managing the visitors' network.