Captive Portal

How To Fix The Captive Portal

Every once in a while on Twitter, in the Wi-Fi circles, the issue of the dreaded captive portal comes up.  Honestly, I’m not sure why since it’s not something that the technical minded people have much control over.  At least the why of the portal, not the how of the portal.

See, that’s where the conversation breaks down, and then gets recirculated back into the forefront.  As technical people, we get the how part and then try to debate the why part.  The how part is heavy at Layer 2 and Layer 3 of the OSI model, and then jumps to the upper layers to actually present the portal page to the end user.  The why part usually starts at Layer 8 of the OSI model and then moves up from there.

Not familiar with the OSI model above Layer 7?  I’m jealous!  For a quick overview check out this Wikipedia entry.

The How

See, captive portals are a way to captivate an audience, get them to do something, and then allowing them to continue on their way (or not, your choice really.)  There are a lot of things in life that act like that. Security lines at airports, entrances to most paid events, stuff like that.  As much as we would like free and unfettered access to everything, that just isn’t a possibility.

In the Wi-Fi world, captive portals are a way to hijack your browsing session to get you to do something (click a box, enter some information, watch an advertisement) before you are allowed to freely access the internet.  There are a couple of ways to accomplish this, but it generally operates in the lower layers of the OSI model.  That’s the area that the technical people thrive in.

The rest of the how really depends on the solution chosen and the requirements that are defined at Layer 8 and above.  This is where the conversation needs to shift from the how to the why.

The Why

Layers 1 through 7 are very well (conceptually) defined and have strict protocols around them that have been determined by the smart folks at the International Organization for Standardization, or ISO.  Maybe you have heard of them.

As technical people, we thrive in organized standards.  It’s how we function.  It’s our one bastion of sanity in a world on insanity.  Unfortunately for us, the why comes from above our organized standards.  I believe this is where the conversation breaks down, as I referred to earlier.

There are many reasons behind The Why but since they aren’t organized and standardized, we can’t wrap our head around it.

Risk, reward, mitigation, acceptable, opinion.  These are all words that have been used during conversations around captive portals.  The other words that come up are policy and lawyers.  Combine those words and it quickly becomes apparent why the why becomes hard to define and comprehend.  It really all depends on something else, someone else.

Maybe you are trying to generate revenue, mitigate risk, track users, or gathering information about who transits your facility and uses your resources.  All of them are legitimate reasons that I can’t argue.  If that is the policy as defined by your organization then it becomes a legitimate reason that us techie folks need to honor.

“Ours is not to reason why…” goes the saying.

My personal issues come in the form of poorly configured captive portals from both an operational standpoint and from a lack of follow through on the requirement.

Don’t serve me a video, make me watch it, and then fail to deliver the implied access.  Don’t make me enter a password every time my connection drops for any reason.  I was in a conference center and every time we took a break we had to enter the password on the captive portal again.  The idle timeout was so short it was ridiculous.  I’m there all day, I already entered the password once, leave me alone.  Once a day I’m ok with, once every time is a little overboard.

If you want to collect info, because your CISO or regulations demand it, that’s fine as well.  However, if I’m allowed to enter “no no,” as a legit first and last name and email address, then why bother?  If your organization demands that users agree to an Acceptable Use Policy (AUP), Terms & Conditions (T&C), or any other term you want to call it, that’s still fine with me, as long as you acknowledge that the why is policy and lawyer driven, not just “legal.”

The Fix

In a departure from my normal blog posts, I’m actually going to propose a solution that anyone can follow.

I know, shocking!

In Conversations

If you find yourself talking about captive portals, feel free to ask the following questions:

  • Do applicable laws or regulations require it?
  • Does the service provider or organization have a written policy requiring a captive portal?
  • Are there clear, written requirements for the captive portal?
  • Did the provided solution (captive portal) meet the requirements?

If the answers are yes, then let it go.  Change the topic of the conversation to something less controversial like religion or politics.

In Practice

If, at some point, you find yourself being asked to provide a captive portal for a solution you are implementing, please ask the following questions:

  • Do applicable laws or regulations require it?
  • Does the service provider or organization have a written policy requiring a captive portal?
  • Are there clear, written requirements for the captive portal?
  • Am I, or is my organization, capable of providing a solution (captive portal) that will meet the requirements?
  • Does the solution provide a way to monitor the functionality of the solution from the clients perspective?
  • Does the solution actually work?  And not “does it work because I know how I designed it,” but does it work for my grandma that just got an Amazon Kindle on sale for $30 and has no idea how to turn it on?

If there aren’t enough yes answers, please, for the love of all that is holy, don’t just fudge something together.  The harm that it will do to a well designed wireless network is much more than any good you can do by being the worlds best RF designer.

Remember, as some restaurants are trending to do, you can always just turn off the Wi-Fi altogether instead of providing a service that shows up on Twitter in the middle of a heated argument!