Captive portal

Definition

A captive portal is, for example, a public WiFi network name (ESS) that provides an Internet connection but redirects all traffic to a specific login page until you log in to the system.

Typical applications are free WiFi in hotels, airports and parks.

Captive portal disadvantages are:

WPA/RADIUS-based authentication is much better, but it is often seen as more complicated for the end user than a captive portal, and it requires pre-arranged authentication. There is work in progress to standardize the captive portal protocols[3][4].

How the captive portal's login is activated

Mobile phones (Android, iOS) will detect that the captive portal exists and automatically open a browser for the login.

This is not implemented in Debian (to my knowledge). So, just after connecting to the wireless network, you cannot immediately use e-mail, SSH or other application software. You first need to launch a web browser and access the captive portal login page. However, that login page's URL is usually unknown. Sometimes it is sufficient to start your web browser and enter any non-HTTPS URL, which will be redirected to the HTTP or HTTPS captive portal login page. In general, you can also enter any IP address.

In case this does not work, you'll need to find the gateway's address and enter that into your browser's address bar. An easy way to do this is by using a terminal and requesting the gateway's address to open in your default browser:

xdg-open http://$(ip --oneline route get 1.1.1.1 | awk '{print $3}')

In some cases, the browser window must be kept open (but will work minimized), so that the access token can be refreshed, e.g. through background JavaScript code.
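The two steps above (try a plain-HTTP URL, then fall back to the gateway address) can be combined in a small script. This is an added example, not part of the original page; the function names and the PROBE_URL default are assumptions, and any plain-HTTP URL without HSTS can be used instead.

```shell
#!/bin/sh
# Added example: locate a captive portal login page (not from the original page).
# PROBE_URL is an assumption: any plain-HTTP URL that is not HSTS-protected works.
PROBE_URL="${PROBE_URL:-http://detectportal.firefox.com/canonical.html}"

# Print the next hop from `ip --oneline route get ADDR` output read on stdin.
# Looks for the token after "via" instead of assuming it is field 3, so a
# directly connected route (no "via") yields nothing rather than an interface name.
gateway_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Print the redirect target from HTTP response headers read on stdin
# (e.g. from `curl -sI`). Succeeds only for a 3xx status with a Location header.
portal_from_headers() {
    tr -d '\r' | awk '
        NR == 1 { redirect = ($2 ~ /^30[12378]$/); next }
        redirect && tolower($1) == "location:" { print $2; found = 1; exit }
        END { exit !found }'
}

# Print the URL to open: the portal's redirect target if the probe request is
# intercepted, otherwise the gateway address as described above.
find_portal() {
    if url=$(curl -sI --max-time 5 "$PROBE_URL" | portal_from_headers); then
        printf '%s\n' "$url"
    elif gw=$(ip --oneline route get 1.1.1.1 | gateway_from_route) && [ -n "$gw" ]; then
        printf 'http://%s/\n' "$gw"
    else
        return 1
    fi
}

# Usage: url=$(find_portal) && xdg-open "$url"
```

Check that the printed URL points at the local network's portal before entering credentials, since the redirect target is chosen by whoever operates the access point.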

Tools

Troubleshooting

Recent browsers such as Firefox keep a local HSTS[1] cache and will prevent any HTTP access to a site that is to be accessed by HTTPS. Because of this, a bug might happen: you type "google.com" in the web browser URL bar and you get a security error. The workaround is to use any HTTP URL that is guaranteed to use neither HSTS nor DNSSEC, or an IP address (such as the one from the default route, as seen in netstat -rn | grep default).

  1. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  2. https://lists.debian.org/debian-user/2017/04/msg00041.html

  3. https://www.rfc-editor.org/rfc/rfc7710.txt

  4. https://en.wikipedia.org/wiki/WISPr