Case Project 7-3

Uploaded by

api-238179438
Copyright
© Attribution Non-Commercial (BY-NC)

Case Project 7-3: Captive Portal APs

Most hotspots and guest networks are secured by a captive portal. A captive portal is essentially the integration of a firewall with an authentication web page. Although captive portals are often associated with hotspots and wireless guest networks, the technology is not specifically affiliated with wireless networks. When a user connects to the guest network, whether wired or wireless, any packets that the user transmits are intercepted and blocked from accessing a gateway to the network resources until the user has authenticated through the captive portal.

Captive portals are available as standalone software solutions, but most WLAN vendors offer integrated captive portal solutions. The captive portal may exist within a WLAN controller, or it may be deployed at the edge with an access point. WLAN vendors that support captive portals provide the ability to customize the captive portal page. You can typically personalize the page by adding graphics, such as a company logo, inserting an acceptable use policy, or configuring the logon requirements.

Authenticating to a captive portal typically requires the user to enter a username and password. This username and password are verified against a RADIUS database. If the username and password are valid, the user is then allowed to access other resources, such as the Internet. A firewall policy normally restricts the guest users from any corporate resources but gives the users access to an Internet gateway.

Not all captive portal pages require a username and password for authentication. Some vendors have begun to use unique dynamic PSKs as user credentials. A guest management solution that utilizes unique PSKs as credentials also provides data privacy for guest users with WPA encryption. Some organizations deploy a guest WLAN where the captive web portal does not require any credentials whatsoever. Captive web portals can be configured for self-registration.
Captive web portals that do not require credentials still provide an acceptable use policy, which functions as a legal disclaimer for the guest network.

Role-based access control is used to restrict system access to authorized users only. When wireless users authenticate via the WLAN, they inherit the permissions of whatever roles they have been assigned. For example, users who associate with a Guest SSID are placed in a unique guest VLAN. The users then authenticate via a captive portal and are assigned a guest role. The guest role may have bandwidth permissions that restrict them to 100 kbps of bandwidth and allow them to use only ports 80 (HTTP), 25 (SMTP), and 110 (POP) during working hours. This scenario would keep guest users who are accessing the Internet from hogging bandwidth and only allow them to view web pages and check email between 9 a.m. and 5 p.m. When used in a WLAN environment, role-based access control can provide granular wireless user management.
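The guest-role scenario above, written as a gateway decision function in Python; this is an added example, not part of the original document. The corporate range `10.0.0.0/8`, the `Role` and `Session` names, the verdict strings and the one-second burst size are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Hypothetical corporate range; ports, hours and the 100 kbps cap
# come from the guest-role scenario in the text.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass(frozen=True)
class Role:
    name: str
    allowed_ports: frozenset
    start: time
    end: time
    rate_bps: int  # bits per second

GUEST = Role("guest", frozenset({80, 25, 110}), time(9, 0), time(17, 0), 100_000)

@dataclass
class Session:
    mac: str
    role: Optional[Role] = None      # None until the portal login succeeds
    tokens: float = 0.0              # remaining byte budget (token bucket)
    last: Optional[datetime] = None  # time of the last bucket refill

def decide(s: Session, dst_ip: str, dst_port: int, size: int, now: datetime) -> str:
    """Return the gateway's verdict for one packet of `size` bytes."""
    if s.role is None:
        return "redirect-to-portal"   # pre-auth traffic is intercepted
    if any(ipaddress.ip_address(dst_ip) in net for net in CORPORATE_NETS):
        return "deny:corporate"       # guests never reach internal hosts
    if dst_port not in s.role.allowed_ports:
        return "deny:port"
    if not (s.role.start <= now.time() < s.role.end):
        return "deny:hours"
    # Token bucket: refill at rate_bps/8 bytes per second, burst of one second.
    cap = s.role.rate_bps / 8
    elapsed = (now - s.last).total_seconds() if s.last else 1.0
    s.tokens = min(cap, s.tokens + elapsed * cap)
    s.last = now
    if size > s.tokens:
        return "deny:rate"
    s.tokens -= size
    return "allow"
```

The order of the checks matters: the authentication gate comes first, so an unauthenticated client gets the portal redirect regardless of destination, and the corporate-range deny is evaluated before any allow condition.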