<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WLFXGWL" height="0" width="0" style="display:none;visibility:hidden">
Call us now at   1-216-777-2900


Do Captive Portals Still Have a Place in WLAN Security?

Opinions are divided on captive portals for Wi-Fi access. Learn the benefits and drawbacks of using them.

47.1.4 C 7SIGNAL

Captive portals are primarily used for guest Wi-Fi access. They are the windows that come up when someone tries to connect to a public Wi-Fi network and often require entering personal information, agreeing to usage terms, or even payment before the user can get online.

There is no one right answer to whether a captive portal is right for your organization. Sometimes they're important, and the problems they cause are outweighed by the needs of the organization, while other implementations are nightmares. Opinions are thus very divided on captive portals.

This post covers the history of captive portals, their most significant benefits and downsides, and some important considerations for using them.

A brief history of the captive portal

In the past, there wasn’t a lot of controversy about captive portals, and they’ve existed almost from the inception of Wi-Fi. Generally, anytime you have a captive portal, it has to do with guest networks.

Portals used to be fairly benign, typical, and expected. It was reasonable and customary to convey terms and conditions to users before they could get on a network. It wasn’t uncommon to find a captive portal for a guest network associated with something like NoCatAuth, which was a way to authenticate users before current Wi-Fi standards.

The user experience was much better in those days when people only accessed the guest Wi-Fi network through a computer with a desktop OS and primarily used unencrypted HTTP and DNS. Those conditions made intercepting the communication and presenting the portal simple and frustration-free. But today’s reliance on TLS and HTTPS and the growing use of encrypted DNS protocols have resulted in a much more frustrating experience with captive portals, as they are essentially performing a man-in-the-middle attack on the end-user. Today, end-users regularly see confusing and alarming certificate warnings and page load errors caused by captive portals, and they don’t know how to respond to them.

So these days, captive portals are highly debated because they don't always work, and users can become really frustrated, especially if they have to pay to access guest Wi-Fi. While many organizations still use them, many others don’t, especially in cases where guests are using the Wi-Fi network for mission-critical digital experiences.

Benefits and downsides of captive portals

So why were they used in the first place? Here are the key benefits of captive portals:

  • They can have high flexibility. No one design or standard says how the portals should be, so many variations are possible. 
  • They can be simple when conveying information. 
  • You can use various sign-in methods that involve acknowledging something via a text message, unverified social logins, email accounts, etc. A captive portal can also be the equivalent of a paywall.
  • Portals were an advertising vehicle. Within the terms and conditions that people agreed to, the outer real estate of a page could be used for ads.

Nevertheless, captive portals can also be utterly terrible for users and organizations, especially when they’re gateways to different tiers of wireless access. Often, the lower tier doesn’t work well at all, so users have to spend more money for the better option. 

Some organizations have dubious intent—simply getting more money out of users—which ruins the average user experience. But even portals with the best intentions can be very technically glitchy. For example, different browsers work differently or maybe have weird plugins. Sometimes, user-experience problems never get fixed, or the portal doesn't work well from day one. And at some organizations, such as a hotel, users may find that there's no one to complain to since on-site staff doesn't know or care, and it's a corporate issue.

What factors determine whether a captive portal is warranted?

When planning to offer wireless internet, what determines if you should use a portal? Here are a few factors:

  • Policy: Solutions should always enforce policy. A captive portal may be in order if your policy says you simply can't have wide-open guest access.
  • Organizational goals: Maybe an organization’s goal is to make every bit of money it can, even if it annoys people. In that case, perhaps the drawbacks of a captive portal are minor.
  • Balance of security versus user pain: Captive portals can enhance security, but at a price; this concern is viewed through the lens of organizational goals.
  • Cost and complexity of achieving goals with alternate methodology: There are other options if you want enhanced security for wireless access but don’t want to go with a captive portal—but there aren’t many.

A big challenge is conflicting ideologies. Some people believe that high-speed Wi-Fi needs to be free and accessible to everyone. Others view Wi-Fi access as a selling point or an added benefit and don’t think the organization ‘owes people’ this feature, even if it costs them customers. It all depends on who you are and how you see your guests. Not every organization has the same framework for why it gives people access or not. 

Say that a family runs a café, and people come there primarily to eat, not to use the Wi-Fi. The owners may want people to know that they’re offering free Wi-Fi, so they set up a captive portal so users will comply with the terms and be aware that they’re getting an extra benefit. The owners don’t want to gather information from people, so the terms are low-intensity.

A very different example would be a large commercial organization offering guests wireless access. Guests must provide their phone number in the portal, are texted a password, and can get online when they enter that password. This captive portal is reliable and tested often, so it works acceptably well. But people don’t like having to put in their phone number to use it. Nevertheless, the organization decided to add this step because it wants a way to track people in case the worst happens, as it’s had issues in the past. 

These examples represent two different philosophies and reasons to do a portal. One is much more involved on the back end, but both come down to an organization’s policy and its security goals and requirements.

What if you opt to use captive portals?

If you’re going to integrate a captive portal, here are a few important considerations:

Test the portal regularly. Today, many portals are a pretty lousy experience. Maybe a portal wasn't built right, and no one tested it. So first, ensure it works the way it's supposed to work and then test it frequently.

Keep it updated. There are a lot of browser updates happening all the time, so keep the portal up to date to conform with all browsers that people may be using.

Recognize potential hiccups. The portal will cause issues with secure web and DNS traffic, and recognizing that challenge early can help you prepare. 

Recognize they can be faked. Portals can absolutely be spoofed; it’s pretty easy for hackers to replicate them with logos and a similar look to make the pages feel legitimate. This problem isn't unique to portals, but their graphics can make it easier to trick people.

Know that some apps want connectivity before browsers are opened. Some apps must connect before someone logs into the portal. The organization needs to decide whether or not to allow that.

Understand why people might complain. Think through the reasons guests might not want a portal or complain about it. For instance, most users won’t like being monetized significantly for a captive portal, so be ready to deal with pushback.

Monitor the end-user experience with 7SIGNAL

Wi-Fi is becoming more accessible, expected, and free. Nevertheless, captive portals still have a place in many organizations, and knowing the benefits and drawbacks can help you decide whether to employ one. Regardless of whether you choose this route, ensure you always know how clients are experiencing your Wi-Fi so you can make changes as needed.

Mobile Eye® and Sapphire Eye® from 7SIGNAL help organizations foster thriving connections while mitigating risk against downtime and impacts to revenue. 7SIGNAL is a cloud-based platform that continuously monitors Wi-Fi performance at the edge of the network from the device perspective, enabling swift solutions to Wi-Fi issues and stronger connections for mission-critical users, devices, and applications. You’ll always know how people are accessing and experiencing the Wi-Fi connection.

Learn more by contacting 7SIGNAL today.

7SIGNAL® is a leader in enterprise cloud Wi-Fi performance management. Founded by wireless networking pioneers, the company delivers applications that continuously monitor the stability of its clients' Wi-Fi networks in order to mitigate risk. The 7SIGNAL platform is designed for the world's most innovative organizations, educational institutions, hospitals and government agencies and are currently deployed at IBM, Kaiser Permanente, Nike and other Fortune 500 companies. 7SIGNAL continuously monitors the connectivity of an estimated 20 million global devices. Learn more at www.7signal.com.