With an active captive portal, a user must pass a splash-page-based authentication before connecting to the network. The user is first intercepted by the Access Point and then redirected to the captive portal service provider’s splash page. Here, one or more authentication steps need to be fulfilled before network access is granted. The look and nature of these steps are fully customizable: captive portal service providers control every aspect of the authentication process, from design to implementation, so that they can cater to various use cases.
The sections below outline the general process as well as the configuration steps required to integrate a captive portal solution with the Kaiwoo platform.
Splash page Configuration
To allow a connecting user to be redirected to the splash page by the Access Point, the service provider needs to configure the splash page URL. This can be achieved either by:
- Entering the splash page URL into the Kaiwoo console (learn how to get started with the Kaiwoo console here); or
- Defining the splash page URL via the Provisioning API (the related API documentation can be found here).
Upon completion of all the splash page authentication steps, the user will be redirected back to the Access Point. The Access Point then communicates with the service provider’s back-end to establish whether network access was granted and whether any restrictions apply (e.g., session length, upload/download limit). To learn how to configure splash page related settings, including traffic and fail-over policies, please see details here.
Device to Cloud Communication
The device to cloud communication is formed by four distinct processes which all need to be addressed:
- Pre-login process;
- Login process;
- Accounting process;
- Logout process.
Please find the overview of all these processes below.
A pre-login request is used to recognize clients with ongoing sessions or clients who are not supposed to see a splash page for various reasons. It can be understood as a filter for specific clients not required to undergo the login process. If the request is accepted, the user will be granted network access.
If, on the other hand, a client cannot satisfy the specified pre-login requirements, it will be redirected to the splash page and continue with the normal login process.
The connecting user is redirected by the Access Point to the service provider’s splash page for authentication. After splash page authentication, the WiFi client is redirected back to the Access Point. The Access Point initiates the login process in order to verify whether the WiFi client was successfully authenticated by the splash page service provider. This device to cloud communication can be achieved via either an HTTP or a RADIUS authentication server.
In case of authentication success, the Access Point grants network access to the user and redirects it either to a success landing page or the URL the user originally requested.
On the other hand, if the authentication attempt is unsuccessful, the service provider’s splash page is expected to inform the user about the failure and offer to retry the authentication process.
While a user is connected, the Access Point will send accounting information about the user’s ongoing session to the service provider at regular intervals. This includes details such as:
- The number of bytes uploaded and downloaded by the WiFi client;
- The number of seconds the session has been active;
- And more.
The logout process can either be initiated by:
- Expiration of a session; or
- A manual user logout.
Afterwards, the Access Point will send a termination message to the service provider, and disconnect the user from the network.
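The four processes described above, modelled from the service provider back-end's point of view. This is an added example, not Kaiwoo code or its API: every class, method, field name and return value below is hypothetical, and the in-memory state stands in for a real HTTP or RADIUS authentication server.

```python
# Added illustration: in-memory model of a service provider back-end.
# All names, fields and limits are hypothetical, not the Kaiwoo API.
from dataclasses import dataclass

@dataclass
class Session:
    max_seconds: int      # session length restriction
    max_bytes: int        # combined upload/download limit
    seconds: int = 0
    bytes_total: int = 0

class PortalBackend:
    def __init__(self, exempt_macs=(), max_seconds=3600, max_bytes=500_000_000):
        self.exempt = {m.lower() for m in exempt_macs}
        self.pending = set()   # passed the splash page, login not yet verified
        self.sessions = {}     # mac -> Session
        self.limits = (max_seconds, max_bytes)

    def splash_completed(self, mac):
        """Called by the splash page once all authentication steps succeeded."""
        self.pending.add(mac.lower())

    def pre_login(self, mac):
        """Accept clients with an ongoing session or exempt from the splash page."""
        mac = mac.lower()
        if mac in self.exempt and mac not in self.sessions:
            self.sessions[mac] = Session(*self.limits)
        return "accept" if mac in self.sessions else "redirect_to_splash"

    def login(self, mac):
        """Access Point asks whether the client really authenticated."""
        mac = mac.lower()
        if mac not in self.pending:
            return {"result": "reject"}   # fail closed: no splash record
        self.pending.discard(mac)         # a splash result is usable once
        self.sessions[mac] = Session(*self.limits)
        return {"result": "accept", "max_seconds": self.limits[0],
                "max_bytes": self.limits[1]}

    def accounting(self, mac, bytes_up, bytes_down, seconds):
        """Record counters reported by the Access Point; flag exceeded limits."""
        s = self.sessions.get(mac.lower())
        if s is None:
            return "unknown_session"
        s.bytes_total, s.seconds = bytes_up + bytes_down, seconds
        over = s.seconds >= s.max_seconds or s.bytes_total >= s.max_bytes
        return "terminate" if over else "continue"

    def logout(self, mac, reason):
        """Termination message; reason is 'expired' or 'user_logout'."""
        if reason not in ("expired", "user_logout"):
            raise ValueError("unknown logout reason")
        return self.sessions.pop(mac.lower(), None) is not None
```

The login check rejects any client without a recorded splash page result, so a client that simply returns to the Access Point without completing the splash page is not granted access.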
RADIUS or HTTP-based Authentication Server
The device to cloud communication can be performed by using either a RADIUS- or HTTP-based authentication server. For configuration details, please refer to the following articles: