Do not index
Do not index
A captive portal is a web page that is displayed to users when they try to connect to a public Wi-Fi network or an internet service that requires authentication. The captive portal usually prompts users to enter login credentials or to agree to terms and conditions before they can access the internet.
How does the UniFi Captive Portal work?
Captive portal works by intercepting a user’s attempt to access internet, and redirecting them to a page ( usually called Splash-page ) with Terms and conditions or login options. A user will not have access to internet before captive portal is viewed and the login process is completed.
In case of UniFi, the captive portal will only work if there is an active UniFi controller. However majority of the captive portal handling is done by the AP itself.
If captive portal is enabled, UniFi controller will create a set of iptables rules to redirect all HTTP ( optionally HTTPS ) traffic done by a “Pending” client into the AP itself.
The rules also intercept all the DNS traffic for Pending clients and send them to the local DNSmasq process.
Only traffic to IPs/Hosts that are in the Pre-Authorization Access list is allowed to by-pass this rules.
UniFi Walled garden ( a.k.a Pre-Authorization Access)
Walled garden controls are handle by the DNSmasq. Each hostname added into the Pre-Authorization Acess list gets added to the ipset rule guest_pre_allow
This will “freeze” the IP of each of these hosts, so that devices are allowed to communicate freely with these IPs.
And since the DNS queries from devices are answered by the internal DNSMasq itself, they should be able to communicate with these hosts.
We have made an easy to use External Captive Portal solution for UniFi. Start you 15 day free trial here.
UniFi Redirector
The final piece of the puzzle is an application called redirector, which listens on port 80. It responds to all incoming HTTP traffic with a 302 redirect to the actual captive portal.
What to do when nothing works?
As you can see from above, for the captive portal to work properly, a number of things should fall into place. Many times it doesn’t happen! At Spotipo we do a step by step approach to debug when sh*t hits the fan. We are able to fix 99.99% of the issues by following these steps.
In the order-
- Ask Guest to forget the network and connect again: 95% of the issues are caused by captive portal detection on the Client side. Ask Guest to remove the WiFi profile and connect again!
- DHCP issues: check that the Guest gets a proper IP
- DNS on client side: Check that Client is able to do DNS resolutions, if it doesn’t could be that AP has some issues with DNS. Try restarting it/ check if the AP firmware has known issues
- Check that your captive portal is active: ( You wouldn’t need to do this if you are Spotipo customer, we monitor all our portals 24X7)
- Check for captive portal: Open a browser on the client’s device and type http://neverssl.com this should force open the captive portal. If it doesn’t work, look at the pre-authorization list and check if the captive portal’s domain is added.
- If all these fails, try a UniFi controller reboot
Written by