The splash page that WiFi customers see before they access the WiFi is technically a captive portal. This presents login options that the user must complete to gain access to the Internet. See more information regarding splash pages.
When deploying our services, we recommend WiFi services are provided over an Open WiFi Network to encourage people to engage. The Open WiFi Network is now the standard convention, which helps reduce friction by increasing familiarity for your WiFi customers. The captive portal is designed to help manage the login process.
Most devices used to connect to the Internet have a Captive Network Assistant (CNA) embedded in the Operating System to help them interact with a captive portal. This checks a predefined domain name to test whether the Internet is available to help navigate the captive portal. See the differences in platforms below.
Different Operating Systems manage the CNA process in different ways but the fundamental operations of the CNA are to:
- Check Internet connectivity when it establishes a connection to the WiFi
- Notify the client using the device that they might need to log in
- On acknowledgement of the notification, launch a browser (usually the system browser)
- Acknowledge an 'Online' status
The process of logging in to the captive portal begins with the Controller managing the WiFi interaction with our Splash Page server systems. The Splash Page systems collect the client details for login and provide the client with a one-time login. The Controller then passes this to our RADIUS server to complete the login process.
Captive Network Assistant (CNA) Platform Response
The CNA is designed to simplify the login process. It presents a 'blank canvas', which allows the redirection that the captive portal initiates to complete unhindered.
If the WiFi customer misses the Captive Network Assistant, we recommend that they open a browser and navigate to neverssl.com. This third-party site is useful to avoid problems with SSL redirects.
Android phones will provide a notification that 'you may need to login'.
Clicking this notification will launch Android's CNA browser session to guide the client online.
Since Android v5.4, Google has designed the CNA browser window to automatically close the captive portal browser session upon successful online authentication. This default action is occasionally altered by mobile phone companies that implement Android on their phones, in which case the CNA Browser may need to be closed manually.
On iOS (iPhoneOS and iPadOS), the CNA browser appears as a pop-up window when the client connects to the WiFi, to help them get online.
On OSX (laptops) you will also be presented with a pop-up. Regrettably, OSX does not allow cookies in the CNA browser session, and Purple require a cookie (just for the login session) to make sure that the login journey can be maintained. Therefore the CNA pop-up provides a recommendation to open a browser and navigate to neverssl.com.
Windows works similarly to Android in that the WiFi customer will typically be presented with a notification which then opens a browser to guide them online.
When the WiFi customer connects to an SSID, they will be redirected to a captive portal splash page hosted by Purple.
Captive portal splash pages are hosted on access nodes. These are elastically scaling PHP applications backed by a scaling NoSQL database. Static content is served from Amazon CloudFront.
When the WiFi customer completes the captive portal login page, Purple then authorize them on our RADIUS server and redirect the session authorization back to the network controller. This releases them from the captive portal so they can access the wider internet. As the customer credentials are presented to RADIUS, we typically populate the aggregated login details & session data.
RADIUS (Remote Authentication Dial-In User Service)
Remote Authentication Dial-In User Service (RADIUS) is a network protocol which provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service.
Purple uses this mechanism to authenticate and authorize users during a captive portal login process. Purple RADIUS servers are FreeRADIUS servers which store data on a GCP Cloud SQL database.
After a RADIUS server receives an Access-Request packet, it must send an Access-Accept packet if authentication succeeds. The AP will then remove any captive portal/walled garden restrictions and allow the user online.