Scenario 2 – captive portal

In this scenario, the hotel Wi-Fi redirects users’ browsers to an online enrollment page (a captive portal) before allowing the user to connect to the Internet. The roaming user’s browser is configured with the standard PAC file, which is retrieved from the cloud service on port 8082.

  1. The user requests www.google.de.
  2. Because the browser is configured to use the PAC file, it first requests the PAC file from webdefence.global.blackspider.com over port 8082.
  3. The hotel’s firewall checks its access control list (ACL) for the user’s MAC address. The MAC address is not on the ACL, because the user has not yet registered.
  4. Because the firewall does not recognize the user’s MAC address, it does not allow the request for the PAC file.

    Nor does the firewall answer the request on port 8082 with the captive portal: 8082 is a non-standard port for web browsing, and because most HTTP requests use port 80, the firewall is normally configured to intercept web requests on port 80 only.

    Note: It is possible, though unlikely, that the firewall will respond to web requests on port 8082 with the captive portal. In this case, the user receives the enrollment page, and once enrollment is complete the browser retrieves its PAC file. When the user then attempts to browse, they are directed to the “You are connecting from an unrecognized location” logon page. Once they log on, the appropriate policy is applied.

If the firewall has been configured to serve the captive portal only for requests on port 80 (the most likely configuration), the following occurs.

The browser continues to try to retrieve the PAC file over port 8082 until it times out. (By default, Internet Explorer will time out after 20 seconds.)

Once the browser times out trying to obtain the PAC file, it will then attempt to follow the proxy server setting, if configured.

  • If this is blank, the browser will connect directly via port 80. The hotel firewall now responds with the enrollment page on port 80. The user completes registration, and the firewall registers the user’s MAC address. Now that the user’s MAC address is registered, the firewall allows requests on all ports for that machine. The roaming user is now connecting to www.google.de directly over port 80; the browser is not using the PAC file, so traffic is not directed to the cloud proxy. As such, the user is connecting directly to the Internet for this browser session, with no policy enforcement applied.

    Only when the user opens a new browser session (that is, a new browser window) will the browser request the PAC file over port 8082 again.

    Because the user has registered, the user will now be directed to the “You are connecting from an unrecognized location” logon page. Once the user logs on, the appropriate policy is applied.

  • If the browser has a proxy server setting configured, the browser attempts to connect to this proxy. For example, if the proxy server is configured as webdefence.global.blackspider.com and the port as 8081, then the browser will attempt to connect to webdefence.global.blackspider.com over port 8081.

    However, because the firewall does not find the user’s MAC address on its ACL, it does not allow the request. The firewall is not configured to respond with the enrollment page on port 8081.

    At this point the browser times out, and the user cannot connect to the Internet at all.

  • If the browser is configured with a third-party proxy server, abc.com over port 80, then the browser attempts to connect to this third-party proxy over port 80. Because the firewall receives the request on port 80, it responds with the enrollment page. The user completes enrollment, and the firewall registers the user’s MAC address and allows requests out on all ports for that MAC address. Consequently, the roaming user is now connecting to www.google.de over port 80 via the third-party proxy abc.com for this browser session, and, as in the previous case, the cloud proxy is not in the path, so no policy enforcement is applied.

    Only when the user opens a new browser session (that is, a new browser window) will the browser request the PAC file over port 8082 again.

    Because the user’s MAC address has been registered, the user will now be directed to the “You are connecting from an unrecognized location” logon page. Once the user logs on, the appropriate policy is applied.
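The following is an added example, not part of the original page, that models the sequence above so the outcome of each proxy-setting case can be compared side by side: the firewall allows everything for a registered MAC, serves the enrollment page only on its captive-portal ports, and silently drops the rest; the browser tries the PAC file on port 8082 first and, when that times out, falls back to the static proxy setting or to a direct connection on port 80. The hostnames and ports are taken from the page; the MAC address, the firewall model and the PAC contents are assumptions made for the example.

```javascript
// Added example (not from the original page). Hostnames and ports are from
// the page; the MAC address, firewall model and PAC contents are assumed.

const CLOUD_PROXY = "webdefence.global.blackspider.com";
const PAC_PORT = 8082;         // port the browser fetches the PAC file on
const CLOUD_PROXY_PORT = 8081; // port the cloud proxy listens on

// Hotel firewall model: a registered MAC is allowed out on all ports. An
// unregistered MAC gets the enrollment page only on the captive-portal
// ports and is silently dropped on everything else (so the client times out).
class HotelFirewall {
  constructor(captivePortalPorts) {
    this.captivePortalPorts = new Set(captivePortalPorts);
    this.acl = new Set(); // registered MAC addresses
  }
  handle(mac, dstPort) {
    if (this.acl.has(mac)) return "allow";
    if (this.captivePortalPorts.has(dstPort)) return "captive-portal";
    return "drop";
  }
  enroll(mac) { this.acl.add(mac); }
}

// One browser session (one window). `proxy` is the static proxy setting:
// null when blank, otherwise { host, port }. Returns what the session did.
function browserSession(fw, mac, proxy) {
  const r = { pacLoaded: false, enrolled: false, connected: false, path: "none", policyEnforced: false };

  // Step 1: request the PAC file from the cloud service over port 8082.
  const pacVerdict = fw.handle(mac, PAC_PORT);
  if (pacVerdict === "captive-portal") { // the "unlikely" case in the note
    fw.enroll(mac);                      // user completes the enrollment page
    r.enrolled = true;
  }
  if (pacVerdict !== "drop") {
    // PAC retrieved: browsing goes to the cloud proxy and policy applies
    // (after the "unrecognized location" logon the page describes).
    r.pacLoaded = true;
    r.connected = true;
    r.path = `PROXY ${CLOUD_PROXY}:${CLOUD_PROXY_PORT}`;
    r.policyEnforced = true;
    return r;
  }

  // Step 2: PAC request dropped; the browser times out (IE: 20 s by default)
  // and falls back to the static proxy setting, or goes direct on port 80.
  const target = proxy ? proxy : { host: "www.google.de", port: 80 };
  const verdict = fw.handle(mac, target.port);
  if (verdict === "drop") {
    r.path = "timeout"; // nothing answers on that port: no Internet at all
    return r;
  }
  if (verdict === "captive-portal") {
    fw.enroll(mac); // enrollment page served, MAC goes onto the ACL
    r.enrolled = true;
  }
  // The request now goes out, but only through the fallback path, so policy
  // applies only if that fallback itself points at the cloud proxy.
  r.connected = true;
  r.path = proxy ? `PROXY ${target.host}:${target.port}` : "DIRECT";
  r.policyEnforced = target.host === CLOUD_PROXY;
  return r;
}

// Runs the three cases from the page (plus the unlikely port-8082 portal)
// and the follow-up "new browser window" session for the two that enroll.
function runScenarios() {
  const mac = "00:11:22:33:44:55"; // assumed client MAC address
  const out = {};

  let fw = new HotelFirewall([80]);                 // portal on port 80 only
  out.blank = browserSession(fw, mac, null);        // blank proxy setting
  out.blankNewWindow = browserSession(fw, mac, null);

  fw = new HotelFirewall([80]);
  out.cloudProxy = browserSession(fw, mac, { host: CLOUD_PROXY, port: CLOUD_PROXY_PORT });

  fw = new HotelFirewall([80]);
  out.thirdParty = browserSession(fw, mac, { host: "abc.com", port: 80 });
  out.thirdPartyNewWindow = browserSession(fw, mac, { host: "abc.com", port: 80 });

  fw = new HotelFirewall([80, PAC_PORT]);           // portal also on 8082
  out.portalOn8082 = browserSession(fw, mac, null);
  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The two cases that enroll through the captive portal both finish the first session `connected` but with `policyEnforced` false, which is the exposure the page is describing; the cloud-proxy-on-8081 case never enrolls and never connects; only the next window, with the MAC on the ACL, fetches the PAC file and reaches the cloud proxy.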

For guidance on resolving these issues for roaming users, see the recommendations detailed in the section Recommendations for roaming users.