100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is a Captive Portal?

Learn what a captive portal is, how it intercepts traffic on public Wi-Fi, and how OS detection works — with networking interview Q&A.

easyQ142 of 224 in Computer Networks Est. time: 4 minsLast updated:
Open Code Lab

Expected Interview Answer

A captive portal is a web page that a network (commonly public Wi-Fi in hotels, airports, or cafés) forces a newly connected device to view and interact with — usually to accept terms, log in, or pay — before granting general internet access, implemented by intercepting HTTP requests and redirecting them until the device is authorized.

When a device joins the network, the access point or gateway initially allows only DNS and traffic to the portal itself, while blocking everything else. The device’s OS (or the user opening a browser) sends an HTTP request that the gateway intercepts and redirects to the captive portal login/terms page, often triggered automatically by the OS’s captive portal detection mechanism, which probes a known URL and notices it does not get the expected response. Once the user authenticates, accepts terms, or pays, the gateway records the device’s MAC address (or a session token) as authorized and opens up full internet access, typically for a set duration or until the session ends. Because captive portals intercept traffic, they can break HTTPS connections or trigger security warnings, which is why modern OSes use dedicated captive portal detection endpoints rather than relying on the user’s first real browsing attempt.

  • Gatekeeps network access behind acceptance of terms, login, or payment
  • Uses OS-level captive portal detection to prompt the login page automatically
  • Tracks authorized devices via MAC address or session token
  • Commonly used for guest Wi-Fi, hotel/airport networks, and paid hotspots

AI Mentor Explanation

A captive portal is like the gate steward at a stadium entrance who stops every spectator before letting them onto the general concourse, requiring them to show a ticket or sign a waiver at a small booth first. Until that booth signs off, the spectator can only stand in the entrance area — they cannot reach the stands, food stalls, or any other part of the ground. Once the booth approves them, the steward waves them through freely for the rest of the match. Every new arrival goes through this same booth check, no matter how many times they have visited the stadium before.

Step-by-Step Explanation

  1. Step 1

    Association

    The device joins the Wi-Fi network and receives an IP address via DHCP, but the gateway only permits DNS and traffic to the portal.

  2. Step 2

    Detection

    The OS probes a known captive-portal-check URL; getting an unexpected redirect signals a captive portal is present.

  3. Step 3

    Redirect and interaction

    Any HTTP request (or the OS-triggered probe) is redirected to the login/terms/payment page, which the user completes.

  4. Step 4

    Authorization

    The gateway marks the device (by MAC or session token) as authorized and opens full internet access for the session.

What Interviewer Expects

  • Describes the intercept-and-redirect mechanism for HTTP traffic
  • Explains how the OS detects a captive portal via a known probe URL
  • Knows access is initially restricted to DNS/portal traffic only
  • Mentions the HTTPS-breaking side effect and why detection endpoints exist

Common Mistakes

  • Thinking a captive portal encrypts or secures the connection itself
  • Not knowing that HTTPS requests to arbitrary sites cannot be silently redirected without a certificate warning
  • Confusing captive portal authentication with WPA2/WPA3 Wi-Fi encryption
  • Assuming authorization persists forever rather than for a limited session/duration

Best Answer (HR Friendly)

A captive portal is that login or terms page you see when you connect to hotel, airport, or café Wi-Fi before you can actually browse the internet. The network blocks general access until you accept the terms, log in, or pay, and only then does it let your device through — it is basically a gatekeeper page for public networks.

Code Example

Detecting a captive portal from the command line
# Probe a known captive-portal detection endpoint
curl -sI http://connectivitycheck.gstatic.com/generate_204

# Expected response with no captive portal: HTTP/1.1 204 No Content
# If a captive portal is active, you typically get a 200/302 redirect
# to the portal’s login page instead of the expected 204.

Follow-up Questions

  • Why do captive portals often break HTTPS connections?
  • How does an operating system automatically detect a captive portal?
  • How is a device tracked as “authorized” after logging in?
  • What security risks does a captive portal introduce on public Wi-Fi?

MCQ Practice

1. What does a captive portal restrict before authentication?

Before authorization, the gateway typically permits only DNS and traffic to the captive portal page, blocking general internet access.

2. How does an OS commonly detect a captive portal is present?

OSes probe a well-known connectivity-check URL; a redirect or unexpected response instead of the expected result indicates a captive portal.

3. How is a device typically tracked as authorized after passing a captive portal?

The gateway commonly records the authorized device by MAC address or an issued session token for the duration of access.

Flash Cards

What is a captive portal?A forced web page that gates internet access until terms are accepted, login happens, or payment is made.

What traffic is allowed before authorization?Typically only DNS and traffic to the portal page itself.

How is the portal triggered?By intercepting HTTP requests and redirecting, often detected via OS captive-portal probe URLs.

Why can captive portals break HTTPS?They cannot cleanly redirect encrypted HTTPS requests without triggering certificate warnings.

1 / 4

Continue Learning