Portales Cautivos HTTPS en 2026: Por qué HSTS y el Reforzamiento del Navegador Están Rompiendo los Viejos Patrones

Esta guía detalla cómo HSTS y las políticas de prioridad HTTPS del navegador están rompiendo los portales cautivos de intercepción HTTP heredados en 2026. Proporciona orientación técnica práctica para que los arquitectos de red implementen alternativas modernas, incluyendo la API CAPPORT y Passpoint (Hotspot 2.0), asegurando un acceso WiFi seguro y confiable para invitados.

📖 6 min de lectura📝 1,495 palabras🔧 2 ejemplos❓ 3 preguntas📚 8 términos clave

🎧 Escucha esta guía

Ver transcripción

PODCAST SCRIPT: HTTPS Captive Portals in 2026 — Why HSTS and Browser Hardening Are Breaking the Old Patterns
Runtime target: ~10 minutes | Voice: UK English, senior consultant tone

---

[INTRO — ~60 seconds]

Welcome back. I'm going to cut straight to it today, because if you're running guest WiFi at scale — hotels, retail estates, stadiums, conference centres — you've probably already hit this problem, or you're about to.

The classic captive portal pattern — the one where your network intercepts an HTTP request and redirects the user to a splash page — is breaking. Not gradually. It's breaking hard, and the browser vendors are the ones doing it.

In the next ten minutes, I want to walk you through exactly what's changed, why it's changed, and what your realistic options are in 2026. This isn't theoretical. This is the conversation I'm having with network architects and IT directors every week right now.

Let's get into it.

---

[TECHNICAL DEEP-DIVE — ~5 minutes]

So let's start with the mechanism. The legacy captive portal pattern works like this: a device connects to your open or PSK-protected WiFi network. It tries to load a web page. Your network controller intercepts that HTTP request — port 80 traffic — and issues a 302 redirect to your portal page. The user sees your splash screen, accepts terms, maybe logs in, and then you open the walled garden. Simple. It's worked for twenty-plus years.

The problem is that pattern depends entirely on the device making an unencrypted HTTP request that you can intercept. And browsers are systematically eliminating those requests.

Here's the timeline of what's happened. HSTS — HTTP Strict Transport Security — has been around since RFC 6797 in 2012. The mechanism is straightforward: a site sends a Strict-Transport-Security header, and the browser remembers it. For the duration of the max-age period, the browser will refuse to load that site over plain HTTP. It upgrades the connection to HTTPS automatically. If HTTPS isn't available, the connection fails — hard. No bypass, no redirect, just a certificate error.

Now, HSTS on its own is manageable. The browser only enforces it after the first visit. But then came the HSTS preload list. Chrome maintains a hardcoded list of domains that are HTTPS-only, baked directly into the browser binary. Firefox, Safari, and Edge all consume the same list. As of 2026, that list covers well over 100,000 domains, including essentially every major consumer destination — Google, Facebook, Twitter, banking sites, government portals, the lot.

What that means in practice is this: when your guest device connects to your network and tries to load gmail.com, or bbc.co.uk, or any preloaded domain, the browser doesn't even attempt an HTTP request. It goes straight to HTTPS. Your network controller never sees a plain HTTP request to intercept. The redirect never happens. The user just gets a certificate error, because your portal's self-signed certificate is not trusted for gmail.com. They see NET::ERR_CERT_AUTHORITY_INVALID and they're stuck.

And it's getting worse. In October 2025, Google announced that Chrome 154 — shipping October 2026 — will enable "Always Use Secure Connections" by default for all users on public sites. Chrome 147, which shipped in April 2026, already enabled this for the one-billion-plus users who have Enhanced Safe Browsing turned on. Firefox has been moving in the same direction. Safari has had HTTPS-first behaviour on iOS for some time.

The net effect: by the end of 2026, the majority of your guests' browsers will attempt HTTPS for every navigation, regardless of whether the domain is on the preload list. The HTTP intercept pattern is not just unreliable — it's dead.

Now, there's a secondary problem that compounds this. Even when the OS-level Captive Network Assistant — the CNA — fires up its mini-browser to handle the portal, that mini-browser has its own HSTS enforcement. On iOS, the CNA uses a sandboxed WebKit instance. On Android, it uses a Chrome Custom Tab. Both enforce HSTS. Both will fail to load your portal if you're trying to serve it via a hostname that has an HSTS policy.

The correct technical response here is to serve your portal from a dedicated hostname that has never had an HSTS header and is not on the preload list — something like portal.yourvenue.com — with a valid, CA-signed TLS certificate. That's table stakes now. But even that doesn't fully solve the detection problem, because the device still needs to discover that it's behind a captive portal in the first place.

That's where RFC 8910 and RFC 8908 come in. RFC 8910 defines a DHCP option — option 114 — and an IPv6 Router Advertisement option that tells the client device the URL of the captive portal API endpoint. RFC 8908 defines that API: a simple JSON endpoint that the OS queries to determine whether internet access is restricted, and if so, where the portal is. Modern operating systems — iOS 14 and later, Android 11 and later, Windows 11 — all support this. When you implement CAPPORT correctly, the device knows it's behind a portal before it ever tries to load a web page. The OS fires up the CNA with the correct portal URL directly. No HTTP intercept required.

That's the first modern alternative: DNS and DHCP signalling via CAPPORT, with a properly-signed portal served from a dedicated hostname.

The second alternative is Passpoint, based on IEEE 802.11u and the Wi-Fi Alliance's Hotspot 2.0 specification. Passpoint takes a fundamentally different approach. Instead of intercepting traffic, the access point advertises its identity and authentication requirements via ANQP — Access Network Query Protocol — before the device even associates. The device checks whether it has valid credentials for this network. If it does, it authenticates via 802.1X and WPA2 or WPA3 Enterprise, and gets full network access immediately. No portal, no redirect, no browser involvement at all.

Passpoint is the right answer for a specific set of deployments: multi-site operators, enterprise environments, healthcare, transport hubs, anywhere you have repeat users who benefit from zero-touch connectivity. Purple's SecurePass product line is built around this model, and for the right deployment profile it eliminates the captive portal problem entirely.

The third option, which sits between the two, is OWE — Opportunistic Wireless Encryption. OWE is defined in RFC 8110 and provides per-client encryption on open networks without requiring credentials. It doesn't replace the portal, but it removes the open-network security exposure that makes regulators nervous, particularly under GDPR and PCI DSS.

---

[IMPLEMENTATION RECOMMENDATIONS & PITFALLS — ~2 minutes]

Right, so what should you actually do? Let me give you the practical framework.

If you're running a captive portal today and it's working, your immediate priority is to implement CAPPORT. That means configuring DHCP option 114 on your controller to point to your portal API endpoint, implementing the RFC 8908 JSON API on your portal server, and ensuring your portal is served from a dedicated hostname with a valid CA-signed certificate. This will restore reliable portal detection on modern devices and eliminate the certificate error problem.

Do not — I repeat, do not — attempt to serve your portal from a hostname that appears on the HSTS preload list. And do not use a self-signed certificate. Both of these are instant failure modes.

The second thing to address is your walled garden configuration. Your DHCP server, your DNS resolver, and your portal hostname all need to be accessible before authentication. That includes the OS detection probe URLs: captive.apple.com for Apple devices, connectivitycheck.gstatic.com for Android, and msftconnecttest.com for Windows. If any of these are blocked pre-auth, the CNA won't fire and your users will be stuck.

For new deployments, particularly in hospitality and multi-site retail, I'd strongly recommend evaluating a hybrid architecture: a Passpoint SSID for repeat visitors and a CAPPORT-compliant portal SSID for first-time guests, with the portal offering Passpoint profile installation as part of the onboarding flow. This gives you the marketing touchpoint for new visitors while delivering zero-friction connectivity for returning ones.

The pitfall I see most often is operators who've invested in portal customisation and data collection treating Passpoint as a threat to their marketing stack. It isn't. Purple's platform, for example, supports progressive onboarding where the initial portal interaction captures consent and profile data, and then provisions a Passpoint credential for future visits. You get the first-party data on the first visit and the seamless experience on every subsequent one.

---

[RAPID-FIRE Q&A — ~1 minute]

Quick-fire questions I get asked constantly:

"Can I just use a self-signed cert for my portal?" No. Modern browsers and CNA implementations will reject it. You need a CA-signed certificate.

"Does CAPPORT work on all devices?" iOS 14+, Android 11+, Windows 11 — yes. Older devices fall back to legacy detection behaviour. Plan for both.

"Is Passpoint GDPR-compliant?" Yes, when implemented correctly. The credential provisioning step is where you capture consent. Purple handles this as part of the SecurePass onboarding flow.

"What about PCI DSS scope?" If your guest network carries any cardholder data, you need network segmentation regardless of portal type. Passpoint's WPA3-Enterprise encryption significantly reduces your attack surface and simplifies scope arguments with QSAs.

---

[SUMMARY & NEXT STEPS — ~1 minute]

To wrap up: the HTTP intercept pattern is broken by HSTS preloading and Chrome's move to HTTPS-first by default. The fix for existing deployments is CAPPORT — RFC 8910 plus RFC 8908 — with a properly-signed portal on a dedicated hostname. For new deployments or major refreshes, evaluate Passpoint, particularly if you have repeat-visitor traffic or compliance requirements that benefit from WPA3-Enterprise encryption.

The browser vendors have made their position clear. The question isn't whether to adapt — it's how fast.

If you want to dig into the specifics for your deployment, the Purple team can walk you through a CAPPORT readiness assessment and a Passpoint feasibility analysis. Links in the show notes.

Thanks for listening. See you next time.

---
END OF SCRIPT

Conclusiones clave

✓Legacy HTTP intercept captive portals are fundamentally broken by HSTS preloading and browser HTTPS-first policies.
✓Chrome 154 (October 2026) enforces HTTPS-first by default, eliminating unencrypted port 80 traffic for portal detection.
✓Network architects must immediately implement the CAPPORT API (RFC 8908/8910) to restore reliable OS-level portal detection.
✓Portals must be hosted on dedicated hostnames with valid CA-signed certificates; self-signed certs and preloaded domains will fail.
✓Passpoint (Hotspot 2.0) is the definitive replacement for portals in enterprise and multi-site environments, offering WPA3 security and zero-touch roaming.
✓A hybrid approach—using CAPPORT for initial data capture and provisioning a Passpoint profile for return visits—balances marketing needs with seamless UX.
✓Proper walled garden configuration, including allowlisting OS probe URLs, is critical for the Captive Network Assistant (CNA) to function.

Resumen Ejecutivo

El patrón de portal cautivo heredado —interceptar el tráfico HTTP y emitir una redirección 302— está obsoleto. Impulsado por HTTP Strict Transport Security (HSTS) y el reforzamiento agresivo de los navegadores, el mecanismo tradicional de 'intercepción y redirección' está fallando a gran escala en entornos de Hospitalidad , Comercio Minorista y empresariales. A partir de 2026, con Chrome aplicando el comportamiento HTTPS-first por defecto y la lista de precarga HSTS superando los 100,000 dominios, los controladores de red ya no pueden depender de las solicitudes HTTP no cifradas para activar la detección del portal.

Para los gerentes de TI y arquitectos de red, esto representa un cambio arquitectónico crítico. Mantener un acceso WiFi para Invitados sin interrupciones ahora requiere modernizar su flujo de incorporación. Esta guía detalla los mecanismos técnicos que están rompiendo los portales heredados y describe el camino de implementación neutral para el proveedor: desplegar la API CAPPORT (RFC 8908/8910) para una estabilidad inmediata, y migrar a Passpoint (Hotspot 2.0) y OpenRoaming para una conectividad segura y sin contacto.

Análisis Técnico Detallado: Por qué HSTS Rompe el Patrón de Intercepción

El portal cautivo tradicional se basa en una suposición fundamental: el dispositivo cliente realizará una solicitud HTTP no cifrada en el puerto 80 que el servidor de acceso a la red (NAS) o el controlador puede interceptar y redirigir a la página de inicio del portal.

Esta suposición ya no es válida.

El Problema de la Precarga HSTS

HTTP Strict Transport Security (HSTS), definido en RFC 6797, permite a un servidor web declarar que los navegadores web solo deben interactuar con él utilizando conexiones HTTPS seguras. Cuando un usuario intenta acceder a un dominio protegido por HSTS a través de HTTP, el navegador actualiza internamente la solicitud a HTTPS antes de que se envíe cualquier tráfico de red.

Debido a que la solicitud está cifrada, el controlador de red no puede inspeccionar el encabezado del host ni emitir una redirección HTTP 302. En su lugar, el controlador intercepta el tráfico HTTPS y presenta su propio certificado de portal. Dado que este certificado no coincide con el dominio solicitado (por ejemplo, google.com), el navegador arroja un error fatal NET::ERR_CERT_AUTHORITY_INVALID. El usuario es bloqueado y el portal nunca carga.

La lista de precarga HSTS exacerba este problema. Los navegadores codifican una lista de dominios a los que siempre se debe acceder a través de HTTPS, incluso en la primera visita. En 2026, esta lista incluye prácticamente todos los principales destinos de consumo. Cuando un invitado se conecta a su red y escribe una URL común, el navegador fuerza HTTPS, lo que activa el error de certificado y rompe el flujo del portal cautivo.

Reforzamiento del Navegador: Modo HTTPS-First

Más allá de HSTS, los proveedores de navegadores han reforzado sistemáticamente sus comportamientos predeterminados. A finales de 2025, Google anunció que Chrome 154 (lanzado en octubre de 2026) habilitaría "Usar siempre conexiones seguras" por defecto para todos los usuarios en sitios públicos. Safari y Firefox han implementado modos HTTPS-first similares.

Esto significa que, incluso para dominios que no están en la lista de precarga HSTS, el navegador intentará una conexión HTTPS primero. El patrón de intercepción HTTP está efectivamente obsoleto.

Alternativas Modernas: CAPPORT y Passpoint

Para restaurar la funcionalidad y mejorar la experiencia del usuario, los arquitectos de red deben hacer la transición a mecanismos modernos de detección de portales cautivos y marcos de autenticación.

1. La API CAPPORT (RFC 8908 y RFC 8910)

El Grupo de Trabajo de Ingeniería de Internet (IETF) abordó el problema de la detección de portales cautivos con la arquitectura CAPPORT. En lugar de depender del tráfico web interceptado, CAPPORT proporciona un mecanismo de señalización explícito.

RFC 8910 (Identificación de Portal Cautivo): La red utiliza DHCP (Opción 114) o Anuncios de Router IPv6 para proporcionar al dispositivo cliente la URI de la API del portal cautivo.
RFC 8908 (API de Portal Cautivo): El cliente consulta la URI proporcionada (un endpoint JSON) para determinar si está cautivo y para obtener la URL de la página del portal orientada al usuario.

Cuando se implementa, el sistema operativo cliente (iOS, Android, Windows) detecta el portal de forma nativa antes de que el usuario abra un navegador. El sistema operativo lanza su Asistente de Red Cautiva (CNA) y carga la URL del portal directamente a través de una conexión HTTPS segura. Esto elimina la necesidad de intercepción HTTP y evita errores de certificado.

2. Passpoint (Hotspot 2.0) y OpenRoaming

Para entornos con visitantes recurrentes o altos requisitos de seguridad, Passpoint (basado en IEEE 802.11u) es el reemplazo definitivo para el portal cautivo.

Passpoint opera en la capa MAC. Antes de asociarse con el Punto de Acceso (AP), el dispositivo cliente utiliza el Protocolo de Consulta de Red de Acceso (ANQP) para descubrir las capacidades de la red y los consorcios de roaming. Si el dispositivo posee una credencial coincidente (por ejemplo, un perfil instalado durante una visita anterior o a través de un proveedor de identidad), se autentica automáticamente utilizando 802.1X y WPA2/WPA3-Enterprise.

Este enfoque proporciona conectividad tipo celular, sin contacto. Cifra el tráfico por aire, mitigando los riesgos de redes abiertas y ataques de gemelo malvado. OpenRoaming, construido sobre Passpoint, extiende esto al federar proveedores de identidad, permitiendo a los usuarios moverse sin problemas entre diferentes ubicaciones. Cabe destacar que Purple actúa como un proveedor de identidad gratuito para servicios como OpenRoaming bajo la licencia Connect, facilitando una amplia adopción sin tarifas de licencia por usuario.

Guía de Implementación

Implementar una arquitectura de acceso para invitados resiliente requiere un enfoque por fases, pasando de la remediación inmediata a la transformación estratégica.

Fase 1: Estabilizar Portales Existentes con CAPPORT

Si debe mantener un Captive Portal tradicional para la captura de datos o WiFi Analytics , debe implementar CAPPORT para evitar la ruptura de HSTS.

Configurar la Opción DHCP 114: Actualice su servidor DHCP o controlador de red para difundir la Opción 114, apuntando al endpoint de la API de su portal (p. ej., https://portal.yourvenue.com/capport).
Implementar la API RFC 8908: Asegúrese de que su servidor de portal responda a la solicitud de la API con JSON válido que indique el estado cautivo y la URL de cara al usuario.
Usar un Nombre de Host Dedicado y Válido: El portal debe servirse a través de HTTPS utilizando un certificado válido firmado por una CA. Nunca utilice un certificado autofirmado o un nombre de host que esté en la lista de precarga HSTS.
Permitir Sondas del SO: Asegúrese de que las sondas de detección de Captive Portal a nivel del SO (p. ej., captive.apple.com, connectivitycheck.gstatic.com) estén permitidas a través del "walled garden" de preautenticación.

Fase 2: Implementar Passpoint para un Acceso Seguro y Sin Interrupciones

La transición a Passpoint mejora significativamente la seguridad y la experiencia del usuario, particularmente en implementaciones de Salud y Transporte .

Verificar el Soporte de Infraestructura: Asegúrese de que sus APs y controladores soporten Hotspot 2.0/Passpoint y autenticación 802.1X.
Configurar Perfiles ANQP: Defina el nombre del lugar, los OIs del consorcio de roaming y los reinos NAI en su controlador de red.
Establecer un Backend RADIUS/AAA: Implemente un servidor RADIUS capaz de manejar la autenticación EAP (p. ej., EAP-TLS, EAP-TTLS).
Implementar el Aprovisionamiento de Perfiles: Utilice un servidor de Registro en Línea (OSU) o integre con una plataforma como Purple SecurePass para aprovisionar perfiles Passpoint en los dispositivos de los usuarios.

Fase 3: El Modelo de Incorporación Progresiva Híbrido

Para lugares que requieren tanto acceso sin interrupciones como captura inicial de datos (p. ej., entornos minoristas que buscan impulsar la lealtad), un enfoque híbrido es óptimo.

Primera Visita: El usuario se conecta a un SSID abierto y es dirigido a un Captive Portal habilitado para CAPPORT. El portal captura los datos necesarios (p. ej., correo electrónico, aceptación de términos) y aprovisiona un perfil Passpoint en el dispositivo.
Visitas Posteriores: El dispositivo del usuario detecta automáticamente la red Passpoint a través de ANQP y se autentica sin problemas utilizando 802.1X. El Captive Portal se omite por completo.

Mejores Prácticas

Evite el Lenguaje de Marketing 'Sin Fricción': Concéntrese en la realidad técnica. Passpoint requiere una fricción de aprovisionamiento inicial para lograr una fluidez a largo plazo.
Segmentar el Tráfico de Invitados: Independientemente del método de autenticación, el tráfico de invitados debe separarse lógicamente de las redes corporativas utilizando VLANs y firewalls, en línea con Arquitectura de Internet de las Cosas: Una Guía Completa .
Monitorear la Caducidad de Certificados: Un certificado TLS caducado en su portal o servidor RADIUS causará fallos catastróficos de autenticación. Implemente la renovación y el monitoreo automatizados.
Cumplir con las Regulaciones de Privacidad de Datos: Asegúrese de que sus políticas de captura y retención de datos se alineen con las leyes locales. Para obtener orientación regional específica, consulte recursos como la LGPD de Brasil y WiFi para Invitados: Una Guía de Cumplimiento .

Solución de Problemas y Mitigación de Riesgos

Síntoma: Los dispositivos iOS muestran una pantalla CNA en blanco.
- Causa: La página del portal contiene recursos (imágenes, scripts) alojados en dominios externos que están bloqueados por el "walled garden".
- Solución: Aloje todos los activos esenciales del portal localmente o añada los dominios externos requeridos a la lista de permitidos de preautenticación.
Síntoma: Los dispositivos Android muestran una advertencia de certificado en lugar del portal.
- Causa: El controlador está interceptando el tráfico HTTPS a un dominio HSTS precargado, o el certificado TLS del portal es inválido/autofirmado.
- Solución: Implemente CAPPORT y asegúrese de que el portal utilice un certificado firmado por una CA en un nombre de host dedicado.
Síntoma: La instalación del perfil Passpoint falla en Windows 11.
- Causa: La cadena de certificados del servidor de aprovisionamiento está incompleta o no es de confianza para el SO.
- Solución: Verifique que la cadena de certificados completa (incluidas las CA intermedias) se sirva durante el handshake TLS.

ROI e Impacto Comercial

La transición de portales de intercepción HTTP heredados a arquitecturas modernas de CAPPORT y Passpoint ofrece un valor comercial medible:

Reducción de Tickets de Soporte: La eliminación de errores de certificado relacionados con HSTS reduce directamente el volumen del servicio de asistencia de TI en cuanto a problemas de conectividad de invitados.
Mayores Tasas de Conexión: La detección fiable del portal a nivel del SO garantiza que más invitados completen con éxito el flujo de incorporación, expandiendo su audiencia alcanzable para iniciativas de marketing.
Postura de Seguridad Mejorada: La transición a Passpoint y WPA3-Enterprise mitiga los riesgos asociados con las redes abiertas, protegiendo contra la escucha y los ataques de "evil twin", lo cual es crítico para el cumplimiento en sectores como finanzas y salud.
Mejora de la Experiencia del Usuario: El roaming sin contacto a través de Passpoint impulsa una mayor satisfacción del usuario y un compromiso repetido, apoyando iniciativas digitales más amplias como Sistema de Posicionamiento Interior: Guía UWB, BLE y WiFi y Su Guía para Soluciones Empresariales de Wi-Fi en el Coche .

Términos clave y definiciones

HSTS (HTTP Strict Transport Security)

A web security policy mechanism that forces web browsers to interact with domains only via secure HTTPS connections, preventing protocol downgrade attacks and HTTP interception.

When IT teams see an increase in certificate errors on guest networks, HSTS enforcement on popular domains is typically the root cause, breaking legacy redirect mechanisms.

HSTS Preload List

A hardcoded list built into modern web browsers containing domains that must always be accessed via HTTPS, even on the very first visit.

If a user attempts to navigate to a preloaded domain (like google.com) while behind a legacy captive portal, the browser will refuse the HTTP connection, preventing the portal redirect.

CAPPORT (Captive Portal Architecture)

An IETF standard (RFC 8908 and 8910) that uses DHCP or IPv6 Router Advertisements to explicitly signal the presence and URL of a captive portal to a client device.

Implementing CAPPORT is the primary remediation strategy for network architects to fix broken portal detection on modern iOS, Android, and Windows devices.

Passpoint (Hotspot 2.0)

A Wi-Fi Alliance specification based on IEEE 802.11u that enables devices to automatically discover and securely authenticate to Wi-Fi networks without user intervention.

Used in enterprise and multi-site deployments to replace captive portals entirely, providing cellular-like roaming and WPA3-Enterprise security.

ANQP (Access Network Query Protocol)

A layer 2 protocol used by client devices to query Access Points for network information (like roaming partners and supported authentication types) before associating.

ANQP is the discovery mechanism that allows a Passpoint-enabled device to determine if it has the correct credentials to join a specific network silently.

CNA (Captive Network Assistant)

The OS-level pseudo-browser that automatically opens when a device detects it is behind a captive portal, allowing the user to authenticate before gaining full internet access.

IT teams must ensure their walled garden allows access to the OS-specific probe URLs (e.g., captive.apple.com) so the CNA triggers correctly.

OpenRoaming

A global Wi-Fi roaming federation that allows users to connect automatically and securely across different venues using a single set of credentials provided by an identity provider.

Venues adopt OpenRoaming to provide seamless access for guests, leveraging identity providers like Purple to manage authentication without complex bilateral agreements.

Walled Garden

A restricted network environment where unauthenticated users can only access a specific set of pre-approved IP addresses or domains necessary for the login process.

Misconfigured walled gardens that block OS detection probes or external portal assets are a leading cause of blank screens and failed guest onboarding.

Casos de éxito

A 400-room enterprise hotel is experiencing a 30% drop in successful guest WiFi connections. Users report seeing 'Your connection is not private' (NET::ERR_CERT_AUTHORITY_INVALID) errors on their smartphones when trying to access the network. The hotel currently uses a legacy open SSID that intercepts port 80 traffic to redirect to a branded splash page.

The IT team must immediately implement the CAPPORT API (RFC 8908/8910). First, configure the network controller's DHCP server to broadcast Option 114, providing the URI of the captive portal API. Second, deploy the RFC 8908 JSON endpoint on the portal server. Third, ensure the portal is hosted on a dedicated subdomain (e.g., wifi.hoteldomain.com) with a valid, CA-signed TLS certificate. Finally, verify that OS detection URLs (like captive.apple.com) are allowed pre-authentication.

Notas de implementación: This approach directly addresses the HSTS breakage by utilizing out-of-band signalling (DHCP) to inform the OS of the portal's location, rather than relying on intercepting encrypted web traffic. It restores the native Captive Network Assistant (CNA) experience without triggering browser certificate warnings.

A large retail chain with 500 locations wants to implement seamless WiFi roaming for their loyalty app users, eliminating the need for customers to interact with a captive portal on every visit, while still maintaining high security standards (WPA3).

The architect should deploy a Passpoint (Hotspot 2.0) architecture. The initial onboarding can occur via the retailer's loyalty app, which provisions a Passpoint profile (credential) to the user's device. The APs across all 500 locations must be configured to broadcast the appropriate ANQP roaming consortium OIs. A centralized RADIUS infrastructure will handle the 802.1X EAP authentication when the device automatically associates with the network.

Notas de implementación: Passpoint is the correct solution for multi-site roaming and high security. By moving authentication to the MAC layer (802.1X) and utilizing WPA3-Enterprise, the network avoids the vulnerabilities of open SSIDs and the UX friction of repeated captive portal logins.

Análisis de escenarios

Q1. Your organisation is deploying a new guest WiFi network across 50 regional offices. Security policy mandates that all wireless traffic must be encrypted over the air, but the marketing team insists on capturing user email addresses upon first connection. Which architecture should you propose?

💡 Sugerencia:Consider how to balance the requirement for initial data capture with the mandate for over-the-air encryption.

Mostrar enfoque recomendado

Propose a hybrid progressive onboarding architecture. First-time users connect to an open SSID and are directed to a CAPPORT-enabled captive portal to provide their email address. Upon submission, the portal provisions a Passpoint profile to the device. The device then automatically transitions to a secure, WPA3-Enterprise encrypted Passpoint SSID for all subsequent traffic and future visits. This satisfies marketing's data capture requirement while enforcing security policy for the vast majority of network usage.

Q2. A client complains that their newly designed, highly customized captive portal page is displaying a blank white screen on all modern iOS devices, although it works perfectly on older Android phones. The portal relies heavily on external web fonts and a third-party analytics script.

💡 Sugerencia:Think about how the iOS Captive Network Assistant (CNA) interacts with external resources before the device is fully authenticated.

Mostrar enfoque recomendado

The issue is a misconfigured walled garden. The iOS CNA is attempting to render the portal page, but the external domains hosting the web fonts and analytics scripts are blocked by the network controller pre-authentication. Because these resources cannot load, the CNA stalls and displays a blank screen. The solution is to either host all required assets locally on the portal server or add the specific external domains (FQDNs) to the controller's pre-authentication allowlist.

Q3. During a network audit, you discover that the legacy captive portal is intercepting traffic and serving a self-signed certificate. You are tasked with upgrading the system to use the CAPPORT API. What specific certificate requirements must be met for the new portal server?

💡 Sugerencia:Consider how modern browsers and OS CNAs handle certificate validation during the captive portal detection phase.

Mostrar enfoque recomendado

The new portal server must be accessed via a dedicated Fully Qualified Domain Name (FQDN) that is NOT on the HSTS preload list. Furthermore, it must use a valid TLS certificate issued by a publicly trusted Certificate Authority (CA). Self-signed certificates will be rejected by the OS CNA and modern browsers, preventing the portal from loading and halting the onboarding process.