Hotspots

On the Wireless Protection > Hotspots pages you can manage access with the captive portal system. The Hotspot feature allows cafés, hotels, companies, etc. to provide time- and traffic-restricted Internet access to guests. The feature is available within the wireless subscription, but also works with wired networks.

Note – Technically, the Hotspot feature serves to restrict traffic that is, in principle, already allowed by the firewall. You therefore have to ensure that a firewall rule exists which allows the traffic to be managed via the hotspots. It is recommended to test the traffic with the hotspot feature disabled before enabling the hotspots.

Sophos UTM intercepts HTTP traffic and redirects users to a predefined page, the so-called hotspot or captive portal. There, users have to use one of the configured authentication methods before they can access the allowed networks, e.g. the Internet. HTTPS and other traffic is neither intercepted nor redirected to the hotspot.

Before a device in a hotspot network can receive or send traffic to other devices, it has to authenticate. Otherwise the UTM will drop the traffic.

Note – If the Hotspot feature is used in combination with an active-active cluster setup, the respective traffic cannot be distributed between master and workers. All traffic from and to the hotspot interfaces will be directed through the master.

Hotspot Generation

In a first step, you create and enable a hotspot with a specific type of access. The following types are available:

Distribution of Access Information to Guests

With the types Password of the day and Voucher, the access information has to be handed out to the guests. Therefore you can define users who are allowed to manage and distribute access information. Those users receive and distribute the access information via the Hotspot tab of the User Portal:

Legal Information

In many countries, operating a public wireless LAN is subject to specific national laws, restricting access to websites of legally questionable content (e.g., file sharing sites, extremist websites, etc.). To meet this requirement, you can combine the hotspot with the web protection capabilities of Sophos UTM, which allow you to control web access by blocking and allowing everything from an entire website category type to a single URL. Sophos UTM gives you complete control over what is allowed to be accessed, by whom, and when. That way you can put the hotspot under heavy restrictions, if national or corporate policies require you to do so.

Using the built-in HTTP proxy of Sophos UTM also gives you advanced logging and reporting capabilities. The reporting will show who visited what site, when, and how many times, allowing you to identify inappropriate usage in case you want to operate a hotspot without any access restrictions.

In addition to that, legal regulations may require you to register your hotspot with the national regulatory body.
