On the Wireless Protection > Hotspots pages you can manage access with the captive portal system. The Hotspot feature allows cafés, hotels, companies, etc. to provide time- and traffic-restricted Internet access to guests. The feature is available within the wireless subscription, but also works with wired networks.
Note – Technically, the Hotspot feature serves to restrict traffic which is basically allowed by the firewall. Therefore you have to ensure that a firewall rule exists which allows the traffic to be managed via the hotspots. It is recommended to test the traffic with the hotspot feature disabled before enabling the hotspots.
Sophos UTM intercepts HTTP traffic and redirects users to a predefined page, the so-called hotspot or captive portal. There, users have to use one of the configured authentication methods before they can access the allowed networks, e.g. the Internet. HTTPS and other traffic is not intercepted and redirected to the hotspot.
Before a device in a hotspot network can receive or send traffic to other devices, it has to authenticate. Otherwise the UTM will drop the traffic.
Note – If the Hotspot feature is used in combination with an active-active cluster setup, the respective traffic cannot be distributed between master and workers. All traffic from and to the hotspot interfaces will be directed through the master.
In a first step, you create and enable a hotspot with a specific type of access. The following types are available:
- Password of the day: The guest has to enter a password to get access. The password changes on a daily basis.
- Voucher: The guest gets a voucher and has to enter the voucher code to get access. The voucher can be limited in the number of devices, in time, and traffic.
Distribution of Access Information to Guests
With the types Password of the day and Voucher, the access information has to be handed out to the guests. Therefore you can define users who are allowed to manage and distribute access information. Those users receive and distribute the access information via the Hotspot tab of the User Portal:
- Password of the day: The current password can be sent via email and the users find the password in the User Portal. The users forward the password to the guests. They can generate or enter a new password. Hereby, the former password automatically becomes invalid and active sessions will be terminated. Potential other users will be informed of the new password, either by email or via the User Portal, depending on what is configured for them.
- Voucher: In the User Portal, users have the possibility to create vouchers, each with a unique code. Different types of vouchers can be available if specified by an administrator. The vouchers can be printed or exported and given to the guests. A list of created vouchers gives an overview about their usage and helps to manage them.
In many countries, operating a public wireless LAN is subject to specific national laws, restricting access to websites of legally questionable content (e.g., file sharing sites, extremist websites, etc.). To meet this requirement, you can combine the hotspot with the web protection capabilities of Sophos UTM, which allow you to control web access by blocking and allowing everything from an entire website category type to a single URL. Sophos UTM gives you complete control over what is allowed to be accessed, by whom, and when. That way you can put the hotspot under heavy restrictions, if national or corporate policies require you to do so.
Using the built-in HTTP proxy of Sophos UTM also gives you advanced logging and reporting capabilities. The reporting will show who visited what site, when, and how many times, allowing you to identify inappropriate usage in case you want to operate a hotspot without any access restrictions.
In addition to that, legal regulations may require you to register your hotspot at the national's regulatory body.