Skip to main content
Log in

EAP-SH: An EAP Authentication Protocol to Integrate Captive Portals in the 802.1X Security Architecture

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript


In a scenario where hotspot wireless networks are increasingly being used, and given the amount of sensitive information exchanged on Internet interactions, there is the need to implement security mechanisms that guarantee data confidentiality and integrity in such networks, as well as the authenticity of the hotspot providers. However, many hotspots today use Captive Portals, which rely on authentication through Web pages (thus, an application-level authentication approach) instead of a link-layer approach. The consequence of this is that there is no security in the wireless link to the hotspot (it has to be provided at upper protocol layers), and is cumbersome to manage wireless access profiles (we need special applications or browsers’ add-ons to do that). This work exposes the weaknesses of the Captive Portals’ paradigm, which does not follow a unique nor standard approach, and describes a solution that intends to suppress them, based on the 802.1X architecture. It relies on EAP-SH (extended authentication protocol for secure hotspots), a new EAP-compliant protocol that is able to integrate a Web-based registration or authentication with a Captive Portal within the 802.1X authentication framework. This work describes its design, implementation and prototype evaluation.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others


  1. Internet Assigned Numbers Authority,







  1. LAN/MAN Standards Committee of the IEEE Computer Society. Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, amendment 6: Medium access control (MAC) security enhancements. IEEE Std 802.11i, July 2004.

  2. LAN/MAN Standards Committee of the IEEE Computer Society. Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, amendment 4: Protected management frames. IEEE Std 802.11w, July 2009.

  3. LAN/MAN Standards Committee of the IEEE Computer Society. IEEE Standard for local and metropolitan area networks: Port-based network access control. IEEE Std 802.1X-2010, February 2010.

  4. Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004). Extensible authentication protocol (EAP). RFC 3748 (Proposed Standard), June 2004.

  5. Dantu, R., Clothier, G., & Atri, A. (2007). EAP methods for wireless networks. Computer Standards & Interfaces, 29(3), 289–301.

    Article  Google Scholar 

  6. Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2017–2022. Cisco White Paper, February 2019. Retrieved from

  7. Captive portal and the new security paradigm: Options for handling redirection problems caused by certificate mismatches. Nomadix. (2013). Retrieved from

  8. wififreak. Captive portals. IETF HTTP Working Group Wiki, February 2016. Retrieved from

  9. Captive portal and HSTS difficulties. WirelessPhreak, May 2017. Retrieved from

  10. Kindberg, T. (2008). Measuring trust in Wi-Fi hotspots. In Proceedings of the 2008 conference on human factors in computing systems (CHI 2008) (pp. 173–182). Florence, Italy.

  11. Klasnja, P., Consolvo, S., Jung, J., Greenstein, B. M., LeGrand, L., Powledge, P., & Wetherall, D. (2009). “When I am on Wi-Fi, i am fearless”: Privacy concerns & practices in everyday Wi-Fi use. In Proceedings of the 2009 conference on human factors in computing systems (CHI 2009) (pp. 1993–2002). Boston, MA, USA.

  12. Consolvo, S., Jung, J., Greenstein, B., Powledge, P., Maganis, G. & Avrahami, D. (2010). The Wi-Fi privacy ticker: Improving awareness & control of personal information exposure on Wi-Fi. In Proceedings of the 12th ACM international conference on ubiquitous computing (UbiComp ’10) (pp. 321–330). Copenhagen, Denmark.

  13. The future of hotspots: Making Wi-Fi as secure and easy to use as cellular. Cisco White Paper (2011). Retrieved from

  14. Seigneur, J.-M. (2015). Wi-trust: Improving Wi-Fi hotspots trustworthiness with computational trust management. In 2015 ITU kaleidoscope: Trust in the information society (K-2015) (pp. 1–6). Barcelona, Spain.

  15. Sombatruang, N., Angela Sasse, M., & Baddeley, M. (2016). Why do people use unsecure public Wi-Fi?: An investigation of behaviour and factors driving decisions. In Proceedings of the 6th workshop on socio-technical aspects in security and trust (STAST ’16) (pp. 61–72). Los Angeles, California.

  16. Sombatruang, N., Onwuzurike, L., Angela Sasse, M., & Baddeley, M. (2019). factors influencing users to use unsecured Wi-Fi networks: Evidence in the wild. In Proceedings of the 12th conference on security and privacy in wireless and mobile networks (WiSec ’19) (pp. 203–213). Miami, Florida, USA.

  17. Stakenburg, D., & Crampton, J. (2013). Underexposed risks of public Wi-Fi hotspots. Retrieved from

  18. Duhn, J. E. (2015). Are public Wi-Fi hotspots a security risk? Security risks of using public Wi-Fi explained. Computerworld UK, August 2015. Retrieved from

  19. 10 steps to staying secure on public Wi-Fi. WeLiveSecurity, September 2015. Retrieved from

  20. Rivera, D. (2017). Are captive portals a security challenge? Intraway, May 2017. Retrieved from

  21. Rescorla, E. (2018). The transport layer security (TLS) protocol version 1.3. RFC 8446 (proposed standard), August 2018.

  22. Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote authentication dial in user service (RADIUS). RFC 2865 (draft standard), June 2000.

  23. Simon, D., Aboba, B., & Hurst, R. (2008). The EAP-TLS authentication protocol. RFC 5216 (proposed standard), March 2008.

  24. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., & Polk, W. (2008). Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280 (proposed standard), updated by RFC 6818, May 2008.

  25. Prytuluk, M. (2017). Two new security categories: DNS tunneling VPN and potentially harmful. Cisco Umbrella, November 2017. Retrieved from

  26. Nussbaum, L., Neyron, P., & Richard, O. (2009). On robust covert channels inside DNS. In D. Gritzalis & J. Lopez (Eds.), Emerging challenges for security, privacy and trust (pp. 51–62). Berlin: Springer.

    Chapter  Google Scholar 

  27. Xia, H., & Brustoloni, J. (2004). Detecting and blocking unauthorized access in Wi-Fi networks. In Proceedings of the third IFIP-TC6 international conference on research in networking (Networking 2004), May 2004, Athens, Greece.

  28. Abu-Nimeh, S., & Nair, S. (2008). Bypassing security toolbars and phishing filters via DNS poisoning. In IEEE global telecommunications conference (IEEE GLOBECOM 2008), November 2008, New Orleans, LA, USA.

  29. Dabrowski, A., Merzdovnik, G., Kommenda, N., & Weippl, E. (2016). Browser history stealing with captive Wi-Fi portals. In IEEE security and privacy workshops (SPW 2016) (pp. 234–240), May 2016, San Jose, CA, USA.

  30. i Sprint. (2000). AccessMatrix UAM: Common security platform for enterprise applications. Retrieved from

  31. Nottingham, M., & Fielding, R. (2012). Additional HTTP status codes. RFC 6585 (proposed standard), April 2012.

  32. Frankel, S., & Krishnan, S. (2011). IP security (IPsec) and internet key exchange (IKE) document roadmap. RFC 6071 (informational), February 2011.

  33. Godber, A., & Dasgupta, P. (2002). Secure wireless gateway. In Proceedings of 1st ACM workshop on wireless security (Wise ’02) (pp. 41–46), Atlanta, GA, USA.

  34. Choi, J., Chang, S. Y., Ko, D., & Hu Y. C. (2011). Secure MAC-layer protocol for captive portals in wireless hotspots. In 2011 IEEE international conference on communications (ICC) (pp. 1–5). IEEE.

  35. Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In Advances in cryptology: CRYPTO ’84 (LNCS 196) (vol. 84, pp. 47–53). Springer.

  36. Wi-Fi Alliance. (2016). Hotspot 2.0 (release 2) technical specification.

  37. LAN/MAN Standards Committee of the IEEE Computer Society. Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, amendment 9: Interworking with external networks. IEEE Std 802.11u, February 2011.

  38. Ferreira, A., Huynen, J.-L., Koenig, V., & Lenzini, G. (2014). Socio-technical security analysis of wireless hotspots. In Proceedings of the international conference on human aspects of information security, privacy, and trust (pp. 306–317). Los Angeles, CA, USA.

  39. Aruba Networks. (2012). Apple captive network assistant bypass with Amigopod, version 1.0. Retrieved from

  40. Kumari, W., Gudmundsson, O., Ebersman, P., & Sheng, S. (2015). Captive-portal identification using DHCP or router advertisements (RAs). RFC 7710 (proposed standard), December 2015.

  41. Thurston, R. (2010). WISPr 2.0 boosts roaming between 3G and Wi-Fi. ZDNet, June 2010. Retrieved from

  42. Tan, T. K., & Bing, B. (2003). Wi-Fi hotspots. The world wide Wi-Fi: Technological trends and business strategies (pp. 75–95). Hoboken: Wiley.

    Chapter  Google Scholar 

  43. Brunato, M., & Severina, D. (2005). WilmaGate: A new open access gateway for hotspot management. In Proceedings of the 3rd ACM international workshop on wireless mobile applications and services on WLAN hotspots (WMASH ’05) (pp. 56–64). Cologne, Germany.

  44. Matos, A., Romão, D., & Trezentos, P. (2012). Secure hotspot authentication through a near field communication side-channel. In IEEE 8th international conference on wireless and mobile computing, networking and communications (WiMob), October 2012 (pp. 807–814).

  45. Want, R. (2011). Near field communication. IEEE Pervasive Computing, 10(3), 4–7.

    Article  Google Scholar 

  46. Aruba Networks. (2018). WPA3 and enhanced open: Next generation Wi-Fi security. White Paper. Retrieved from

  47. Harkins, D., & Kumari, W. (2017). Opportunistic wireless encryption. RFC 8110 (informational), March 2017.

  48. Palekar, A., Simon, D., Salowey, J., Zhou, H., Zorn, G., & Josefsson, S. (2004). Protected EAP protocol (PEAP) version 2. Internet draft draft-josefsson-pppext-eap-tls-eap-10, October 2004. Retrieved from

  49. Schaad, J. (2005). Internet X.509 public key infrastructure certificate request message format (CRMF). RFC 4211 (proposed standard), September 2005.

  50. Saint-Andre, P., Crocker, D., & Nottingham, M. (2012). Deprecating the “X-” prefix and similar constructs in application protocols. RFC 6648 (best current practice), June 2012.

  51. Martin, J., Mayberry, T., Donahue, C., Foppe, L., Brown, L., Riggins, C., Rye, E. C., & Brown, D. (2017). A study of MAC address randomization in mobile devices and when it fails. arXiv:1703.02874.

  52. Moriarty, K., Kaliski, B., Jonsson, J., & Rusch, A. (2016). PKCS #1: RSA cryptography specifications version 2.2. RFC 8017 (informational), November 2016.

  53. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., & Adams, C. (2013). X.509 internet public key infrastructure online certificate status protocol—OCSP. RFC 6960 (proposed standard), June 2013.

  54. Eastlake, D., 3rd. (2011). Transport layer security (TLS) extensions: Extension definitions. RFC 6066 (proposed standard), January 2011.

  55. Funk, P., & Blake-Wilson, S. (2008). Extensible authentication protocol tunneled transport layer security authenticated protocol version 0 (EAP-TTLSv0). RFC 5281 (informational), August 2008.

  56. Krawczyk, H., Bellare, M., & Canetti, R. (1997). HMAC: Keyed-hashing for message authentication. RFC 2104 (informational). Updated by RFC 6151, February 1997.

  57. Eastlake, D., 3rd., & Jones, P. (2001). US secure hash algorithm 1 (SHA1). RFC 3174 (informational), September 2001. Updated by RFCs 4634, 6234.

Download references


This work was partially funded by FCT (Foundation for Science and Technology), in the context of the Projects UID/CEC/00127/2013, UID/CEC/00127/2019 and UIDB/00127/2020. This work was also partially funded by FCT/MCTES through national funds and when applicable co-funded EU funds under the project UIDB/50008/2020-UIDP/50008/2020.

Author information

Authors and Affiliations


Corresponding author

Correspondence to André Zúquete.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Marques, N., Zúquete, A. & Barraca, J.P. EAP-SH: An EAP Authentication Protocol to Integrate Captive Portals in the 802.1X Security Architecture. Wireless Pers Commun 113, 1891–1915 (2020).

Download citation

  • Published:

  • Issue Date:

  • DOI: