Choosing Your Authentication Method

IronWifi supports multiple authentication methods, each designed for different use cases, security requirements, and user experiences. Most deployments combine two or more methods — for example, WPA2-Enterprise for employees and a captive portal for guests.

This guide helps you understand the options and choose the right approach before configuring your access points.

Comparison Overview

Method | Best For | Security Level | User Experience
--- | --- | --- | ---
Captive Portal | Guest networks, retail, hospitality | Medium | Splash page login
WPA2/WPA3-Enterprise | Employee networks, education | High | Transparent 802.1X
Passpoint / Hotspot 2.0 | Public venues, carriers, roaming | High | Automatic, no interaction
MAC Authentication | IoT devices, printers | Low | Automatic, device-based

Choosing the right method

Start with your primary use case. If you need guest access, begin with a captive portal. If you need secure employee access, start with WPA2/WPA3-Enterprise. You can always add more methods later.

Captive Portal

A captive portal presents users with a splash page when they connect to your WiFi. Users must complete an authentication step — such as entering an email, logging in with a social account, or entering a voucher code — before gaining internet access.

When to use

  • Guest WiFi in hotels, restaurants, retail stores, and public venues
  • Visitor networks where you need to collect user information
  • Paid WiFi access with payment gateway integration
  • Marketing-driven networks that capture leads or display promotions

What it provides

  • Social login — Google, Facebook, LinkedIn, Instagram, Apple, Twitter
  • SMS verification — Via Twilio, Clickatell, or other providers
  • Email registration — Self-service guest sign-up
  • Voucher codes — Pre-generated access codes for controlled distribution
  • Payment gateways — Stripe, PayPal, Braintree, Square, Authorize.net
  • Customizable splash pages — Brand your portal with logos, colors, and custom HTML

How it works

  1. User connects to an open or pre-shared-key SSID
  2. The access point redirects the user to IronWifi's captive portal
  3. User completes the authentication step (login, voucher, payment, etc.)
  4. IronWifi authorizes the session and the user gains internet access

WPA2/WPA3-Enterprise

WPA2/WPA3-Enterprise (also called 802.1X) authenticates each user individually with their own credentials or certificate. The authentication happens transparently at the network level — users enter their credentials once on their device, and subsequent connections are automatic.

When to use

  • Corporate and employee WiFi networks
  • Education networks (campus, staff, student)
  • Any environment requiring individual user accountability
  • Networks where you need to assign per-user or per-group policies (VLANs, bandwidth)

Authentication protocols

IronWifi supports three EAP (Extensible Authentication Protocol) methods:

Protocol | Credentials | Security | Best For
--- | --- | --- | ---
EAP-PEAP | Username + password | High | Most deployments; works on all platforms
EAP-TLS | Client certificate | Highest | Zero-trust environments; managed devices
TTLS-PAP | Username + password | High | Legacy systems; specific IdP integrations

  • EAP-PEAP (MSCHAPv2) is the most common choice. It works on Windows, macOS, iOS, Android, Chromebook, and Linux without additional software.
  • EAP-TLS provides the highest security by using client certificates instead of passwords. It requires an MDM or manual certificate deployment.
  • TTLS-PAP is useful when integrating with identity providers that require plaintext password verification (e.g., Azure AD with certain configurations).

How it works

  1. User's device discovers the SSID and initiates an 802.1X connection
  2. The access point forwards the authentication request to IronWifi's RADIUS server
  3. IronWifi verifies the user's credentials or certificate
  4. On success, IronWifi sends back authorization attributes (VLAN, bandwidth, session timeout)
  5. The access point grants the user access with the assigned policies
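Steps 2 to 4 of this exchange are easiest to see at the byte level. The following is an added example, not IronWifi's code: it builds the RADIUS Access-Accept a server returns with a VLAN assignment and session timeout (Session-Timeout from RFC 2865, the tagged Tunnel-* attributes from RFC 2868), and shows the check the access point must run before applying any of those attributes, recomputing the Response Authenticator from the Request Authenticator it originally sent and the shared secret. The shared secret, request identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2868)
ACCESS_ACCEPT = 2
ATTR_SESSION_TIMEOUT = 27
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"
HEADER_LEN = 20                # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged(tag: int, body: bytes) -> bytes:
    """RFC 2868 tagged value: a one-byte tag (0x01-0x1F) that groups the Tunnel-* attributes."""
    return bytes([tag]) + body


def build_access_accept(request_id: int, request_authenticator: bytes, secret: bytes,
                        vlan_id: int, session_timeout: int) -> bytes:
    """Server side: an Access-Accept carrying a VLAN assignment and a session timeout."""
    attrs = (
        _attr(ATTR_TUNNEL_TYPE, _tagged(1, TUNNEL_TYPE_VLAN.to_bytes(3, "big")))
        + _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged(1, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")))
        + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, _tagged(1, str(vlan_id).encode()))
        + _attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, request_id, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """Access point side: accept the reply only if it was produced with the shared secret
    in answer to our own request (identified by the Request Authenticator we sent).
    A real client also matches the Identifier byte against the outstanding request."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def _split_tag(value: bytes):
    """A tag byte is present when the first byte is <= 0x1F (RFC 2868)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def parse_authorization(packet: bytes) -> dict:
    """Walk the attribute TLVs of an already-verified Access-Accept and extract the policy."""
    policy = {}
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute length")  # never read past the buffer
        value = packet[offset + 2:offset + attr_len]
        offset += attr_len
        if attr_type == ATTR_SESSION_TIMEOUT and len(value) == 4:
            policy["session_timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_TUNNEL_TYPE:
            policy["tunnel_type"] = int.from_bytes(_split_tag(value)[1], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            policy["tunnel_medium_type"] = int.from_bytes(_split_tag(value)[1], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            policy["vlan"] = _split_tag(value)[1].decode()
    return policy


if __name__ == "__main__":
    # Constructed values: a real access point draws a fresh random Request Authenticator per request.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    reply = build_access_accept(7, request_auth, secret, vlan_id=20, session_timeout=3600)
    if verify_response_authenticator(reply, request_auth, secret):
        print(parse_authorization(reply))
```

The check in verify_response_authenticator is what makes the returned VLAN trustworthy: without the shared secret nobody can produce an Access-Accept whose authenticator matches, so the access point drops it and applies no policy. EAP traffic additionally requires the Message-Authenticator attribute (HMAC-MD5 over the packet, RFC 3579), which this example does not include.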

Passpoint / Hotspot 2.0

Passpoint (also known as Hotspot 2.0 or Wi-Fi Certified Passpoint) enables devices to automatically discover and connect to WiFi networks without user interaction. It uses the same 802.1X security as WPA2-Enterprise but adds automatic network discovery and selection.

When to use

  • Public venues (airports, stadiums, convention centers)
  • Carrier WiFi offload
  • OpenRoaming deployments for seamless roaming across venues
  • Any scenario where users should connect automatically without a splash page or manual configuration

Key benefits

  • No user interaction — Devices connect automatically based on pre-provisioned profiles
  • Seamless roaming — Users move between Passpoint-enabled venues without reauthenticating
  • Carrier-grade security — WPA2/WPA3-Enterprise encryption on every connection
  • OpenRoaming compatibility — Participate in the global OpenRoaming federation for cross-venue roaming

How it works

  1. The access point broadcasts Passpoint capability via ANQP (Access Network Query Protocol)
  2. The user's device checks its stored profiles for a matching network
  3. If a match is found, the device connects automatically using 802.1X
  4. IronWifi authenticates the user via RADIUS and applies policies

MAC Authentication

MAC authentication (also called MAC Authentication Bypass or MAB) identifies devices by their hardware MAC address instead of user credentials. IronWifi checks the device's MAC address against a list of known devices and grants or denies access based on the result.

When to use

  • IoT devices (sensors, smart displays, building automation)
  • Printers, scanners, and other headless devices
  • Network equipment that cannot perform 802.1X authentication
  • Devices without a keyboard or user interface

Limitations

  • Low security — MAC addresses can be spoofed; do not rely on MAB as a sole security mechanism
  • No user identity — Authentication is device-based, not user-based
  • Manual management — Each device's MAC address must be registered in IronWifi
  • No encryption negotiation — MAB does not establish per-device encryption keys like 802.1X does

Tip

Use MAC authentication alongside WPA2-Enterprise on the same network. Configure your access point to attempt 802.1X first and fall back to MAB for devices that do not support it.

How it works

  1. Device connects to the SSID
  2. The access point sends the device's MAC address as the username and password to IronWifi
  3. IronWifi checks the MAC address against registered devices
  4. If the MAC address is found, IronWifi authorizes the device and returns any configured policies

Combining Methods

Most real-world deployments use multiple authentication methods on separate SSIDs:

SSID | Method | Audience
--- | --- | ---
Corp-WiFi | WPA2-Enterprise (EAP-PEAP) | Employees
Guest-WiFi | Captive Portal | Visitors and guests
IoT-Devices | MAC Authentication | Printers, sensors, displays

Each SSID points to a separate Network in IronWifi with its own RADIUS settings, user groups, and policies. This lets you enforce different bandwidth limits, VLAN assignments, and session timeouts for each audience.

For venues with Passpoint, you can add a fourth SSID that broadcasts Passpoint capability alongside your existing SSIDs, enabling automatic roaming for compatible devices.
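Steps 2 to 4 of MAC authentication above, together with the per-SSID separation this section describes, reduce to one authorization decision on the RADIUS server. The following is an added example, not IronWifi's code: it normalizes the MAC the access point sends as User-Name, selects the network from the SSID carried in Called-Station-Id (assuming the common "<AP-MAC>:<SSID>" format most access points use), refuses a MAC login on SSIDs reserved for 802.1X or the captive portal, and looks the device up in a registry. The registry, SSID names and request attributes are constructed values.

```python
import re
from typing import Optional

# Constructed registry for the IoT-Devices SSID, keyed by normalized MAC address.
DEVICE_REGISTRY = {
    "aa:bb:cc:00:11:22": {"name": "lobby-printer", "vlan": "30", "bandwidth_kbps": 2000},
    "aa:bb:cc:00:11:33": {"name": "hvac-sensor", "vlan": "31", "bandwidth_kbps": 256},
}

# Constructed SSID -> network mapping mirroring the table above; each SSID allows one method.
NETWORKS = {
    "Corp-WiFi": {"method": "802.1x"},
    "Guest-WiFi": {"method": "captive-portal"},
    "IoT-Devices": {"method": "mab"},
}

# Assumption: Called-Station-Id looks like "DE-AD-BE-EF-00-01:Guest-WiFi" (AP MAC, colon, SSID).
_CALLED_STATION = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}:(.+)$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonical lower-case colon form. Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff and aabbccddeeff; returns None for anything else."""
    if not re.fullmatch(r"[0-9A-Fa-f.:-]*", raw):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ssid_from_called_station_id(called_station_id: str) -> Optional[str]:
    """Extract the SSID the client associated to; None if the attribute is not in the expected form."""
    m = _CALLED_STATION.match(called_station_id)
    return m.group(1) if m else None


def authorize_mab(request: dict) -> dict:
    """Decide a MAB Access-Request. `request` maps RADIUS attribute names to string values."""
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id", ""))
    network = NETWORKS.get(ssid)
    if network is None:
        return {"result": "reject", "reason": "unknown SSID"}
    if network["method"] != "mab":
        # A MAC-as-password login is never honoured on an SSID meant for 802.1X or portal users.
        return {"result": "reject", "reason": f"MAB not enabled on {ssid}"}
    mac = normalize_mac(request.get("User-Name", ""))
    calling = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac != calling:
        # Sanity check only: it catches malformed requests and misconfigured access points.
        # A device presenting a registered MAC passes it, which is why MAB stays low security.
        return {"result": "reject", "reason": "User-Name is not the calling station MAC"}
    device = DEVICE_REGISTRY.get(mac)
    if device is None:
        return {"result": "reject", "reason": "unregistered device"}
    return {"result": "accept", "device": device["name"], "vlan": device["vlan"],
            "bandwidth_kbps": device["bandwidth_kbps"]}


if __name__ == "__main__":
    # Constructed request: the access point sends the MAC as User-Name in its own notation.
    print(authorize_mab({"User-Name": "AABB.CC00.1122",
                         "Calling-Station-Id": "AA-BB-CC-00-11-22",
                         "Called-Station-Id": "DE-AD-BE-EF-00-01:IoT-Devices"}))
```

Normalizing before lookup matters because access points from different vendors send the same MAC in different notations; without it a registered printer is rejected on one AP model and accepted on another. The per-SSID method check is the server-side counterpart of the page's advice to keep employee, guest and IoT traffic on separate Networks: a device that knows a printer's MAC still lands only on the IoT VLAN with the IoT bandwidth cap.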

Next Steps