Quick Start: Guest WiFi with Captive Portal
Set up a guest WiFi network with a captive portal splash page using IronWiFi. Visitors authenticate through email, social login, vouchers, or SMS before gaining internet access. This guide gets you running in under 30 minutes.
What You'll Build
Guest WiFi authentication flow:
- Guest connects to your open (or WPA2-PSK) SSID
- Guest opens a browser and is redirected to the IronWiFi captive portal splash page
- Guest authenticates (email, social login, voucher code, SMS, etc.)
- IronWiFi authorizes the guest and grants internet access with configured limits
Prerequisites
- An IronWiFi account (register here)
- Access points that support captive portal redirect (most enterprise APs)
- Administrative access to your network equipment
- Internet connectivity from the access points to IronWiFi
Step 1: Create a Network (~2 min)
- Log in to the IronWiFi Console
- Navigate to Networks
- Click Create Network
- Select a Region closest to your access points
- Click Save
Note your RADIUS server details (IPs, ports, shared secret) for later.
Step 2: Create a Captive Portal (~5 min)
- Navigate to Captive Portals
- Click Add Captive Portal
- Configure the basic settings:
| Setting | Value |
|---|---|
| Name | Descriptive name (e.g., "Lobby Guest WiFi") |
| Network | Select the Network you created in Step 1 |
| Access Point Vendor | Select your AP vendor (Meraki, UniFi, Aruba, etc.) |
- Click Save
After creation, note:
- Splash Page URL -- The URL guests will be redirected to
- Walled Garden entries -- IPs/domains that must be accessible before authentication
Choose authentication methods
In the captive portal settings, enable the authentication methods guests will use:
| Method | Best For | Configuration |
|---|---|---|
| General guest access | Enable email field on splash page | |
| Social Login | Easy sign-in for visitors | Enable Google, Facebook, LinkedIn, etc. |
| Voucher | Hotels, cafes, events | Pre-generate voucher codes |
| SMS | Phone-verified access | Enable SMS verification (requires SMS provider) |
| Click-through | Minimal friction, no data capture | Enable terms acceptance only |
You can enable multiple methods simultaneously. Guests choose their preferred option on the splash page.
For hotels and events, vouchers give you the most control -- you set the duration, bandwidth, and number of uses per voucher. For offices with frequent visitors, email or social login provides a smooth experience. See Vouchers for detailed voucher management.
Step 3: Customize the Splash Page (~5 min)
Brand the splash page to match your organization:
- In the Captive Portal settings, go to the Design tab
- Customize:
- Logo -- Upload your company or venue logo
- Background -- Set a background color or image
- Welcome message -- Greeting text for guests
- Terms of service -- Link or inline text for your acceptable use policy
- Colors -- Match your brand colors
- Click Save
- Preview the splash page using the preview link
For advanced customization, see Portal Pages.
Step 4: Configure Guest Access Policies (~3 min)
Control what guests can do after authentication by creating a Group with appropriate limits.
- Navigate to Users > Groups
- Click Add Group
- Name:
Guest Access - Add reply attributes:
- Click Save
Common guest policies
| Scenario | Session Timeout | Bandwidth Down | Bandwidth Up |
|---|---|---|---|
| Cafe (quick visit) | 1800 (30 min) | 5 Mbps | 2 Mbps |
| Hotel (all-day) | 86400 (24 hrs) | 10 Mbps | 5 Mbps |
| Conference | 28800 (8 hrs) | 20 Mbps | 10 Mbps |
| Lobby (brief access) | 900 (15 min) | 2 Mbps | 1 Mbps |
See Groups and Attributes for all available policy options.
Step 5: Configure Your Access Points (~10 min)
Configure your access points to redirect guests to the IronWiFi captive portal.
General AP configuration
Create a guest SSID with these settings:
| Setting | Value |
|---|---|
| SSID Name | Your guest network name (e.g., |
| Security | Open (no password) or WPA2-PSK with a simple shared password |
| RADIUS Server | Primary RADIUS IP from your Network settings |
| RADIUS Port | Authentication port from your Network settings |
| Shared Secret | Shared secret from your Network settings |
| Captive Portal | Enabled, pointing to IronWiFi splash page URL |
Walled garden configuration
The walled garden allows guests to reach the captive portal before authentication. Add these entries to your AP's walled garden (sometimes called "pre-auth access list"):
If you enabled social login, also add the provider domains:
Missing walled garden entries are the most common cause of captive portal issues. If the splash page does not load or social login buttons fail, the walled garden is the first thing to check.
Vendor-specific setup
Find detailed configuration guides for your hardware:
- Cisco Meraki -- Configure splash page under Wireless > Access Control
- Ubiquiti UniFi -- Set guest portal under Settings > Guest Control
- Aruba / HPE -- Configure captive portal profile
- MikroTik -- Set hotspot configuration
- Ruckus -- Configure WLAN guest access
See the complete list of Configuration Guides for your specific vendor.
Step 6: Test the Guest Experience (~5 min)
Test the full flow
- Connect a device to the guest SSID
- Open a browser (try if the redirect does not trigger automatically)
http://neverssl.com - The IronWiFi splash page should appear
- Authenticate using one of the configured methods
- After authentication, verify internet access
Verify in the IronWiFi Console
- Navigate to Reports > Authentication -- Confirm the guest authentication appears
- Navigate to Reports > Sessions -- Confirm an active session is created
- Check that bandwidth limits are applied (try a speed test)
Test each authentication method
| Method | Test |
|---|---|
| Enter a test email and verify access is granted | |
| Social login | Sign in with Google/Facebook and verify access |
| Voucher | Generate a test voucher, enter the code, and verify access |
| SMS | Enter a phone number, receive the code, and verify access |
| Click-through | Accept terms and verify access |
Test session expiry
- Set a short session timeout (e.g., 300 seconds / 5 minutes) on the test group
- Authenticate a guest device
- Wait for the session to expire
- Verify the guest is redirected back to the splash page
Voucher Management
Vouchers are ideal for controlled guest access. Generate them in bulk and distribute to guests.
Generate voucher batch
- Navigate to Users > Vouchers
- Click Generate Batch
- Configure:
- Quantity -- Number of vouchers (e.g., 100)
- Validity -- How long each voucher is usable after first use
- Max Usage -- Number of times a voucher can be used (1 for single-use)
- Click Generate
- Export the voucher list as CSV for printing
Printing vouchers
Export vouchers to CSV and use a template to print individual voucher cards with:
- The voucher code
- Network name (SSID)
- Instructions for connecting
- Duration/limits
For detailed voucher management, see the Vouchers guide.
Data Collection and Analytics
Guest WiFi data helps you understand visitor patterns:
- Email addresses -- Build your marketing list (with consent)
- Visit frequency -- Track returning visitors
- Session duration -- Understand guest engagement
- Peak times -- Staff and plan resources accordingly
IronWiFi can integrate with marketing platforms to forward guest data. See Google Analytics for captive portal analytics.
Ensure your guest WiFi data collection complies with local privacy regulations (GDPR, CCPA, etc.). Include a clear privacy policy on your splash page and obtain consent before collecting personal data. See GDPR Compliance for guidance.
Next Steps
After your guest WiFi is running:
- Accept payments -- Payment integration for paid WiFi access
- Customize further -- Portal Pages for advanced splash page design
- Track analytics -- Google Analytics integration for visitor insights
- Set up monitoring -- Monitoring and Alerting for captive portal health
- Manage vouchers -- Vouchers for batch generation and tracking
- Deploy at scale -- Venues for multi-location management
Troubleshooting
| Problem | Solution |
|---|---|
| Splash page does not load | Check walled garden entries. Ensure |
| Social login fails | Add social provider domains to the walled garden (see Step 5). |
| Redirect does not trigger | Try |
| Guest gets "Access Denied" | Check the captive portal is linked to the correct Network. Verify RADIUS settings on the AP. |
| Voucher code rejected | Verify the voucher is not expired or already at max usage. Check in Users > Vouchers. |
| Slow internet after auth | Check bandwidth limits in the Group. Verify the guest is assigned to the correct Group. |
For more solutions, see the Troubleshooting Guide.
Related Topics
- Quick Start Guide -- General IronWiFi setup overview
- Quick Start: WPA2/WPA3-Enterprise -- Enterprise WiFi deployment
- Captive Portals -- Complete captive portal reference
- Vouchers -- Voucher management
- Configuration Guides -- Vendor-specific AP setup
- GDPR Compliance -- Privacy compliance for guest data
Was this page helpful?