Captive Portals

Key Takeaways

IronWiFi captive portals are fully cloud-hosted -- no on-premises portal server required. You configure your access points to redirect users to IronWiFi's splash page URL.
Supported authentication methods include email, social login (Google, Facebook, LinkedIn, Apple), SMS verification, voucher codes, username/password, SAML SSO, and payment gateways (Stripe, PayPal).
The walled garden (pre-authorization access list) must include
```
107.178.250.42/32
```
on every controller; without it, the splash page will not load.
MAC-based authentication allows returning users to auto-connect without seeing the splash page again, improving repeat visitor experience.
Captive portals comply with GDPR requirements through configurable consent checkboxes, privacy policy links, and automatic account expiration tied to data retention policies.

A captive portal is a web page that is automatically displayed to users when they connect to a WiFi network, requiring them to complete an authentication step -- such as entering an email address, logging in with a social account, entering a voucher code, or making a payment -- before they are granted internet access. Captive portals are the standard method for controlling guest WiFi access in hotels, cafes, airports, and offices.

IronWiFi hosts and manages your captive portal in the cloud, with full customization of splash page design and authentication methods.

Quick Start

Navigate to Captive Portals > Add Captive Portal
Enter a name and select your network
Choose your vendor (access point brand)
Enable authentication providers (email, social login, etc.)
Copy the Splash Page URL to your controller
Configure the Walled Garden on your controller
Test by connecting to the WiFi network

How Captive Portals Work

┌──────────────┐
│ User Device  │
└──────┬───────┘
       ▼
┌──────────────┐
│ Access Point │
└──────┬───────┘
       ▼
┌──────────────┐
│   Redirect   │
│  to Splash   │
└──────┬───────┘
       ▼
┌──────────────┐
│    Splash    │
│     Page     │
└──────┬───────┘
       ▼
┌──────────────┐
│     Auth     │ (Google, Email, SMS, voucher, etc.)
│   Provider   │
└──────┬───────┘
       ▼
┌──────────────┐
│   IronWiFi   │
│    RADIUS    │
└──────┬───────┘
       │ Accept
       ▼
┌──────────────┐
│   Internet   │
│    Access    │
└──────────────┘

Creating a Captive Portal

Navigate to Captive Portals
Click Add Captive Portal
Configure the settings described below
Click Save

Basic Settings

Setting	Description
Name	Give your Captive Portal a descriptive name
Description	Optional description for your reference
Network	The network this portal belongs to (uses that network's RADIUS servers)
Vendor	Brand of your Access Points or Controller

Authentication Settings

Splash Page URL

This is the URL where your splash page is hosted. Configure this URL in your Controller settings as the External Captive Portal.

tip

The Splash Page URL is displayed in your Captive Portal settings after creation.

On Success Redirect

Define where users go after successful authentication:

Option	Description
Initially Requested URL	Return to the page they were trying to visit
Success Page	Show a custom success page
External URL	Redirect to a specific URL (include protocol, e.g., `https://www.example.com` )

Language

Select the language for internal error and notice messages.

Authentication Providers

Configure which authentication methods are available on your splash page:

Email - Users enter their email address
Social Login - Google, Facebook, LinkedIn, Twitter, Apple
SMS - Phone verification via text message
Vouchers - Pre-generated access codes
Username/Password - Traditional login
SAML - Enterprise single sign-on
Payment - Pay for access via Stripe, Braintree, PayPal

See Authentication Providers for detailed configuration.

Portal Pages

Customize the pages users see during authentication:

Splash Page - Initial landing page
Success Page - Shown after successful authentication
Error Page - Displayed when authentication fails
Terms Page - Terms and conditions

See Portal Pages for customization options.

Advanced Features

File Library

Upload and manage static files for your portal pages:

Logos and images
Custom CSS stylesheets
JavaScript files

Reference uploaded files using relative paths:

<img src="./logo.png" alt="Company Logo">
<link type="text/css" href="custom.css" />

Cloud CDN

Enable Google Cloud CDN for faster loading of static files. This adds caching headers to improve performance globally.

Client Analytics

Collect detailed visitor information:

Screen resolution
Operating system
Browser and version
Installed fonts
Device type

Data is available in Reports.

MAC-Based Authentication

Allow returning users to auto-authenticate based on their device's MAC address:

MAC address is extracted from the URL
If the device was previously authenticated, access is granted automatically
Users can manage authorized devices in their profile
Administrators can deauthorize devices in the Console

note

If you delete a user, their MAC address associations are also deleted.

Purchase Confirmation

Enable to automatically send confirmation emails after successful access purchases.

Security Settings

IP Address Whitelist

Restrict access to the captive portal by IP range:

127.0.0.1, 10.0.2.0/24, 192.168.1.0/24

Leave empty for public access.

Webhook URL

Receive POST notifications after every successful authentication. The webhook sends a JSON payload containing user details, authentication provider, and device information.

See the REST API documentation for webhook integration details and code examples.

Controller Configuration

Your Captive Portal settings page displays information needed for controller configuration:

SAML Settings (if enabled)

Setting	Description
SAML ACS URL	Assertion Consumer URL for your Identity Provider
SAML Logout URL	Optional logout URL for IdP configuration
Entity Id	Globally unique name for this SAML entity

RADIUS Servers

IP addresses, ports, and shared secrets for Primary and Backup servers (same as Network settings).

Walled Garden

List of IP addresses and domains to add to your controller's pre-authorization access list. See Walled Garden Guide.

important

All visitors need access to the Splash Page URL, hosted at

107.178.250.42/32

Guest Manager

Configure how temporary user accounts are created during captive portal authentication.

Auto-Registration Settings

Setting	Description
Auto-create users	Automatically create user accounts when guests authenticate
Default group	Assign new users to a specific group with predefined policies
Username format	Use email, phone number, or generate unique ID
Password policy	Auto-generate or allow user-defined passwords

Account Policies

Setting	Description	Recommended
Account Expiration	How long until account is deleted	30-90 days
Session Duration	Max time per login session	24 hours
Max Sessions	Concurrent device limit	3-5 devices
Re-authentication	Require login after period	7 days

Data Privacy

For GDPR and privacy compliance, see the GDPR Compliance guide. Key settings include consent checkboxes, privacy policy links, data retention periods, and support for data export and deletion requests.

tip

Set account expiration to match your data retention policy to automatically comply with privacy regulations.

Session Management

Session Timeout

Setting	Description
Session Timeout	Maximum session duration (e.g., 24 hours)
Idle Timeout	Disconnect after inactivity (e.g., 30 minutes)
Session Limit	Maximum concurrent sessions per user

Bandwidth Limits

Setting	Description
Download Limit	Maximum download speed (Mbps)
Upload Limit	Maximum upload speed (Mbps)
Data Cap	Maximum data transfer per session

Troubleshooting

For common captive portal issues, see the Troubleshooting guide.

Quick checks:

Splash page not loading - Verify
```
107.178.250.42/32
```
is in your Walled Garden and check the controller captive portal URL
Authentication failing - Check IronWiFi Console logs, verify provider credentials, and ensure required domains are in the Walled Garden
Users not redirected - Verify captive portal is enabled on the controller and the client is on the correct VLAN/SSID
Social login not working - Verify OAuth app credentials and ensure social provider domains are in the Walled Garden

FAQ

How do I customize the splash page design?

See Portal Pages for customization options including the visual editor and HTML/CSS editing.

Can I use my own domain for the splash page?

Yes, contact IronWiFi support to configure a custom domain with SSL certificate.

How do I require terms acceptance?

Enable the Terms page in Portal Pages and configure the checkbox requirement in your splash page settings.

Can users authenticate on multiple devices?

Yes, configure the session limit in Guest Manager settings. Users can also manage their authorized devices.

How do I set up paid WiFi access?

Enable a payment provider (Stripe, Braintree) in Authentication Providers and configure access plans with pricing.

When to Use a Captive Portal

Captive portals are the right choice when you need to authenticate users who do not have pre-configured credentials on their devices. Based on deployment experience across thousands of IronWiFi networks, the following guidelines help determine the best approach.

Use a captive portal when

Guest or visitor WiFi -- Visitors at hotels, cafes, airports, retail stores, and offices need a self-service way to get online without pre-shared passwords.
Data collection is required -- You need to capture email addresses, phone numbers, or marketing consent before granting access.
Multiple authentication options -- You want to offer social login, email, SMS, vouchers, and payment options on a single splash page.
Terms of service acceptance -- Legal or compliance requirements mandate that users agree to an acceptable use policy before accessing the network.
Temporary or time-limited access -- You need session timeouts, data caps, or automatic account expiration for transient users.

Use WPA2/WPA3-Enterprise instead when

Employee or corporate WiFi -- Staff with managed devices should use 802.1X (PEAP-MSCHAPv2 or EAP-TLS) for seamless, passwordless authentication without splash pages.
Security is the primary concern -- WPA2/WPA3-Enterprise provides per-user encryption keys and mutual authentication, which captive portals on open SSIDs cannot match.
Seamless roaming is critical -- Captive portals require browser interaction, which interrupts the connection experience. Enterprise 802.1X authentication happens at the network layer and supports fast roaming (802.11r/k/v).
IoT or headless devices -- Devices without browsers (printers, sensors, cameras) cannot interact with splash pages. Use MAC authentication or 802.1X instead.

Deployment Scenario

Many organizations deploy both: a WPA2-Enterprise SSID for employees (authenticating via IronWiFi with credentials synced from Microsoft Entra ID or Google Workspace) and a separate open SSID with a captive portal for guests. IronWiFi manages both from a single console.

Controller Configuration Guides

For vendor-specific setup instructions, see the Configuration Guides.

Was this page helpful?

Quick Start​

How Captive Portals Work​

Creating a Captive Portal​

Basic Settings​

Authentication Settings​

Splash Page URL​

On Success Redirect​

Language​

Authentication Providers​

Portal Pages​

Advanced Features​

File Library​

Cloud CDN​

Client Analytics​

MAC-Based Authentication​

Purchase Confirmation​

Security Settings​

IP Address Whitelist​

Webhook URL​

Controller Configuration​

SAML Settings (if enabled)​

RADIUS Servers​

Walled Garden​

Guest Manager​

Auto-Registration Settings​

Account Policies​

Data Privacy​

Session Management​

Session Timeout​

Bandwidth Limits​

Troubleshooting​

FAQ​

How do I customize the splash page design?​

Can I use my own domain for the splash page?​

How do I require terms acceptance?​

Can users authenticate on multiple devices?​

How do I set up paid WiFi access?​

When to Use a Captive Portal​

Use a captive portal when​

Use WPA2/WPA3-Enterprise instead when​

Controller Configuration Guides​

Related Topics​