Skip to main content
Skip to main content

MSP and Multi-Tenant Management Guide

Overview

IronWiFi provides purpose-built multi-tenant capabilities for Managed Service Providers (MSPs), IT consultancies, and organizations managing WiFi across multiple locations or clients. Each tenant operates in complete isolation with independent users, networks, policies, and branding, all managed from a single pane of glass.

This guide covers tenant lifecycle management, white-label branding, billing delegation, and security isolation best practices.

Multi-Tenant Architecture

How Tenants Work

Each tenant has:

  • Dedicated RADIUS configuration with unique shared secrets
  • Isolated user database with no cross-tenant visibility
  • Independent captive portals with custom branding
  • Separate reporting and analytics
  • Individual policy sets for access control

Tenant Isolation Model

IronWiFi enforces strict tenant isolation at every layer:

LayerIsolation
AuthenticationEach tenant has unique RADIUS server settings and shared secrets
User DataUsers, groups, and credentials are scoped to a single tenant
Network ConfigurationNetworks, SSIDs, and VLANs are tenant-specific
Captive PortalsPortal pages, branding, and social login are per-tenant
Logs and AnalyticsAuthentication logs and session data are tenant-scoped
API AccessAPI tokens are bound to a specific tenant
note

Tenant isolation is enforced at the platform level. There is no configuration that can expose one tenant's data to another.

Setting Up Multi-Tenant Management

Creating Your MSP Account

  1. Log in to the IronWiFi Console
  2. Contact IronWiFi sales to enable multi-tenant features on your account
  3. Once enabled, navigate to Account > Tenants

Creating a New Tenant

  1. Navigate to Account > Tenants
  2. Click Create Tenant
  3. Enter the tenant details:
FieldDescription
NameClient or organization name
DescriptionOptional notes about the deployment
Contact EmailPrimary contact for this tenant
RegionGeographic region for RADIUS servers (choose closest to APs)
  1. Click Save

The tenant is immediately provisioned with its own isolated environment.

Switching Between Tenants

As an MSP administrator, you can switch between tenants without logging out:

  1. Click the tenant selector in the top navigation bar
  2. Select the target tenant from the dropdown
  3. The console reloads with that tenant's data and configuration

All actions you perform after switching apply only to the selected tenant.

Tenant Configuration

Network Setup per Tenant

Each tenant needs at least one Network for RADIUS authentication:

  1. Switch to the target tenant
  2. Navigate to Networks > Create Network
  3. Select the appropriate region
  4. Record the RADIUS server IPs, ports, and shared secret
  5. Configure the client's access points with these settings

See Networks for detailed configuration steps.

tip

Create a standardized naming convention across tenants, such as 

ClientName-Location-SSID
, to make multi-tenant management easier.

User Management per Tenant

Users are always scoped to a specific tenant. To manage users:

  1. Switch to the target tenant
  2. Navigate to Users
  3. Create users, groups, and organizational units as needed

See Users and Groups for detailed instructions.

Delegated Administration

Grant tenant-level access to your clients so they can manage their own users:

  1. Switch to the target tenant
  2. Navigate to Account > Team Members
  3. Click Invite Member
  4. Enter the client administrator's email
  5. Select the appropriate role:
RolePermissions
ViewerRead-only access to configuration and logs
OperatorManage users, vouchers, and view logs
AdministratorFull tenant configuration access

See Team Members for more details on roles.

warning

Delegated administrators can only see and manage their own tenant. They cannot access the MSP management layer or other tenants.

White-Label Branding

Captive Portal Customization

Customize the captive portal for each tenant to match the client's brand:

  1. Switch to the target tenant
  2. Navigate to Captive Portals > select or create a portal
  3. Open the Design tab
  4. Configure branding elements:
ElementDescription
LogoUpload client's logo (recommended: 200x60 px, PNG/SVG)
Background ImageFull-screen background for the splash page
Primary ColorBrand color for buttons and accents
Custom CSSAdvanced styling overrides
Terms of ServiceClient-specific acceptable use policy
Success MessagePost-authentication message

Custom Domain for Captive Portal

For a fully branded experience, configure a custom domain for the captive portal:

  1. Choose a subdomain (e.g., 
    wifi.clientdomain.com
    )
  2. Create a CNAME DNS record pointing to the IronWiFi portal endpoint
  3. Contact IronWiFi support to enable SSL for the custom domain
  4. Update the captive portal settings with the custom domain

Email Notification Branding

Customize automated emails sent to tenant users:

  1. Navigate to the tenant's Captive Portals > Email Templates
  2. Customize the sender name, subject, and body
  3. Add client branding (logo, colors, footer)

This applies to:

  • Voucher delivery emails
  • Sponsored access approval emails
  • Password reset notifications

Billing and Subscription Management

Understanding MSP Billing

IronWiFi MSP accounts use a consolidated billing model:

  • Single invoice for all tenants
  • Per-tenant usage tracking for internal cost allocation
  • Volume discounts based on total users across all tenants

Tracking Per-Tenant Usage

Monitor usage across your tenant portfolio:

  1. Navigate to Account > Usage
  2. View aggregated or per-tenant breakdowns:
MetricDescription
Active UsersUnique users who authenticated in the billing period
Authentication RequestsTotal RADIUS auth requests processed
NetworksNumber of active networks
Captive PortalsNumber of configured portals

Cost Allocation

To allocate costs to individual clients:

  1. Export the per-tenant usage report from Account > Usage > Export
  2. Use the exported data to calculate each tenant's share
  3. Apply your markup and generate client invoices
tip

Set up monthly usage alerts per tenant to proactively manage costs and identify unusual spikes in authentication volume.

Security Best Practices

Tenant Isolation Verification

Regularly verify that tenant isolation is working correctly:

  1. Credential Testing -- Confirm that credentials from Tenant A cannot authenticate on Tenant B's network
  2. Portal Isolation -- Verify each tenant's captive portal shows only their branding
  3. Log Separation -- Check that authentication logs only show events for the current tenant
  4. API Scoping -- Confirm API tokens return data only for the associated tenant

Shared Secret Management

Each tenant should have unique, strong shared secrets:

  • Use at least 16 characters with mixed case, numbers, and symbols
  • Rotate shared secrets on a regular schedule (quarterly recommended)
  • Never reuse shared secrets across tenants
  • Store secrets securely (use a password manager)

Access Control for MSP Staff

Implement least-privilege access for your MSP team:

  1. Create individual accounts for each MSP team member (no shared accounts)
  2. Assign roles based on job function
  3. Review access quarterly and remove unused accounts
  4. Enable two-factor authentication for all MSP accounts

Audit Logging

Monitor administrative actions across all tenants:

  1. Navigate to Account > Audit Log
  2. Review changes made by MSP administrators
  3. Filter by tenant, user, or action type
  4. Export logs for compliance documentation

Onboarding a New Tenant

Follow this checklist when onboarding a new client:

Pre-Deployment

  • Gather client requirements (number of users, locations, SSIDs)
  • Determine authentication method (captive portal, WPA2-Enterprise, MAC auth)
  • Collect branding assets (logo, colors, terms of service)
  • Plan network architecture (VLANs, bandwidth policies, session limits)

Provisioning

  • Create the tenant in the MSP console
  • Create the Network and record RADIUS settings
  • Configure captive portal with client branding
  • Set up user groups with appropriate policies
  • Create initial user accounts or configure external authentication
  • Configure RADIUS attributes for bandwidth and session control

Testing

  • Test authentication with the client's access points
  • Verify captive portal displays correctly with client branding
  • Test all configured authentication methods
  • Verify VLAN assignment and bandwidth limits
  • Confirm accounting data flows correctly

Handoff

  • Create delegated admin account for the client
  • Provide documentation with RADIUS settings and portal URLs
  • Train client administrators on user management
  • Set up monitoring alerts for the tenant

Offboarding a Tenant

When a client contract ends:

  1. Export Data -- Download all tenant data (users, logs, configuration) for records
  2. Disable Authentication -- Disable all networks to stop accepting new authentications
  3. Notify Users -- Inform end users about the service termination date
  4. Remove Configuration -- After the grace period, delete the tenant's access points' RADIUS configuration
  5. Delete Tenant -- Remove the tenant from your MSP account
  6. Update Billing -- Confirm the tenant is no longer counted in your billing
warning

Deleting a tenant permanently removes all associated data including users, logs, and configuration. Export any needed data before deletion.

Scaling Your MSP Practice

Template-Based Deployment

Create standardized configurations to speed up new tenant deployments:

  1. Document your standard group policies (bandwidth tiers, session limits)
  2. Create reusable captive portal templates
  3. Standardize VLAN numbering schemes
  4. Build deployment runbooks for common AP vendors

Monitoring Across Tenants

Maintain visibility across your entire tenant portfolio:

  • Service Monitor -- Configure health checks for each tenant's critical networks. See Service Monitor.
  • Alerts -- Set up email alerts for authentication failures, server unreachable events, and certificate expiration
  • Regular Reviews -- Schedule monthly reviews of each tenant's usage patterns and security posture

API-Driven Management

Automate repetitive tasks across tenants using the IronWiFi API:

See the REST API documentation for complete documentation.

Troubleshooting Multi-Tenant Issues

Tenant Switching Not Working

  • Clear browser cache and cookies
  • Ensure your MSP account has multi-tenant features enabled
  • Verify you have the correct role on the target tenant

Client Cannot Access Their Tenant

  • Confirm the invitation email was sent and accepted
  • Verify the delegated admin role is correctly assigned
  • Check that two-factor authentication is properly configured

RADIUS Settings Conflict Between Tenants

  • Each tenant must use its own Network with unique RADIUS settings
  • Shared secrets must be unique per tenant
  • Verify the client's APs are configured with the correct tenant's RADIUS settings
  • Networks -- Creating and managing RADIUS network configurations
  • Team Members -- Managing administrative access
  • Captive Portals -- Portal customization and branding
  • Groups -- User group policies and attributes
  • REST API -- Automating management tasks

Was this page helpful?