DIY Wi-Fi Authorization: How to Set It Up Yourself

Setting up an access point with authorization isn't just a technical whim, but a necessary step to ensure security and traffic control in offices, hotels, or public spaces. Many business owners believe that creating a login page with a username and password requires purchasing expensive server equipment or hiring a team of programmers. However, modern technologies make it possible. Wi-Fi authorization by one person, using standard equipment and free software.

The essence of the process comes down to intercepting user requests and redirecting them to a special web portal known as Captive PortalThis portal is what requests credentials or prompts you to accept the network's terms of use. Configuring this system yourself gives you complete control over who connects to your infrastructure and allows you to collect visitor statistics. This is the foundation for building a scalable and secure wireless network.

In this guide, we'll walk you through every step of creating an authorization system from scratch, from hardware selection to interface configuration. You'll learn how to turn a regular router into a smart access point, which software solutions are the most effective, and how to avoid common security mistakes. Mikrotik And Ubiquiti — this is just the tip of the iceberg, as the basic operating principles are applicable to many platforms.

Selection of hardware and software platform

The first step toward creating your own authentication system is choosing the right hardware. Not every home router is capable of fully supporting this feature. Captive Portal or HotspotBudget models typically limit their functionality to basic security settings, such as WPA2-PSK, which is insufficient for public networks with authentication. You'll need a device that supports external databases or has a powerful built-in user management mechanism.

The most popular and affordable solution in the professional equipment segment for small businesses are considered to be devices from the company MikroTikTheir operating system RouterOS provides incredibly flexible tools for setting up hotspots, including the ability to create custom login pages and integrate with external servers. Access points from Ubiquiti UniFi, which offer a more user-friendly interface but require a controller to manage users.

⚠️ Important: When choosing a router, pay attention to the amount of RAM. If you plan to store a database of thousands of users locally on the device, the minimum RAM should be 256 MB; otherwise, the system will run slowly or freeze under peak loads.

It's also important to consider the device's processor bandwidth. The authorization process, especially if it uses encryption or complex scripts on the login page, requires computing resources. If you plan to serve more than 50 concurrent users, consider a dedicated server for Radius authentication, leaving the router to handle traffic forwarding only.

📊 What equipment do you plan to use for setup?
MikroTik
Ubiquiti
OpenWRT router
A ready-made solution from the provider

Basic network and DHCP server setup

Before implementing complex authorization mechanisms, it is necessary to ensure the stable operation of the underlying network infrastructure. Correct configuration DHCP servers This is critically important because it assigns IP addresses to connecting devices before they log in. A hotspot configuration typically uses two address pools: one for unauthorized users (walled garden) and one for those who have already been authenticated.

Configure DHCP so that unauthorized clients receive an address from a separate subnet. This will allow you to easily filter traffic and redirect requests to the login page. In most systems, this is done by creating a separate pool of IP addresses with a short lease time, such as 5-10 minutes. A short lease time helps release addresses more quickly if users connect for short periods.

Be sure to configure DNS servers for the guest network. Unauthorized users are often blocked from accessing all external resources except those on the "whitelist." DNS must be working even before authorization so that the browser can open the login page. If the DNS isn't configured correctly, users will see a "No internet connection" error instead of the password entry form.

Test the network without authorization by connecting a test device. Ensure that the IP address, subnet mask, and default gateway are assigned correctly. Only after a basic connection is established and the ping to the gateway is stable can you begin implementing traffic redirection mechanisms.

Setting up the Captive Portal and Login Page

The heart of the entire system is the authorization page that the user sees upon connecting. In professional terminology, this is called Captive PortalConfiguring this component requires an understanding of how the router processes HTTP requests. All requests to ports 80 and 443 should be intercepted and redirected to the router's internal web server or external authentication server.

The appearance of the login page is a matter of design and usability. The page should be lightweight so it loads quickly even with a weak signal. Avoid using heavy graphics or complex JavaScript, which can be blocked by antivirus software on client devices. A simple form with username and password fields or a "Login via social media" button, if the appropriate integration is configured, is sufficient.

To implement functionality, HTML markup language is often used in conjunction with router variables. For example, in MikroTik variable $(link-login-only) specifies the address where the form data should be sent. It is important to write this attribute correctly. action in the form tag, otherwise the data won't go anywhere. The form code usually looks like a standard POST request to the router's internal handler.

⚠️ Note: Modern browsers (Chrome, Safari) may block the login page from displaying if it is not secured with an SSL certificate, marking the connection as "Not secure." It is recommended to use a self-signed certificate or a valid SSL certificate for the login page domain.

An example of a simple HTML form for MikroTik

This code creates a minimalistic form that sends data to the router for processing.

Creating a user base and managing access

Once the redirection mechanism is working, it's necessary to create a user database. In simple scenarios, you can use the router's local database, creating accounts manually through the interface or importing CSV files. However, for scalable solutions, it's better to use an external one. RADIUS server, which allows you to centrally manage access, keep logs, and set up tariff plans.

When creating users, it's important to configure profile parameters. A profile determines the speed a client will receive, the amount of traffic they will have, and the session duration. For example, you can create a "Free_30min" profile with a speed limit of 2 Mbps and a "Premium_Full" profile with no restrictions. The flexibility of profile settings allows you to monetize access or simply regulate bandwidth usage.

Active sessions are also managed through the control panel. The administrator should be able to see in real time who is connected, how much traffic is consumed, and, if necessary, forcefully terminate connections or block specific MAC addresses. This is especially useful for detecting suspicious activity or violating network rules.

☑️ User Base Preparation Checklist

Completed: 0 / 4

Special scripts or built-in generator functions are often used to generate one-time passwords (vouchers). This is ideal for cafes or hotels, where guests are given a receipt with a unique code. The system automatically creates a user, activates them for a set period, and deletes or deactivates them after the expiration date.

Authentication Method Comparison Table

The choice of authorization method depends on your goals and technical expertise. Below is a comparison of the main approaches you can implement yourself.

Authorization method Difficulty of setup Security Cost of implementation
Local database (User Manager) Average High Low (equipment only)
External RADIUS server High Very high Medium (requires server)
Voucher system (Vouchers) Low Average Low
Social networks (OAuth) High Medium (API dependent) High (development/service)

As the table shows, a local user base is the golden mean for small businesses. It doesn't require a separate server, but provides sufficient functionality for accounting and control. External RADIUS makes sense when the number of users numbers in the hundreds or integration with accounting systems is required.

Walled Garden and whitelisting

A critical element of hotspot setup is Walled Garden (Walled Garden). This is a list of domain names and IP addresses that users are allowed to access. to Authorization. Without proper Walled Garden configuration, the login page may simply fail to load, as the browser will attempt to navigate via the secure HTTPS protocol, but the router will block the request.

It is essential to add operating system domains to the whitelist (for example, apple.com, msftconnecttest.com, google.com) so that devices can correctly detect the presence of the portal and open it automatically. It also includes the domains of your login page, if it's hosted externally, and any necessary resources (e.g., logos, fonts).

Setting up a Walled Garden RouterOS or similar systems is accomplished by adding rules to the IP Hotspot Walled Garden. Wildcard masks can be used, for example, *.google.comto cover all subdomains. However, be careful: an overly broad whitelist can create a security hole, allowing payment or registration bypasses.

⚠️ Note: The HTTPS protocol encrypts the request content, so the router doesn't see the full URL, only the domain. Be sure to add domain names, not full page paths, to Walled Garden, otherwise authorization won't work for secure sites.

Check the whitelist by connecting a clean device to the network. If the login page appears automatically and all design elements (logos, background images) load, then Walled Garden is configured correctly. If the page is blank or doesn't load, check the router logs for blocked requests to external resources.

Frequently Asked Questions (FAQ)

Is it possible to authorize via SMS?

Yes, this is possible, but it requires integrating the router with the SMS gateway via an API. The router must be able to send HTTP requests to the messaging service. This is usually implemented through external PHP or Python scripts that work in conjunction with the Radius server. Setting this up independently is more difficult than simple login and password authentication.

Will authorization work if the Internet provider is disconnected?

Yes, local authentication will continue to work, as it is handled within your network by the router hardware. Users will be able to connect and access local resources (if configured), but will not be able to access the global network. The user database is stored in the router's memory or disk.

How to protect the administrator page from guests?

The router's management page should be inaccessible from the guest network. To do this, create a rule in the Firewall settings that denies access from the Hotspot interface (guest network) to the router's IP address via management ports (usually 80, 443, 8080, 22). Access to the admin panel should only be allowed from trusted ports or through a dedicated VLAN.

Do I need a static IP from my provider to use a hotspot?

A static IP is not required for the authorization process itself; a regular dynamic address is sufficient. A static IP or port forwarding is only required if you want to manage the router remotely from the outside or if the authorization page is hosted on an external server that needs to contact you.

How many users can a regular router with authorization support?

It depends on the processor (CPU) power and the amount of RAM. Budget models (MikroTik hAP series) comfortably support 15-30 simultaneous users. For a load of 50-100 people, devices of the level RB750Gr3 or Cloud Core RouterIf the CPU limit is exceeded, the load will increase to 100%, and the network will crash.