How to Set Up Wi-Fi Web Auth: Creating a Guest Network

Providing internet access to visitors in a café, hotel, or office requires not only a signal but also a mechanism for managing that access. The standard system, with a shared password posted on the wall, has critical flaws: anyone who knows the code can connect, and tracking a specific user's actions is virtually impossible. The solution to this problem is technology. Web Authentication, often referred to as a Captive Portal, is a mechanism that forcibly redirects the user's device to a special authorization page when attempting to connect to the network.

Implementing such a system allows you to not only secure the organization's main network, but also collect visitor statistics, display advertising, or simply provide temporary access with a timer. Wi-Fi Web Auth This may seem like a daunting task for a beginner, but modern business-class routers and OpenWrt firmware make the process quite accessible. In this article, we'll look at how to turn a regular access point into a managed hotspot.

Before proceeding with the settings, it's important to understand that this mechanism requires DNS and HTTP requests to be redirected to the router's internal server until successful authorization. This creates a so-called "locked" network segment, where the user is restricted from performing actions until they log in or accept the terms of the agreement. This redirection process is key to the architecture. Captive Portal.

Captive Portal Operation and Architecture

Technically, the web interface authorization process is based on intercepting client network requests. When a user connects to a wireless network, the router assigns them an IP address but places it in a special isolated zone (VLAN or separate address pool). All requests to external resources are blocked or redirected to the internal IP address of the gateway, where the web server with the login form is running.

The key element here is the redirection mechanism. If a user tries to go to http://example.com, the router spoofs the response and sends the authorization page. However, with the introduction of widespread encryption HTTPS, this process has become more complicated since the router cannot read the request content. Therefore, modern systems use special detection methods, such as requests to known operating system URLs (e.g., connectivitycheck.gstatic.com for Android or captive.apple.com for iOS) to initiate the pop-up window.

  • 📡 Access point Creates a wireless network with an open or encrypted channel.
  • 🔀 Gateway intercepts traffic from unauthorized clients and redirects them to the portal.
  • 💾 Authorization server Checks credentials and updates firewall rules for internet access.
  • 📱 Client device receives the IP and automatically opens a browser window for data entry.

⚠️ Attention: When using HTTPS websites, the redirect mechanism may not work automatically on some devices if the browser strictly blocks redirects. In such cases, the user may need to manually enter the router address (e.g., 192.168.1.1) in the address bar.

It's important to note that the entire architecture is built on the interaction of several services: a DHCP server for issuing addresses, a DNS server for name resolution, and the authorization service itself. In most modern solutions, such as MikroTik Hotspot or Ubiquiti UniFi, all of these components are already integrated into a single control panel, which greatly simplifies deployment.

Selection of hardware and software

Successful implementation of Web Auth directly depends on the hardware chosen. Not all home routers have sufficient processor power and firmware functionality to handle multiple simultaneous authorized connections. OpenWrt-based solutions are often used for small offices and home networks, while specialized controllers are preferable for enterprise networks.

One of the most popular solutions in the world of providers and hotspots is equipment MikroTikTheir Hotspot system is considered one of the most flexible, allowing for complex billing scenarios, traffic limits, and integration with external databases (RADIUS). However, the entry barrier is quite high due to the complex interface. RouterOS.

For those looking for a balance between simplicity and functionality, wireless network management systems such as Ubiquiti UniFi or TP-Link OmadaThey allow you to set up a guest portal with a company logo and social login buttons in just a few clicks through a centralized controller.

📊 What equipment do you plan to use for setup?
MikroTik (RouterOS)
Ubiquiti UniFi
Router with OpenWrt
Ready-to-use cloud solution (Keenetic/TP-Link)
Other
Solution Difficulty of setup Scalability Price
MikroTik High Excellent Average
Ubiquiti UniFi Average Excellent High
OpenWrt (CoovaChilli) Very high Depends on the hardware Low
Keenetic (KeenOS) Low Medium (up to 10 points) Average

If your budget is limited and your programming skills are high, you might want to consider a Linux server and software bundle. CoovaChilli or pfSense with a package pfBlockerNG and Captive Portal. This provides maximum flexibility but requires a separate dedicated server or a powerful router with virtualization support.

Basic setup using MikroTik as an example

Let's look at the process of creating a hotspot based on RouterOS, as this is the most universal example demonstrating the logic behind all systems. The first step is to prepare a pool of addresses for guests. Go to the menu IP -> Pool and create a new pool, for example, guest-pool with a range 10.10.10.10-10.10.10.254.

Next, you need to configure a DHCP server that will issue addresses from the created pool only for the guest network interface. In the menu IP -> DHCP Server click Setup, select the interface (eg. bridge-guest), specify the created address pool and network mask. It's important to specify the correct DNS servers so that clients can resolve names even before authorization (usually this is the router's address).

☑️ Checklist before launching Hotspot

Completed: 0 / 5

Now let's move on to the most important thing - Hotspot configuration. In the menu IP -> Hotspot click SetupThe setup wizard will prompt you to select an interface (the same bridge-guest), address pool, and server address (router's local IP). During the DNS Name configuration step, specify the domain that will be used for redirection, for example, login.localThis name will be registered in the DNS so that any request will lead to the portal.

Once the wizard completes, the system will create the necessary firewall rules and queues. Simple authorization will be enabled by default. You can create users in the menu. IP -> Hotspot -> Users, giving them logins, passwords and profiles with speed or time limits.

⚠️ Attention: Make sure that on the guest network interface in the settings IP -> Services Access to critical services (telnet, ssh, ftp) from the outside is disabled or limited, leaving only the ports necessary for the portal to operate (80, 443, 53).

Customizing the login page

The default login page for MikroTik or any other router looks spartan and doesn't inspire confidence in users. A branded portal is crucial for businesses. Page files are stored in the router's file system (in MikroTik, this is Files, folder hotspot). You can download the standard template, edit the HTML and CSS code, and add your company logo, background image, and current terms of use.

The page code uses special variables that are substituted by the authorization server. For example, the tag $(link-login-only) Specifies the address where the form data will be sent. By modifying the HTML structure, you can add fields for entering a phone number (for SMS authorization) or a checkbox for accepting the rules.

To upload modified files back to the router, use an FTP client or the built-in WinBox file manager. Simply drag the folder containing your template to the hotspot's root directory. Afterward, users will see the updated design when they refresh the page or connect again.

What variables should I use in my template?

Main variables: $(link-login) — the login URL, $(username) — the username, $(error) — the error text for an incorrect password. A full list is available in the RouterOS documentation under Hotspot variables.

Avoid overloading the page with heavy graphic elements. The login page should load instantly, even if the connection is congested. The optimal size of all resources (images, styles) should not exceed 100-200 KB.

Integration with external systems and RADIUS

As the number of users grows, manually maintaining a login and password database on the router becomes ineffective. This is where the protocol comes into play. RADIUS (Remote Authentication Dial-In User Service). It allows you to move the user database to a separate server (for example, FreeRADIUS or Microsoft NPS).

In this scenario, the router acts only as an intermediary (NAS — Network Access Server). When a user enters data on a web page, the router sends a request to the RADIUS server. The server checks the credentials against its database (which can be linked to Active Directory or SQL) and returns an "Access-Accept" or "Access-Reject" response.

This architecture offers enormous advantages:

  • 🔐 Centralized management: You can block access for dismissed employees in all branches at once.
  • 📊 Detailed billing: Accurate traffic and time tracking for each user.
  • 🔄 Flexibility: the ability to use vouchers, SMS codes or authorization via social networks.

To configure it, you need to enable the RADIUS client in the menu IP -> Hotspot -> Server Profile and specify the IP address of the authorization server and the shared secret. Without matching keys, data exchange between the router and the server is impossible.

Safety and common mistakes

Despite the presence of a login page, a network with Web Auth is not completely secure. Traffic between the client and the access point (before login) is often unencrypted if an open network is used. Therefore, it is strongly recommended to use HTTPS for the portal page itself to protect transmitted passwords, although this requires installing an SSL certificate on the router.

A common mistake administrators make is failing to implement rate limiting for unauthorized users. Without strict limits, a bot or virus on a guest's network can attempt to brute-force passwords or generate traffic, consuming the router's processor even before login.

⚠️ Attention: Interfaces and menu item names may vary depending on your router's firmware version. Always consult the manufacturer's official documentation before making any changes to critical network settings.

It's also worth keeping in mind compatibility with mobile operating systems. Apple and Google require that login portals correctly handle specific connection verification requests. If the portal doesn't respond as expected, the phone may display a "Secure Connection" warning or simply fail to open the login window, leading to a flood of user complaints.

Diagnosing connection problems

If users complain that the login page isn't appearing, first check the DNS settings. The client device should be receiving the router's DNS server address. Try accessing any HTTP site in the client's browser, for example: http://neverssl.comThis site is specifically designed for testing the Captive Portal, as it does not use HTTPS and is guaranteed to cause a redirect.

In the router logs (menu Log or System -> Log) look for messages from the service hotspot or radiusErrors like "no free IP addresses" indicate an address pool overflow, while "authentication failed" indicates problems with the user database or RADIUS server.

For in-depth diagnostics, you can use the built-in tracing tools. Run torch On the guest network interface in WinBox and monitor the packets passing through. You should see DHCP Discover/Request requests and DNS queries from clients. If you don't see them, the problem lies with the radio interface or access point drivers.

Why won't the login page open on my iPhone?

iOS requires the authorization server to respond to requests to Apple URLs (like captive.apple.com) with a 302 Redirect. If the router is configured incorrectly or blocks these requests, the phone won't recognize the browser. Ensure that your hotspot rules allow access to apple.com domains without authorization (Walled Garden).

Is it possible to set up Web Auth on a regular home router?

This feature is rare on the stock firmware of inexpensive home routers. However, if the device supports alternative firmware (OpenWrt, DD-WRT, Padavan), then implementing a full-fledged Captive Portal with vouchers and timers is entirely possible, although it will require command line skills.

How to limit access time for a guest?

This is done by creating profiles (User Profiles). The profile specifies the parameter Uptime Limit (for example 1 hour) or Rate LimitWhen the time expires, the router automatically disconnects the user or reduces the speed to zero, requiring re-authorization.