Wi-Fi Authorization: 5 Ways to Restrict Access to Your Network

Are you tired of your neighbors connecting to your Wi-Fi without permission? Or do you want to provide secure access for office guests without sharing your main network password? Wi-Fi authentication solves these problems by allowing you to control who connects to your hotspot and how. But how do you set it up correctly to avoid locking yourself out and creating unnecessary complications?

In this article, we will examine all current authorization methods - from the standard password to advanced solutions like radius servers And captive portalYou will learn how to set up access via the router's web interface and which security protocols to choose (WPA3 vs WPA2), and how to set up a guest network with SMS or social media authentication. Also, common mistakes that make your Wi-Fi vulnerable, even if you've set a password.

It doesn't matter if you use a budget TP-Link TL-WR840N or professional MikroTik RB4011 — The instructions are suitable for most modern devices. The main thing is to understand the operating principles of each method and its limitations. For example, The captive portal with authorization via Google/Facebook only works with an active internet connection, so it is not suitable for isolated networks..

1. Basic authorization: Wi-Fi password

The simplest and most common method is to protect your network with a password. While it may seem simple, it's effective if you choose the right encryption type and password. Most modern routers support three security standards:

  • 🔒 WPA3-Personal — the most secure to date (recommended for new devices). Uses individual data encryption for each client (SAE — Simultaneous Authentication of Equals).
  • 🔓 WPA2-PSK (AES) — an outdated but still relevant standard. Vulnerable to dictionary attacks if the password is weak.
  • ⚠️ WEP — an insecure protocol that can be cracked in minutes. It's only used for compatibility with older devices (such as printers). HP LaserJet 1020).

To set up a password:

  1. Open the router's web interface (usually at 192.168.0.1 or 192.168.1.1).
  2. Go to the section Wireless → Wireless Security (names may differ).
  3. Select WPA3-Personal (or WPA2-PSK, if you have older devices).
  4. In the field Password Enter a password of at least 12 characters, including numbers, letters, and special characters.
  5. Save the settings and reboot the router.

💡 Advice: Don't use personal information (birthdates, pet names) or popular combinations like 12345678 or qwertyHackers check them first.

⚠️ Attention: If your router does not support WPA3, update the firmware through the section Administration → Firmware UpgradeManufacturers regularly add support for new standards even to older models.
📊 What security standard does your Wi-Fi use?
WPA3
WPA2
WPA/WPA2 Mixed
WEP
Don't know

2. Guest access: separate network with restrictions

Guest Wi-Fi allows you to share internet without revealing your main network password. This is convenient for cafes, hotels, or offices that need temporary access. Key benefits:

  • 🛡️ Isolation from the main network (guests won't see your folders or printers).
  • 🕒 Possibility to limit session time (for example, 2 hours).
  • 📶 A separate SSID (network name) to avoid confusion with the main Wi-Fi.

Setting up an example ASUS RT-AX88U:

  1. Let's go in Guest Access → Guest Wi-Fi.
  2. Enable the option Enable guest network.
  3. We indicate the name of the network (for example, Cafe_FreeWiFi).
  4. Select the security type (WPA2-PSK or WPA3).
  5. Set a password or leave the network open (if you plan to use a captive portal).
  6. In the section LAN access we choose Ban.
  7. We limit the speed (for example, 10 Mbps) and operating time (for example, from 9:00 to 21:00).
Parameter Recommended value Explanation
SSID Guest_YourName A clear name will help users distinguish the guest network from the main one.
Encryption WPA3-Personal Maximum security for temporary users.
LAN access Ban Guests will not be able to connect to your devices on the local network.
Speed ​​Limit 5–10 Mbps Enough for social networks and email, but not for torrents.

On routers Keenetic Guest access is configured through the section Home Network → Segments → GuestHere you can additionally enable Isolation of clientsso that guests' devices cannot see each other.

3. Captive portal: authorization via a web page

A captive portal is a page that opens when you first connect to Wi-Fi and requires authorization (login/password entry, SMS confirmation, or social media verification). This method is often used at airports, shopping malls, and hotels. Benefits:

  • 📱 User-friendly (no need to enter a complex password).
  • 📊 Possibility of collecting statistics (email, phone for marketing).
  • 🔄 Flexible settings (you can grant access for a limited time).

A captive portal is overkill for home use, but it's a powerful tool for business. It can be configured:

  1. Via cloud services (For example, WiFiGuest, Purple WiFi). Suitable for non-technical users.
  2. On routers with support (For example, Ubiquiti UniFi, MikroTik With HotSpot).
  3. Using Raspberry Pi + software (CoovaChilli, PacketFence).

Example setup for MikroTik:

/ip hotspot

add name=hotspot1 interface=wlan1

/ip hotspot user

add name=user1 password=123456

/ip hotspot profile

set [find] login-by=http-pap,http-chap

After setup, users will see a login page the first time they connect. You can customize its design, add your company logo, and terms of use.

⚠️ Attention: The captive portal requires a constant internet connection to use social media or SMS authentication. If the internet goes down, users will be unable to connect to Wi-Fi.
How to bypass a captive portal without authorization?

Some users try to bypass the portal by spoofing their MAC address or using a VPN. To avoid this, configure MAC address binding in your router and block known VPN services (for example, using firewall rules on MikroTik).

4. Radius server: login/password authorization

Protocol RADIUS (Remote Authentication Dial-In User Service) allows centralized management of Wi-Fi access via an external server. This solution is suitable for offices, universities, or large networks that require:

  • 👥 Issue unique logins/passwords to each user.
  • 🔄 Change access remotely (for example, block a dismissed employee).
  • 📅 Set time restrictions (access only during business hours).

To set this up you will need:

  1. Server with installed software (FreeRADIUS for Linux, Windows Server NPS for Windows).
  2. Router with support 802.1X (For example, Cisco RV340, Ubiquiti UniFi).
  3. Client devices with support WPA-Enterprise (most modern smartphones and laptops).

Configuration example FreeRADIUS on Ubuntu:

sudo apt install freeradius

sudo nano /etc/freeradius/3.0/clients.conf

Add the router as a client:

client router1 {

ipaddr = 192.168.1.1

secret = your_secret_key

}

On the router, we specify the IP of the RADIUS server and the port (1812 (for authentication). When connecting to Wi-Fi, users will see a login/password prompt instead of entering a network key.

Component Example of software/hardware Price
RADIUS server FreeRADIUS, Windows Server NPS Free / from 1000 ₽/month (cloud)
Router Ubiquiti UniFi, MikroTik RB4011 from 5000 ₽
Client software Built-in support in Windows/macOS/Android For free

For small offices, you can use cloud-based RADIUS services (for example, Cloud RADIUS or SecureW2), so as not to deploy your own server.

Install server software (FreeRADIUS/NPS)|Configure the client (router) in the RADIUS configuration|Create a user database with logins/passwords|Check 802.1X support on client devices|Test the connection in an isolated network-->

5. MAC address authentication: pros and cons

Filter by MAC addresses Allows you to restrict connections to specific devices. This is an older, but still used, access control method. Here's how it works:

  1. You collect MAC addresses of trusted devices (eg. 00:1A:2B:3C:4D:5E).
  2. Add them to the whitelist on the router.
  3. Enable filtering—the router will only allow devices from the list through.

Setting up on TP-Link Archer C7:

  1. Let's move on to Wireless → Wireless MAC Filtering.
  2. Select the mode Allow (allow only specified MAC).
  3. Add addresses to the list.
  4. Save and reboot the router.

🔴 Disadvantages of the method:

  • 🔄 MAC addresses are easy to spoof.
  • 📱 Inconvenient for guests (you have to add new addresses each time).
  • 🔧 It is difficult to manage a large number of devices.

🟢 When to use:

  • 🏠 In a home network with a fixed set of devices.
  • 🏢 In the office, in combination with other methods (for example, RADIUS + MAC filtering).
⚠️ Attention: MAC addresses are transmitted in cleartext over the network, making them susceptible to interception and spoofing. Don't rely solely on this method to protect sensitive data.

6. Two-factor authentication (2FA) for Wi-Fi

Two-factor authentication adds a second layer of security to your Wi-Fi. For example, in addition to your password, you may need:

  • 📱 Code from SMS or app (Google Authenticator).
  • 🔑 Hardware key (YubiKey).
  • 📧 Link is a one-time token via email.

You can implement 2FA for Wi-Fi via:

  1. Captive portal with the integration of services like Duo Security or Auth0.
  2. RADIUS server with 2FA support (for example, FreeRADIUS + Google Authenticator).
  3. Specialized solutions for business (Cisco ISE, Aruba ClearPass).

Example of setup FreeRADIUS + Google Authenticator:

# Install the module for Google Authenticator

sudo apt install libpam-google-authenticator

Configuring PAM in FreeRADIUS

sudo nano /etc/freeradius/3.0/mods-available/pam

Add the line:

pam {

auth = pam_google_authenticator

}

When connecting to Wi-Fi, users will first enter a password and then a code from the app. Google AuthenticatorThis significantly complicates unauthorized access, even if the network password becomes known to third parties.

💡 Advice: 2FA is overkill for home use, but if you have an office with sensitive data, it's worth considering. Start with a captive portal + SMS code—it's easier to set up than RADIUS.

7. Common mistakes when setting up authorization

Even experienced administrators sometimes make mistakes that can ruin all their Wi-Fi security efforts. Here are the most common ones:

  • 🔑 Weak password: Using short passwords or dictionary words. Hacking in 10 minutes with Aircrack-ng.
  • 📡 Open network without encryption: Even with a captive portal, traffic is transmitted in clear text.
  • 🔄 Outdated router firmware: Vulnerabilities in the old version of the software allow authorization to be bypassed.
  • 📱 Lack of guest network isolation: Guests get access to local resources.
  • 🔧 Incorrect RADIUS settings: The server is not responding and users cannot connect.

🛠 How to avoid mistakes:

  1. Check your password strength using online services.
  2. Always enable encryption (WPA3 or WPA2-AES).
  3. Update your router firmware every 3–6 months.
  4. Test the guest network for isolation (try accessing shared folders from a connected device).
  5. Use tools like Wireshark to check traffic for leaks.

🔍 How to check your network for vulnerabilities:

# Network Scanning with Kali Linux

sudo airmon-ng start wlan0

sudo airodump-ng wlan0mon

Checking password strength (if you have a handshake)

sudo aircrack-ng -w wordlist.txt capture.cap

⚠️ Attention: If you use a cloud-based RADIUS or captive portal, make sure the service provider doesn't store logins and passwords in plaintext. Review their security policy or use self-hosting.

8. Alternative methods of access control

In addition to standard methods, there are less obvious ways to restrict Wi-Fi access:

  • 🕒 Network operating schedule: Disabling Wi-Fi at night or during non-working hours (configured in the router).
  • 📶 Signal limitation: Reduce the transmitter power so that the network is not available outside the home/office.
  • 🔗 VLANs for different user groups: Separation of traffic across virtual networks (for example, for employees and guests).
  • 🔑 Certificates instead of passwords: Authentication via EAP-TLS (requires PKI infrastructure).

Example of setting up a schedule on Keenetic:

  1. Let's move on to Home Network → Access Point.
  2. Select the network and click Schedule.
  3. We specify the days and hours when Wi-Fi should work (for example, Mon–Fri, 8:00–20:00).

To limit the coverage area on Ubiquiti UniFi:

  1. Open Settings → Wireless Networks.
  2. Select the network and install Transmit Power on Low or Medium.
  3. Set up Minimum RSSI (For example, -70 dBm) to turn off devices with a weak signal.

💡 Advice: If you need to temporarily block access to a specific device, use ARP spoofing Or add their MAC address to the blacklist on the router. This is faster than changing the network password.

FAQ: Frequently Asked Questions about Wi-Fi Authorization

Is it possible to log in via social networks (VKontakte, Google) without a captive portal?

No, a captive portal is required for social media authentication. This is because social media requires user interaction (redirection to their login page), and standard Wi-Fi protocols (WPA2/WPA3) don't support this. An alternative is to use RADIUS with OAuth integration, but this is complex to set up.

What is the most secure authentication method for an office with 50 employees?

The best option is - RADIUS + WPA3-Enterprise with a link to Active Directory (if you have a Windows server). This allows you to:

  • Manage access centrally.
  • Block accounts upon dismissal.
  • Set up different access levels (for example, for the accounting and technical departments).

For added security, add 2FA via Google Authenticator or hardware keys.

My router doesn't support WPA3. What should I do?

There are several solutions:

  1. Update your router's firmware (manufacturers often add WPA3 support to older models).
  2. Buy a new router with support WPA3 (For example, ASUS RT-AX86U or TP-Link Archer AX6000).
  3. Use WPA2-PSK with a long password (20+ characters) and disable WPS (this will eliminate most of the vulnerabilities).
How do I know who is connected to my Wi-Fi?

You can view the list of connected devices:

  • In the router's web interface (section DHCP Clients, Attached Devices or similar).
  • Through the manufacturer's mobile applications (for example, TP-Link Tether, ASUS Router).
  • Using third-party utilities like Wireless Network Watcher (Windows) or Fing (Android/iOS).

If you see an unfamiliar device, block it by MAC address or change the network password.

Is it possible to use fingerprint authorization?

Wi-Fi standards don't support direct biometric authentication, but there are workarounds:

  1. Use a captive portal with biometric authentication integration (e.g. via Windows Hello on corporate laptops).
  2. Configure RADIUS with support EAP-TLS and link certificates to biometric data on the device.

These are complex solutions that require extensive configuration and aren't supported by all devices. For home use, it's easier to use standard methods (password + guest network).