Providing internet access for cafe customers, hotel guests, or shopping mall visitors requires more than just an access point, but a comprehensive user management system. A simple password on a Wi-Fi router isn't enough, as it doesn't allow for session time control, analytics collection, or displaying advertising banners before accessing the network. This is where Captive Portal technology, also known as guest portal or authorization page.
Implementing such a system allows businesses to turn free internet access into a powerful marketing tool. You can offer guests access via social media, SMS, or one-time codes. This not only increases the security of your local network but also allows you to legally collect customer contacts. In this article, we'll cover in detail how to set up Wi-Fi with authentication, the different types of portals available, and the equipment required to implement the project.
It's worth noting that setting up authorization requires a basic understanding of network architecture. You'll have to work with DNS, DHCP, and possibly Radius servers. However, the payoff is worth it: you get a flexible traffic management tool that can be tailored to any needs, whether it's limiting torrent download speeds or completely blocking certain resources.
Operating principle and types of authorization
Technically, the authorization process in Wi-Fi networks is implemented through a user request redirection mechanism. When a client device connects to an access point, the router or controller checks for an active session. If no session is found, all HTTP requests are redirected to a special local IP address, where a login page is displayed. This process is called Captive Portal.
There are several main methods of user identification, each with its own application scenarios. The choice of a specific method depends on your target audience and the technical capabilities of your equipment. For example, SMS authentication is often used at airports because it links the account to the phone number, which is required by law.
Simpler options, such as clicking the "I agree" button or logging in via social media, are ideal for retail and food service, where connection speed and marketing data collection are critical. Complex corporate environments may require integration with Active Directory to leverage existing employee accounts.
- 🔑 Voucher system: access using one-time logins and passwords generated by the administrator.
- 📱 SMS authorization: Receiving an access code via SMS to a mobile phone.
- 👍 Social media: Login via VKontakte, Facebook, Google or Odnoklassniki accounts.
- ✅ Click-through: the simplest form of agreement with the rules of using the network.
⚠️ Attention: When using SMS authorization, ensure that your gateway is connected to a reliable SMS provider, as delays in message delivery can cause user dissatisfaction.
Necessary equipment and software
To implement a fully-fledged access point with authentication, a standard home router is usually insufficient. You'll need equipment that supports external authentication servers or has built-in HotSpot functionality. Devices from MikroTik, Ubiquiti UniFi and professional solutions based on OpenWrt.
A key component is often a RADIUS (Remote Authentication Dial-In User Service) server. This specialized software stores the user database, verifies passwords, and tracks traffic. Popular solutions include FreeRADIUS, Winbox (for MikroTik) or cloud management platforms such as Tanaza or Cloud4Wi.
If you are looking for an all-in-one hardware solution, consider the series MikroTik hAP or RB with HotSpot support, as well as controllers Ubiquiti UniFi Cloud KeyThey allow you to customize beautiful login pages and manage users through a convenient web interface without extensive command line knowledge.
| Solution type | Example of equipment | Difficulty of setup | Price |
|---|---|---|---|
| Software router | MikroTik RouterOS | High | Average |
| Corporate point | Ubiquiti UniFi AP | Average | High |
| Open Source | OpenWrt + CoovaChilli | Very high | Low |
| Cloud service | Splashtopia / Tanaza | Low | Subscription |
Setting up a MikroTik HotSpot
One of the most popular ways to set up Wi-Fi with authentication is using MikroTik equipment. The RouterOS operating system has a built-in HotSpot module that allows you to create complex access scenarios. To get started, go to the menu. IP → HotSpot and run the setup wizard HotSpot Setup.
The wizard will prompt you to select an interface (usually a bridge, which connects wireless interfaces), configure client pool addressing, and specify DNS servers. Pay special attention to the HTTP/HTTPS Walled GardenHere you need to add domains available to users before authorization (for example, mobile operator websites or social media login pages).
Once the wizard completes, the system will create the necessary address pools and firewall rules. Next, configure the user profile and HotSpot server, where you can set time limits, access speed, and login page appearance. Login page files are stored in the router's file system and can be edited for branding.
/ip hotspot setuphotspot interface=bridge-local
local-address-network=192.168.10.0/24
address-pool=hs-pool-10
dns-name=hotspot.mysite.com
☑️ MikroTik Setup Checklist
⚠️ Attention: Interfaces and menu names may vary across different RouterOS versions. Always consult the official MikroTik documentation for your firmware version to avoid configuration errors.
Organization of a voucher access system
A voucher system is ideal for situations where access needs to be granted temporarily and in a controlled manner. The administrator generates a list of logins and passwords (or simply passwords) that are valid for a limited time or have a traffic limit. This data can be distributed to customers like a physical product or service.
To generate vouchers in MikroTik, use the section IP → HotSpot → Users, where is the button GenerateHere you can set the username prefix, password length, number of vouchers, and access profile. The profile determines how long the voucher is valid (e.g., 1 hour) and the internet speed.
The completed list can be saved to a file or sent directly to print. It is important to configure the speed limit profile correctly (Rate Limit) to prevent one user with a voucher from taking down the entire channel. Typically, values like 2M/2M or 5M/5M are set for basic surfing.
- 🎫 Generation: creating codes via web interface or scripts.
- ⏳ Time-out: Automatic expiration after first login.
- 📉 Limits: limiting the speed and volume of downloaded data.
- 🔄 Extension: Possibility of re-authorization with the same code (if available).
How to print vouchers beautifully?
Use MikroTik's built-in print template or export a CSV file for layout in specialized programs like HotSpot Printer. This will allow you to add your establishment's logo and connection instructions.
Integration with social networks and SMS
Modern users are accustomed to seamless access. Logging in via social networks (Social Login) or SMS eliminates the need to remember passwords. Implementing this functionality on standard hardware often requires additional software modules or cloud gateways, as native routers rarely support direct integration with the Facebook or VKontakte APIs.
The workflow typically looks like this: the router redirects the user to an external authorization server. The server requests permission from the social network, receives identity verification, and sends a command to the router to grant access to the client's device's MAC address. SMS authorization requires a connection to an SMS gateway, which receives the request from the router and sends a message to the user.
A popular solution for implementing such schemes is a combination of MikroTik + an external server (for example, based on PHP or Python) or the use of ready-made platforms like Splashtopia or Wi-Fi TribeThis allows you to create beautiful landing pages with advertising banners that the user sees before entering.
⚠️ Attention: Data collection via social media and SMS is subject to personal data laws. Be sure to add a checkbox to agree to the data processing policy on the login page.
Frequently Asked Questions (FAQ)
Do I need a separate server to set up WiFi with authorization?
Not necessarily. For simple scenarios (vouchers, click-out), the capabilities of the router itself (e.g., MikroTik) are sufficient. Complex scenarios involving CRM, billing, or social media integration will require an external server or cloud service.
Will authorization work if the user has JavaScript disabled?
Most modern Captive Portals require JavaScript to redirect or check status. However, the basic login form (username/password) will work without it if the page is designed correctly.
Is it possible to limit the speed for unauthorized users?
Yes, this is standard practice. You can set this parameter in the HotSpot profile settings. Rate Limit for the "pre-auth" group, which will severely limit the speed (for example, to 64 kbps) until successful login.
How to bypass HTTPS website blocking before authorization?
It's impossible to completely bypass this for SSL/TLS security reasons. However, modern browsers and operating systems automatically redirect to the portal. In Walled Garden, it's essential to add the domains of operators and key services so that the authorization page loads correctly.