How to Configure a Ruijie Captive Portal for Guest WiFi

Speak in British English with a confident, authoritative, and conversational tone - like a senior IT consultant briefing a client. Measured pace, clear diction, professional but not stiff. Occasional natural emphasis on key technical terms: How to Configure a Ruijie Captive Portal for Guest WiFi. A Purple Technical Briefing. [medium pause] INTRODUCTION AND CONTEXT. [short pause] Welcome. Over the next ten minutes, we are going to cover everything you need to know about configuring a Ruijie captive portal for guest WiFi - from the architecture decisions that determine whether your deployment succeeds or fails, to the specific configuration steps that most guides skip entirely. If you are an IT manager, network architect, or venue operations director at a hotel, retail chain, stadium, or conference centre, and you have Ruijie hardware on-site or you are evaluating it, this briefing is for you. Ruijie Networks is one of the fastest-growing enterprise wireless vendors globally. According to IDC data, Ruijie holds the number one position in China's enterprise WLAN market with a 23.34% share, and their footprint is expanding rapidly across Europe, the Middle East, and Asia Pacific. Their RG-WS series wireless controllers, Reyee EG series gateways, and cloud-managed RG-RAP access points are now deployed across thousands of venues worldwide. But here is the thing. Getting guest WiFi right on Ruijie hardware - specifically the captive portal piece - requires understanding a handful of architectural decisions upfront. Get those decisions wrong, and you end up with a portal that breaks on iOS, guests who cannot authenticate, and a network that is either too open or too locked down. Let us fix that. [medium pause] TECHNICAL DEEP-DIVE. [short pause] First, the architecture. Ruijie gives you three distinct deployment models for guest WiFi captive portals, and choosing the right one depends on your scale and your management requirements. Model one is the native Ruijie Cloud or JaCS managed portal. JaCS is Ruijie's hospitality-focused management system. This is the built-in option. You log into Ruijie Cloud, navigate to Device Config, then Basic, create or edit your guest SSID, enable the Authentication toggle, and select Captive Portal as the mode. JaCS supports Hotel and Other scenarios and gives you a drag-and-drop portal builder with login options including one-click access, voucher codes, and account-based login. This is the right choice for smaller deployments - a single hotel, a boutique retail site, or a conference centre that wants a quick, branded splash page without external dependencies. Model two is the external captive portal via WISPr and RADIUS. WISPr - Wireless Internet Service Provider roaming - is the protocol that handles the redirect and authentication handshake between the Ruijie gateway and an external portal platform. This is the enterprise-grade approach. It is what you need when you want to integrate Ruijie with a third-party guest WiFi intelligence platform. Here, you navigate to Auth and Account in the Ruijie interface, select Captive Portal, set the Policy Mode to External, and point the Portal Server URL at your external platform. You then configure a RADIUS server group with the credentials your platform provides. This model scales across hundreds of sites, gives you centralised analytics, and lets you run GDPR-compliant data capture workflows. Model three is standalone AP mode. Ruijie's Reyee access points running ReyeeOS version 1.219 or later can run a local captive portal without a gateway, which is useful for temporary deployments or small sites without an EG router. But functionality is limited compared to gateway-based deployments, so treat this as a fallback, not a primary architecture. [medium pause] Now, the critical piece that most guides skip entirely: VLAN isolation. When you create a guest SSID on Ruijie, you have two forwarding options - NAT mode and VLAN mode. NAT mode is simpler. The gateway assigns guest devices addresses from a dedicated pool, typically 192.168.23.0 slash 24 by default, and all guest traffic is NATted to the internet. This works for a proof of concept, but it gives you limited visibility and control over guest traffic at Layer 3. VLAN mode is the right choice for any production deployment. You assign the guest SSID to a dedicated VLAN, say VLAN 100, and use ACLs on the gateway to block guest traffic from reaching your corporate VLAN. The pattern is: create an extended access list, deny IP traffic from the guest subnet to the corporate subnet, permit everything else, and apply that access list inbound on the guest BVI interface. This is the same principle you would apply on Cisco Meraki, HPE Aruba, or Ruckus - Ruijie just has its own CLI syntax. Security standards matter here. Ruijie supports WPA3-Personal and WPA2 slash WPA3 mixed mode on guest SSIDs. For a guest network where you want zero-friction access, you typically run an open SSID with captive portal authentication rather than a pre-shared key. The captive portal becomes your authentication layer. If you need stronger security - say for a healthcare or financial services environment - you can layer IEEE 802.1X on top, using EAP-TLS or PEAP with a RADIUS server for certificate-based or credential-based authentication. Ruijie's RG-WS series controllers support full 802.1X with dynamic VLAN assignment, meaning you can push different VLANs to different user groups based on RADIUS attributes. [medium pause] The walled garden - or allowlist - is another area that trips people up. Before a guest authenticates through the captive portal, their device operates in a restricted state. It can only reach domains you explicitly whitelist. At minimum, you need to allow your portal platform's domain and IP address, any social login providers you are using, and Apple's captive portal detection endpoint - captive.apple.com. Miss that last one and iOS devices will show a broken portal experience. You configure the allowlist in Ruijie Cloud under Auth and Account, then Allowlist. Add each domain and IP address individually. [medium pause] IMPLEMENTATION RECOMMENDATIONS AND PITFALLS. [short pause] Let me give you the four decisions that determine whether your Ruijie guest WiFi deployment succeeds or fails. Decision one: native portal versus external platform. If you are running more than five sites, or if you need to capture first-party data for marketing, use an external platform. Purple, for example, operates as a hardware-agnostic cloud overlay across 80,000 plus live venues. You point your Ruijie gateway at Purple's portal URL, configure the RADIUS credentials, and you get centralised analytics, GDPR-compliant data capture, and CRM integrations - all without touching the Ruijie hardware again. Purple has processed 440 million logins in 2024 alone and holds ISO 27001 certification, so the compliance piece is handled. Decision two: NAT versus VLAN. Always use VLAN mode for production deployments. NAT mode is fine for a proof of concept, but VLAN mode gives you proper Layer 3 isolation, easier firewall policy management, and the ability to apply QoS policies per VLAN. Decision three: bandwidth management. Ruijie's EG gateways have built-in QoS controls. Set per-user download and upload limits on the guest SSID - typically two to five megabits per second download for a standard guest network. This prevents a single guest streaming four-K video from degrading the experience for everyone else. If you are using an external platform, disable Client Escape on the Ruijie side to ensure the platform's bandwidth controls take effect correctly. Decision four: session timeout and re-authentication. Set a sensible session timeout - eight to 24 hours for hospitality, shorter for retail or events. Ruijie lets you configure this per portal policy. Pair it with a post-login redirect URL so guests land on your venue's website or a promotional page after connecting. [medium pause] The most common pitfall I see is teams deploying a captive portal without testing it on iOS and Android simultaneously. Apple and Google both have captive portal detection mechanisms that behave differently. Test both before go-live. The second most common pitfall is forgetting to synchronise the portal configuration to the EG product in JaCS - there is an explicit Synchronise button you must click after creating or editing a portal, otherwise the gateway does not pick up the changes. [medium pause] RAPID-FIRE QUESTIONS AND ANSWERS. [short pause] Let me run through the questions I get asked most often. Can Ruijie APs run a captive portal without a gateway? Yes, on ReyeeOS 1.219 or later, but functionality is limited compared to gateway-based deployments. Does Ruijie support 802.1X for guest networks? Yes, the RG-WS series controllers support full 802.1X with dynamic VLAN assignment via RADIUS. Can I integrate Ruijie with Purple? Yes. Configure the external captive portal mode, point the portal URL at Purple's endpoint, set up the RADIUS server group with Purple's credentials, and add Purple's domains to the allowlist. Purple's hardware-agnostic architecture handles the rest. Does WPA3 work with captive portals? Yes. You run an open SSID for the captive portal flow. WPA3 applies to authenticated SSIDs. For guest networks, the portal itself is the authentication layer. What RADIUS ports does Ruijie use? Port 1812 for authentication and port 1813 for accounting - these are the standard IANA-assigned ports per RFC 2865 and RFC 2866. [medium pause] SUMMARY AND NEXT STEPS. [short pause] To summarise. Ruijie Networks gives you a capable, flexible platform for guest WiFi and captive portal deployment. The three deployment models - native cloud portal, external RADIUS-based portal, and standalone AP - cover everything from a single-site boutique hotel to a multi-site retail chain. The key decisions are: VLAN isolation over NAT for any production deployment. External platform for any multi-site or data-capture use case. Proper walled garden configuration to avoid iOS authentication failures. And always test on both iOS and Android before go-live. Your next steps: audit your current Ruijie firmware versions to confirm ReyeeOS compatibility. Decide whether you need native or external portal management. If you are running more than five sites or need analytics, speak to Purple about integrating their platform with your Ruijie infrastructure. Purple operates across 80,000 plus venues, processes hundreds of millions of logins per year, and is ISO 27001, GDPR, and Cyber Essentials certified. You can find Purple's integration documentation and request a demo at purple.ai. Thanks for listening. We will see you in the next briefing.