Skip to main content
English (UK)

Configuring Captive Portal Redirection on Enterprise Network Controllers

This authoritative guide details the technical architecture and vendor-specific configuration steps required to implement captive portal redirection on enterprise network controllers. It provides actionable guidance for IT teams on configuring walled gardens, integrating RADIUS authentication, and ensuring compliance with GDPR and PCI DSS.

📖 6 min read📝 1,397 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
Welcome to the Purple Technical Briefing. I'm your host, and over the next ten minutes we're going straight into one of the most searched-for, least well-documented topics in enterprise WiFi: configuring captive portal redirection on network controllers. If you've ever searched for "configurar controlador portal cautivo" and come back empty-handed, this is the briefing you needed. We're covering the full picture - the technical architecture, the controller-by-controller configuration steps, the compliance requirements, and the real-world pitfalls that trip up even experienced network teams. Let's get into it. A captive portal is the mechanism that intercepts a guest device's first HTTP or HTTPS request after connecting to your WiFi network, and redirects it to a branded splash page before granting internet access. That splash page might ask for a social login, a form submission, a simple click-through acceptance of terms, or a RADIUS-backed credential check. The redirection itself is handled at the controller level - not the access point, not the firewall. The controller intercepts the unauthenticated client's traffic, applies a pre-authentication access control list - what we call a walled garden - and pushes the client's browser to your portal URL. Why does this matter commercially? Three reasons. First, compliance. Under GDPR, you are required to obtain explicit, informed consent before collecting personal data from visitors. A properly configured captive portal is your consent mechanism. Without it, you are collecting data without a lawful basis - and that is a regulatory exposure. Second, security. An open SSID with no authentication is a liability. Captive portal redirection, combined with VLAN segmentation and a RADIUS server, gives you per-session accountability. You know who connected, when, and from which device. Third, business intelligence. Every authenticated session is a first-party data point. Purple processes 440 million logins annually across 80,000 venues. That data - dwell time, visit frequency, demographic signals - is only available if your captive portal is correctly configured to capture and transmit it. Now let me walk you through the redirect flow, step by step. Step one: a guest device associates with your guest SSID. The controller assigns it an IP address via DHCP but places it in a restricted pre-authentication state. All traffic is blocked except for DNS and the walled garden domains you have explicitly permitted. Step two: the guest opens a browser. Their HTTP request hits the controller. The controller intercepts it and issues a 302 redirect to your portal URL. This is the core redirect mechanism. Step three: the guest's browser loads your splash page, hosted either on the controller itself or, more commonly in enterprise deployments, on an external cloud platform like Purple. Step four: the guest authenticates - via social login, form, or credentials. The portal sends an authorisation signal back to the controller, typically via a RADIUS Access-Accept message or a MAC authorisation bypass. Step five: the controller moves the client from the pre-authentication VLAN to the post-authentication VLAN, removes the redirect rule, and grants internet access. That five-step flow is consistent across all major controller platforms. What differs is how you configure each step on Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, and the others. Let's go through the major platforms. Cisco Meraki. Meraki uses a custom splash page configured entirely through the Meraki Dashboard - there is no CLI. Navigate to Wireless, then Access Control, select your guest SSID, set the splash page to "Sign-on with my RADIUS server" or "Click-through", then enter your external portal URL in the Custom Splash URL field. The walled garden is configured in the Advanced Splash Settings section - you add the IP addresses of your portal server so the guest can reach the splash page before authentication. RADIUS server details go in the RADIUS section: authentication on port 1812, accounting on port 1813. HPE Aruba. On ArubaOS, you configure a captive portal profile under the AAA section, specifying the login URL, the server group pointing to your RADIUS server, and the redirect URL. You then apply that profile to your SSID via the virtual AP profile. The pre-authentication role - what Aruba calls the "logon" role - contains the ACL that permits DNS, DHCP, and access to your portal server's IP range. Post-authentication, the controller assigns the "authenticated" role, which permits full internet access. Ruckus SmartZone uses a Hotspot WLAN type for captive portal deployments. Under WLAN configuration, set the WLAN type to Hotspot, then configure the portal URL, the RADIUS server for authentication and accounting, and the walled garden entries. The Northbound Portal Interface handles the MAC authorisation flow between the portal and the controller. Juniper Mist uses a cloud-native approach. Under Network, then WLANs, create a guest WLAN and set the portal type to "External Captive Portal". Enter your portal URL and configure the RADIUS server details. Mist passes the client MAC, the AP MAC, and the SSID name as URL parameters to the portal. Ubiquiti UniFi. In the UniFi Network Controller, navigate to Settings, then WiFi, select your guest network, and under Advanced Options set the Guest Policy to enable the hotspot portal. Set the portal type to "External" and enter your portal URL. Configure the RADIUS server under Profiles, then RADIUS. The walled garden is the most commonly misconfigured element in captive portal deployments. Get this wrong and your guests will see a browser error instead of your splash page. The walled garden must permit, at minimum: your portal server's IP addresses or domain, your RADIUS server's IP addresses, DNS resolution on port 53, and DHCP on port 67 and 68. If your portal loads assets from a CDN - fonts, images, JavaScript - those CDN domains must also be in the walled garden. For Purple deployments, we provide the specific IP ranges and domains to whitelist during onboarding. The most common failure mode is a portal that loads the HTML frame but fails to render images or execute JavaScript because the CDN domains are missing from the walled garden. Two compliance standards dominate here: GDPR and PCI DSS. Under GDPR, your captive portal must present a clear, specific consent mechanism before collecting personal data. This means separate, unticked checkboxes for WiFi access and marketing consent. You cannot bundle them. The consent record must be stored and retrievable for audit purposes. Purple's platform handles this automatically, storing consent records against each authenticated session. Under PCI DSS, if your venue processes card payments, your guest WiFi network must be isolated from your payment card environment. This means a dedicated guest VLAN with firewall rules preventing any routing between the guest segment and your POS network. PCI DSS version 4.0, which became mandatory in March 2024, requires network segmentation testing at least every six months. Let me give you two concrete scenarios. Scenario one: a 350-room hotel running Cisco Meraki. The hotel wants to replace a basic click-through portal with a branded guest experience that captures email addresses for their loyalty programme. The configuration: create a dedicated guest SSID on a separate VLAN with internet access only. Configure the Meraki splash page to point to Purple's portal URL. Set up RADIUS authentication using Purple's RADIUS server details. Configure the walled garden with Purple's IP ranges. In the Purple dashboard, build a branded splash page with a form capturing name, email, and room number, with explicit GDPR consent checkboxes. Connect the Purple CRM connector to the hotel's marketing platform. Premier Inn implemented this model across their estate and saw measurable increases in direct booking rates from WiFi-acquired guests. Scenario two: a regional retail chain with 40 stores running HPE Aruba. The retailer needs a consistent guest WiFi experience across all sites, with footfall analytics to compare store performance. Deploy Aruba Central to manage all 40 sites from a single dashboard. Configure a guest WLAN template with external captive portal pointing to Purple. Apply the template across all sites using Aruba Central's group policy feature. In Purple, configure a single portal template that applies across all venues, with per-venue analytics dashboards. The walled garden and RADIUS configuration are defined once in the template and propagated automatically. Result: the IT team manages 40 sites from one console. The marketing team gets per-store footfall data, dwell time analysis, and repeat visit rates - all from a single Purple dashboard. Four pitfalls I see repeatedly. One: HTTPS interception failures. Modern browsers and mobile operating systems use HTTPS probes to detect captive portals. If your controller cannot intercept HTTPS traffic - which requires a valid certificate for the redirect domain - the probe fails silently and the guest sees no redirect. The fix: configure your controller's virtual interface with a trusted certificate, or use HTTP-only probes on your guest SSID. Two: DNS leakage. If your pre-authentication ACL permits unrestricted DNS, guests can use DNS tunnelling to bypass the captive portal entirely. Restrict DNS to your designated resolver only. Three: session timeout mismatches. If your controller session timeout is shorter than your portal's session token validity, guests get redirected back to the portal mid-session. Align these values - typically 24 hours for hospitality, eight hours for retail. Four: missing accounting. RADIUS accounting - the Accounting-Start and Accounting-Stop messages - is how your portal knows a session has ended. Without accounting configured, your portal's session records will be inaccurate and your analytics will be unreliable. Quick questions, quick answers. Can I use an external portal with any controller? Yes, provided the controller supports external captive portal redirect - which all the platforms we have discussed do. Do I need a RADIUS server to run a captive portal? Not always. Simple click-through portals can use MAC authorisation bypass without a full RADIUS server. But for credential-based or social login portals, RADIUS is the standard mechanism. Does captive portal work with WPA3? Yes. WPA3 handles the wireless encryption layer. Captive portal handles the authentication layer. They operate independently and are fully compatible. How does Purple integrate with my existing controller? Purple acts as the external portal server. You point your controller's splash URL to Purple's portal endpoint, configure the walled garden with Purple's IP ranges, and set up RADIUS using Purple's server details. The integration is the same process regardless of whether you're on Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, or Ubiquiti UniFi. To summarise. Captive portal redirection is configured at the controller level, not the access point. The core components are: the splash URL pointing to your portal, the walled garden permitting access to your portal server, RADIUS for authentication and accounting, and VLAN segmentation for network isolation. The configuration steps differ by vendor but the architecture is consistent. For compliance, your portal must implement GDPR-compliant consent capture and PCI DSS-compliant network segmentation. WPA3 is the current standard for wireless encryption and should be your baseline specification on any new deployment. Purple integrates natively with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet. Across 80,000 venues and 440 million logins in 2024, the platform is hardware-agnostic by design - your controller choice does not constrain your ability to capture first-party guest data or run analytics. Your next step: review your current controller configuration against the walled garden and RADIUS accounting checklist in this guide. If you're deploying a new guest WiFi network, start with the vendor-specific configuration steps for your controller platform and connect Purple as your external portal. Thanks for listening. This has been the Purple Technical Briefing.

header_image.png

Executive Summary

Configuring a captive portal redirect on an enterprise network controller is a fundamental requirement for delivering secure, compliant guest WiFi. When configured correctly, the controller intercepts unauthenticated client traffic and issues an HTTP 302 redirect to an external portal, enabling authentication, consent capture, and network segmentation. When misconfigured, it results in silent connection failures, browser security warnings, and compliance exposures.

This guide provides the technical architecture and vendor-specific configuration steps required to deploy external captive portals across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and Ubiquiti UniFi. We detail the mechanics of the redirect flow, the precise requirements for walled garden configuration, and the integration of RADIUS for authentication and accounting. By following these steps, you ensure that your guest network meets PCI DSS segmentation requirements, captures explicit GDPR consent, and securely routes first-party data to platforms like Purple.

Technical Deep-Dive

The captive portal redirect mechanism operates at the network controller level. It relies on a specific sequence of network state changes to intercept, authenticate, and authorise a client device.

architecture_overview.png

The Redirect Flow

  1. Association and DHCP: A guest device associates with the guest SSID. The controller assigns an IP address via DHCP but places the client in a restricted pre-authentication state (often mapped to a specific pre-auth VLAN or role).
  2. Walled Garden Enforcement: In this pre-authentication state, all outbound traffic is dropped except for DNS (port 53), DHCP (ports 67 and 68), and traffic destined for specific IP addresses or domains defined in the access control list (ACL). This ACL is known as the walled garden.
  3. Interception and Redirect: When the guest opens a browser and initiates an HTTP request, the controller intercepts the request. Instead of routing the traffic to the internet, the controller responds with an HTTP 302 Found status code, redirecting the browser to your external captive portal URL. Modern operating systems use automatic HTTPS probes (like Apple's Captive Network Assistant) to detect this redirect and trigger a pseudo-browser.
  4. Authentication: The guest interacts with the splash page hosted on the external portal (e.g., Purple). This might involve a social login, a form submission, or a simple click-through. Upon completion, the portal communicates with the controller to authorise the session.
  5. Authorisation and Accounting: The authorisation signal is typically sent via a RADIUS Access-Accept message or through a vendor-specific API. The controller receives this signal, moves the client to the post-authentication state (often a different VLAN), removes the redirect rule, and grants internet access. The controller then sends a RADIUS Accounting-Start message to log the session duration and data usage.

Implementation Guide

The fundamental architecture is consistent across vendors, but the configuration syntax varies significantly. Below are the steps for the leading enterprise platforms.

vendor_comparison_chart.png

Cisco Meraki

Cisco Meraki configures captive portals entirely through the Meraki Dashboard.

  1. Navigate to Wireless > Access Control and select your guest SSID.
  2. Under Splash page, select Sign-on with my RADIUS server (for credential-based access) or Click-through.
  3. In the Custom Splash URL field, enter your external portal URL provided by Purple.
  4. Under RADIUS, enter the IP addresses of the primary and secondary RADIUS servers for both authentication (port 1812) and accounting (port 1813), along with the shared secret.
  5. Scroll to Advanced Splash Settings to configure the walled garden. Add the IP addresses or domains of your portal server and any required CDNs.

HPE Aruba

Aruba configuration involves defining a captive portal profile and applying it to a role.

  1. In ArubaOS, navigate to Configuration > Authentication > L3 Authentication.
  2. Create a new Captive Portal Authentication Profile. Enter the Login URL pointing to your Purple splash page.
  3. Create a Server Group containing your RADIUS servers and assign it to the captive portal profile.
  4. Navigate to Configuration > Security > Roles. Edit the pre-authentication role (often named logon). Ensure the ACL permits DHCP, DNS, and HTTP/HTTPS traffic to your walled garden IP addresses, and applies the captive portal profile to all other HTTP traffic.
  5. Assign the logon role as the initial role in your AAA profile for the guest SSID.

Ruckus SmartZone

Ruckus uses a specific WLAN type for hotspot deployments.

  1. Navigate to WLANs and create a new WLAN. Set the WLAN Type to Hotspot (WISPr).
  2. Under Authentication Options, select External RADIUS Server and input your server details for both authentication and accounting.
  3. Under Hotspot Portal, select External and enter your portal URL.
  4. Configure the Walled Garden by adding the necessary IP addresses or domains.
  5. Ruckus relies on its Northbound Portal Interface (NPI) to handle the authorisation flow, which requires configuring the NPI settings to allow communication from your portal server.

Ubiquiti UniFi

UniFi provides a straightforward interface for external portals.

  1. In the UniFi Network Controller, go to Settings > WiFi and select your guest network.
  2. Under Advanced Options, enable the Guest Policy.
  3. Go to Settings > Guest Control. Under Portal Type, select External Portal Server and enter your portal URL.
  4. Under Access Control, add the required IP addresses to the Pre-Authorisation Access list (the walled garden).
  5. Configure the RADIUS server details under Profiles > RADIUS and apply the profile to the guest network.

Best Practices

1. Walled Garden Configuration

The walled garden is the most critical point of failure in captive portal deployments. If the walled garden is incomplete, the guest's browser will fail to load the splash page, resulting in a blank screen or a timeout error.

You must explicitly permit access to:

  • The primary portal server IP addresses or domains.
  • The RADIUS server IP addresses.
  • Any Content Delivery Networks (CDNs) used by the portal to load fonts, images, or JavaScript.
  • Identity provider domains if using social login (e.g., facebook.com, google.com).

2. Network Segmentation for PCI DSS

If your venue processes card payments, PCI DSS compliance requires strict isolation of the guest network from the cardholder data environment. Do not rely solely on SSID separation. You must configure a dedicated guest VLAN at the controller or switch level, with firewall rules that explicitly deny routing between the guest VLAN and any internal corporate or Point of Sale (POS) networks.

3. RADIUS Accounting

Always configure RADIUS accounting. While MAC authorisation bypass can grant access, RADIUS accounting (Accounting-Start and Accounting-Stop messages) is required to accurately track session duration and data usage. Without accounting, your analytics platform will report inaccurate dwell times and concurrent user counts.

Troubleshooting & Risk Mitigation

HTTPS Interception Failures

Modern operating systems use HTTPS probes to detect captive portals. If the controller intercepts an HTTPS request but presents an invalid or untrusted SSL certificate for the redirect, the browser will display a severe security warning (e.g., "Your connection is not private") and block the redirect. To mitigate this, ensure your controller is provisioned with a valid, publicly trusted SSL certificate for its virtual interface, or configure the controller to only intercept HTTP traffic for the initial redirect.

DNS Leakage

If the pre-authentication ACL permits unrestricted outbound DNS traffic, sophisticated users can use DNS tunnelling to bypass the captive portal and access the internet without authenticating. Mitigate this by restricting outbound DNS traffic in the pre-authentication role to only your designated DNS resolvers, blocking all other port 53 traffic.

Session Timeout Mismatches

If the session timeout configured on the wireless controller is shorter than the session validity period defined in the external portal, guests will be abruptly disconnected and forced to re-authenticate. Ensure the controller's idle timeout and absolute session timeout align with the intended guest experience (e.g., 24 hours for hospitality environments, 8 hours for retail).

ROI & Business Impact

Deploying a properly configured captive portal transforms guest WiFi from an operational cost into a strategic asset. By integrating enterprise controllers with an intelligence layer like Purple, venues can capture explicit GDPR consent and collect valuable first-party data.

Purple processes 440 million logins annually across 80,000 venues. This data feeds directly into CRM platforms, enabling targeted marketing campaigns based on actual physical visits. For example, Retail operators can measure footfall and repeat visit rates, while Hospitality venues can drive direct bookings by engaging guests post-stay. The ROI is measured in increased customer lifetime value, improved operational efficiency through accurate footfall analytics, and the mitigation of regulatory risk through automated compliance management.

Key Definitions

Captive Portal

A web page that intercepts unauthenticated network traffic and requires user interaction—such as accepting terms or providing credentials—before granting internet access.

Used in enterprise networks to enforce security policies, capture first-party data, and ensure regulatory compliance.

Walled Garden

An access control list (ACL) applied to unauthenticated clients, permitting access only to specific IP addresses or domains required to load the captive portal.

Critical for ensuring the splash page loads correctly; missing CDN domains in the walled garden will cause the portal to render improperly.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorization, and Accounting (AAA) management.

Used by network controllers to verify guest credentials against an external database and log session metrics.

VLAN Segmentation

The practice of dividing a physical network into multiple logical networks to isolate traffic.

Mandatory for PCI DSS compliance to ensure guest WiFi traffic cannot route to payment card environments.

HTTP 302 Redirect

A standard HTTP response status code indicating that the requested resource has been temporarily moved to a different URL.

The mechanism used by network controllers to intercept a guest's initial web request and push their browser to the splash page.

IEEE 802.1X

An IEEE standard for port-based network access control, requiring devices to authenticate before gaining access to the network.

Provides enterprise-grade security by ensuring each connection is individually authenticated, often backed by a RADIUS server.

WPA3-Enterprise

The latest Wi-Fi security protocol, providing robust encryption and requiring 802.1X authentication.

Recommended for secure enterprise deployments to protect against offline dictionary attacks and ensure data confidentiality.

MAC Authorisation Bypass (MAB)

A method of granting network access based on the client device's MAC address rather than requiring explicit user credentials.

Often used in click-through captive portals where the portal registers the MAC address after the user accepts the terms of service.

Worked Examples

A 350-room hotel needs to deploy a branded guest WiFi portal that captures email addresses for their loyalty programme, ensuring compliance with GDPR and isolating guest traffic from the corporate network.

The IT team deploys Cisco Meraki APs and configures a dedicated guest SSID on VLAN 100. In the Meraki Dashboard, they set the splash page to 'Sign-on with my RADIUS server' and enter Purple's portal URL. They configure the walled garden to include Purple's IP ranges and CDN domains. Firewall rules are applied to VLAN 100, denying routing to the corporate VLAN to ensure PCI DSS compliance. In the Purple platform, a branded portal is created with a data capture form and explicit GDPR consent checkboxes. The Purple CRM connector is configured to sync captured emails directly to the hotel's marketing platform.

Examiner's Commentary: This approach correctly addresses both the technical and commercial requirements. VLAN segmentation ensures security and compliance, while the integration with Purple provides the necessary consent capture and CRM synchronisation. The use of RADIUS ensures accurate session tracking.

A regional retail chain with 40 stores requires a consistent guest WiFi experience across all locations, with centralised management and store-level footfall analytics.

The retailer deploys HPE Aruba APs managed via Aruba Central. A single guest WLAN template is created with an external captive portal pointing to Purple. The pre-authentication role is configured with the necessary walled garden ACLs. This template is applied across all 40 sites using Aruba Central's group policy. In Purple, a unified portal design is deployed, with analytics dashboards configured to segment data by individual store locations.

Examiner's Commentary: Using Aruba Central's template-driven configuration eliminates configuration drift across the 40 sites. The integration with Purple allows the marketing team to compare footfall and dwell time metrics across the entire estate from a single interface, demonstrating the value of a hardware-agnostic intelligence layer.

Practice Questions

Q1. A venue reports that guests connecting to the WiFi are seeing a blank screen instead of the branded splash page. The portal uses custom fonts hosted on Google Fonts. What is the most likely configuration error?

Hint: Consider what traffic is permitted before a user authenticates.

View model answer

The walled garden is incomplete. The Google Fonts CDN domains have not been added to the pre-authentication ACL. The controller is blocking the request to load the fonts, causing the page render to fail.

Q2. To comply with PCI DSS, an IT manager creates a new SSID named 'Guest_WiFi' on the same subnet as the corporate network. Is this sufficient?

Hint: PCI DSS requires isolation of the cardholder data environment.

View model answer

No. Creating a separate SSID on the same subnet does not provide network isolation. The guest network must be placed on a dedicated VLAN with firewall rules explicitly denying routing to the corporate or POS networks.

Q3. A retail chain notices that their analytics dashboard shows 1,000 authentications per day, but the average dwell time metric is missing or zero. What configuration step was missed?

Hint: Which protocol is responsible for tracking session duration?

View model answer

RADIUS Accounting has not been configured on the controller. Without the Accounting-Start and Accounting-Stop messages, the analytics platform cannot calculate the duration of the sessions.

Continue reading in this series

Integrating WeChat WiFi Authentication: Captive Portal Onboarding for APAC Customers

WeChat has 1.41 billion monthly active users, making it the primary digital identity for Chinese consumers globally. This guide explains how to integrate WeChat OAuth 2.0 authentication into enterprise captive portals for APAC venues, covering platform registration, scope selection, RADIUS Change of Authorisation enforcement, and dual-framework compliance with GDPR and China's PIPL. It is aimed at IT managers, network architects, and venue operations directors who need to act this quarter.

Read the guide →

Step-by-Step Guide: Configuring Ruijie Wireless Controllers for Guest WiFi Captive Portals

This guide provides a complete technical walkthrough for configuring Ruijie wireless controllers and gateways to deploy enterprise-grade guest WiFi captive portals. It covers VLAN segmentation, external RADIUS authentication via WISPr protocol, walled garden configuration, and seamless integration with Purple's Identity-Based Networks platform to capture first-party data and drive measurable business value across hospitality, retail, and public-sector environments.

Read the guide →

Step-by-Step Guide: Configuring Ruijie Wireless Controllers for Guest WiFi Captive Portals

This guide provides a complete technical walkthrough for configuring Ruijie wireless controllers and gateways to deploy enterprise-grade guest WiFi captive portals. It covers VLAN segmentation, external RADIUS authentication via WISPr protocol, walled garden configuration, and seamless integration with Purple's Identity-Based Networks platform to capture first-party data and drive measurable business value across hospitality, retail, and public-sector environments.

Read the guide →