Captive Portal Deployment Considerations

Before defining a captive portal configuration for a controller, service platform or access point, refer to the following deployment guidelines to ensure the configuration is optimally effective:

  • The architecture should consider the number of wireless clients allowed and the services provided. Each topology has benefits and disadvantages that should be taken into consideration to meet each deployment's requirements.

  • Captive portal authentication uses secure HTTPS to protect user credentials, but does not typically provide encryption for user data once the user has been authenticated. For private access applications, WPA2 (with a strong passphrase) should be enabled to provide strong encryption.

  • Guest user traffic should be assigned a dedicated VLAN, separate from other internal networks.

  • Guest access configurations should include firewall policies to ensure logical separation is provided between guest and internal networks so internal networks and hosts are not reachable from guest devices.

  • Guest access services should be defined in a manner whereby end-user traffic does not cause network congestion.

  • A valid certificate should be issued and installed on all devices providing captive portal access to the WLAN and wireless network. The certificate should be issued from a public certificate authority, ensuring guests can access the captive portal without browser errors.
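
One way to check the guest VLAN and firewall policy guidelines above before rollout is to audit the ordered rule set offline. The following is an added example, not part of the original documentation or any vendor's tooling. It assumes a vendor-neutral first-match rule list of (action, source, destination) with an implicit deny at the end; the subnets, the rule set and the function name guest_exposures are all constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample data (assumptions, not taken from a real device).
GUEST_NET = ip_network("192.168.50.0/24")          # dedicated guest VLAN subnet
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.10.0/24")]
RULES = [  # evaluated top-down, first match wins, implicit deny at the end
    ("permit", "192.168.50.0/24", "10.1.1.53/32"),   # exception: internal DNS
    ("deny",   "192.168.50.0/24", "10.0.0.0/8"),
    ("deny",   "192.168.50.0/24", "172.16.0.0/12"),
    ("permit", "192.168.50.0/24", "0.0.0.0/0"),      # internet access
]

def guest_exposures(rules, guest_net, internal_nets):
    """Return [(rule_index, internal_prefix)] reachable from the guest subnet."""
    findings = []
    for internal in internal_nets:
        undecided = [internal]        # internal space no earlier rule has matched
        for idx, (action, src, dst) in enumerate(rules):
            src, dst = ip_network(src), ip_network(dst)
            if not src.overlaps(guest_net):
                continue              # rule does not apply to guest clients
            covers_all_guests = guest_net.subnet_of(src)
            remaining = []
            for piece in undecided:
                if not piece.overlaps(dst):
                    remaining.append(piece)
                    continue
                # CIDR blocks either nest or are disjoint: overlap is the smaller one.
                hit = piece if piece.subnet_of(dst) else dst
                if action == "permit":
                    findings.append((idx, str(hit)))
                if not covers_all_guests:
                    remaining.append(piece)   # some guests fall through to later rules
                elif hit != piece:
                    remaining.extend(piece.address_exclude(dst))
            undecided = remaining
    return findings

if __name__ == "__main__":
    for idx, prefix in guest_exposures(RULES, GUEST_NET, INTERNAL_NETS):
        print(f"rule {idx} lets guests reach internal prefix {prefix}")
```

On the constructed rule set this reports the deliberate DNS exception and the 192.168.10.0/24 network that no deny rule covers before the internet permit. Each reported permit should be either a documented exception or fixed by a deny rule placed above it.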