Before defining a captive portal configuration for a controller, service platform or access point, refer to the following deployment guidelines to ensure the configuration is optimally effective:
The architecture should consider the number of wireless clients allowed and the services provided. Each topology has benefits and disadvantages which should be taken into consideration to meet each deployment's requirements.
Captive portal authentication uses secure HTTPS to protect user credentials, but does not typically provide encryption for user data once the user has been authenticated. For private access applications, WPA2 (with a strong passphrase) should be enabled to provide strong encryption.
Guest user traffic should be assigned a dedicated VLAN, separate from other internal networks.
Guest access configurations should include firewall policies that provide logical separation between guest and internal networks, so that internal networks and hosts are not reachable from guest devices.
Guest access services should be defined in a manner whereby end-user traffic does not cause network congestion.
A valid certificate should be issued and installed on all devices providing captive portal access to the WLAN and wireless network. The certificate should be issued by a public certificate authority so that guests can access the captive portal without browser errors.
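One way to check the guest VLAN and firewall guidelines above before deployment, as an added example that is not part of the original guidelines or any product's own tooling: it walks an ordered, first-match rule list and reports every internal range a guest address could still reach. The rule model, the subnets and the implicit-deny default are assumptions constructed for illustration.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample values (assumptions, not taken from a real configuration).
GUEST_NET = ip_network("10.50.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/16"), ip_network("192.168.10.0/24")]

# Hypothetical ordered rule list, first match wins: (action, source, destination).
RULES = [
    ("permit", "10.50.0.0/24", "10.0.1.53/32"),     # intentional exception: DNS
    ("deny",   "10.50.0.0/24", "10.0.0.0/8"),
    ("deny",   "10.50.0.0/24", "192.168.10.0/25"),  # mask too narrow: upper half missed
    ("permit", "10.50.0.0/24", "0.0.0.0/0"),        # Internet access for guests
]

def subtract(nets, cut):
    """Return `nets` with the address space of `cut` removed."""
    out = []
    for n in nets:
        if not n.overlaps(cut):
            out.append(n)
        elif not n.subnet_of(cut):        # cut lies strictly inside n
            out.extend(n.address_exclude(cut))
    return out

def exposed_ranges(rules, guest, internal_nets):
    """Internal ranges that some guest address is permitted to reach."""
    exposed = []
    for target in internal_nets:
        undecided = [target]              # space no earlier rule has matched yet
        for action, src, dst in rules:
            src, dst = ip_network(src), ip_network(dst)
            if action == "permit" and src.overlaps(guest):
                # Conservative: any guest overlap on a permit counts as exposure.
                exposed += [n if n.subnet_of(dst) else dst
                            for n in undecided if n.overlaps(dst)]
                undecided = subtract(undecided, dst)
            elif action == "deny" and guest.subnet_of(src):
                # A deny only counts if it covers the whole guest subnet.
                undecided = subtract(undecided, dst)
        # Anything still undecided is assumed to hit an implicit deny.
    return sorted(collapse_addresses(exposed))

if __name__ == "__main__":
    for net in exposed_ranges(RULES, GUEST_NET, INTERNAL_NETS):
        print("guest-reachable internal range:", net)
```

Every reported range is either a deliberate exception to confirm (the DNS host here) or a gap in the policy (the upper half of 192.168.10.0/24, missed by a deny with too narrow a mask).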