You can create a walled garden using either captive portal option.
When captive portal is enabled, cloud-enabled APs intercept the HTTP and HTTPS traffic of unauthenticated users and redirect them to the captive portal splash screen. The captive portal can then authenticate the user. (Authentication can be as simple as asking the user to select a button to accept any terms and conditions for using the network, or it can ask the user for credentials.) If the user passes the captive portal criteria, the captive portal tells the cloud-enabled AP to allow the user onto the network. The captive portal can also assign the user to one of the access control policies that are configured on the AP.
ExtremeCloud supports a captive portal that is firewall friendly. All interactions with the captive portal take place through port 443 or port 80, which firewalls routinely allow for egress traffic. This product also supports captive portals that are on the same side of the firewall as the AP.
For an external captive portal (ECP), the DHCP IPv4 address pool used by unauthenticated clients must be large enough to also provide IP addresses to all APs configured with ECP. This is because each AP creates a virtual interface on each non-authenticated policy VLAN and assigns an IP address to it from the pool.