Applies To: WatchGuard Cloud-managed Access Points
A captive portal is a web page that you redirect clients to when they connect to an SSID on your wireless network. The captive portal web page is called a splash page.
With a captive portal you can restrict Internet-only connectivity for guest wireless clients.
You can customize the captive portal splash page images and text in the Custom Branding page.
To enable a captive portal for an SSID, you must enable the Captive Portal option in an access point site.
- Select Configure > Access Point Sites.
The Access Point Sites page opens.
- Edit an existing site, or click Add Site to add a new site.
The Configuration Details page opens.
- Click Add SSID to add an wireless network to the site that will use the captive portal.
Configure these basic SSID settings:
- SSID Name — Type the SSID name. This is the name for this wireless network that appears to wireless clients.
- Broadcast SSID — Use the default settings to broadcast the SSID name to wireless clients.
- SSID Type — Select a Private or Guest wireless network. If you select Guest, this also enables client isolation in the advanced SSID settings to prevent direct communication between guest wireless clients.
- Radio — Select the access point radios that will broadcast this SSID. For this example, use the default setting of 2.4 GHz and 5 GHz to broadcast on both radios.
- Security — Select the type of security for this SSID. If you want to secure the network, use at minimum WPA2 Personal. Many public hotspots use Open, so you do not have to provide a passphrase, but this also allows unauthorized users access to the network. OWE (Opportunistic Wireless Encryption, also known as Enhanced Open) is also available for 802.11ax devices. OWE enables you to create an open network that can encrypt data to provide data privacy without authentication. However, both the access point and client must support OWE.
After you complete the SSID configuration, return to the site configuration settings.
- Click Captive Portal.
The Captive Portal settings page opens.
- Configure these Captive Portal settings:
- Select SSID — Select the SSIDs that will use the captive portal. Wireless clients that connect to this SSID will be redirected the captive portal splash page.
- Captive Portal Reserved IP Address Range — The portal uses an internal reserved IP address range that replaces the NAT settings of the SSID you selected when the wireless client connects to the portal. Select a recommended IP address range that is not currently in use by the NAT settings of the SSID. WatchGuard Cloud determines these recommended reserved IP addresses based on the NAT network settings of SSIDs configured in the site. You must also consider the network where the access point is deployed and any SSIDs created in the device configuration. If your access point receives IP address settings from DHCP, make sure that the DHCP address does not conflict with the reserved IP address range selected for captive portal internal use.
This IP address range is for internal use only by the captive portal. The wireless client still uses the IP address assigned to it from the SSID (NAT or bridged address) after connecting through the Captive Portal.
- Splash Page — The splash page is the web page that appears when a wireless client connects to an SSID with a captive portal. You can customize the splash page images and text in the Custom Branding page in Administration > Branding.
You can configure these settings:
- Logo and background image — Logos and images are shared with other account features such as the WatchGuard Cloud login page, emails, and report headers.
- Header title, body and button text, footer text
- Landing page URL — The URL of the web site to which the user is redirected after they connect through the splash page.
- Advanced Captive Portal Settings
- Session Timeout — Type the time, in seconds, after which the wireless client's captive portal session expires and the client must re-authenticate to the portal splash page. You can enter a value between 0 and 604,800 seconds (7 days). The default is 86,400 seconds (24 hours).
When wireless clients authenticate to a captive portal from an access point, and then roam to a different access point, the client does not need to re-authenticate to the captive portal on the new access point unless the captive portal session time has expired. The access points must have the same site configuration applied to enable captive portal clients to roam without re-authentication.
- Idle Timeout — Type the time, in seconds, after a wireless client disconnects that the client must re-authenticate to a captive portal session through the portal splash page. If the client re-establishes a connection before the idle timeout value, the client does not have to re-authenticate with the portal. You can enter a value between 0 and 604,800 seconds (7 days). The default is 86,400 seconds (24 hours).
- Walled Garden — A Walled Garden is a list of domains and IP addresses that wireless clients can access before they pass the portal splash page to access the Internet. Consider adding your company and support information site to your Walled Garden for users to access help before they connect. To add a Domain Name or Network IPv4 IP address, click Add Destination.
The Walled Garden already includes default internal domains for branding images from WatchGuard Cloud and fonts from fonts.googleapis.com and fonts.gstatic.com.
- Click Save.