Enable a Captive Portal

A captive portal is a web page to which a client is redirected when they connect to a guest SSID. The client can gain access to the Internet after they successfully authenticate or accept the terms of use on the portal page. This enables you to restrict wireless connectivity (such as Internet-only connectivity) for guest wireless clients.

You can create portal splash pages with Analyze and Engage, or you can host your own splash page on an external server.

Analyze and Engage captive portal features require a Total Wi-Fi AP subscription.

To enable and manage Captive Portals with Analyze, see About Portal Management.

You can create Captive Portal splash pages with Engage. For more information, see About WatchGuard Engage.

Configure Captive Portal Settings

To enable and configure captive portal settings in an SSID profile:

  1. Open Manage.
  2. Select Configuration > Device Configuration > SSID Profiles.
  3. Select an existing SSID profile or create a new profile.
  4. Expand the Captive Portal section.
  5. Select the Enable Captive Portal check box to display a portal page to clients on the guest network.

Captive Portal settings page

  6. Select a captive portal type:
  7. Configure your Walled Garden and Authentication Sites.

A walled garden is a method to provide a list of restricted Internet sites that guest users can get access to without redirection to a portal splash page. Authentication sites are sites that a guest user can use for authentication to receive Wi-Fi access through the portal.

For more information, see About Authentication Sites and Walled Garden.

  8. In the Redirect URL text box, specify the URL to redirect to after the user authenticates on the portal page.

If you leave this option undefined, the browser is redirected to the original URL requested when the portal page was displayed.

  9. Select the Roaming check box if you do not want Wi-Fi clients to see the splash page when they roam from one AP to another.
  10. Select the Enable Internet connectivity detection check box if you want to check Internet connectivity and display a portal error page if Internet connectivity is lost.

Use the Enable Internet connectivity detection feature to provide feedback to guests when the Internet is temporarily unavailable on the guest SSID. When the AP detects that Internet connectivity is not available from the guest VLAN, it automatically redirects all HTTP requests from guest users to a splash page. A message is displayed that the Internet is temporarily unavailable. When you use the AP Hosted Splash Page for Click-through option, a customized splash page included in the bundle with the name “NoInternet.html” is displayed when the Internet is not available. If this page is not included in the bundle, or if external splash page options are configured, the AP displays a factory-default splash page when Internet connectivity is unavailable.

If Internet connectivity is interrupted, guest users cannot get access to local HTTP services if the Enable Internet connectivity detection feature is enabled. The Enable Internet connectivity detection feature does not work for an SSID profile configured with GRE.

  11. In the Login Timeout text box, specify the time, in minutes, during which a wireless user can get access to the guest network after they submit the portal page.

After the timeout, access to the guest network is blocked and the portal page is displayed again. The user has to submit the portal page to regain access to the guest network. If the user disconnects and reconnects to the guest network before the session times out, the user does not have to enter their credentials on the splash page. If you use Analyze and you have specified a login timeout, this login timeout overrides the login timeout setting in the SSID profile.

  12. In the Blackout Time text box, specify the time, in minutes, for which a user is not allowed to log in after the previous successful session timed out.

For example, if the session timeout is one hour and the blackout time is 30 minutes, a user will be timed out one hour after a successful login. After this point, the user cannot log in again for 30 minutes. At the end of 30 minutes, the user can log in again.

  13. In the Service Identifier text box, specify the identifier you have defined in Advanced Parameters.

This is a free-form parameter that can be passed to the external portal. The external portal uses this parameter to implement SSID profile-specific functionality. For example, each SSID can have a separate portal page defined.

  14. Select Enable HTTPS Redirection to securely redirect a user to the portal when the user tries to get access to an HTTPS site. If HTTPS Redirection is not enabled, the client is not redirected to the captive portal if they first browse to an HTTPS site. Type the organization details (Common Name, Organization, and Organization Unit) to use as the information for HTTPS redirection purposes.
  15. Click Save.

Advanced External Portal Parameters

You must configure the external portal parameters if you want to redirect users to a portal page hosted on an external server.

All request and response attributes that are marked with an asterisk are mandatory. The request parameters and attributes are sent from the AP to the external portal. The response parameters are sent from the external portal to the AP. These parameters are used in the name-value pairs in the redirection URL. The following table explains the request and response attributes in detail.

Request Attributes

Request Type: Field name for the request type field
Field name for random text used for authentication
Client MAC: Field name for the MAC address of the client
AP MAC Address: Field name for the MAC address of the AP that is communicating with the external portal
AP IP Address: Field name for the IP address of the AP that is communicating with the external portal. This should match the field name used by the external portal.
AP Port Number: Field name for the AP port number on which the AP and external server communicate.
Failure Count: Field name for the count of the number of failed login attempts.
Requested URL: Field name for the requested URL which is the URL requested by the client through the AP to the external server.
Login URL: Field name for the login URL.
Logoff URL: Field name for the logoff URL.
Remaining Blackout Time: Field name for the remaining blackout time.
Service Identifier: Name of the portal parameter that is used to pass the service identifier value to the external portal. The service identifier value is specified in the Captive Portal section of the SSID Profile. This parameter can be used by the external portal to implement SSID profile specific functionality such as different portals for different SSIDs.

Response Attributes

Field name for the challenge
Response Type: Field name for the response type
Challenge Response: Field name for the challenge response
Redirect URL: Field name for the redirect URL
Login Timeout: Field name for login timeout
User name: Field name for user name
Field name for password

The individual field names used by the AP should match the corresponding field names used by the external server hosting the portal. The AP and the external server might not be able to communicate if the name of the same parameter is different.
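
The following Python function is an added example, not WatchGuard code: it shows how an external portal could check an incoming redirection URL against the field names it expects and report a mismatch with the names configured on the AP. The field names, the mandatory set, the syntax checks, and the sample URLs are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical field names; they must equal the names configured on the AP.
FIELD_NAMES = {
    "request_type": "res", "challenge": "challenge", "ap_ip": "ap_ip",
    "client_mac": "client_mac", "ap_mac": "ap_mac", "ap_port": "ap_port",
    "failure_count": "failcount", "requested_url": "userurl",
}
# Assumed mandatory set; use the attributes marked with an asterisk in your setup.
MANDATORY = {"request_type", "challenge", "client_mac", "ap_ip", "ap_port"}
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

# Constructed sample redirection URLs (not captured from a real AP).
SAMPLE_OK = ("https://portal.example.com/splash?res=login&challenge=3f9a1c"
             "&client_mac=00:11:22:33:44:55&ap_ip=192.0.2.10&ap_port=80"
             "&userurl=http%3A%2F%2Fexample.com%2F")
# Same request, but the AP is configured to send "mac" instead of "client_mac".
SAMPLE_MISMATCH = SAMPLE_OK.replace("client_mac=", "mac=")


def parse_portal_request(url, field_names=FIELD_NAMES):
    """Return (attributes, problems) for a redirection URL seen by the portal."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    attrs, problems = {}, []
    for attr, name in field_names.items():
        values = query.pop(name, [])
        if len(values) > 1:
            problems.append(f"{attr}: field '{name}' sent more than once")
        elif values and values[0]:
            attrs[attr] = values[0]
        elif attr in MANDATORY:
            problems.append(f"{attr}: mandatory field '{name}' missing")
    # Leftover names usually mean the AP and the portal disagree on a field name.
    problems += [f"unexpected field '{n}'" for n in sorted(query)]
    for attr in ("client_mac", "ap_mac"):
        if attr in attrs and not MAC_RE.fullmatch(attrs[attr]):
            problems.append(f"{attr}: not a MAC address")
    try:
        ipaddress.ip_address(attrs.get("ap_ip", "0.0.0.0"))
    except ValueError:
        problems.append("ap_ip: not an IP address")
    port = attrs.get("ap_port", "1")
    if not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
        problems.append("ap_port: not a valid port")
    scheme = urlsplit(attrs.get("requested_url", "http://")).scheme
    if scheme not in ("http", "https"):
        problems.append("requested_url: scheme is not http or https")
    return attrs, problems
```

Logging the returned problems on the portal side makes a field-name mismatch visible as a "missing" attribute paired with an "unexpected field", instead of a silent authentication failure.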