On the Wireless Protection > Hotspots > Hotspots tab you can manage different hotspots.

Note – A hotspot has to be assigned to an existing interface, typically a WLANClosed interface. All hosts using this interface will automatically be restricted by the hotspot. Therefore, before you create a hotspot you would typically create a wireless network with client traffic Separate Zone, then create an interface for the respective WLAN interface hardware. For more information, see Wireless Protection > Wireless Networks.

To create a hotspot, proceed as follows:

  1. Click Add Hotspot.

    The Add Hotspot dialog box opens.

  2. Make the following settings:

    Name: Enter a descriptive name for this hotspot.

    Interfaces: Add the interfaces which are to be restricted by the hotspot. Please ensure that for the selected interfaces a firewall rule exists which allows the desired traffic. An interface can only be used by one hotspot.

    Caution – You should not select an uplink interface here because traffic to the Internet will completely be blocked afterwards. Additionally, we strongly advise against using interfaces used by servers which provide essential services like authentication. You may irreversibly lock yourself out of WebAdmin!

    Administrative Users: Add or select users for administrative settings. Administrative users are allowed to create vouchers or change the password of the day in the User Portal. By default nobody is allowed to make administrative settings.

    Redirect to HTTPS: If enabled, users will be redirected to HTTPS.

    Hotspot type: Select the hotspot type for the selected interfaces.

    Note – If you select Backend authentication a new entry field for OTP token appears on the login form if Hotspot is configured as an OTP facility.

    Note – Every hotspot type drops the packets if the conditions are not fulfilled. ICMP packets types 8 and 0 (Echo Request and Echo Reply) will not be dropped.

    Password creation time (only with Hotspot type Password of the day): The assigned time of the day at which the new password will be created. At this time the former password will immediately get invalid and current sessions will be cut off.

    Send password by email to (only with Hotspot type Password of the day): Add email addresses to which the password shall be sent.

    Voucher definitions (only with Hotspot type Voucher): Add or select the voucher definitions you want to use for the hotspot. How to add a voucher definition is explained on the Voucher Definitions page.

    Devices per voucher (only with Hotspot type Voucher): Enter the number of devices which are allowed to log in with one voucher during its lifetime. It is not recommended to use the unlimited entry.

    Hotspot users (only with Hotspot type Backend Authentication): Select the users or user groups or add the users that should be able to access the hotspot via backend authentication. Typically, this is a backend user group.

    Session expires (only with Hotspot type Terms of Use Acceptance or Backend Authentication): Select the time span after which the access will expire. After that, with the hotspot type Terms of Use Acceptance, the users have to accept the terms of use again to log in. With the hotspot type Backend Authentication, the users have to authenticate again.

    Synchronize password with PSK of wireless networks (only with Hotspot type Password of the day): Select this option to synchronize the new generated/saved password with wireless PSK for separate zone networks.

    Note – With the new PSK all APs that are configured with a separate zone wireless network that is also used as a hotspot interface will be reconfigured and restarted. This means all connections will be dropped.

    Users have to accept terms of use (not with Hotspot type Terms of Use Acceptance): Select this option if you want the hotspot users to accept your terms of use before accessing the Internet.

    Redirect to URL after login: If selected, after entering the password or the voucher data, the users will be redirected automatically to a particular URL, e.g., your hotel's website or a webpage stating your portal system policies.

    Note – When you select hotspot type Voucher the Redirect to URL after login does not automatically redirect to the configured URL. Users will be redirected to a statistics page which contains important information about the voucher, e.g. period of validity. Users will be able to continue to the configured URL when they click on the link: You will be redirected to [URL].

    Comment (optional): Add a description or other information.

  3. Optionally, make the following hotspot customization settings:

    By default, users will be presented a login page with the Sophos logo. You can use a customized HTML file with your own images and stylesheets. Additionally, you can customize the voucher layout.

    Customization type: Select the customization type. The following types are available:

    Voucher template (only with hotspot type Voucher): Clicking the Folder icon opens a window where you can select and upload the PDF file with the voucher layout. By default, a default template is used. You can restore the default clicking the Restore Default button. The voucher PDF file has to have a PDF version PDF 1.5 or lower. It may have any page size and format—both size and format will be adjust during voucher creation in the User Portal, depending on page size and number of vouchers per page specified there. You can download the default PDF template on the Wireless Protection > Hotspots > Global tab.

    The PDF file may contain the following variables that will be replaced with the respective values during voucher generation in the User Portal:

    Note – When using variables, the PDF file must include the entire character sets of the fonts used. When a variable is replaced by its value, and one of the substitute characters is not available, it will be displayed incorrectly. We recommend to add the string <?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?> (for English usage) to your PDF file, which will automatically be removed during voucher generation. If you use another language, you can include any other character set you want. Additionally, it is recommended to use a separate line for the variables as the layout could get corrupted if the substituted text is too long.

  4. Click Save.

    The hotspot will be created and appears on the Hotspots list.

Tip – You can open a preview of the login page after saving the hotspot. In the Hotspots list just click the button Preview Login Page of the respective hotspot.

To either edit or delete a hotspot, click the corresponding buttons.

Cross Reference – Find information about enabling backend authentication for hotspots in the Sophos Knowledge Base.

Using Variables in Login Page Template

The HTML template for the login page may contain various variables that can dynamically insert information for the hotspot login page. When Sophos UTM processes a template in order to display a login page, it replaces any template variables with the relevant value. Valid variables are:

Templates can contain if variables that make up sections like the ones shown below. Each section has an opening and a closing variable. The contents of an if section is only displayed on a specific condition.

If Section Meaning


Section is displayed when the user has successfully logged in.
Section is displayed when the user has not yet logged in, e.g., because terms of use have to be accepted or because an error occurred.
Section is displayed when hotspot type is Password of the day.
Section is displayed when hotspot type is Terms of Use Acceptance.
Section is displayed when hotspot type is Voucher.
Section is displayed when hotspot type is Backend Authentication.
Section is displayed when the user has been redirected.
Section is displayed when the checkbox Redirect to URL after login is enabled.
Section is displayed when the checkbox Redirect to URL after login is disabled.
Section is displayed when a validity period is set for a voucher.
Section is displayed when a data volume is set for a voucher.
Section is displayed when a time quota is set for a voucher.
Section is displayed when a Devices per voucher value is specified.
Section is displayed when Terms of Use are defined and enabled.
Section is displayed when an error occurred while trying to log in.

User-Specific Login Form

If you want to create your own login form instead of using the pre-defined <?login_form?> variable, consider the following:

Cross Reference – Find information about customizing the login page for Sophos UTM hotspots in the Sophos Knowledge Base.

© 2019 Sophos Limited Sophos UTM 9.600