Captive portal

A captive portal directs users to a landing page before they’re allowed to access the internet.

Captive portal for SSID (2.4 GHz, 5 GHz, 6 GHz)

To turn on captive portal for your SSIDs, select Enable next to the SSIDs and click Apply.

After you turn the captive portal on, click Edit next to the SSID you want to edit and select Enable. You then can configure the captive portal options described below.

Restriction

If your access point has a static IP address, the captive portal may not work when you connect the access point to multiple networks, such as VLANs. You must configure your access point as a DHCP client for the captive portal to work. See LAN-side IP address.

Alternatively, you can create MAC reservations on the connected router. For example, on Sophos Firewall, run the following commands from the device console:

system dhcp conf-generation-method new
system dhcp static-entry-scope global

Landing page

You can customize the landing page with your title, welcome message, corporate logo, and background color. You can also create custom terms of service that users must agree to before accessing the network. The options you can configure are as follows:

  • Template: Choose Default or Custom from the drop-down menu. Custom lets you configure the following options:

    • Page title: Sets the title of the captive portal page seen in the browser.
    • Welcome text: Sets the welcome message seen on the captive portal page.
    • Terms of service: Sets the terms of service that users must agree to before accessing the network.
    • Company logo: Upload your organization's logo in PNG or JPEG format.
    • Background color: Sets the background color of the captive portal page.

Click Preview page to preview the captive portal page as it would appear on a mobile device.

Authentication type

Devices need to authenticate in the captive portal before accessing the internet. Choose from the following authentication options:

  • Authentication type: Choose one of the following authentication types from the drop-down menu:

    • None: No authentication.
    • Backend authentication: Allows authentication via a RADIUS server with Password Authentication Protocol (PAP). You must configure the following options:

      • RADIUS server IP: The IP address of the RADIUS server.
      • RADIUS port: The port to use when connecting to the RADIUS server. Default is 1812.
      • Shared secret: The shared secret to use when connecting to the RADIUS server.
    • Password schedule: Creates a new password automatically on a fixed schedule. You must configure the following options:

      • Schedule: Sets the frequency at which the access point creates a new password. Choose from the following options:

        • daily: Use Time to set the time the access point creates a new password each day.
        • weekly: Use Weekday and Time to set the day of the week and time of day that the access point creates a new password.
        • monthly: Use Week, Weekday, and Time to set the week of the month, day of the week, and time of day that the access point creates a new password.
      • Notifications: Select Notify all admins to notify all Sophos Central admins of the password change.

      To send captive portal password emails, you must configure the following Email settings:

      • Email notification: Turn DD/WW/MM password emails on or off.
      • Email subject: Enter a subject line for the password email.
      • Email server address: The IP address of your SMTP server.
      • SMTP server port: The port to use when connecting to the SMTP server.
      • Sender email: This email address appears as the sender.
      • Recipient email: The access point sends the captive portal password email to this address.
      • Authentication: Choose from the following options:

        • disable: No authentication with the SMTP server.
        • SSL: Authentication with the SMTP server takes place over SSL. You must configure an Account and Password for the SMTP server.
        • TLS: Authentication with the SMTP server takes place over TLS. You must configure an Account and Password for the SMTP server.
    • Social login: Allows authentication via social media accounts. You can configure the following options:

      • Google: Select Enable to allow users to sign in with their Google credentials.

        1. Sign in to the Google Developer Console.
        2. Click Credentials and create a new project.
        3. Click OAuth consent screen, select the User Type and click Create.
        4. Fill in the required fields on the OAuth Consent screen, click Add domain and enter myapsophos.com as the Authorized domain.
        5. Save your changes.
        6. Click Credentials, click Create credentials, and click OAuth client ID.
        7. Choose Web application as the application type, enter a name, and enter the following information:

          • Authorized JavaScript origins: https://www.myapsophos.com
          • Authorized redirect URIs: https://www.myapsophos.com
      • Facebook: Select Enable to allow users to sign in with their Facebook credentials.

        1. Sign in to the Facebook developer site.
        2. Click My Apps and click Add New App.
        3. Select an app type and click Next.
        4. Fill in the required details and click Create App.
        5. Click Settings and click Basic. You can see your App ID.
        6. Click Show to see your App Secret.
      • Authorized domain: You can set the authorized domain for Google and Facebook.

      • Session timeout: You can set Session Timeout between 1 and 24 hours.
      • Re-login timeout: When you select Enable, users don't have to sign in to the network for 24 hours after they authenticate for the first time.
    • Voucher: Use printable vouchers with time limits for authentication. Click Create voucher to create a new voucher with the following settings:

      • Voucher name: Give your voucher a name.
      • Access time: Choose Unlimited to prevent your voucher from expiring. Choose Period to configure the Start date and End date for your voucher.
      • Data limit: Choose Unlimited to give voucher users access to unlimited data. Choose Limit to set the Data limit for the voucher.
      • Amount of vouchers: Select the number of vouchers to create. Maximum of 10.
      • Devices per voucher: Select the number of devices that can use a single voucher. Maximum of 8.
      • Valid for: Select the number of days and hours the voucher is valid for.

Redirect URL

You can set the behavior of the captive portal after users authenticate. You can send authenticated users to the page they initially requested or to a custom URL. The options are as follows:

  • Redirect URL: Choose from the following options:

    • Redirect to original URL: Redirects users to the website they originally wanted to reach after authentication.
    • Custom URL: Redirects users to a specific website after authentication. Enter the URL in the Custom URL field.