What is a Captive Portal?

A captive portal is a web page that is automatically displayed to users when they first connect to a WiFi network. Until the user interacts with the portal — by accepting terms, entering a password, submitting a voucher code, or completing a form — their device is blocked from accessing the internet. It is the login screen you see when connecting to WiFi at a hotel, airport, or coffee shop.

The process works like this: a guest selects your WiFi network and connects. Their device attempts to reach the internet, but the network gateway intercepts the request and redirects the browser to the captive portal page. The guest then authenticates using whatever method you have configured — a simple click, a voucher code, a phone number for SMS verification, or a username and password. Once authenticated, the gateway allows the device through to the internet, subject to any bandwidth or time limits you have set.

Captive portals are managed through your network controller. On the TP-Link Omada platform, the portal is configured within the Omada Controller or Omada Central, giving you full control over the look, authentication method, and access policies — all from a single dashboard.

Why Your Business Needs a Captive Portal

Offering guest WiFi without a captive portal is like leaving your front door open and hoping only the right people walk in. A captive portal gives you control, security, and visibility over who is using your network and how.

Security — Isolate Guests from Your Business Network

The most important reason for a captive portal is network segmentation. Guest devices should never share the same network as your business systems, point-of-sale terminals, CCTV, or internal file servers. A captive portal works alongside VLANs to ensure guest traffic is completely isolated from your business network. Even if a guest device is compromised, it cannot reach your internal systems.

Legal Compliance — Terms of Use Acceptance

When you provide public WiFi, you take on a degree of responsibility for how it is used. A captive portal allows you to present terms of use that guests must accept before connecting. This creates a record of acceptance and helps protect your business from liability if a guest misuses the connection. For businesses in the UK, this is an important consideration under the Digital Economy Act and general duty-of-care obligations.

Marketing — Collect Email Addresses and Display Promotions

A captive portal is a direct touchpoint with every guest who connects to your WiFi. Using form-based authentication, you can collect email addresses, names, and other details before granting access. The portal page itself can display your branding, current promotions, social media links, or loyalty programme information. For hospitality and retail businesses, this turns your WiFi into a marketing channel.

Bandwidth Control — Limit Guest Usage

Without controls, a single guest streaming video can consume enough bandwidth to slow down your entire network. Captive portals work with rate limiting to cap the upload and download speeds available to each guest. You can also set session time limits — for example, granting two hours of access per voucher — ensuring fair usage across all guests.

Professional Image

A branded captive portal with your logo, colours, and a clean layout tells guests that your business takes technology seriously. It is a small detail that contributes to the overall impression of professionalism and quality — far better than scribbling a WiFi password on a napkin.

Authentication Types Explained

The TP-Link Omada platform supports a wide range of authentication methods for captive portals. The right choice depends on your business type, security requirements, and how much friction you want guests to experience when connecting.

No Authentication (One-Click Login)

The simplest option. Guests connect to the WiFi, see the portal page, and click a single button to accept terms and gain access. There is no password, no code, and no form to fill in. This is ideal for businesses that want to offer WiFi with minimal friction — cafes, waiting rooms, and public spaces where ease of access matters more than tracking individual users.

Simple Password

A shared password that is displayed at reception, printed on a sign, or given verbally to guests. All guests use the same password to authenticate through the portal. Simple to manage and easy for guests to understand. The downside is that the password can be shared beyond your intended audience, so it should be changed regularly.

Voucher

Unique, time-limited codes generated by the Omada Controller. Each voucher is a one-time-use code that grants access for a set duration — one hour, one day, one week, or any custom period. Vouchers can be printed and handed to guests at check-in, left in hotel rooms, or distributed by reception staff. This is the most popular method for hotels, B&Bs, and serviced accommodation because it gives you precise control over who has access and for how long.

Local User

Username and password accounts created directly on the Omada Controller. Each guest or user gets their own credentials, which can be set to expire after a defined period. This is useful for longer-term guests, co-working spaces, or situations where you want named accounts rather than anonymous vouchers.

SMS Verification

Guests enter their mobile phone number on the portal page and receive a verification code via text message. They enter the code to gain access. This method ties each connection to a real phone number, providing a higher level of accountability than anonymous access. It is commonly used in retail, restaurants, and public venues where you want to verify identity without creating accounts.

RADIUS Server

Enterprise-grade authentication using an external RADIUS server. Guest or staff credentials are verified against a centralised authentication database. This is the standard approach for larger organisations that already have RADIUS infrastructure, or for businesses that need to integrate WiFi authentication with existing identity management systems.

Form Authentication

Guests fill in a customisable form — typically name, email address, and optionally other fields — before being granted access. The collected data is stored and can be exported for marketing purposes. This is popular with retail businesses, event venues, and any organisation that wants to build a guest database from WiFi usage.

External LDAP Server

Authenticate guests or staff against an existing LDAP directory, such as Microsoft Active Directory. This allows employees to use their existing corporate credentials to connect to WiFi, and can also be used for guest authentication in environments where an LDAP directory is already in place.

External Portal Server

Redirect guests to a third-party portal hosted on an external server. This is used when businesses want to integrate with a specialist WiFi marketing platform, a third-party analytics provider, or a custom-built portal application. The Omada controller handles the redirect and access control, while the external server manages the portal experience.

Voucher Management

For many businesses — especially hotels, B&Bs, and serviced offices — vouchers are the preferred authentication method. The Omada platform provides a comprehensive voucher management system built into the controller.

You can centrally create and manage vouchers from the Omada Controller or Omada Central. Vouchers are generated in batches — create 50 one-day vouchers for a hotel, or 10 four-hour vouchers for a conference. Each voucher has a unique code and can be configured with specific time limits and bandwidth caps.

Vouchers can be printed directly from the controller for distribution to guests. The print layout supports customised language and currency settings, so you can tailor the printed vouchers to your business and location. Reception staff simply print a voucher and hand it to the guest at check-in.

The controller provides full statistics on voucher usage — how many have been issued, how many are active, when they expire, and how much bandwidth each has consumed. You can revoke individual vouchers at any time if a guest checks out early or if a code is compromised. This level of control makes vouchers the most manageable and secure option for transient guest access.

Hotspot Manager

The Omada platform includes a dedicated Hotspot Manager — a portal management system designed for monitoring and managing authorised clients across your guest WiFi network. The Hotspot Manager gives you a centralised view of all connected guests, their authentication status, session duration, and bandwidth usage.

One of the most practical features is the ability to create Hotspot Operator accounts. These are limited-access accounts designed for receptionists, secretaries, or front-desk staff who need to manage guest WiFi access without having full administrator privileges on the network controller. A Hotspot Operator can grant access to new guests, revoke access for guests who have checked out, and extend session times for guests who need longer access — all through a simple interface that does not expose any of the underlying network configuration.

This separation of duties is important for businesses where multiple staff members need to manage guest access throughout the day. The receptionist at a hotel does not need to see VLAN configurations or firewall rules — they just need to issue and manage guest access. Hotspot Operator accounts provide exactly that level of access and nothing more.

Pre-Authentication and Authentication-Free Access

Not all traffic needs to be blocked before a guest authenticates. The Omada captive portal supports pre-authentication access, which allows you to specify certain subnets or URLs that guests can reach before they log in. This is useful for allowing access to your business website, a booking portal, or specific internal resources that guests need before they authenticate.

You can also configure authentication-free clients — devices that are whitelisted by MAC address and bypass the captive portal entirely. This is practical for devices like smart TVs in hotel rooms, digital signage displays, printers in co-working spaces, or any device that cannot interact with a web-based portal. These devices connect to the guest SSID and receive internet access automatically without needing to authenticate.

Both features give you the flexibility to tailor the guest experience without compromising the overall security model. Pre-authentication access ensures guests can reach essential resources immediately, while authentication-free clients keep your non-interactive devices online without manual intervention.

How We Set Up Captive Portals

At Drakos Systems, we follow a structured process for every captive portal deployment to ensure the solution fits your business and works reliably from day one.

• Assess Requirements: We start by understanding your business — how many guests you expect, what level of authentication is appropriate, whether you need marketing data collection, and what your branding requirements are. A hotel has very different needs from a cafe or a corporate office
• Configure SSID and VLAN: We create a dedicated guest SSID and assign it to a separate VLAN, ensuring guest traffic is fully isolated from your business network. This is non-negotiable — guest devices must never have access to your internal systems
• Set Up Portal with Branding: We design and configure the captive portal page with your logo, colours, and messaging. The portal is the first thing guests see when they connect, so it needs to look professional and reflect your brand
• Configure Authentication Method: Based on your requirements, we set up the appropriate authentication type — voucher, form auth, SMS, simple password, or any combination. We configure time limits, bandwidth caps, and session policies to match your usage expectations
• Test: We test the complete guest journey on multiple devices — phones, tablets, and laptops across iOS, Android, and Windows — to ensure the portal displays correctly and authentication works reliably. We also verify that guest devices cannot reach the business network
• Train Staff on Voucher and User Management: We train your reception or front-desk staff on how to generate vouchers, create local user accounts, revoke access, and use the Hotspot Manager. If we have set up Hotspot Operator accounts, we walk staff through the simplified interface so they are confident managing guest access independently

Industries That Benefit Most

Captive portals are valuable for any business that offers guest WiFi, but some industries benefit more than others.

Hotels and B&Bs

Voucher-based authentication is the natural fit. Generate a unique voucher for each room or each guest at check-in, with the access duration matching the length of stay. Guests get a professional, branded login experience, and you maintain full control over who is on your network and for how long.

Cafes and Restaurants

A simple password or form-based authentication works well. A shared password displayed on a chalkboard or menu keeps things simple for customers, while form auth lets you collect email addresses for marketing. Time limits prevent customers from occupying tables all day on a single coffee.

Offices

A separate guest SSID with a captive portal keeps visitor devices isolated from the corporate network. Visitors authenticate through a simple password or local user account, while staff connect to the main business SSID using PPSK or 802.1X. This dual-network approach is standard practice for any security-conscious office.

Care Homes

Separate networks for residents and visitors, each with appropriate authentication and bandwidth controls. Residents may have persistent local user accounts, while visitors use a simple portal with terms acceptance. The care home's operational network for medical devices and staff systems remains completely isolated.

Schools and Education

PPSK for students and staff provides secure, individualised access to the main network. A captive portal on a separate guest SSID handles visitors — parents, inspectors, and contractors — with form-based or simple password authentication. Content filtering can be applied to both networks with different policies.

Retail

Form-based authentication turns your guest WiFi into a data collection tool. Customers provide their email address to connect, building a marketing database that you can use for promotions, loyalty programmes, and customer engagement. The portal page itself can display current offers and drive in-store purchases.