Configure Captive Portal in InControl2

Introduction

This article describes, step by step, how to configure Captive Portal in InControl2. With captive portals you can offer internet access to your guests and control connection time and speed, data usage limits, and more. By creating captive portals in InControl2, you can apply the same configuration to all of your Peplink Access Points, or a selection of them, in just a few clicks.

Sign in to InControl2

Select your Wi-Fi AP settings and click on the “Add new SSID” button


A screen pops up to configure the SSID settings:


Let’s go through the available options:


Name your SSID.


Tick this box to enable the SSID when you have finished configuring the SSID.

Select the required security. The SSID supports several encryption methods (see below); if you are not sure, choose WPA2 – personal.


Tick the box if you want to Enable Layer 2 isolation; this feature stops WiFi client devices from communicating with each other, but the clients are still able to access the rest of the LAN.


Choose if you want your SSID to be visible (or not).

If you want to block your SSID clients from accessing your LAN, tick the guest protect box.
This is strongly recommended for public Wi-Fi (in combination with Layer 2 isolation).


If you want to limit the bandwidth for your SSID Wi-Fi you have the possibility to do that here.


Set your VLAN ID and enable VLAN tagging (leave default settings if you aren’t sure).


Select one of the MAC filter options if you want to filter access to your SSID by MAC address.


Select multicast filtering, multicast rate and IGMP snooping.
This can stay disabled in most cases.

Select which radio channel band you want to advertise; 5 GHz is a newer and faster technology. If you aren’t sure, leave both options ticked.


Choose on which of your Peplink devices you want to enable this SSID. When you “tag” your devices you can include or exclude some of your devices.


Tick this option to enable your Captive Portal.


Select if you want to publish your SSID on all your routers and access points or on your routers only.

Note: Captive portal will be applied to Pepwave MAX and Peplink Balance One only. This is useful when Pepwave APs are set up on the LAN of Peplink/Pepwave router(s). The same SSID shall be applied to all devices. But to avoid double redirections, the captive portal shall only be applied to the Peplink/Pepwave router(s).

You now see 6 different ways of configuring your captive portal:

  • Social
  • Open Access
  • Guest Account
  • Token
  • E-mail
  • SMS

Social

For more details on the social Wi-Fi configuration options, follow the instructions at this link: http://www.peplink.com/knowledgebase/how-to-set-up-social-wi-fi/

Open Access

If you want to allow Open Access to your Wi-Fi tick the enable box.

The next option is Daily Quota; you can allow unlimited access or limit the access by time or bandwidth used by selecting the chosen option from the drop down list.


Not limited

You don’t have to select any additional options.

Time based

If you choose to limit the quota by time, you can select the amount of time you want people to have access to your Wi-Fi, and you have 2 options to reset this quota.
This can be done at a certain time, once a day, or after a certain number of minutes.

Bandwidth based

If you choose to limit the quota by bandwidth, your Wi-Fi users will only be able to use the amount specified in this box. This quota will be reset once a day; you can choose at which time this is done.

Session Timeout

Wi-Fi clients that have disconnected from this SSID for more than this amount of time, or Ethernet clients that have not generated any traffic for more than this amount of time will be signed out automatically. When time based daily quota is enabled, 5 minutes is suggested. Default: 60 mins

Allowed Networks

In this field you can add domain names and/or network IP addresses that are allowed on this Open Access SSID. This automatically means that no other devices will be allowed on this SSID. Example entries are 172.16.0.0/24 or hotspotsystems.com.

Allowed clients

In this field you can add single MAC or IP addresses for devices that you want to allow on this SSID.

Company Name

This is a required field, fill in your company name.

Landing Page

You have got 3 options for your landing page:
  • Display a signed-in page with a Start Browsing button. Clicking the button will redirect to the URL the guest user had originally requested. In the auto-login popup browser on iOS, clicking the button will redirect to: “the webpage you have entered in this field”
  • Display a signed-in page with a Start Browsing button. Clicking the button will unconditionally redirect to: “the webpage you have entered in this field”
  • Redirect to: “the webpage you have entered in this field”

Guest Account

Your Guest Account options are quite similar to your Open Access options. The only difference is that you can add user accounts to allow people on this SSID. You can do this manually or import a .csv file with usernames and passwords:

Manually

Enter details in the window that pops up as shown below:

CSV file upload

Choose CSV file upload if you want to add multiple user accounts. You need to have a list of usernames and passwords, which will be uploaded to your device.

The format looks like this:


After you have uploaded your .csv file you see this window; just follow the onscreen instructions and click “Next”.

Before the user accounts get imported you have an option to review your choices and go back if need be.

Token

The “Token” options are quite similar to your Open Access options. The only difference is that you can generate tokens to allow people on this SSID.

To do this, tick the “enable” box and then click on the “Manage” button. You will see the window below:

When you click the “Generate” button you can choose the number of tokens to generate and the token format (the number of characters, and a choice between numbers, lowercase letters, mixed case letters, and letters & numbers).

You can also select for how long the token should be valid.

After generating the tokens they are ready to be downloaded and you see an overview in your Token window:

Most companies print these tokens in a handy format and hand them out to their Wi-Fi users.
You can see how many tokens are used in the Access token management window.

Email

The “Email” options are quite similar to the Open Access options. The only difference is that people can sign in with their email address to gain access to this SSID.

The “Email” option allows you to collect Wi-Fi user details by clicking the “Collect User details” tickbox.

You can set the amount of time for E-mail checking from 2 to 5 minutes.
There is also an option to set the E-mail sender name.

SMS

To enable authentication by SMS (also known as text messages) you first have to manage the SMS settings for Captive portal in the InControl group settings.

Open the Group settings:

In the group settings page you’ll find the SMS Settings for Captive Portal

Click on manage:

After clicking on Manage you can add the service name and provider details.
At the time of writing this article, Peplink only supports Twilio as a service provider, but this list will grow if the demand for SMS Captive Portal support increases.
This is in fact the phone number that will send SMS messages to your Wi-Fi users.


Once you have added and saved these settings, return to your Group-Wide SSID settings screen.

The “SMS” options are quite similar to your “Token” options.
The only difference is that you generate tokens that are sent to the mobile number that your Wi-Fi users fill in on the Captive Portal.

You have an option to set the length of the tokens and the amount of time for SMS checking in minutes.
Your Wi-Fi users are now asked to fill in their phone number and will receive a token to access the SSID in an SMS (text) message as shown in the image below.

3 Likes
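For the Token and SMS sections of the article above, which let you choose the token character set and length, here is an added sizing example (not part of the original article and not Peplink code). It estimates how long a token must be so that random sign-in attempts are unlikely to hit a valid one; the alphabet sizes, the number of outstanding tokens, the attempt rate and the risk target are all assumptions.

```python
import math

# Token formats offered in the article's "Generate" dialog. The alphabet sizes
# are an assumption: the full standard sets (0-9, a-z, a-zA-Z, a-zA-Z0-9).
ALPHABET_SIZES = {
    "numbers": 10,
    "lowercase letters": 26,
    "mixed case letters": 52,
    "letters & numbers": 62,
}


def keyspace(token_format: str, length: int) -> int:
    """Number of distinct tokens of this format and length."""
    return ALPHABET_SIZES[token_format] ** length


def entropy_bits(token_format: str, length: int) -> float:
    """Entropy of one uniformly random token, in bits."""
    return length * math.log2(ALPHABET_SIZES[token_format])


def guess_risk(token_format: str, length: int, valid_tokens: int, guesses: int) -> float:
    """Upper bound (union bound) on the chance that any of `guesses` random
    sign-in attempts matches one of `valid_tokens` unused, unexpired tokens."""
    return min(1.0, guesses * valid_tokens / keyspace(token_format, length))


def min_length(token_format: str, valid_tokens: int, guesses: int, max_risk: float) -> int:
    """Shortest token length that keeps guess_risk() at or below max_risk."""
    length = 1
    while guess_risk(token_format, length, valid_tokens, guesses) > max_risk:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed scenario (assumptions): 500 tokens handed out, and the portal
    # sees at most 60 sign-in attempts per minute over a 24-hour validity period.
    valid_tokens, guesses = 500, 60 * 24 * 60
    for fmt in ALPHABET_SIZES:
        n = min_length(fmt, valid_tokens, guesses, max_risk=1e-3)
        print(f"{fmt:20s} min length {n:2d}  ({entropy_bits(fmt, n):.1f} bits)")
```

Shorter validity periods and fewer outstanding tokens both lower the required length, so the token lifetime setting matters as much as the format.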

Hi, would it be possible to change the order in which “social, email, anonymous” are shown in the InControl2 Captive Portal? For example, we would like the Email option to be shown before the others. Kind regards

2 Likes

Hello @Pabloescolano,
When you create the Captive Portal within InControl2, you can change the order of the tabs by just clicking and holding on the title of a tab, dragging the tab to the left or right to where you want it, and releasing the click.

As an example, say you start with this on your screen when creating the Captive Portal

Well to make the E-mail as the first option, you just click&hold on the E-mail tab and drag it to the left

As can be seen in this example we swapped all of the positions except the Guest Account.
Happy to Help,
Marcus 🙂

1 Like

Thanks for this information. I have setup our captive portal, but here is my issue. I have setup 2 SSID’s on the router, one for guests and one for drivers. I want the drivers SSID to be completely open for our drivers and have the guests go through the captive portal. How do I set that up?

1 Like

Guide as follows.

2 Likes

In addition to Kv_Chen’s guide, if you need more information on setting up captive portals and social Wi-Fi, have a look at this article:

2 Likes

Thanks, this worked perfectly.

2 Likes

Hi,
We are trying to test the Token option in captive portal with IC2, and I have a problem: when I authenticate in the captive portal with token codes, either generated or imported, the captive portal lets me connect for 1 or 2 minutes, after which it shows me an error message on the captive portal saying the token code is invalid.

@rachid

Please open a support ticket for support team to check.

2 Likes

We are setting up a Captive Portal for 2 different SSIDs.
Our Wifi systems are Cisco and Meraki.
I don’t see a way to allow specific VLANs (I assume because I am not using Peplink APs). In the Allowed Networks I am putting in the subnets the devices on these 2 networks will get from DHCP.

We have some devices (time clocks) that will need to connect to one of these SSIDs that do not have a browser or a way to accept the Splash page. Is there a way to allow a certain IP or MAC address to bypass the splash page?

Thanks,
Eric

Hello @eglass,
Where are you attempting to put in your VLAN information?

When using InControl2, VLANs for Balance Routers & MAX Routers need to be configured separately from the Captive Portal. Create your Captive Portal within InControl2 and then you can assign the Captive Portal to a new VLAN created within InControl2.

  • Step #1 Create your Captive Portal (follow the guides here in the forum)

  • Step #2 Assign to your new VLAN the Captive Portal

  • Step #3 Assign the VLAN to your SSIDs and your network switches

Happy to Help,
Marcus 🙂

1 Like

Marcus,
Thanks for the reply.
We figured this part out but the captive portal will not load from our “Guest VLAN”. Nothing we’ve tried is working. We enabled inter-vlan routing (which we don’t want) but that did not fix it either.
User can connect to the SSID but never gets the captive portal screen to even try to accept it.

Thoughts?

Thanks,
Eric

1 Like

Just a WAG based on personal, painful experience:

Do you by any chance have a managed router between the AP and the router? If so, did you remember to trunk the guest VLAN through from the AP to the router?

[In the early days one of our clients forgot that in his set of check-boxes, and the symptoms were similar]

Z

2 Likes

We enabled ‘DNS Proxy’ and that solved the issue.
We had disabled DNS Proxy as it was causing a high CPU utilization causing the HD2 to stop responding and require a hard reboot.

1 Like

The DNS proxy service is required to resolve some of the defined captive portal local domains (depending on the captive portal configuration defined).

Would you be able to open a support ticket for the support team to check? This is something weird.

2 Likes

Hi,

I would like to ask. Can I know how to do the one time register only?

1 Like

We are using CP with tokens and Quota. It works fine. But when Clients move through the building, they are required to re-login very often.
Would changing the Option “Guests required to sign-in…” fix this?
If we change it to “once only - Guests will never be asked to sign-in again.” Would they be disconnected once quota is used up and be able to re-login with different token?
Thanks a lot
Johannes