Howto setup the Unifi Captive Portal for your Guests

If you want to provide your guests with free and easy internet access, setting up a Unifi Captive Portal might be a good idea. While you can just create an extra wireless network (SSID) with a simple password, you also need to keep the security of your network in mind. You don’t want to give your guests access to your systems. By using the Unifi Guest Portal you can isolate the clients on your network and give them access for only a few hours.

Setting up the captive portal in the Unifi Controller is pretty simple. By using the guest isolation option we can prevent guests from accessing our network without creating VLANs. Another advantage is that you can use the captive portal to promote some of your products or services.

In this article, I am going to walk you through setting up and customizing the Unifi Captive Portal in the Unifi Controller. To use the portal, you will need to make sure the controller is running 24/7. So if you have a controller running on a computer that you turn off or take with you, then you really need to buy the Unifi Cloud key.

Create a Guest User group

You might want to limit the amount of bandwidth the guests can use on your network. So before we start creating a Guest Network we first need to create a new user group. This allows us to set upload and download limits for the guests later on.

Unifi Create User Groups for Guest Network
  1. Open Settings > User Groups
  2. Click Create New User Group
  3. Give the group a name: Guests
  4. Limit the upload and download bandwidth. For simple internet browsing, 5 Mbit download and 1 Mbit upload are enough. If you want to allow streaming, they need at least 10 Mbit download.
  5. Click on Save

Creating a Unifi Guest Network

We need to create a new wireless network for our guests. We will make this a Guest Network which will add a few important restrictions:

  • Pre and Post-Authorization Access. This will make sure the guest can access the captive portal for authentication. After they have authenticated, they won’t have access to the local network.
  • Client Isolation. This will prevent the clients from sending broadcasts or unicast messages to other clients in the same network.
Unifi Create Wireless Guest Network

To create the guest network open the Unifi Controller

  1. Go to Settings > Wireless Networks
  2. Click on Create New Wireless Network
  3. Give the wireless network a name. Something your guest will recognize as a guest network.
  4. Set the security to Open (we will secure the network with the captive portal).
  5. Select Apply guest policies (captive portal, guest authentication, access)
  6. Expand the Advanced Options
  7. Select the User Group we just created.

We now have a guest network, but we still need to set up the captive portal.

Configuring the Unifi Guest Portal

So we have the wireless network for our guests and limited the bandwidth they can use. Now all that is left is to create the captive portal. Within the Unifi Controller, under the Guest Control section, we can create our Guest Portal and set the authentication and duration of access. So if you have a barbershop you might want to give your customers only 2 hours of access. But if you are running a B&B you can give them a couple of days of access to the wifi network.

Setting up the Guest Policies

First, we are going to set up the guest policies. Open the Guest Control page in the Unifi Controller under settings.

Unifi Guest Portal Policies
  1. Enable the Guest Portal
  2. Set a simple password, something your customers can easily fill in. welkom@mybusiness for example 😉
  3. Set the expiration, you can choose anything you like here.
  4. Landing Page: you can either redirect the customers back to the page they attempted to visit or send them to a promotion URL. This can be your business website with the latest deal on it, for example.
  5. Enable the HTTPS Redirection.

Customize the Unifi Captive Portal

The next step is to customize the captive portal. This allows you to do some corporate branding and inform your guests about the wifi network. There are a few things you will need to keep in mind when you customize the portal.

  • You can add a background picture, which is nice. But make sure you can still read the text. If you have a coffee shop for example, using a picture of coffee beans and your logo might work better than adding a photo of your shop.
  • Inform the users what they get, free access for x hours or days.
  • Add a different language if you have foreign guests.
  • Add the terms of service with what is allowed and what is not.
Customizing the Unifi Guest Portal

Unifi recommends a background image 920px wide and 640px high. On some screens, this will result in borders beside your image, so use an image of at least 1280px by 720px. Also make sure your image files are not too large: a photo straight from your camera will take a few seconds to download. Compress the image before uploading it.

Access Control

The last step is to limit the access of the guests to your local network. Below the portal customization, you will find the access control. With the access control we can give users access to part of our network before they are authorized and block access to our internal network after authorization.

Unifi Guest Portal Authorization

Pre-Authorization Access

The Pre-Authorization Access can be left blank. By default you want guests to have access only to the Guest Portal, and this is built in. So we don’t need to enter the IP address of the controller here.

But if you are using a custom Guest Portal (other than the Unifi one), then you will have to enter its IP address here.

Post-Authorization Restrictions

For the Post-Authorization Restrictions, we enter the subnet of our local network. By default, all possible local network addresses are blocked, so you could leave this as is. But if you have a printer for your guests that you want to give them access to, but not the rest of your network, then you can block it here. (Make it easy on yourself by using different subnets for your guests and your own network.)
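
An added example (not from the original article or from Ubiquiti): a small Python audit of the two Access Control lists, using the semantics described above, where pre-authorization entries are reachable before login and post-authorization entries are blocked after login. The function names and the sample addresses under `__main__` are assumptions for illustration; the script only does CIDR arithmetic and does not talk to a controller.

```python
import ipaddress

# RFC 1918 private ranges, used here as the default block list for guests.
DEFAULT_POST_AUTH = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


def parse_entries(entries):
    """Split entries into valid networks and rejected strings.

    strict=True rejects entries with host bits set, such as 192.168.1.24/22.
    """
    nets, bad = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            bad.append(entry)
    return nets, bad


def uncovered(lan, blocked):
    """Return the parts of `lan` that no network in `blocked` covers."""
    remaining = [lan]
    for b in blocked:
        nxt = []
        for r in remaining:
            if r.subnet_of(b):
                continue                          # fully blocked
            if b.subnet_of(r):
                nxt.extend(r.address_exclude(b))  # partly blocked
            else:
                nxt.append(r)                     # disjoint, still open
        remaining = nxt
    return sorted(remaining)


def audit(lan, portal, pre_auth, post_auth=DEFAULT_POST_AUTH):
    """Return a list of findings for one guest network configuration."""
    lan_net = ipaddress.ip_network(lan)
    portal_ip = ipaddress.ip_address(portal)
    pre, bad_pre = parse_entries(pre_auth)
    post, bad_post = parse_entries(post_auth)
    findings = [f"invalid CIDR: {e}" for e in bad_pre + bad_post]
    for net in pre:
        if net.num_addresses > 1:
            findings.append(f"pre-auth opens a whole range: {net}")
        elif net.network_address != portal_ip:
            findings.append(f"pre-auth exposes non-portal host: {net.network_address}")
    for gap in uncovered(lan_net, post):
        findings.append(f"LAN range reachable after login: {gap}")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations (addresses are illustrative).
    print(audit("192.168.10.0/24", "192.168.10.2", []))
    print(audit("192.168.178.0/24", "192.168.178.45",
                ["192.168.178.1/32"], ["192.168.178.0/24"]))
    print(audit("192.168.1.0/24", "192.168.1.24", ["192.168.1.24/22"]))
    print(audit("10.0.0.0/24", "10.0.0.5", ["10.0.0.5/32"], ["10.0.0.0/25"]))
```

An empty result means the pre-authorization list exposes nothing beyond the portal host and the whole LAN falls inside the post-authorization block list.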

Managing the connected clients

Your Unifi Guest Portal is now ready for use. The guests can log in and access the internet, but how can you manage them? Within the controller, we can see on the Dashboard how many guests are connected to our network. If you click on the guests, you will go to the Clients page, filtered on Guests.

Manage Guest Clients Unifi

Here we can see all devices that are connected, how much data they used, which access point they are connected to, and the uptime. But more importantly, this is also the place to block a client or revoke the authorization.

Professional Guest Portal System

The built-in guest portal from Unifi is a great feature to start with, but what if you can do more with your guest wifi system? What if you wanted to know more about your customers, who they are, and how to reach them?

The guys from PoweredLocal reached out to me, they have a guest portal system that is not only really easy to set up but even better, it gives you a lot of (marketing) data back from your customers. Who they are, their contact details, when they visited your place, etc. 

PoweredLocal Guest Portal system for Unifi

Their product integrates really easily with the Unifi Controller, it can be set up in minutes. But, more importantly, it not only integrates with Unifi, but you can also connect PoweredLocal to pretty much any marketing or CRM system (MailChimp, Campaign Monitor, Facebook, or thousands of other platforms). This way you offer free Wifi to your customers, grow your mailing list and engage your customers at the same time.

Guest Portal System PoweredLocal

With a price starting around $7 per month per access point, it is a really interesting product. For this, you get the ability to retarget your customers with custom ads, send them personalized emails and know your customers better in general. This way you could earn the investment back in no time through the increase of (returning) customers and their engagement.

If you want to know more, then check out this Youtube video or their website at PoweredLocal.com

Conclusion

I hope this article helps you set up your Unifi Guest Portal. If you own a (small) business or work with them, then make sure you check out PoweredLocal.

If you have any questions just leave a comment below.


58 thoughts on “Howto setup the Unifi Captive Portal for your Guests”

  1. I have a unifi controller with a unifi hotspot. We have 5 WAPs in the office. The landing page does not appear when I join the Guest network on WAP 1 but does appear when I join the Guest Network on WAP 3? Any idea of what the issue could be?

  2. I want to set up my IOT devices like chrome cast and it should be able to work with devices on the captive portal network

  3. Good Day

    Hi, I run a small ISP for about +100 clients. Now I have a particular client that wants to run a campaign using public hot spots for about 5 of them, through our wireless system. They basically want the users to first register by typing in their mobile number before they are issued with a voucher for logins

  4. Hi Everyone,

    I want to setup Guest WiFi Network with Captive Portal. I want the Captive Portal service to be hosted on Windows Server 2016.

    I will be using ASP.net, C# and Microsoft SQL Server 2016.

    I want a situation whereby a customer connects to my open wifi and gets redirected to my windows server for self registration and/or authentication if they have previously registered.

    I have seen a YouTube video about UniFi access point, the video only talks about the UniFi Gateway and access point.

    I want the authentication to be done on my windows server 2016 via ASP.Net and SQL database.

    Something like you would see at McDonalds or Library.

    Any walk through or tutorial or YouTube video or book will be much appreciated.

    Please help me.

  5. Please advise what may be lacking or need changing in the following situation.
    I am using a windows server as DHCP server in 10.0.0.x range.
    I have a Fritz!Box router with a static IP that I use for the internet gateway.
    This router has a static IP 10.0.0.45.
    I have enabled a guest wi-fi network as a hotspot on this router which generates a default IP range 192.168.179.x
    The hotspot feature does not require any password.
    Should this be able to work on the UniFi guest control if I use Pre-Auth access of 10.0.0.45/32 and perhaps 192.168.179.1?
    I have tried this, but do not get internet access

    Thanks

  6. Hi Rudy,

    regarding:

    Post-Authorization Restrictions
    For the Post-Authorization Restrictions, we enter the subnet of our local network. By default, all possible local network address are blocked, so you could leave this as is. But if you have a printer for your guest that you want to give them access to, but not the rest of you network, then you can block it here. (make it your self easy to use different subnets for your guest and your own network)

    My LAN has subnet 192.168.10.0, now what to do with the three Post-Authorization addresses:

    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8

    Use the three above or need to change them?

    Now I didn’t change them, but after connecting to the Guest Portal I can still ping my local network and see all pinged local devices in the ping overview!?
    My IP-address remains the same, I expected to get a new IP-address from one of the three subnets from above…?

  7. Hey Rudy,
    I’m looking for someone to customize a couple of hotspot features using vouchers. Can you suggest anyone?
    Thanks

  8. Rudy, thanks for this guide. The options under Guest Control appear to have changed. There is no option for Simple Password. The options are No authentication, Hotspot, Facebook Wifi and External portal server. Any idea how I can implement password authentication?

  9. Thank you,
    UniFi CloudKey Pi is getting a new Menu Layout; Pls consider updating when it goes Stable

  10. This was really helpful, thank you so much!

    Everything works as expected, but when the users come to the guest portal it's saying that it is an insecure website. It seems that it's missing the certificate. I already have it installed on the Unifi controller; do I configure it somewhere else?

    Kind regards,

  11. Hi Rudy,

    thanks for this excellent piece. I am struggling to have my guests get an IP from my DHCP server. Like others I am running a Windows server with DHCP on my corporate LAN. The WiFi for the LAN (192.168.14.0/24) works great by forwarding DHCP but I cannot get the guests to pull an IP on my Guest network.

    If I understand the other posts here then with my DHCP server on 192.168.14.5 then I shouldn’t have to add anything to the guest wireless network Pre or Post auth as the DHCP is meant to be passed through and the local subnet already blocked?

    This isn’t even really a guest WiFi – we just want to isolate staff BYOD so they can use WiFi on their phones etc, but keep them discrete from the company hardware.

    Any ideas?
    Sincerely

    • Hi Paul,

      Yes, getting this working is always a bit of a struggle. If you don’t set any pre IP ranges, then the clients can only connect to the guest portal (Unifi controller). If the controller isn’t doing the DHCP, then your client won’t get an IP Address. So you will have to add the DHCP server address to the Pre addresses.

  12. Hi Rudy,

    The pre and post part is a bit unclear to me. I am not able to get to my portal page.
    My cloud key is on 192.168.1.24, so will pre be 192.168.1.24/22?

    I just want users to connect to my guest network, portal page popping up and being redirected to the original page they were visiting.

  13. A helpful post thank you, my guest wifi is working fine but I am unable to print to the network printer, I have added the static ip of the printer to the Pre Auth but still no go. If you can help that would be great.

  14. Hi
    I have a Windows Server running DHCP on 192.168.5.3, a Draytek gateway on 192.168.5.1
    When I try to connect to my Guest wifi it says it can’t find the Internet.
    What should I put in for Pre and Post Authorization?

  15. Just a little comment on enabling Hotspot/Voucher system – if you’re using/running a locally installed UniFi controller and other network equipment except USG or from other vendors, i.e. EdgeRouter or EdgeRouter-X, to manage your traffic/firewall rules and you have a firewall rule isolating your guest WiFi network, you definitely need to create a new rule (should be at top of other firewall rules for your guest WiFi network to function properly) allowing access to your UniFi controller. For example, if your local UniFi Controller is running on 192.168.99.1 and you’re isolating guest WiFi on 192.168.100.0/24, you need to define a firewall rule for 192.168.100.0/24 allowing access to 192.168.99.1 (your UniFi controller IP address or hostname).

  16. Hi Rudy,

    Am I right in my case?
    My controller (Cloudkey) has IP 192.168.178.45 and my Firewall (Zyxel USG20VPN) has 192.168.178.1
    I just want to give access to the internet and not to the LAN.
    Pre= 192.168.178.1/32?
    Post= 192.168.178.0/24?

    Thank you already

    • Hi Wim,

      Pre should be 192.168.178.45/32. Pre (before authorization) access is allowed to only the controller (cloudkey). After the client is authorized, the post, you allow access to the whole subnet /24

    • Hi Rudy,

      Are you sure?
      I have now set it up like I wrote earlier.
      In PRE I put the IP address of my firewall
      and in POST the whole subnet /24 because the comment says: “Enable post-authorization restrictions to prevent guests from accessing specific hostnames or subnets”. Seems to work… when I log in to the guest wifi I can access the internet and can ping my firewall, but cannot ping my network printer and other network participants

      • Yeah pretty sure. Pre-authorization will allow the guest to access the specified subnet before the guest is authorized. So this way you are giving them access to your firewall, which isn’t necessary. DHCP and DNS are forwarded anyway and the user should only be given access to the guest portal.

        Even pre-authorization access to Unifi Controller isn’t necessary. The guest portal will show anyway. Just did some new tests. No pre-authorization, when connected, can’t ping the router, but can ping a DNS server (Google) and can’t access the internet.
        After authorization with the default Post-Authorization Restrictions, I can’t connect to the internal network but can connect to the internet.

          • Hi Rudy,

            Tested it and it indeed works fine without filling in an IP address in the pre-authorization section. Only put the whole subnet in the post section. After authorization I could only ping IP addresses on the internet and no local IPs. TOP!
            Thx a lot!!

  17. This drives me nuts…
    I have spent hours and hours searching and trying to understand how everything works, and how to get access to a Guest portal via the VLAN that I configured on the Edgerouter X.
    There are many webpages explaining specific steps, but none describing the entire setup, step by step, and the logic of the different configurations from ER-X –> HP 1810 –> Ubiquiti AP-Pro. The HP switch in the middle has a rather complicated GUI.
    I simply failed to get it to work after more than a week of trying. Frustration all over, as I can only use my basic house wifi, and not a guest, special area, or IoT VLAN to connect to and being separated from the house wifi. So, only conclusion: NO MORE GUESTS IN THE HOUSE…. 🙁

  18. I am new to Unifi/Ubiquiti, so Thank you for putting this ‘How To’ together. It was clear and easy to follow. Well Done!

  19. I’m not sure what happened to my comment? My question is will the post authorization 192.168.1.0/24 block the DNS server if it were at 192.168.1.1? Also does pre authorization need the DNS IP as well as the controller IP?

    • I manually approve every comment, sometimes it may take a couple of days because I don’t always have the time to respond immediately. But your answer is just below here 😉

  20. Using a USG as the DHCP server in this exact setup described. Does 192.168.1.0/24 in post authorization block the DNS server set by USG as 192.168.1.1?

  21. Great article, I did everything you said but when I check the post restrictions after I login to guest network I can still access all the other devices on my network. What am I missing?

      • Hi Rudy. I'm very new to this. We have a small resort with a restaurant. I have 3 wifi networks. One private one. Then one for our in-house guests and one for walk-ins. The speed for our guests is different. The in-house guests have a much faster one than the walk-ins. And they both should be a guest network. Can you help?

  22. Thank you very much for the tutorial!

    Can you tell me the correct settings for Access Control, so the guests can only access the internet?

    Our intranet has a range of ip-addresses with 10.0.0.x (Subnet 255.255.255.0). The Gateway (Fritzbox) is 10.0.0.230.

    Thank you very much in advance!

  23. Thanks for posting. Clear concise documentation seems to be a bit of weakness for Unifi and this was a perfect how to.

  24. A nice quick manual, but what about the security of the wifi traffic? With open selected I assume there is no encryption of the wifi network traffic.

    I think it would be better to have your wifi protected with at least WPA2. Is there an option to do so with a portal?

    • You can't combine the guest portal with a WPA2 protected wifi network. Yes, WPA2 is more secure, but keep in mind that with the guest portal you have the option to isolate the network. That means that one client in the guest network can’t reach or see the other guests.

      If you protect your network with a WPA2 key, then anyone that has the password of your wifi network can still intercept the traffic. With the captive portal, you can at least control how long somebody is connected and isolate each guest's traffic on your network.
