How It Works: The Connection Flow
The magic of the captive portal happens through a seamless, automated redirection process. When a guest’s device tries to access the internet, your MikroTik router intelligently intercepts the request and guides them through authentication.
- Connection: A guest connects to your designated Wi-Fi network.
- Interception: The on-site MikroTik router, configured by SDX, intercepts the user’s first attempt to access an external website.
- STUN Redirect: The router redirects the user to our STUN (Session Traversal Utilities for NAT) service. This lightweight service is critical for identifying the user’s internal IP address even when they are behind NAT.
- Secure Token: The STUN service captures the user’s internal and external IP addresses, along with the Site ID, encrypts this data into a secure, short-lived token, and redirects the user to the main Captive Portal page with this token.
- Authentication: The user sees your branded login page and authenticates using one of the strategies you’ve configured.
- Authorization: Upon successful authentication, the Altostrat platform sends a secure command to your MikroTik router, instructing it to add the user’s internal IP address to a temporary “allow” list in its firewall for a specified duration (Session TTL).
- Access Granted: The user now has full internet access until their session expires.
Core Concepts
Instance
The complete configuration for a single captive portal, including its name, branding (theme), authentication strategy, and session rules. You can have multiple instances for different locations or networks.
Auth Integration (IDP)
A reusable configuration for a third-party Identity Provider (e.g., Google, Microsoft Azure, GitHub). This is required if you use the OAuth2 authentication strategy.
Walled Garden
A crucial list of IP addresses and domains that guests are allowed to access before they authenticate. This is essential for allowing users to reach the login pages of identity providers like Google or Microsoft.
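The gate described in the Authorization step and in the Walled Garden definition can be modeled as a single allow-or-redirect decision. This is an added example, not Altostrat or MikroTik code; the sample domains and addresses, the function and class names, and the rule that a domain entry also covers its subdomains are assumptions.

```python
import ipaddress
import time

# Constructed sample data; entries and addresses are illustrative only.
WALLED_GARDEN_DOMAINS = {"accounts.google.com", "login.microsoftonline.com", "github.com"}
WALLED_GARDEN_NETS = [ipaddress.ip_network("198.51.100.0/28")]


class AllowList:
    """Temporary allow list keyed by internal IP; entries lapse after the Session TTL."""

    def __init__(self):
        self._expiry = {}

    def add(self, internal_ip, session_ttl, now=None):
        now = time.time() if now is None else now
        self._expiry[internal_ip] = now + session_ttl

    def is_allowed(self, internal_ip, now=None):
        now = time.time() if now is None else now
        expires = self._expiry.get(internal_ip)
        if expires is None:
            return False
        if now >= expires:
            del self._expiry[internal_ip]  # session over: back to the pre-auth state
            return False
        return True


def in_walled_garden(host=None, dest_ip=None):
    """True if the destination may be reached before authentication."""
    if host:
        host = host.lower().rstrip(".")
        # Assumed rule: match the exact name or a subdomain on a label boundary,
        # so "evil-github.com" does not match the "github.com" entry.
        if any(host == d or host.endswith("." + d) for d in WALLED_GARDEN_DOMAINS):
            return True
    if dest_ip:
        addr = ipaddress.ip_address(dest_ip)
        return any(addr in net for net in WALLED_GARDEN_NETS)
    return False


def decide(allow_list, src_ip, host=None, dest_ip=None, now=None):
    """Return 'allow' for authenticated clients or walled-garden traffic, else 'redirect'."""
    if allow_list.is_allowed(src_ip, now) or in_walled_garden(host, dest_ip):
        return "allow"
    return "redirect"
```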
Authentication Strategies
Altostrat offers two flexible authentication strategies for your captive portals.
OAuth2 (Social & Corporate Login)
Allow users to authenticate using their existing Google, Microsoft Azure, or GitHub accounts. This provides a seamless login experience and captures the user’s name and email for tracking and accountability.
Coupon-Based Access
Generate unique, single-use access codes (coupons) that you can distribute to guests. This method is perfect for environments like hotels or conference centers where you want to provide temporary, controlled access without requiring users to have a specific online account.