
Wi-Fi Onboarding Captive Portal Best Practices

Patrick Grubbs Education


Onboarding new users to Wi-Fi is a hassle at best and overwhelming at worst. For organizations that have to regularly onboard thousands of users – such as schools, universities, and event organizers – it’s simply not possible without an automated enrollment process like a captive portal.

Wi-Fi onboarding can be an easy, positive experience for both users and IT if you follow these guidelines for captive portal configuration and design.

1. Clear and Concise Communication

It feels obvious, but it has to be said. End user-facing solutions have to be easily understood and navigated by even the least tech-savvy person imaginable. The only way to guide them through a self-enrollment process is by removing as many obstacles to authentication as possible.

At the most basic level, that means all of the verbiage used should be concise and direct. It means the graphical elements of your captive portal should make it clear what to do next. Also, it should be apparent whether the user has internet access or not – before, during, and after the process.

Here you can see our default language on our Captive Portal. We make sure to state what the user needs to accomplish and how they can accomplish it. We also address potential future error messages, like the text that is bolded above the JoinNow button.

Investing in a simple user experience will save IT a lot of headaches down the line. Organizations that use our software for Wi-Fi captive portals often reduce their Wi-Fi connectivity support tickets by up to 50%, and good communication plays a big part in it!

2. Use CNA Breakout Technology

A CNA, or Captive Network Assistant, is a feature of several common operating systems that’s meant to streamline and secure the process of onboarding to guest Wi-Fi networks. It’s a limited browser that pops up whenever the user connects to an open SSID. The following OSs have a native CNA:

  • Android
  • iOS
  • macOS

The strongest security measure of a CNA also happens to make it unsuitable for onboarding users to Wi-Fi. A CNA doesn’t allow anything to be downloaded and installed to the device; that’s great for preventing spoofed SSIDs from installing malware on unsuspecting devices, but it prevents us from downloading the configuration payload for automatic onboarding to secure Wi-Fi.

Working around CNAs isn’t very simple, unfortunately. Even if the user exits the CNA browser and opens a new browser window it won’t redirect them to the captive portal you set up. They would have to try to navigate to an HTTP address specifically – and all of the typical sites a user might try to access are almost certainly HTTPS. It’s worse on Android – disconnecting from the CNA disconnects you from the limited internet altogether.

The only true solution to onboarding mobile devices and macOS to Wi-Fi is with SecureW2’s industry-first CNA Breakout solution. The solution detects the user is in the CNA limited browser, and presents instructions to the user alongside a button that will automatically open the Captive Portal in a full, non-CNA, browser. For more information about CNA Breakout, contact our specialists here.

3. Use Hidden SSIDs for Simple Onboarding

The first step in automatic onboarding is always to get the users to connect to your onboarding SSID. Depending on the location, though, they might be bombarded with 10 or 20 potential SSIDs when they open their network settings. That can be overwhelming, especially to users that don’t already know what to look for.

You can hide all of the SSIDs that you control other than the onboarding SSID. This won’t affect your existing network users – they’ll be able to find and connect to the hidden SSIDs with no issues. The new users to be onboarded will only see the onboarding SSID, eliminating confusion as to which network they need to connect to.

4. Onboarding Network Segmentation with VLAN

Most organizations already use VLANs to segment classes of users and to implement Group Policies. It’s an easy way to restrict access to certain resources and enable permissions to others with broad strokes.

Having your onboarding SSID on a separate network, whether physical or virtual, is also a good security practice. Onboarding is a complicated process, so there are a lot of potential nooks and crannies a bad actor might exploit. It’s better to play it safe and protect your primary network by keeping it separate from the onboarding network.

SecureW2’s Onboarding software can roll onboarding into user segmentation, automatically sorting newly onboarded users based on attributes from your directory. Appropriate network privileges will be assigned automatically, ensuring a smooth and safe onboarding experience.

5. Include Onboarding Resources in the ACL

In a similar vein as network segmentation, you’ll need to set up an Access Control List (ACL) which determines what privileges a given user has within the captive portal. Typically you configure the ACL to deny access to the internet, with the exception of resources required for onboarding.

Keep in mind that different operating systems will receive their required resources from different places. You’ll have to include app stores (Google Play Store, Apple App Store, etc.) and any external resources (SAML, SSO, Jamf, etc.); otherwise, users will not be able to configure their devices during the onboarding process.
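As an added example (not SecureW2 code or configuration), the following sketch audits a deny-by-default onboarding ACL against the hosts each operating system needs, flagging both missing entries and unused ones. The entry format, the `example.edu` and `example.net` hostnames, and the per-OS lists are assumptions and are not a complete inventory of what a real deployment requires.

```python
# Added example: audit a deny-by-default onboarding ACL against the hosts
# each OS needs. The entry format and every hostname are assumptions.
ALLOW = [
    "portal.example.edu",   # exact host: the captive portal (constructed)
    "*.idp.example.edu",    # wildcard: SAML/SSO identity provider (constructed)
    "play.google.com",      # Google Play Store
    "*.cdn.example.net",    # leftover entry that nothing below depends on
]

REQUIRED = {  # per-OS onboarding dependencies, illustrative and incomplete
    "android": ["portal.example.edu", "play.google.com", "login.idp.example.edu"],
    "ios": ["portal.example.edu", "apps.apple.com", "login.idp.example.edu"],
    "macos": ["portal.example.edu", "mdm.example.edu", "login.idp.example.edu"],
}


def host_allowed(host, allow=ALLOW):
    """True if host matches an allow entry. Wildcards match whole DNS labels
    only, so '*.idp.example.edu' never matches 'evilidp.example.edu'."""
    host = host.lower().rstrip(".")
    for entry in allow:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # entry[1:] keeps the leading dot
                return True
        elif host == entry:
            return True
    return False


def audit(required=REQUIRED, allow=ALLOW):
    """Return {os: [blocked hosts]} for every OS whose onboarding would fail."""
    gaps = {}
    for os_name, hosts in required.items():
        blocked = [h for h in hosts if not host_allowed(h, allow)]
        if blocked:
            gaps[os_name] = blocked
    return gaps


def unused_entries(required=REQUIRED, allow=ALLOW):
    """Allow entries that no required host needs. Each one is reachable
    before authentication, so it is a candidate for removal."""
    needed = {h for hosts in required.values() for h in hosts}
    return [e for e in allow if not any(host_allowed(h, [e]) for h in needed)]


if __name__ == "__main__":
    print("blocked per OS:", audit())
    print("unused allow entries:", unused_entries())
```

With the sample data, iOS and macOS onboarding would fail until the App Store and MDM hosts are added, while the CDN wildcard can be dropped.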

Easy Wi-Fi Onboarding With SecureW2 JoinNow

A good onboarding process is simple, secure, and streamlined. The user should hardly be aware they’re being onboarded and, ideally, IT will hardly be involved.

A well-configured Wi-Fi captive portal can head off many of the issues commonly encountered in the onboarding process, which is why it’s so critical to get this first step right. It establishes a foundation for the user’s future network experience and for the security of your network as a whole.

SecureW2’s JoinNow solution is the industry’s leading onboarding software for organizations of every type. It seamlessly integrates with your existing hardware to onboard any user and any device. Our management suite makes it a cinch to customize every aspect of onboarding, including your own custom captive portals and vanity SSIDs.

We have affordable options for organizations of all sizes. Click here to see our pricing.

