- What is the difference?
- Which one is suitable for my business?
- Which one is more secure?
- How does the setup process differ?
Both captive portal and WPA-Enterprise authentication have their advantages and disadvantages. Simply understanding the difference should be enough to make an informed decision when securing your Wi-Fi network.
A captive portal is a webpage, also known as the splash page, that comes up after a user connects to an open Wi-Fi network. The splash page requires the user to either authenticate with credentials or provide personal information, such as an email address, in exchange for internet access. The network manager might want to limit the session time of guests on their premises or require a small payment for using their Wi-Fi network. In the IronWiFi console, you can create a captive portal, edit the source code of the splash page to customize its design, and configure an authentication provider (a form that requires specific information from the user), such as paid access or a voucher code. Your guests are also able to register to use your Wi-Fi network and use the credentials later to sign in.
A business might want to place advertisements for certain products on the splash page or collect guest information for later marketing purposes. That is why IronWiFi is integrated with major platforms such as SendGrid and MailChimp, to create a seamless experience when sending marketing emails.
How does it work?
If you are, at this point, keen on configuring a captive portal for your business, it may be beneficial to understand the basic technicalities.
User -> Access Point -> IronWiFi -> Access Point -> User
When a user connects to your access point to get internet access, the access point redirects them to our web servers and the splash page comes up. The user then submits the form with their credentials. We receive an authentication request, verify the credentials and send a response to the access point, telling it whether or not to allow the user access to the internet.
To set this up, you need the following information from our console: the splash page URL, and both the primary and backup RADIUS server IPs and port numbers. To receive accounting data, you also need to specify the accounting port (it can be found after clicking on your network’s name). Essentially, all you are doing is telling the access point where to send the user who is trying to get internet access.
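The request and response between the access point and the RADIUS server can be sketched as follows. This is an added example based on RFC 2865, not IronWiFi's code: it assumes PAP-style User-Password authentication and a shared secret configured on both the access point and the server (the page does not mention one), and all names and sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): XOR with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    """Access point side: returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Access point side: True on Accept, False on Reject, ValueError on a bad reply."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or reply_id != ident or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        raise ValueError("malformed or unexpected reply")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")  # reply not from a holder of the secret
    return code == ACCESS_ACCEPT

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumption: configured on the AP and the server
    request, auth = build_access_request(7, b"guest01", b"voucher-1234", secret)
    print(verify_response(build_response(ACCESS_ACCEPT, 7, auth, secret), 7, auth, secret))
```

The access point only opens internet access when the reply's authenticator matches, so a reply from a host that does not hold the shared secret is rejected rather than treated as an accept.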
WPA/WPA2 Enterprise authentication w/RADIUS
WPA-Enterprise, or employee authentication, is a more secure option for corporations that need more control over their users (usually employees). WPA-Enterprise can be set up to authenticate with Azure, G Suite, client certificates, etc. Connecting your active directories is seamless thanks to our integrations with major platforms in the space as well as detailed instructions.
Distribution – certificates need to be installed on the user’s device to work. Three options are available to obtain the generated certificate:
- Download certificate – the certificate will be automatically downloaded to the administrator’s browser. An import password will be displayed in the pop-up window.
- Email certificate to the User – the user will receive an email with the certificate as an attachment. The import password is included in the email. This method requires the user to have a valid email address.
- Email download link to the User – an email is sent to the user with an import password and a link to download the certificate. The certificate can be downloaded only once. A valid email address in the user profile is required to deliver the email.
IronWiFi strives to support industry standards for enterprise authentication such as SCEP, which is currently in the final stages of development.
At this point, it should be fairly clear which way to go. For most customers (restaurants, hotels, coffee shops), including coworking spaces, a captive portal is the go-to. WPA-Enterprise is suitable for corporations that require high levels of security.