This document outlines the fundamentals and a step-by-step guide for setting up a Captive Portal in Altostrat. You’ll also learn about custom configurations you can apply.
Before proceeding, confirm you have an IDP Instance configured if you plan to use OAuth 2.0 authentication (e.g., Google, Microsoft Azure). Otherwise, you won’t be able to authenticate users via third-party providers.

Step 1: Navigate to the Captive Portal Page

  1. From your Dashboard, select Captive Portal (or a similarly named menu option).
  2. You’ll see an Overview or Get Started button to create a new Captive Portal instance.
  3. Click Get Started (or + Add).
Placeholder: Captive Portal Overview

Step 2: Create Your Captive Portal Instance

  1. Provide a Name for the instance, e.g. “Guest Wi-Fi Portal.”
  2. Set the Authentication Strategy (currently OAuth 2.0 only).
  3. Pick the Identity Provider you previously configured, or click + to create a new one.
  4. Click Next to confirm and move to customization.
If you haven’t created an IDP yet, follow our Identity Providers guide before continuing.

Captive Portal Customization

After initial setup, you’ll be redirected to a Customization page where you can:
  • Branding: Add logos, colors, and messaging.
  • Terms of Use: Insert disclaimers or acceptable use policies for users to accept before accessing the network.
  • Redirects: Control where users land post-authentication.
  • Voucher or Coupon Codes: Issue time-limited or usage-limited codes for guests.
Placeholder: Captive Portal Customization

Network Considerations

  1. Firewall Rules Ensure your MikroTik’s firewall permits traffic for the Captive Portal flow.
  2. DHCP & DNS Confirm your router provides IP addresses and DNS resolution for guest clients.

Step 3: Finalizing & Applying the Captive Portal

After you finish customizing:
  1. Click Add or Save to finalize.
  2. If your router is behind NAT, verify that the required ports are open or that the Management VPN is set up for behind-NAT usage.

Testing the Captive Portal

  1. Connect a test device (phone, laptop, etc.) to your Wi-Fi or LAN.
  2. When prompted by the Captive Portal, log in with the IDP you configured or a local account.
  3. Confirm the authentication process succeeds, and you’re able to browse the permitted network resources.
For public or guest-facing portals, regularly monitor the captive portal logs to ensure usage is within acceptable limits.
If you run into issues or need advanced behavior (like custom login pages or deeper policy integration), consult additional docs on Transient Access or Security Essentials.