What Is a Captive Portal? Complete Guide for WiFi Resellers
Key Takeaways: A captive portal is a web page that intercepts a device's network connection and requires user interaction — typically authentication or consent — before granting internet access. Captive portals are the primary data collection mechanism in guest WiFi marketing, capturing emails, phone numbers, social profiles, and device metadata. For resellers, the captive portal is the revenue engine: it turns anonymous WiFi users into identified contacts your clients can market to.
A captive portal is a network access control mechanism that redirects a user's HTTP request to a login or consent page before allowing them onto the internet. Every time someone connects to WiFi at a coffee shop, hotel, or airport and sees a login screen, that's a captive portal in action.
The technology dates back to the late 1990s when hotels started charging for internet access. Today, captive portals serve a different purpose. They're the front door to guest WiFi marketing — collecting contact information, enforcing terms of service, and feeding data into CRM and marketing automation systems.
For resellers (MSPs, agencies, VARs), the captive portal is the product you sell. Not the WiFi itself. The portal.
How captive portals work (technical overview)
The mechanics are straightforward, but the implementation details matter.
The redirect flow
- •Guest device associates with the access point (connects to the SSID)
- •DHCP assigns a local IP address — the device is on the network but has no internet
- •DNS interception or HTTP redirect catches the device's first web request
- •The portal page loads in a Captive Network Assistant (CNA) or browser window
- •User authenticates via social login, email, SMS, form, or passkey
- •RADIUS or controller authorizes the device MAC address for internet access
- •Post-auth redirect sends the user to a landing page, app store, or the URL they originally requested
Modern captive portals use HTTPS redirects and comply with RFC 8908 (Captive Portal API), which lets operating systems detect portals automatically and present them in a standardized way. Apple's CNA, Android's connectivity check, and Windows' NCSI all probe specific endpoints to detect portal presence.
Authentication methods
Not all portals require the same level of authentication. The method you choose determines data quality, friction, and compliance obligations.
| Method | Data Captured | Friction | Best For |
|---|---|---|---|
| Social login (Facebook, Google, Apple) | Name, email, profile photo, age range | Low — one tap | High-traffic transient venues |
| Email form | Email, optional name/phone | Medium | Restaurants, retail |
| SMS OTP | Verified phone number | Medium | Compliance-heavy markets |
| WhatsApp OTP | Verified phone + WhatsApp ID | Medium | LATAM, MENA, SEA markets |
| Click-through | Device MAC only | Zero | Free WiFi with ToS consent |
| Passcode | Nothing beyond MAC | Zero | Staff or VIP access |
According to a 2025 Cisco Annual Internet Report, 87% of consumers expect free WiFi at commercial venues. The question isn't whether to offer WiFi — it's what you capture when they connect.
What data flows through a captive portal
Every portal interaction generates multiple data points:
- •Identity data: email, phone, name, birthday, gender (from social or form)
- •Device data: MAC address, OS, browser, device manufacturer, screen resolution
- •Session data: connect time, disconnect time, duration, bandwidth consumed
- •Location data: which AP they connected to (maps to physical zone)
- •Behavioral data: new vs. returning, visit frequency, time between visits
- •Consent data: which terms they accepted, when, IP address at time of consent
A single portal interaction at a busy restaurant captures more actionable data than a $500/month foot traffic counter. That's the pitch resellers make — and the data backs it up.
Why captive portals matter for resellers
You're not selling WiFi. You're selling the data layer that sits on top of WiFi.
The recurring revenue model
Here's how the economics work for a typical MSP or agency reseller:
- •Client pays you $99-$299/month for "WiFi marketing" or "guest intelligence"
- •Your platform cost is $3-$10/month per location (depending on plan tier and AP count)
- •Margin: 70-90% gross on a monthly recurring basis
A reseller managing 50 restaurant locations at $149/month generates $7,450 MRR with roughly $1,500 in platform costs. That's $71K/year in gross margin from one product line.
The captive portal is what makes this model work. Without it, guest WiFi is a cost center — an amenity that generates zero data and zero revenue.
Data capture benchmarks
Industry data from WiFi marketing deployments (aggregated from multiple platform providers, 2024-2025):
- •Opt-in rate (email form): 15-25% of connected guests
- •Opt-in rate (social login): 30-45% of connected guests
- •Opt-in rate (SMS/WhatsApp OTP): 55-70% of connected guests
- •Average data points per guest: 8-12 fields
- •Return visit identification rate: 60-80% (via MAC + cookie matching)
OTP-based authentication consistently outperforms other methods because the friction-to-value tradeoff is clear: enter your number, get WiFi. No password to remember, no social account to authorize.
Captive portal compliance: GDPR, CCPA, and beyond
This is where resellers either protect their clients or expose them to liability.
GDPR (EU/EEA)
Under GDPR, the captive portal must:
- •Display clear purpose of data collection before capture
- •Obtain explicit opt-in consent (pre-checked boxes don't count)
- •Provide data access, correction, and deletion mechanisms
- •Include data controller and processor identification
- •Specify data retention periods
Fines for GDPR violations reach up to 4% of annual global revenue or EUR 20 million, whichever is higher. In 2024, the Italian DPA fined a hotel chain EUR 150,000 for WiFi data processing without adequate consent mechanisms.
CCPA (California)
CCPA requires:
- •Notice at collection (what data, why, who gets it)
- •Right to opt out of data sale
- •Right to deletion
- •No discrimination against users who opt out
LGPD (Brazil)
Brazil's LGPD mirrors GDPR in most respects. Given that WhatsApp has 98% penetration in Brazil, portals serving Brazilian venues should offer WhatsApp OTP authentication with LGPD-compliant consent flows.
Reseller liability
Here's the part many resellers miss: as the platform operator, you may be classified as a data processor under GDPR. Your client (the venue) is the data controller. You need a Data Processing Agreement (DPA) with every client. The portal must display the client's privacy policy, not yours.
Platforms like MyWiFi Networks include configurable consent forms, data retention controls, and per-client legal terms that resellers can customize at the location level.
Captive portal architecture patterns
Cloud-managed portals
The dominant model for resellers. The portal page is hosted in the cloud (CDN-delivered), and the access point redirects to it via an external URL. Authentication decisions are made server-side, and the cloud platform pushes authorization back to the controller or RADIUS server.
Pros: Centralized management, instant updates across all locations, no on-site server needed. Cons: Requires internet connectivity for portal to load (no offline fallback).
Controller-hosted portals
The portal HTML lives on the WiFi controller (Meraki dashboard, UniFi controller, etc.). Customization is limited to what the controller's portal editor supports.
Pros: Works even if upstream internet is down. Fast load times. Cons: Limited customization, no centralized multi-site management, data stays siloed on the controller.
RADIUS-based authentication
RADIUS (Remote Authentication Dial-In User Service) is the protocol that handles authentication decisions. The access point sends an authentication request to a RADIUS server, which validates the user and returns an accept or reject.
For marketing portals, RADIUS handles the back-end authorization while the cloud portal handles the front-end UX. The RADIUS server logs session accounting data (radacct) — connect time, disconnect time, bytes transferred, session duration — which feeds into analytics dashboards.
Captive portal design: what converts
Portal design has a measurable impact on opt-in rates. These patterns are backed by A/B testing across thousands of deployments.
Keep it to one screen
Portals with a single-screen layout (no scrolling required) convert 23% better than multi-step flows on mobile devices. The login method, branding, and legal consent should all be visible without scrolling.
Minimize form fields
Every additional form field reduces completion rates by 8-12%. If you need email and name, capture email on the portal and collect the name via a post-auth survey or automation trigger.
Load time under 2 seconds
Portal load time is critical. According to Google's Core Web Vitals data, 53% of mobile users abandon a page that takes longer than 3 seconds to load. Portal pages served from a CDN with optimized assets consistently hit sub-2-second load times.
Match the venue brand
White-label portals that match the venue's brand (logo, colors, imagery) increase trust and opt-in rates. Generic or platform-branded portals signal "this is marketing software" to guests, which reduces engagement.
Platforms with WYSIWYG portal builders let resellers create venue-branded portals in minutes without touching code.
Captive portals vs. alternative authentication
802.1X / WPA-Enterprise
Enterprise authentication that requires a certificate or username/password pre-provisioned on the device. Used for corporate networks, not guest WiFi marketing. No data capture opportunity.
Passpoint (Hotspot 2.0)
Automatic authentication using carrier credentials or pre-provisioned profiles. Eliminates the portal entirely. Great for connectivity, terrible for marketing — no data capture, no consent flow, no brand interaction. Learn more in our guide on Hotspot 2.0.
QR code login
Guest scans a QR code that opens the portal in their browser. Useful for printed signage or table tents. The portal still handles authentication — QR is just the entry mechanism.
MAC authentication bypass (MAB)
The device is authenticated based on its MAC address alone. Used for IoT devices and known equipment. No human interaction, no data capture.
Setting up a captive portal: the reseller workflow
For resellers deploying portals across multiple client venues, the workflow looks like this:
- •Connect hardware — Use a 2-minute device integration wizard to link the client's access points (Meraki, UniFi, Aruba, Ruckus, etc.) to the cloud platform
- •Design the portal — Build a branded splash page with the client's logo, colors, and messaging using a drag-and-drop editor
- •Configure authentication — Select login methods (social, email, SMS, WhatsApp OTP) based on the venue type and market
- •Set compliance rules — Configure consent text, privacy policy links, data retention periods, and opt-out mechanisms for the relevant jurisdiction
- •Set up automations — Create post-connection email sequences, SMS follow-ups, or CRM syncs that trigger on connect, disconnect, or inactivity
- •Launch and monitor — Assign the portal to the location, test the flow on a real device, and monitor opt-in rates via the analytics dashboard
The entire setup takes 15-30 minutes per location for an experienced reseller. Platforms that support portal templates and cloning reduce this to under 5 minutes for subsequent locations.
Frequently asked questions
Is a captive portal the same as a splash page?
They're related but not identical. A captive portal is the network mechanism that intercepts traffic and forces authentication. A splash page is the visual web page the user sees. The splash page is one component of the captive portal system. Read more about splash page design.
Do captive portals work on all devices?
Modern captive portals work on iOS, Android, Windows, macOS, and ChromeOS. Each operating system has a built-in Captive Network Assistant (CNA) that detects portals and presents them to the user. Edge cases: some IoT devices and older firmware don't trigger CNA properly — these typically need MAC authentication bypass.
Can captive portals capture data without consent?
No. Under GDPR, CCPA, LGPD, and most modern privacy regulations, you must obtain explicit consent before collecting personal data through a captive portal. Click-through portals that only capture MAC addresses operate in a gray area — MAC addresses are considered personal data under GDPR.
How do captive portals handle returning guests?
Most platforms use a combination of MAC address matching and browser cookies to identify returning guests. The "Welcome Back" flow can automatically reconnect returning guests without requiring re-authentication, while still logging the visit for analytics. The reconnect window is configurable — typically 24 hours to 30 days.
What's the difference between a captive portal and a paywall?
A paywall requires payment for access (common in hotels and airports). A captive portal can include a payment step (via Stripe or other processors), but most marketing-focused portals exchange data for access rather than money. Some deployments use hybrid models: free basic WiFi via data capture, premium bandwidth via payment.
Do VPNs bypass captive portals?
VPNs can't establish a tunnel until the device has internet access, which requires portal authentication first. However, once authenticated, a VPN will encrypt subsequent traffic, making it invisible to the portal's analytics. This affects session duration tracking but not initial data capture.
Bottom line
A captive portal is the mechanism that turns anonymous WiFi users into identified contacts. For resellers, it's the core product — the thing clients pay for, the thing that generates recurring revenue, and the thing that differentiates "we installed WiFi" from "we built you a customer database."
The technology is mature. The compliance landscape is well-defined. The economics are proven. The only variable is execution: how well the portal is designed, how cleanly data flows into downstream systems, and how effectively the reseller positions the value to clients.
Start with the right platform, configure compliance correctly, and let the portal do what it was built to do — capture data at the moment of connection. To deploy for your clients under your own brand, review the partner program. For captive portal use cases by industry, see solutions by vertical.