Guest Access WLAN-External Hotspot with RADIUS Authentication


Guest access WLAN is designed specifically for BYOD (Bring your own device) setup, where large organizations have both staff and guests running on same WLAN or similar WLANs. Cambium Networks provides different options to the customers to achieve this based on where the captive portal page is hosted and who will be validating and performing authentication process.

There are 3 locations where the captive portal page can be hosted:

  1. Internal Access Point (Limited customization like Logo and Background Image)
  2. External Hotspot (External 3rd party Web/Cloud hosted captive portal, fully customized)
  3. cnMaestro (Semi customized portal, with additional features like SMS Authentication, Payment Gateways and Vouchers)

Authentication Methods:

  1. Clickthrough (Portal page with a button to accept terms & conditions and get internet access)
  2. RADIUS (External Authentication server like, Windows NPS / IAS or Free RADIUS)
  3. LDAP (Authenticate using LDAP/Active Directory)
  4. Local Guest Account (Single username /password stored on Access Point)

In this document we will be specifically talking about External Hotspot with RADIUS based authentication.

This setup consists of 3 main parts:

  1. Supplicant (Wireless clients- Laptops, mobile phones etc)
  2. Authenticator (Cambium Access Points)
  3. Authentication Server (RADIUS)

The general workflow when an external server is being used is as follows:



  1. On cnPilot Access Points: Configure >> WLAN
  2. On cnMaestro: Shared Settings/ WLANs and AP Groups >> WLANs

Enter the WLAN/SSID name and enable it on required Radios of the AP.

Enter the AAA Server settings like IP address (RADIUS server) and shared secret (This shared secret should match to the secret created on RADIUS server).

Guest Access: Enter the URL of captive portal hosted on external web server.

The Portal Page hosted on the webserver should perform a POST from the client to Access Point in case of all the authentication methods.

POST should happen to the Access Point http://<AccessPoint IP Address>:880/cgi-bin/hotspot_login.cgi


Here is one real time example of POST when submit button is clicked :

Port No Opened On AP: 880


Here is the packet flow between AP and the wireless client:

  1. When wireless client connects, it will get redirection page whose URL will be of the below format:

    Web Server IP is :
    Cambium AP IP is :
    Client MAC : 74-DF-BF-B7-C6-8D
    Query String : Everything after the question mark in the above url

    Note, that Cambium AP IP is present in ga_srvr in the query string part of above url.

  2. When wireless client fills the form and do/click the submit button, Cambium AP expects the submit URL (internally called as POST url), in the below format :

    Cambium AP IP:
    Cambium Port No: 880

    Note that, everything received as part of query string (everything after question mark) in the redirection URL, needs to be appended back in the POST URL.