Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Mist AI Wireless Juniper Mist Wireless Assurance Configuration Guide WLAN Guest Portal

Juniper Mist Wireless Assurance Configuration Guide

keyboard_arrow_up
close
keyboard_arrow_left
Juniper Mist Wireless Assurance Configuration Guide
Table of Contents Expand all
list Table of Contents

Use an External Portal for Guest Access

date_range 10-Mar-25
arrow_backward
arrow_forward

Enable an external portal if you want guests to go to a sign-in portal that your web developers have designed on your own website.

An external portal is a webpage that your WLAN users see after they select your SSID. For example, you can send guests to your company's home page or a sign-in portal that your web developers have set up specifically for your organization.

For added security, you can specify authorized users, allowed subnets, and allowed hostnames. You also can enter a list of hostnames to block.

  1. Navigate to the WLAN.
    Note:

    • If the WLAN is in a WLAN template, select Organization > Wireless | WLAN Templates, click the template, and then click the WLAN.

    • For a site-level WLAN, select Site > Wireless | WLANs, and then click the WLAN.

  2. In the Edit WLAN window, under Guest Portal, click Forward to external portal.
    Forward to External Portal Option in the Edit WLAN Window
  3. (Optional) Click the Edit Guest Authorization button if you want to limit access to specific users. Then complete these steps:
    1. In the Authorized Guests window, click Add.
      Authorized Guests Window and Add Button
    2. On the Authorize Guest window, enter the guest's MAC Address (required), optional user information, and the period that the user remains authorized.
      Form Fields to Add a Guest
      Note:

      You can use the Search Client option to search for a client that is already connected to the WLAN.

    3. Click Authorize at the bottom of the Authorize Guest window.
    4. Repeat these steps to add more guests to the list.
  4. Enter the Portal URL, beginning with http:// or https://.
    Note:

    Use the other fields to finetune access. For example, allow only certain subnets or hostnames.

  5. Select or clear the Bypass guest/external portal in case of exception check box.

    When this feature is selected, each access point will try to reach the portal or IdP, but if it is not reachable then the AP will automatically authorize the guests to connect to the WLAN.

  6. Click Save at the bottom of the Edit WLAN window.

Use PHP and Read-Me files to Create Your External Portal

  1. Create your external portal by referring to the following sample PHP files and Read-Me Information.
    index.php
    content_copy zoom_out_map
    <?php
	/*
	  These parameters are sent by Mist on the 302 redirect to this portal page:
	    wlan_id - WLAN object's UUID
	    ap_mac - MAC address of the AP
	    client_mac - MAC address of the client device
	    url - Originally requested url by the client, ie: http://www.mist.com
	    ap_name - Name of the AP
	    site_name - Name of the Site
	
	  If you want to send the guest to a content page after authorization, configure the $url instead of using the valued that is passed as a parameter.
	*/

	$wlan_id = $_GET['wlan_id'];
	$ap_mac = $_GET['ap_mac'];
	$client_mac = $_GET['client_mac'];
	$url = $_GET['url'];
	$ap_name = $_GET['ap_name'];
	$site_name = $_GET['site_name'];
?>

<html>
	<body>
		<form action="authme.php" method="post">
			<input type="hidden" name="wlan_id" value="<?php echo($wlan_id) ?>" />
			<input type="hidden" name="ap_mac" value="<?php echo($ap_mac) ?>" />
			<input type="hidden" name="client_mac" value="<?php echo($client_mac) ?>" />
			<input type="hidden" name="url" value="<?php echo($url) ?>" />
			<input type="hidden" name="ap_name" value="<?php echo($ap_name) ?>" />
			<input type="hidden" name="site_name" value="<?php echo($site_name) ?>" />

			<table>
				<tr>
					<td><b>Your Full Name</b></td>
					<td><input type="text" name="name" /></td>
				</tr>
				<tr>
					<td><b>Your Email Address</b></td>
					<td><input type="text" name="email" /></td>
				</tr>
				<tr>
					<td><input type="submit" value="Login" /></td>
				</tr>
			</table>
		</form>
	</body>
</html>
    authme.php
    content_copy zoom_out_map
    <?php
	$secret = '';  // WLAN API Key, obtained from the Mist Web GUI after creating the WLAN
	$wlan_id = $_POST['wlan_id'];
	$ap_mac = $_POST['ap_mac'];
	$client_mac = $_POST['client_mac'];
	$url = $_POST['url'];
	$ap_name = $_POST['ap_name'];
	$site_name = $_POST['site_name'];

	$authorize_min = 525600;  // Duration (in minutes) the guest MAC address is authorized before they are redirected back to the portal page)
	$context = sprintf('%s/%s/%s/%d/%d/%d/%d',
		$wlan_id, $ap_mac, $client_mac,
		$authorize_min,
	);
	$token = urlencode(base64_encode($context));

	// The below portal fields are passed back to Mist and shown in the Guest Portal Information
	$name = $_POST['name'];
	$email = $_POST['email'];
	$field1 = 'Whatever you want Custom field 1 to be';
	$field2 = 'Whatever you want Custom field 2 to be';
	$field3 = 'Whatever you want Custom field 3 to be';
	$field4 = 'Whatever you want Custom field 4 to be';

	$forward = urlencode($url);  // URL the user is forwarded to after authorization
	$extra = '&forward=' . $forward;
	$extra .= '&name=' . urlencode("$name");
	$extra .= '&field1=' . urlencode("$field1");
	$extra .= '&field2=' . urlencode("$field2");
	$extra .= '&field3=' . urlencode("$field3");
	$extra .= '&field4=' . urlencode("$field4");
	$extra .= '&email=' . urlencode("$email");
	$expires = time() + 120;  // The time until which the authorization URL is valid
	$payload = sprintf('expires=%d&token=%s%s', $expires, $token, $extra);

	$signature = urlencode(base64_encode(hash_hmac('sha1', $payload, $secret, true)));
	$final_url = sprintf('http://portal.mist.com/authorize?signature=%s&%s', $signature, $payload);

	/*
	  Debug code used for testing purposes only
	  If set to true, display the variable details without authorizing the guest in the Mist cloud
	*/
	$debugging = false;
	if ($debugging) {
		header('Content-Type: text/plain');
		echo sprintf('token          : urlencode(base64(%s))', $context) . PHP_EOL;
		echo sprintf('                 %s', $token) . PHP_EOL;
		echo sprintf('foward         : %s', $url) . PHP_EOL;
		echo sprintf('                 %s', $foward) . PHP_EOL;
		echo sprintf('payload-to-sign: %s', $payload) . PHP_EOL;
		echo sprintf('signature      : %s', $signature) . PHP_EOL;
		echo sprintf('URL            : %s', $final_url) . PHP_EOL;
		echo sprintf('client_mac     : %s', $client_mac) . PHP_EOL;
		echo sprintf('ap_mac         : %s', $ap_mac) . PHP_EOL;
		echo sprintf('ap_name        : %s', $ap_name) . PHP_EOL;
		echo sprintf('wlan_id        : %s', $wlan_id) . PHP_EOL;
		echo sprintf('site_name      : %s', $site_name) . PHP_EOL;
		echo sprintf('name           : %s', $name) . PHP_EOL;
		echo sprintf('email          : %s', $email) . PHP_EOL;
		echo sprintf('field1         : %s', $field1) . PHP_EOL;
		echo sprintf('field2         : %s', $field2) . PHP_EOL;
		echo sprintf('field3         : %s', $field3) . PHP_EOL;
		echo sprintf('field4         : %s', $field4) . PHP_EOL;
	}
	else {
		// Guest is redirected to the Mist portal for authorization. If successful, the Mist portal will then redirect the guest to the $url 
		header('Location: ' . $final_url);
	}
?>
    Read-Me Information
    content_copy zoom_out_map
    This sample code shows how to use the PHP POST method to pass the below parameter values from the landing page (index.php) 
to the authorization page (authme.php). The authorization page will also request the user to provide some information. 

Authorization HOW-TOs
=====================
Syntax: signature=<signature>&expires=<epoch-seconds>&token=<token>&forward=<forward>

Note: Wired captive portal does not support this mechanism, please use the JWT based one.

<forward>: url to forward the user to after authorization
<token>: base64("wlan-id/ap-mac/client-mac/authorize_min/0/0/0")
<signature>: base64(hmac_sha1(<secret>, "expires=..."))


Example

token     : urlencode(base64("be22bba7-8e22-e1cf-5185-b880816fe2cf/5c5b35001234/d58f6bb4c9d8/480/0/0/0")) =
            YmUyMmJiYTctOGUyMi1lMWNmLTUxODUtYjg4MDgxNmZlMmNmLzVjNWIzNTAwMTIzNC9kNThmNmJiNGM5ZDgvNDgwLzAvMC8w
expires   : 1768587994
forward    : urlencode("http://www.mist.com")
            http%3A%2F%2Fwww.mist.com%2F
payload-to-sign: expires=1768587994&token=YmUyMmJiYTctOGUyMi1lMWNmLTUxODUtYjg4MDgxNmZlMmNmLzVjNWIzNTAwMTIzNC9kNThmNmJiNGM5ZDgvNDgwLzAvMC8w&forward=http%3A%2F%2Fwww.mist.com%2F
secret    : test-secret (only used by /authorize-test for testing purpose)
signature : J7VJlf2Zlcs%2BOxhVxCf8hL0XYC0%3D

final URL : http://portal.mist.com/authorize-test?signature=J7VJlf2Zlcs%2BOxhVxCf8hL0XYC0%3D&expires=1768587994&token=YmUyMmJiYTctOGUyMi1lMWNmLTUxODUtYjg4MDgxNmZlMmNmLzVjNWIzNTAwMTIzNC9kNThmNmJiNGM5ZDgvNDgwLzAvMC8w&forward=http%3A%2F%2Fwww.mist.com%2F


Alternatively, you can use JWT tokens:

Syntax: jwt=<jwt token>

Payload:
{
    "ap_mac": "5c5b35001234",
    "wlan_id": "be22bba7-8e22-e1cf-5185-b880816fe2cf",
    "client_mac": "d58f6bb4c9d8",
    "minutes": 480,
    "expires": 1768587994,
    "forward": "http://www.mist.com",
    "authorize_only": false
}

Notes:
authorize_only: if true and authorization is successful, 200 OK will be returned instead of 302 Redirect the user to the `forward` URL

Example

```
import jwt

secret = "test-secret"
payload = {
    "ap_mac": "5c5b35001234",
    "wlan_id": "be22bba7-8e22-e1cf-5185-b880816fe2cf",  # only for _wireless_ captive portal
    "site_id": "ce22bba7-8e22-e1cf-5185-b880816fe2ce",  # only for _wired_ captive portal"
    "port_name": "eth0",  # only for _wired_ captive portal"
    "client_mac": "d58f6bb4c9d8",
    "minutes": 480,
    "expires": 1768587994,
    "forward": "http://www.mist.com",
    "authorize_only": False
}

encoded_jwt = jwt.encode(payload, secret, algorithm='HS256')
```

encoded_jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVfb25seSI6ZmFsc2UsImV4cGlyZXMiOjE3Njg1ODc5OTQsImFwX21hYyI6IjVjNWIzNTAwMTIzNCIsImZvcndhcmQiOiJodHRwOi8vd3d3Lm1pc3QuY29tIiwiY2xpZW50X21hYyI6ImQ1OGY2YmI0YzlkOCIsIm1pbnV0ZXMiOjQ4MCwid2xhbl9pZCI6ImJlMjJiYmE3LThlMjItZTFjZi01MTg1LWI4ODA4MTZmZTJjZiJ9.msBloHe05XzbzaMEqjsi8XSNWa_3uc--4wucKz3dQGk
final URL  : http://portal.mist.com/authorize-test?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVfb25seSI6ZmFsc2UsImV4cGlyZXMiOjE3Njg1ODc5OTQsImFwX21hYyI6IjVjNWIzNTAwMTIzNCIsImZvcndhcmQiOiJodHRwOi8vd3d3Lm1pc3QuY29tIiwiY2xpZW50X21hYyI6ImQ1OGY2YmI0YzlkOCIsIm1pbnV0ZXMiOjQ4MCwid2xhbl9pZCI6ImJlMjJiYmE3LThlMjItZTFjZi01MTg1LWI4ODA4MTZmZTJjZiJ9.msBloHe05XzbzaMEqjsi8XSNWa_3uc--4wucKz3dQGk
    Note:

    Replace portal.mist.com with the appropriate Guest Wi-Fi Portal URL based on the cloud instance in which your Mist organization was created. To look up the Guest Wi-Fi Portal URL for your region, see the Mist Cloud IP Addresses and Ports information in the Juniper Mist Management Guide.

  2. To get the value that you need for $secret in auth.php, reopen the Edit WLAN window, and copy the API Secret.
  3. Configure your authorization page (authme.php) to call the Juniper Mist backend with the required query string parameters: ?signature=signature&expires=expires&token=token&optional

    • expires – The epoch timestamp until which the authorization URL is valid.

      • For example: 1768587994 (This means the authorization URL would expire on January 16, 2026 at 6:26:34 PM UTC.)

    • token – A base64 string having format: wlan_id/ap_mac/client_mac/authorize_min/0/0/0

      • For example: be22bba7-8e22-e1cf-5185-b880816fe2cf/5c5b35001234/d58f6bb4c9d8/480/0/0/0

    • signature – A base64 string of hashed values, using sha1 as the hashing algorithm and the Guest WLAN’s API Secret as the key. This would have the following format: expires=expires&token=token&optional

      • For example: J7VJlf2Zlcs%2BOxhVxCf8hL0XYC0%3D

    • optional – The optional guest details and the URL to which the user is forwarded after authorization, having the following format: forward=url&name=name&email=email&company=company&field1=field1&field2=field2&field3=field3&field4=field4

      Note: Ensure all parameter values are passed as base64.

      • For example: forward=http%3A%2F%2Fwww.mist.com%2F

  4. Configure your authorization page to call Juniper Mist for guest authorization. The final authorization URL would look something like this: http://portal.mist.com/authorize?signature=J7VJlf2Zlcs%2BOxhVxCf8hL0XYC0%3D&expires=1768587994&token=YmUyMmJiYTctOGUyMi1lMWNmLTUxODUtYjg4MDgxNmZlMmNmLzVjNWIzNTAwMTIzNC9kNThmNmJiNGM5ZDgvNDgwLzAvMC8w&forward=http%3A%2F%2Fwww.mist.com%2F
  5. Test the external captive portal by connecting a device and attempting to authenticate.

    The device should be redirected to the Juniper Mist portal for authorization. If authentication is successful, the user will be redirected to the URL as defined in your external captive portal code.

    Note:

    Use /authorize for the live portal. For testing purposes, you can use /authorize-test, which requires the dummy example values as provided in the Read-Me Information.

arrow_backward PREVIOUS Enable Guest Portal Social Login with Microsoft® Azure
NEXT arrow_forward Use an Identity Provider for Guest Access
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top

keyboard_arrow_down
file_download
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
language