Managing Guest Wi-Fi with a Captive Portal
TL;DR: What a captive portal is, how it's deployed in SME offices and guest-Wi-Fi scenarios, Law-5651-compliant logging, and brand-experience guide.
Summary: A captive portal is the sign-in / consent page that appears when a user joins guest Wi-Fi. For an SME it has three core roles: (1) user authentication under Türkiye's Law 5651 (who connected, and when), (2) acceptance of terms of use, (3) brand experience (company logo, language selection, cross-promotion). The standard router approach of "WPA2 password" isn't enough for Law 5651 — there's no record of who connected. A captive portal closes that gap with SMS code, room number + surname, or national-ID verification. At SME scale, Ubiquiti UniFi, Aruba Instant On, MikroTik Hotspot, or cloud-based options can be rolled out in 1–2 hours.
SME offices, hotels, cafés, salons, clinics — all need guest Wi-Fi. The classic approach: a "Guest" SSID + a WPA2 password + the password printed on a notice. That isn't Law-5651 compliant (no record of who connected), the password spreads quickly, and there's no brand experience. A captive portal closes all three gaps in a single flow: user connects, portal opens, authenticates, gets internet access — and the whole flow is logged, branded, and legally compliant.
In this article we cover captive-portal setup at SME scale, Law 5651 alignment, and brand-experience design. Target audience: IT managers, office owners, hotel / café operators, and decision-makers who want to end the "everyone knows the guest Wi-Fi password" problem systematically.
What Is a Captive Portal?
When a device joins guest Wi-Fi, its browser is automatically redirected to a sign-in page before internet access opens.
Typical User Flow
- The user picks the SSID (e.g. "Hotel_Guest")
- The device connects and gets an IP (DHCP)
- A browser opens or the first HTTP request is made
- The captive-portal page appears
- The user authenticates (SMS code, room no, etc.)
- On success → internet opens
- The session is logged
This flow is triggered automatically by device operating systems (iOS, Android, Windows, macOS).
The Three Roles of a Captive Portal
1. Legal Alignment (Law 5651)
In Türkiye, Law 5651 obliges anyone offering public internet (hotels, cafés, offices — including SMEs serving guest Wi-Fi) to retain user records.
- Who connected (national ID, phone, room number)
- When they connected
- For how long
- From which IP / MAC
- Retained for 2 years
Captive-portal user authentication satisfies this obligation naturally.
2. Terms of Use
Reducing legal exposure:
- "I will not access illegal content"
- "Personal-data sharing is prohibited"
- "Responsibility in case of violation lies with me"
The user's acceptance functions as a signature (KVKK information notice + consent).
3. Brand Experience
Added value:
- Company logo, brand colours
- Language selection (TR / EN)
- Social-media links
- Promotions / announcements
- Survey integration
In the hotel sector, the captive portal is used as the guest welcome face.
Authentication Methods
Methods typical at SME scale:
1. SMS Code
- The user enters a phone number
- A 6-digit code arrives by SMS
- The code is verified
- Pro: phone = identity, KVKK-aligned
- Con: SMS-gateway cost (cents per message)
2. Room Number + Surname (Hotels)
- The guest enters their room number + surname
- It's verified against the PMS
- Pro: no friction for the guest
- Con: PMS integration required
3. National ID / Passport
- The legally strictest option
- e-Devlet verification (advanced)
- Pro: indisputable identity
- Con: high user friction
4. Voucher / PIN
- A physical card at the front desk
- Single-use or time-limited
- Pro: per-guest, controlled
- Con: handed out manually
5. Social-Media Login
- Sign in with Facebook, Google, Apple
- Pro: easy
- Con: KVKK risk, contested under Law 5651
6. Email Verification
- Email + confirmation link
- Pro: no cost
- Con: slow, fake-email risk
Typical SME picks: SMS code (most compliant + reasonable cost) or room no + surname (hotels).
Captive-Portal Options
Solutions practical at SME scale:
Hardware-Based
- Ubiquiti UniFi: built-in captive portal, free, easy
- Aruba Instant On: cloud-managed, simple
- TP-Link Omada: economical, SME-focused
- MikroTik Hotspot: flexible, needs technical know-how
- Ruckus / CommScope: enterprise
Software-Based
- pfSense Captive Portal: open source, flexible
- OpenWrt: open-source router OS
Cloud-Based (SaaS)
- HotSpotSystem: Türkiye-based provider
- Cloud4Wi: global, rich analytics
- Purple WiFi: marketing-oriented
- Tanaza: compatible with many hardware brands
Law-5651-Compliant Local Providers
In Türkiye, TIB-approved captive-portal providers with integrated Law-5651 logging:
- HotSpotSystem
- Wifrog
- KobaWiFi
- Telkonet (hotels)
Local providers have an edge on Turkish-language support and Law-5651 certification.
Hardware Setup — Ubiquiti UniFi Example
The most common SME pick: UniFi.
Steps
- UniFi Controller / UniFi Cloud Key
- Add a new Wireless Network: SSID "Guest"
- Security: Open
- Guest Policy: Enabled
- Guest Control:
- Authentication: Hotspot
- Hotspot template: customised
- Hotspot setup:
- Authentication: SMS code (Twilio integration) or voucher
- Logo, colours, terms of use
- Session length (e.g. 24 hours)
- Bandwidth limit (e.g. 5 Mbps)
- Save the configuration
The whole flow is done in 30 minutes.
Law-5651 Logger Integration
The captive portal authenticates the user; traffic logging is a separate component.
Logger Required
- Which user (MAC / IP / account) reached which domain
- Retained 2 years
- Timestamped, signed, tamper-evident
Options
- Hardware logger: a TIB-approved local appliance, one-off investment (30,000–100,000 TL)
- Cloud Law-5651 service: monthly subscription (500–2,000 TL/month), popular at SME scale
- Open source + signing: technical know-how required, economical
Captive Portal + Logger, Bundled
Some captive-portal providers include the logger (e.g. HotSpotSystem) — a single integrated solution.
Brand-Experience Design
The captive portal is the hotel's / organisation's "digital welcome face".
Design Principles
- Mobile-friendly: 80%+ of traffic is mobile
- Fast loading: even on poor bandwidth
- Clear language selection: TR / EN / AR (for hotels)
- Few steps: fewer clicks = better
- Logo + tagline: brand presentation
- Social media: optional sharing
Hotel Captive-Portal Sketch
[Hotel Logo]
Welcome!
Enter your details for Wi-Fi access:
Room No: ____
Surname: ____
[ ] I accept the terms of use
[ ] I've read the KVKK information notice
[ Connect ]
────────────
Restaurant reservation
Discover the spa
Contact via WhatsApp
Cross-Promotion
The captive portal is a direct sales tool:
- Restaurant-reservation link
- Spa discount
- Contest / survey
- Newsletter signup
In the hotel sector, 5–15% economic uplift from captive-portal traffic is common.
KVKK and the Information Notice
Captive portals collect personal data → a KVKK information notice is mandatory.
Information-Notice Contents
- Which data (phone, MAC, IP, visit time)
- For what purpose (Law-5651 alignment, service)
- For how long (2 years for Law 5651 + a reasonable period for marketing)
- With whom it's shared (authorities)
- Data-subject rights (deletion, access)
Explicit Consent
For marketing purposes (e.g. SMS sending), separate explicit consent is required — it can't be folded into the acceptance of terms. A separate checkbox.
Common Mistakes
Typical pitfalls in SME captive-portal rollouts:
- No Law-5651 logger integration: user authentication exists, traffic logging doesn't
- HTTPS redirect issues: modern HTTPS-only sites may not trigger the captive portal
- No device isolation: a guest device can see another guest's
- Session length too long: the same user connects for 30 days without re-authentication
- Missing information notice: KVKK violation
- No bandwidth caps: a single user saturates the link
- Default router branding: generates no brand value
What Yamanlar Bilişim Offers
Our captive-portal support areas at SME scale:
- Audit of current guest Wi-Fi
- Captive-portal solution selection
- Ubiquiti / Aruba / MikroTik rollout
- Law-5651 logger integration
- Brand design (logo, colours, languages)
- KVKK information-notice support
- SMS-gateway integration
- Annual captive-portal health audit
Frequently Asked Questions
Conclusion
A captive portal is the basic tool that turns SME guest Wi-Fi into something legally compliant, branded, and controlled. The standard "WPA2 password" approach is dated and carries a Law-5651 violation risk; an SMS-, room-no-, or voucher-based captive portal closes that gap in minutes. Add brand design on top and a single Wi-Fi sign-in screen becomes part of the guest experience.
Yamanlar Bilişim provides captive-portal selection, Law-5651 logger integration, and brand-design services sized to your needs — turning your guest Wi-Fi from a grey area of shared passwords into a measurable, compliant, branded digital touchpoint.
Frequently Asked Questions
Isn't a WPA2 password instead of a captive portal enough?
Not for Law 5651. A password doesn't identify who connected — everyone uses the same one. In a legal review, you can't answer Mehmet connected at 14:30 . A captive portal closes the gap with user authentication (phone number, room number).
Is a captive portal really mandatory even for an SME office?
If you offer guest Wi-Fi (i.e. visitors from outside connect), yes — you fall under the Law-5651 obligation. If only your employees connect (even BYOD authenticated against AD), it's different; but if guests connect, a portal is required.
How much do SMS gateways cost monthly?
At SME scale, 100–500 connections / month → 100–500 SMS. Türkiye SMS rates run 0.10–0.30 TL/SMS. So 30–150 TL/month. Lower with a bulk contract. Hotel scale (thousands of SMS / month) warrants tailored packages.
Should the same user be re-prompted with an SMS code every time?
No — that creates user friction. The typical setup: a 24-hour to 7-day remember device after the first authentication — MAC-based. Re-authentication on expiry. For hotels, the typical window is the length of stay (e.g. 3 days); for an office visitor, 1 day.
The device isn't triggering the captive portal — what do I do?
Some modern OSes (notably iOS) sometimes fail to trigger the captive portal for HTTPS-only sites. Fixes: the device's Wi-Fi captive portal detected hint, manually navigate to an HTTP site (e.g. neverssl.com ), or add DHCP option 114 (RFC 7710) to the router / portal config.
Can attacks like DDoS hit a captive portal?
The captive-portal page itself can be exposed to DoS; rate limiting and CAPTCHA mitigate it. The main network is behind the portal, so an attacker only reaches the portal, not the network behind it. Modern captive-portal providers ship with DDoS protection built in.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
Professional Support
Get help on this topic
Let's design the Network and Security solution you need together. Our experts get back to you within 1 business day.
support@yamanlarbilisim.com.tr · Response time: 1 business day
Keep Reading
Related Articles
Getting Ready for IPv6: When and How Should an SME Make the Move?
What IPv6 is, when an SME should make the move, dual-stack architecture, and a practical preparation guide.
Moving to Wi-Fi 6 and 6E: Coverage Planning for an SME Office
Wi-Fi 6 (802.11ax) and Wi-Fi 6E features — the SME-office migration decision, coverage planning, and device-compatibility guide.
SD-WAN for SMEs: Rethinking Branch Connectivity
What SD-WAN is and what it brings at SME scale instead of MPLS — multi-branch connectivity, cost, and application-prioritisation guide.