Guest Wi-Fi access has become an expected amenity in virtually every business environment — from hotel lobbies and coffee shops to corporate offices, medical surgeries, and retail spaces. However, providing open, uncontrolled internet access to visitors creates significant security, legal, and compliance risks. A captive portal solves this problem by requiring guests to authenticate, accept terms and conditions, or register before accessing the network, while simultaneously keeping guest traffic completely separated from your corporate systems.
Cisco Meraki has established itself as one of the leading platforms for business Wi-Fi in the United Kingdom, with its cloud-managed approach making it particularly popular among SMEs and multi-site organisations. Meraki's built-in captive portal functionality allows you to create professional, branded guest access experiences without additional hardware or software — everything is configured through the Meraki Dashboard, Cisco's cloud management platform.
This guide walks you through the complete process of setting up a captive portal with Cisco Meraki, from network design and VLAN configuration through to portal customisation, security settings, and compliance with UK regulations.
Why You Need a Captive Portal
Before diving into the technical setup, it is important to understand why a captive portal is necessary rather than simply broadcasting an open Wi-Fi network for guests. There are four primary reasons: legal compliance, network security, bandwidth management, and brand presentation.
From a legal perspective, UK law requires that if your internet connection is used for illegal activity — such as downloading pirated content or accessing illegal material — you could potentially be held liable if you cannot demonstrate who was using your connection at the time. A captive portal that requires registration or acceptance of terms creates a log of who accessed your network and when, providing an audit trail that protects your organisation.
From a security perspective, an open Wi-Fi network is an invitation for attackers. Without a captive portal and proper network segmentation, anyone who connects to your Wi-Fi could potentially access internal resources, conduct man-in-the-middle attacks on other users, or use your network as a launchpad for attacks against external targets. A captive portal combined with VLAN isolation ensures that guest devices are contained in a separate network segment with internet access only.
While there is no specific UK law that mandates captive portals for guest Wi-Fi, several regulations create practical requirements that make them necessary. The Investigatory Powers Act 2016 requires telecommunications operators (which can include businesses providing Wi-Fi) to retain certain communications data. UK GDPR requires that if you collect personal data through a captive portal (such as email addresses or names), you must have a lawful basis for processing, provide a privacy notice, and protect the data appropriately. The Digital Economy Act 2017 places obligations on ISPs regarding copyright infringement, which can extend to businesses providing internet access to guests.
Step 1: Network Design and VLAN Configuration
The first step in setting up a Meraki captive portal is designing the network architecture to properly isolate guest traffic. This requires creating a dedicated VLAN for guest Wi-Fi that is completely separated from your corporate network.
In the Meraki Dashboard, navigate to your network and create a new SSID dedicated to guest access. Meraki access points support up to 15 SSIDs per radio, so you have plenty of capacity to add a guest network alongside your corporate SSID. Name the SSID something professional and identifiable — your company name followed by "Guest" is a common convention, such as "Cloudswitched Guest."
Configure the guest SSID to use a dedicated VLAN. In the Meraki Dashboard under Wireless > Configure > Firewall & traffic shaping, assign the guest SSID to a VLAN that is different from your corporate VLAN. This VLAN should be configured on your switch and firewall to have internet access only, with no routes to any internal network segments. The Meraki Dashboard makes this straightforward — you can define Layer 3 and Layer 7 firewall rules that restrict guest traffic to internet-bound traffic only.
Bandwidth Limits
To prevent guests from consuming all your available bandwidth, configure per-client bandwidth limits on the guest SSID. A reasonable limit for most businesses is 5-10 Mbps per client, which is sufficient for web browsing, email, and video conferencing but prevents any single guest from degrading the experience for others or impacting your corporate internet performance.
| Setting | Recommended Value | Purpose |
|---|---|---|
| Guest VLAN ID | 100 (or any unused ID) | Isolates guest traffic from corporate network |
| Per-client bandwidth limit | 5-10 Mbps down / 2-5 Mbps up | Prevents bandwidth abuse |
| Per-SSID bandwidth limit | 50-100 Mbps total | Caps total guest bandwidth usage |
| Client isolation | Enabled | Prevents guests from seeing each other |
| Session timeout | 8-24 hours | Forces re-authentication periodically |
| DHCP lease time | 1-4 hours | Recycles IP addresses efficiently |
Step 2: Configuring the Captive Portal
Meraki offers two types of captive portal: the built-in splash page and an external splash page hosted on your own server. For most UK businesses, the built-in splash page provides all the functionality needed and is far simpler to set up and maintain.
In the Meraki Dashboard, navigate to Wireless > Configure > Access control. Under the guest SSID, set the splash page type to "Click-through" for a simple terms acceptance page, or "Sign-on with" for authentication options including Meraki-hosted authentication, RADIUS, Active Directory, or social login (Facebook, Google).
The click-through option is the simplest: guests connect to the SSID, are redirected to a splash page showing your terms and conditions, and click a button to accept and gain access. This provides the legal protection of requiring terms acceptance without creating friction for visitors. The sign-on option adds authentication, requiring guests to enter credentials before accessing the network. This provides better audit trails but adds friction to the guest experience.
Portal Customisation
Meraki's splash page editor allows you to customise the appearance of your captive portal to match your brand identity. You can upload your company logo, set background colours and images, customise the text displayed to users, and include your full terms and conditions or a link to them. Take the time to create a professional-looking portal — it is often the first digital interaction a visitor has with your organisation, and a well-designed portal reinforces your brand.
Click-Through Captive Portal
- Simplest setup and lowest friction
- Guest accepts terms and gains immediate access
- No credentials required from guest
- Logs MAC address and acceptance time
- Suitable for retail, hospitality, waiting rooms
- No personal data collected (simpler GDPR compliance)
Sign-On Captive Portal
- Higher friction but better audit trail
- Guest must enter name, email, or social login
- Creates a record of who accessed the network
- Supports time-limited and sponsored access
- Better suited for corporate offices, conferences
- Requires GDPR-compliant data handling
Step 3: Security Configuration
With the captive portal configured, you need to ensure the security settings properly protect your corporate network from guest traffic. Meraki provides multiple layers of security that should all be configured.
Layer 3 firewall rules should deny all traffic from the guest VLAN to your corporate VLAN IP ranges. This is configured in the Meraki Dashboard under Wireless > Configure > Firewall & traffic shaping. Create explicit deny rules for your corporate network ranges (for example, deny all traffic to 192.168.1.0/24 if that is your corporate range) and allow traffic to the internet.
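The order of these rules matters as much as their content, because an allow placed above the corporate deny leaves that range reachable from the guest VLAN. The following Python check is an added example, not part of the original guide or of Meraki's tooling. The rule layout (policy, protocol, destPort, destCidr), the sample rules and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample rule list, top-down order, first match wins.
# Field names are an assumed layout mirroring the dashboard's rule columns.
SAMPLE_RULES = [
    {"comment": "Guest printing", "policy": "allow", "protocol": "tcp",
     "destPort": "9100", "destCidr": "192.168.1.50/32"},
    {"comment": "Block corporate LAN", "policy": "deny", "protocol": "any",
     "destPort": "any", "destCidr": "192.168.1.0/24"},
    {"comment": "Internet", "policy": "allow", "protocol": "any",
     "destPort": "any", "destCidr": "any"},
]

def _net(cidr):
    """Parse a destination, treating 'any' as the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr.lower() == "any" else cidr)

def audit_guest_rules(rules, corporate_cidrs):
    """Return one finding per corporate range that guests can still reach.

    A range counts as protected only if a deny for every protocol and port
    that covers the whole range is reached before any overlapping allow.
    Conservative: several partial denies that together cover a range are
    still reported. Assumes the list ends in an implicit allow.
    """
    findings = []
    for cidr in corporate_cidrs:
        corp = ipaddress.ip_network(cidr)
        verdict = f"{cidr}: no deny rule covers it; falls through to the final allow"
        for pos, rule in enumerate(rules, start=1):
            dest = _net(rule["destCidr"])
            if not dest.overlaps(corp):
                continue
            if rule["policy"] == "allow":
                verdict = f"{cidr}: rule {pos} ({rule['comment']}) allows traffic before any full deny"
                break
            if (rule["protocol"] == "any" and rule["destPort"].lower() == "any"
                    and corp.subnet_of(dest)):
                verdict = None  # fully denied before any allow
                break
        if verdict:
            findings.append(verdict)
    return findings

if __name__ == "__main__":
    for line in audit_guest_rules(SAMPLE_RULES, ["192.168.1.0/24", "10.0.0.0/8"]):
        print(line)
```

In the sample, the printer exception sits above the deny and the 10.0.0.0/8 range has no deny at all, so both ranges are reported.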
Content filtering should be enabled on the guest SSID to block access to categories of websites that could expose your organisation to legal risk. Meraki's built-in content filtering can block categories including adult content, malware distribution sites, peer-to-peer file sharing, and other undesirable content. This protects your organisation from liability if a guest uses your network to access inappropriate material.
Client isolation should be enabled to prevent guest devices from communicating with each other on the same VLAN. Without client isolation, one guest device could potentially attack or monitor traffic from another guest device on the same network segment.
Step 4: GDPR Compliance for Guest Wi-Fi Data
If your captive portal collects any personal data — names, email addresses, phone numbers, or even MAC addresses that can be linked to individuals — you must comply with UK GDPR. This means having a lawful basis for processing (legitimate interest or consent are most common), providing a clear privacy notice on the splash page, implementing appropriate security measures to protect the data, and defining a retention period after which the data is deleted.
Meraki's splash page allows you to include your privacy notice text or a link to your full privacy policy. Your privacy notice should explain what data is collected, why it is collected, how long it will be retained, who it may be shared with, and how guests can exercise their data protection rights (access, erasure, etc.).
Configure a data retention period that is proportionate to your purposes. If you are collecting data purely for network security and audit trail purposes, a retention period of 30 to 90 days is generally considered proportionate. If you are collecting email addresses for marketing purposes (with consent), you may retain them longer, but you must have obtained explicit opt-in consent for this purpose — a pre-ticked checkbox is not valid consent under UK GDPR.
Multi-Site Deployment with Meraki
One of Meraki's greatest strengths is its cloud management model, which makes deploying captive portals across multiple sites trivially simple. Configuration templates in the Meraki Dashboard allow you to define your guest Wi-Fi settings once and apply them to every site in your network. When you update the captive portal design, terms and conditions, or security settings, the changes propagate to all sites automatically.
For UK businesses with multiple offices, retail locations, or branches, this centralised management is transformative. A consistent guest Wi-Fi experience across all locations reinforces your brand, while centralised security policies ensure that every site meets the same compliance standards. New sites can be brought online in minutes — simply plug in a Meraki access point, and it automatically downloads the configuration from the cloud, including the captive portal settings.
Meraki also provides centralised reporting across all sites, showing guest Wi-Fi usage, authentication events, bandwidth consumption, and security incidents. This visibility allows you to monitor your guest network health across your entire estate from a single dashboard, identifying sites with unusual patterns or capacity issues before they affect the guest experience.
Need Help with Meraki Guest Wi-Fi?
Cloudswitched is a Cisco Meraki partner with extensive experience deploying captive portals for UK businesses across all sectors. From single-site setups to multi-site rollouts, we design, configure, and manage secure guest Wi-Fi solutions that comply with UK regulations and enhance your brand.
