/
How to Configure Wi-Fi Guest Access

How to Configure Wi-Fi Guest Access

Jan 09, 2026

Wi-Fi guest access can only be used for Wi-Fi users. For a more generic guest access configuration (ticketing and confirmation page), see Firewall Authentication and Guest Access.

You can configure a fully customizable web-based portal that displays a disclaimer and requests login credentials from users when they first try to access the Internet or special network segments. For example, you can configure a Guest Access that looks similar to the following page:

To administer tickets for the Guest Access, you can also enable a web-based backend user interface for creating, deleting, managing, or printing tickets.

Step 1. Enable Guest Access

  1. Go to  CONFIGURATION > Configuration Tr ee >  Box > Assigned Services > Wi-Fi > Wi-Fi AP Configuration .

  2. Click Lock.

  3. From the Guest Access list, select either Confirmation or Ticketing. If you want to disable the Guest Access, select None.

  4. Click Send Changes and Activate.

Step 2. Configure Guest Access

  1. Go to  CONFIGURATION > Configuration Tr ee >  Box > Assigned Services > Firewall > Forwarding Settings .

  2. In the left menu, select Guest Access.

  3. Click Lock.

  4. You can specify the following settings for the Guest Access:

The customizable index.html page mentioned above is also the HTML template for the Next TokenNew Pin, Accept New Pin and One-time Password Authentication pages. You can use special tags in HTML comments within the index.html to enter content to be displayed only on the respective pages. The following tags are available:

  • Next token: %%NEXTTOKENMSG-BEGIN%% %%NEXTTOKENMSG-END%%

  • New pin: %%NEWPIN-BEGIN%% %%NEWPIN-END%%

  • Accept new server-generated PIN: %%ACCEPTNEWPIN-BEGIN%% %%ACCEPTNEWPIN-END%%

  • One-time password authentication: %%OTP-BEGIN%% %%OTP-END%%

Start your conditional HTML code block with a comment tag (<!–) directly followed by the respective special opening tag, and end it with a closing comment tag (-->) directly preceded by the respective special ending tag.

<!--

%%NEXTTOKENMSG-BEGIN%%

<div id="twofactorinfo">

<p>RSA ACE server requires a<br><strong>Next token authentication</strong>.<br>

Please enter the next token as Password.<br>

</div>

%%NEXTTOKENMSG-END%%

-->
The following code block writes the token ID into a hidden form field and is therefore always required. Copy and paste it into your HTML page.

<!--

%%NEXTTOKEN-BEGIN%%

<input

type=hidden

name="nexttoken"

value="%%NEXTTOKEN%%"/>

%%NEXTTOKEN-END%%

-->

(optional) Step 3. Upload Custom Header Logo for Guest Access

In case you want to display custom header logos for Guest Access, you must upload the image file. Note that in order for the web server to access the file, it is necessary to set the path to /lp/lib.

  1. In the left menu, click Authentication Messages

  2. Click + to add a custom image header file.

  3. In the window, enter the full file name including the file extension, i.e., myCustomLogoHeader.png

  4. From Type, select Binary.

  5. Enter /lp/lib for the Path.

  6. Click Ex/Import to select the source where to upload the header logo image from.

  7. Click OK.

  8. Click Send Changes.

  9. Click Activate.

View Authenticated Users

To see a list of authenticated users, go to the FIREWALL > Users page. On this page, successfully authenticated users are listed with either the LP- or TKT- prefix, followed by the IP address of the client.

Authenticated Users in Access Rules

Using the IP addresses on the FIREWALL > Users page, you can create access rules to regulate network access for authenticated users. In the rule editor window, specify the authenticated users in the Authenticated User field.

For example, a user is successfully authenticated from the Guest Access on a client with the IP address of 172.16.10.100. On the FIREWALL > Users page, the authenticated user is displayed with the following identity: LP-172.16.10.100. In the following access rule example, this identity string is used to allow Internet access for users that are authenticated on the Guest Access in the 172.16.10.0/24 network: 

The user=LP-172.16.10 string indicates that this access rule only applies to users who are residing in the 172.16.10.0/24 network and are currently authenticated through the Guest Access.

For more information on creating access rules, see Access Rules.

Guest Access Ticketing System

To administer tickets for the Guest Access, the Barracuda CloudGen Firewall offers a web-based backend user interface for creating, deleting, managing, or printing tickets.

Access to the Admin Ticket Interface

HTTP requests (port 80/443) that are addressed to the system that is running the Guest Access must be forwarded to the local web server of the system. Create a access rule that forwards these HTTP requests to the local web server.

It is recommended that you use TCP port 8080 (or similar). For more information, see How to Create an App Redirect Access Rule.

 

Ticketing Next Steps

After you create an access rule that grants access to the ticket system, you can connect to the ticketing interface from a web browser.

  1. In a web browser, enter: http://<IP:port>/lp/cgi-bin/ticketing

  2. On the ticketing system login page, enter the login credentials that you specified in the Ticketing Administration User section when configuring the Guest Access.

For more information, see How to Manage Guest Tickets - User's Guide .

Contact Us
Barracuda Campus
Barracuda Support