Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Use an External Portal for Guest Access

SUMMARY Enable an external portal if you want guests to go to a sign-in portal that your web developers have designed on your own website.

An external portal is a webpage that your WLAN users see after they select your SSID. For example, you can send guests to your company's home page or a sign-in portal that your web developers have set up specifically for your organization.

For added security, you can specify authorized users, allowed subnets, and allowed hostnames. You also can enter a list of hostnames to block.

  1. Navigate to the WLAN.
    • If the WLAN is in a WLAN template, select Organization > Wireless | WLAN Templates, click the template, and then click the WLAN.

    • For a site-level WLAN, select Site > Wireless | WLANs, and then click the WLAN.

  2. In the Edit WLAN window, under Guest Portal, click Forward to external portal.
    Forward to External Portal Option in the Edit WLAN Window
  3. (Optional) Click the Edit Guest Authorization button if you want to limit access to specific users. Then complete these steps:
    1. In the Authorized Guests window, click Add.
      Authorized Guests Window and Add Button
    2. On the Authorize Guest window, enter the guest's MAC Address (required), optional user information, and the period that the user remains authorized.
      Form Fields to Add a Guest

      You can use the Search Client option to search for a client that is already connected to the WLAN.

    3. Click Authorize at the bottom of the Authorize Guest window.
    4. Repeat these steps to add more guests to the list.
  4. Enter the Portal URL, beginning with http:// or https://.

    Use the other fields to finetune access. For example, allow only certain subnets or hostnames.

  5. Select or clear the Bypass guest/external portal in case of exception check box.

    When this feature is selected, each access point will try to reach the portal or IdP, but if it is not reachable then the AP will automatically authorize the guests to connect to the WLAN.

  6. Click Save at the bottom of the Edit WLAN window.
  7. Create your external portal by referring to the following sample PHP files and Read-Me Information.
    Read-Me Information

    Replace with the appropriate Guest Wi-Fi Portal URL based on the cloud instance in which your Mist organization was created. To look up the Guest Wi-Fi Portal URL for your region, see the Mist Cloud IP Addresses and Ports information in the Juniper Mist Management Guide.

  8. To get the value that you need for $secret in auth.php, reopen the Edit WLAN window, and copy the API Secret.
  9. Configure your authorization page (authme.php) to call the Juniper Mist backend with the required query string parameters: ?signature=signature&expires=expires&token=token&optional
    • expires – The epoch timestamp until which the authorization URL is valid.

      For example: 1768587994 (This means the authorization URL would expire on January 16, 2026 at 6:26:34 PM UTC.)

    • token – A base64 string having format: wlan_id/ap_mac/client_mac/authorize_min/0/0/0

      For example: be22bba7-8e22-e1cf-5185-b880816fe2cf/5c5b35001234/d58f6bb4c9d8/480/0/0/0

    • signature – A base64 string of hashed values, using sha1 as the hashing algorithm and the Guest WLAN’s API Secret as the key. This would have the following format: expires=expires&token=token&optional

      For example: J7VJlf2Zlcs%2BOxhVxCf8hL0XYC0%3D

    • optional – The optional guest details and the URL to which the user is forwarded after authorization, having the following format: forward=url&name=name&email=email&company=company&field1=field1&field2=field2&field3=field3&field4=field4

      Note: Ensure all parameter values are passed as base64.

      For example:

  10. Configure your authorization page to call Juniper Mist for guest authorization. The final authorization URL would look something like this:
  11. Test the external captive portal by connecting a device and attempting to authenticate.

    The device should be redirected to the Juniper Mist portal for authorization. If authentication is successful, the user will be redirected to the URL as defined in your external captive portal code.


    Use /authorize for the live portal. For testing purposes, you can use /authorize-test, which requires the dummy example values as provided in the Read-Me Information.