Choosing the right self-onboarding channel is essential for delivering a seamless connection experience to your staff, employees, and users. Cloud NAC provides two primary methods for user self-onboarding: the BYOD Portal and the Captive Portal.
While both channels facilitate secure network access via your corporate Identity Provider (IdP), they differ significantly in user experience, technical requirements, and long-term management. Use this guide to understand the pros, cons, and ideal use cases for each channel.
At-a-Glance Comparison
| Feature / Capability | BYOD Portal (Recommended) | Captive Portal |
|---|---|---|
| Primary Connection Mechanism | Passpoint / Wi-Fi Profile | Web-based Browser Authentication |
| User Autonomy | High (Self-service portal for FAQs, device history, and profile resets) | Low (Session-based, no persistent user dashboard) |
| MFA Compatibility | Excellent (Runs in standard mobile/desktop browsers) | Problematic (Prone to loops in temporary mobile mini-browsers) |
| MAC Address Rotation Issues | None (Tied to secure profile) | High Risk (Frequent re-onboarding on open networks) |
| Hardware Requirement | Infrastructure must support Passpoint | Works on almost all legacy/standard hardware |
Channel 1: The BYOD Portal (Highly Recommended)
The BYOD Portal is a dedicated, branded online web portal with a unique URL. You can easily distribute this URL to your users through standard communication channels, such as automated corporate onboarding emails.
How It Works
1. The user visits the unique BYOD URL on their device.
2. They authenticate securely using their existing corporate account.
3. The portal guides them through a few quick steps to download and install a secure Wi-Fi profile on their device.
4. Once installed, the device automatically and securely connects to the network from then on, governed by the Cloud NAC Group Policies assigned to that user.
Why You Should Choose It
Complete User Autonomy: The BYOD portal acts as a long-term resource dashboard. If a user gets a new device or experiences connectivity issues, they don't need to submit an IT ticket. They can independently log back into the portal to view their active devices, review recent connections, access user guides, read FAQs, or re-download their Wi-Fi profile.
Set-and-Forget Connectivity: Once the profile is installed, the user never has to manually log in to the Wi-Fi network again.
Channel 2: The Captive Portal
The Captive Portal is the traditional "web-page pop-up" method. When users connect to the network, a browser window opens automatically, prompting them with a single corporate Single Sign-On (SSO) button to log in.
When to Use It
We strongly suggest using the BYOD Portal whenever possible. However, the Captive Portal serves as an excellent fallback if your existing wireless network infrastructure does not support Passpoint.
Critical Implementation Challenges & Workarounds
While simple on paper, deploying a corporate IdP through a Captive Portal introduces two major technical hurdles on modern operating systems. If you choose this route, you must configure your network to mitigate these issues:
1. The Multi-Factor Authentication (MFA) Loop
Most corporate IdPs strictly enforce Multi-Factor Authentication (MFA). When a user connects to a Captive Portal, mobile operating systems open a stripped-down, temporary mini-browser (known as a Captive Network Assistant, or CNA browser) rather than a full browser like Safari or Chrome.
🛑 The Problem: When the IdP prompts the user for an MFA code, the user must minimize or leave the captive portal window to open their authenticator app. On many mobile devices, leaving this window completely kills the temporary CNA browser session. The user loses their progress, has to reopen the portal, logs in again, triggers another MFA prompt, and becomes trapped in an infinite loop.
The Workaround: To prevent this frustrating cycle, you must configure your corporate IdP to bypass or disable the MFA requirement specifically for requests originating from the cloud4wi.com domain.
2. MAC Address Rotation & Frequent Re-Onboarding
To protect user privacy, modern mobile devices and operating systems frequently rotate or randomize their MAC addresses when connecting to open, unencrypted wireless networks.
⚠️ The Problem: Because traditional Captive Portals rely on tracking the device's MAC address to remember the authenticated session, a rotated MAC address causes Cloud NAC to see the device as completely new. This forces employees to go through the entire re-onboarding and login process repeatedly—often daily.
The Workaround: To stop the MAC address from rotating, do not leave your Captive Portal Wi-Fi network completely open. Instead, protect the SSID with a WPA3-Personal (or WPA2/WPA3 mixed) pre-shared key, and communicate this password to your staff securely in your onboarding materials. Because the wireless connection is encrypted, modern devices recognize the network as secure and stop rotating their MAC addresses, which eliminates the frequent, repetitive login prompts.
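As an added example (not part of Cloud4Wi's documentation or product), the following Python script detects the symptom described above in a captive-portal session log: users who are onboarded over and over from different locally administered (randomized) MAC addresses. The log format, user names and MAC addresses are constructed for illustration and do not reflect real Cloud NAC output.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not real Cloud NAC output):
# "<timestamp> user=<id> mac=<addr> ssid=<name> result=<outcome>"
SAMPLE_LOG = """\
2024-05-06T08:01:12Z user=alice mac=6a:1f:9c:02:b3:41 ssid=Guest-Open result=onboarded
2024-05-07T08:03:55Z user=alice mac=4e:77:c0:de:12:f9 ssid=Guest-Open result=onboarded
2024-05-08T08:00:03Z user=alice mac=d2:0b:55:aa:91:07 ssid=Guest-Open result=onboarded
2024-05-06T09:15:40Z user=bob mac=3c:22:fb:10:45:8e ssid=Guest-Open result=onboarded
2024-05-07T09:12:02Z user=bob mac=3c:22:fb:10:45:8e ssid=Guest-Open result=reconnected
2024-05-06T10:30:00Z user=carol mac=f6:99:01:77:3d:c2 ssid=Staff-PSK result=onboarded
2024-05-07T10:31:10Z user=carol mac=f6:99:01:77:3d:c2 ssid=Staff-PSK result=reconnected
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) mac=(?P<mac>[0-9a-fA-F:]{17}) "
    r"ssid=(?P<ssid>\S+) result=(?P<result>\S+)"
)

def is_randomized_mac(mac: str) -> bool:
    """True if the locally administered bit (0x02 of the first octet) is set.
    Randomized/private Wi-Fi addresses set it; vendor (OUI) addresses do not."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def rotation_report(text: str, min_onboardings: int = 2) -> dict:
    """Per user: onboarding count, distinct MACs, how many look randomized, and a
    flag when repeated onboardings come from multiple randomized addresses."""
    per_user = defaultdict(lambda: {"onboardings": 0, "macs": set(), "ssids": set()})
    for rec in parse_log(text):
        u = per_user[rec["user"]]
        u["ssids"].add(rec["ssid"])
        u["macs"].add(rec["mac"].lower())
        if rec["result"] == "onboarded":
            u["onboardings"] += 1
    report = {}
    for user, u in per_user.items():
        randomized = [m for m in u["macs"] if is_randomized_mac(m)]
        report[user] = {
            "onboardings": u["onboardings"],
            "distinct_macs": len(u["macs"]),
            "randomized_macs": len(randomized),
            "ssids": sorted(u["ssids"]),
            "flag_rotation": u["onboardings"] >= min_onboardings
                             and len(randomized) >= min_onboardings,
        }
    return report
```

A flagged user (alice: three onboardings from three different randomized addresses on the open SSID) is exactly the case the PSK workaround addresses; carol shows that a randomized address which stays stable on an encrypted SSID causes no re-onboarding.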