Login Modules
Sign In presents a branded Captive Portal where guests and devices get onto the network through one or more login modules. Any number of modules can run side by side on the same portal, and an access policy decides which methods a given visitor sees and on what terms (session length, device quota, redirect). Each module belongs to one of the two Sign In editions.
Editions at a glance
Section titled “Editions at a glance”Sign In comes in two editions. Go covers the essentials for guest Wi-Fi; Enterprise adds the Self-Service Portal and the full set of advanced methods and controls. Authoritative scope and pricing are on the Pricing page and the Sign In License page.
| Capability | Sign In Go | Sign In Enterprise |
|---|---|---|
| Branded Captive Portal | ✓ | ✓ |
| Administration Portal | ✓ | ✓ |
| Self-Service Portal | — | ✓ |
| Core sign-in methods (Click-to-Connect, email, SMS) | ✓ | ✓ |
| Advanced methods (Meeting Host, Conference, SAML SSO, and more) | — | ✓ |
| Device whitelisting | ✓ | ✓ |
| Device blacklisting, RADIUS, password & account logins | — | ✓ |
| Multi-language portal, statistics, access policies | ✓ | ✓ |
Core sign-in methods Sign In Go
Section titled “Core sign-in methods Sign In Go”The methods included in every Sign In edition. They cover the common guest-onboarding patterns with minimal friction.
Click-to-Connect
Section titled “Click-to-Connect”One click and the guest is online — no credentials, no approval. The guest opens the portal, accepts the terms and privacy policy, is granted access, and is redirected to a URL you choose (a homepage, a campaign page). Only session metadata is recorded; no personal data is collected. Configurable session length, redirect URL, and portal branding. Best for high-traffic public Wi-Fi (cafés, retail, lobbies) where the portal doubles as a brand touchpoint.
Self-provision via email
Section titled “Self-provision via email”The guest enters an email address, verifies it in one click, and gets controlled access. After entering the email and accepting the terms, a short access window opens and a verification email is sent; the guest confirms within 10 minutes to receive extended access per the policy. Collects the email address (with an optional newsletter opt-in). Supports a per-email device quota (the least-recently-seen device is disconnected when the quota is exceeded), domain filtering, a redirect URL, and real-time event webhooks. Best for guest and BYOD onboarding, hospitality, and lead capture.
Self-provision via SMS
Section titled “Self-provision via SMS”The guest enters a mobile number, receives a one-time PIN by SMS, and enters it to connect. The PIN is valid for 5 minutes and can be reused if the guest reconnects within the window. Collects the phone number. Requires an SMS gateway — Twilio, LINK Mobility, or Tele2. Configurable session length and redirect URL. Best for venues without email addresses on hand, events, and mobile-first audiences.
Whitelisting Sign In Go
Section titled “Whitelisting Sign In Go”Trusted devices without screens — printers, sensors, IoT, kiosks — get on instantly by MAC address, bypassing the portal entirely. Devices are added with a name and optional description and tags, individually, by CSV bulk import (file up to 1 MB), or through the MDM API. Whitelisting accounts for randomized (locally-administered) MAC addresses. Best for headless or permanently-trusted equipment.
Advanced sign-in methods Sign In Enterprise
Section titled “Advanced sign-in methods Sign In Enterprise”Available with Sign In Enterprise, alongside the Self-Service Portal that several of these methods build on.
Meeting Host
Section titled “Meeting Host”A visitor enters their name, their email, and their host’s email; the host approves access in one click — from the request email or the Self-Service Portal. On approval the visitor is admitted and redirected. Access policies decide who may act as a host (by email or domain), the session length, and the redirect, and several policies can run in parallel for different audiences. Collects the visitor’s name and email and the host’s email. Best for reception-free corporate visitor management.
Conference & Group ID
Section titled “Conference & Group ID”One-time access IDs for events, courses, or classes — large groups onboard themselves in seconds. An administrator or an employee (via the Self-Service Portal) creates an ID; the guest selects conference access, enters the ID, accepts the terms, and — if an optional attendee form is enabled — fills in the requested fields. Each ID can carry a visitor limit, a validity start and end date, and its own redirect URL; employee-created IDs are capped at a maximum duration by policy. The optional attendee form (name, email, phone, each configurable as mandatory or optional) is CSV-exportable. Best for conferences, training, and group access.
BYOD with SAML SSO
Section titled “BYOD with SAML SSO”Employees sign in with their existing identity — Microsoft Entra ID, Google Workspace, or Okta — with no passwords on the captive portal. The guest is redirected to the organization’s identity provider, authenticates there, and the SAML response admits them. Credentials are handled entirely by the identity provider and are never stored in the portal; the platform logs the authenticated identity, timestamps, and device IDs. Supports domain-based access policies, a per-user device quota, a redirect URL, and self-service device management. Best for BYOD on corporate networks and federated environments.
Username & password
Section titled “Username & password”Account-based login with accounts you provision yourself, each with its own device quota. The guest signs in with a username and password that is verified against the user store. Accounts are created through the Administration Portal or the API; deleting an account revokes access for all of its devices. Supports a per-account device quota, a session timeout, custom field labels, and per-user statistics. Best for long-term contractors and accountable individual access.
The full Username & Password (U&P guests) API reference — endpoints, request and response formats, and examples — is documented on the Netgraph wiki.
Password subscription
Section titled “Password subscription”Time-bound network passwords — static, or rotating daily, weekly, or monthly — displayed on an intranet or pushed to staff by email subscription. A static password is fixed and can carry its own redirect URL; a scheduled password rotates automatically with configurable complexity rules, notifies email subscribers when it changes, and can be shown automatically on a public URL. Per-password session length and redirect. No personal data is collected. Best for controlled environments and signage-distributed access.
Event access
Section titled “Event access”Frictionless, time-limited public access for one-off events. Devices auto-authenticate with no captive portal shown and are redirected to the event page; the window opens at the start and closes automatically when the event is over, after which devices must reconnect. Records device identifiers only. Best for conferences, trade shows, and exhibitions.
RADIUS authentication
Section titled “RADIUS authentication”The portal collects a username and password and validates them against an external RADIUS server — including EntryPoint — for centralized authentication. Credentials are forwarded to the RADIUS server and are not stored locally. Configurable RADIUS host, port, and shared secret, a session timeout, custom field labels and instructions, a redirect URL, and login history. Best for integrating with an existing credential store, such as a library or membership system.
WiFi4EU
Section titled “WiFi4EU”A compliance mode for the EU WiFi4EU programme, providing the network snippet and metrics the programme requires for public municipal networks. Best for municipalities participating in WiFi4EU.
Device and access controls
Section titled “Device and access controls”Controls that shape who reaches the portal and when, rather than how a guest signs in.
Blacklisting Sign In Enterprise
Section titled “Blacklisting Sign In Enterprise”Blocks specific devices by MAC address; a blocked device can still associate but sees a “blocked” notice on the portal. Blocking is manual (a MAC with an optional description and end date) or automatic — email-bounce protection blocks a device for 48 hours after three or more bounces from invalid email logins, and email identity-theft protection lets the real owner of an email block an unauthorized device from the notification email. The list separates active from historical blocks. Best for abuse mitigation and security enforcement.
Opening hours
Section titled “Opening hours”Restricts guest access to configured time windows. Outside the allowed hours — set per day of the week — everyone sees a customizable “closed” message on the portal, with no exceptions. Best for libraries, schools, and business centres with set hours.
Related pages
Section titled “Related pages”- Captive Portal: the branded page these modules are presented on.
- Administration Portal: where modules, access policies, and portal look-and-feel are configured.
- Sign In service description and License: scope, editions, and product codes.