Skip to content

Access Rights and Profiles

Access profile combines various permissions/rights (RADIUS attributes) into groups, and when attached to user accounts, it controls the access rights after authentication.

It defines the Authorization component of AAA (Authentication, Authorization, Accounting).

Navigate to HOTSPOT USERS → Access Profile. The system includes several default profiles that you can immediately attach to users.

Click New Profile to create a new profile, or Edit on an existing profile to modify its settings.

Access Profile

Profile Info

Enter a unique Profile Name and optional Description for easy reference and organization.

Field Purpose Notes
Profile Name Unique identifier for this access profile Used in dropdowns, user assignment, and reporting; no spaces or special characters recommended
Description Human-readable explanation of the profile's purpose Example: "Premium Hotel Guests - 10 Mbps, 50 GB/month"

Access Profile

Access Info

This tab defines the access attributes (speed, time limits, data quotas, device limits) that control what users can do after authentication.

Two approaches to organize policies:

  1. Single attribute per profile — Create many profiles (each with one control), then attach multiple profiles to each user. Flexible but complex.
  2. Multiple attributes per profile — Create a few profiles (each combining multiple controls), then attach one profile to all users in a tier. Simple and maintainable.

Recommendation: Use approach #2 (multiple attributes per profile) for most deployments. If you need truly granular per-user control beyond a profile, use per-account access rights.

Access Speed (Speed Control)

This attribute sets the maximum upload and download speed per user connection, enforcing bandwidth caps at the application level.

Access Profile

Setting Purpose Notes
Download Speed Maximum downstream bandwidth per user Measured in Kbps (kilobits per second); limits the fastest possible download speed
Upload Speed Maximum upstream bandwidth per user Measured in Kbps; limits the fastest possible upload speed

Examples: Differentiate between Premium (50000 Kbps down / 10000 Kbps up) and Standard (10000 Kbps down / 2000 Kbps up) tiers.

Access Time (Time Control)

There are several attributes you can use (or combine) for user/device time and session duration control.

Access Profile

Setting Purpose Notes
Session Time Limit Maximum duration for a single continuous session Once limit is reached, user is disconnected and must re-login for a new session
Idle Timeout Disconnect if user is inactive for this duration Useful to free up resources from inactive devices; user can reconnect immediately
Daily Time Quota Total allowed online time per calendar day Once consumed, user cannot reconnect until the next day (00:00)
Weekly Time Quota Total allowed online time per week Reset weekly; use for fair-share bandwidth policies
Monthly Time Quota Total allowed online time per month Reset monthly; common for monthly subscription plans

Access Device (Device Control)

Controls device behavior including simultaneous device limits and dynamic VLAN assignment for traffic steering.

Access Profile

Setting Purpose Notes
No. of concurrent device Maximum number of devices logged in with this account at the same time Prevents account sharing across too many devices; common limits are 1, 2, or 5 devices
Dynamic VLAN Assignment Assign user devices to a different VLAN based on profile Used for traffic steering and access isolation; see VLAN Steering for detailed use cases

Example: A hotel guest with a Premium account might allow 3 devices (phone, tablet, laptop), while a Standard guest gets 1 device only. Premium devices could be assigned to a high-speed VLAN, while Standard devices use a limited-speed VLAN.

Access Data (Data Quota Control)

Controls how much data (upload + download combined) a user can consume before access is restricted.

Access Profile

Setting Purpose Notes
Daily Data Quota Total data allowed per calendar day Once exceeded, user is blocked until next day (00:00)
Weekly Data Quota Total data allowed per week Reset weekly; use for fair-share pricing models
Monthly Data Quota Total data allowed per month Reset monthly; common for monthly subscription plans
Data Tracking Monitor current consumption per user Enable to show users their remaining quota and usage

Example: A Premium plan offers 10 GB/month, while a Standard plan offers 2 GB/month.

Access Source Network (Network Control)

Restricts where a user account can login from by specifying which hotspot instance(s) or VLAN(s) are allowed. Useful when the same gateway runs multiple hotspot instances on different SSIDs or VLANs.

Access Profile

Example: A staff account on a hotel network might be allowed on the Staff-VLAN instance only, while guest accounts can use any public instance.

Authentication Type

Controls whether an account is allowed to authenticate or should be rejected. By default, new accounts are enabled (Accept). Use this to disable accounts without deleting them.

Access Profile

Setting Purpose Notes
Accept Account is enabled and can authenticate normally Default state for new accounts
Reject Account is disabled and cannot authenticate User sees login error; useful for temporary suspension without deletion

Account Expiry

Sets when and how an account becomes invalid. Accounts can expire at a fixed date/time, or a duration after first use.

Access Profile

Setting Purpose Notes
Expiry Date Fixed calendar date when account becomes invalid Example: 2026-12-31 (useful for seasonal or promotional accounts)
Expiry Time Fixed time-of-day when account resets or expires Example: 23:59 daily (account active until end of day)
Expire After First Use Account becomes invalid N minutes after first login Useful for one-time-use vouchers or trial accounts; prevents indefinite reuse

Example: A hotel guest account might expire on their checkout date, while a trial account might expire 24 hours after first use.

URL Redirect

After successful authentication, users are redirected to a landing URL. This can be set at three levels, with priority from highest to lowest:

If multiple levels are configured, the highest precedence level wins (account-level overrides profile-level, which overrides instance-level).

Use Cases:

  • Account-level: VIP guests redirected to personalized welcome page
  • Profile-level: All Standard-tier users see the same post-login dashboard
  • Instance-level: Default landing page for all users on a hotspot instance