VLAN Steering
In this scenario, we show how captive portal features can dynamically steer users to their respective VLAN based on the user profile. Traditionally, assigning authorized users to different networks means running multiple SSIDs mapped to multiple VLANs, with multiple portals for the different user profiles. Users then have to choose their respective SSID to connect and sign in to their respective network. This can confuse users and also makes the Wi-Fi configuration hard to maintain.

RansNet Dynamic VLAN assignment (VLAN steering) over captive portal authentication significantly simplifies wireless configuration and improves network security. You only need to provision a single SSID in the wireless settings and manage all user, VLAN and captive portal settings on the HSG. The HSG works with the AP to dynamically steer users to their respective VLAN upon successful authentication.
Common Sectors
Hotels | Enterprises | Institutions | Airports | Stadium | Dormitories.
VLAN Steering Scenario Workflow

- Any new device that associates with the SSID is assigned to a quarantine/default VLAN (VLAN10).
- VLAN10 assigns an IP address and presents a captive portal login page.
- Staff log in with their Staff accounts and are then assigned to VLAN20 (Staff VLAN).
- Guests register with SMS OTP and are automatically assigned to VLAN30 (Guest VLAN).
Deployment of VLAN Steering Using UI
Prerequisites
- Upgrade the Hotspot Gateway box firmware to version 20210213-2300. See link Upgrade Firmware
- Connect the WAN interface of the HSG to the ISP device (ONT or modem)
- Info – The WAN port (eth0) of the HSG is pre-configured to get its IP address via DHCP from the ISP ONT/modem (or upstream router).
- Connect the ETH1 port of the HSG to the LAN switch.
- Info – The ETH1 port (eth1) of the HSG is pre-configured to lease IP addresses to the LAN.
- Connect the AP to the LAN Switch
- Use default VLAN1 as management VLAN for AP/WLC
- The access point receives its IP address via DHCP from the HSG, from network 192.168.8.0/22
- Info – IP addresses reserved for the WLC or other devices range from 192.168.8.2 to 192.168.8.99.
- Add all VLANs on the switch (VLAN100, 102, 103), configure all switch-ports to be in trunk mode, and permit all VLANs for each port (default)
- Configure APs to broadcast the VLAN100’s SSID and enable MAC-based Authentication.
- Configure AP/WLC to point the HSG as a RADIUS server with the below settings (Radius) for MAC-based authentication.
- NAME – RansNet-HSG-AUTH
- AUTH TYPE – RADIUS
- IP ADDRESS – 192.168.8.1
- PORT – 1812
- SHARED SECRET – testing123
- Connect ETH2 port to a PC for Management
- Info – The ETH2 port (eth2) of the HSG is pre-configured to lease IP addresses.
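
To illustrate what the AP/WLC acts on once the RADIUS settings above are in place, the following added example (not RansNet code) verifies a RADIUS Access-Accept against the shared secret and extracts the assigned VLAN. It assumes the VLAN is returned in the standard RFC 3580 tunnel attributes, which this page does not state; `build_accept` and `assigned_vlan` are hypothetical names and the packets are constructed test data.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81  # RFC 2868 attribute types
VLAN, IEEE_802 = 13, 6                                # RFC 3580 values

def build_accept(ident, req_auth, secret, vlan):
    """Build a constructed Access-Accept for testing (not a real capture)."""
    vid = str(vlan).encode()
    attrs = (struct.pack("!BBI", TUNNEL_TYPE, 6, VLAN)        # tag 0 + 3-byte value
             + struct.pack("!BBI", TUNNEL_MEDIUM, 6, IEEE_802)
             + struct.pack("!BB", TUNNEL_PGID, 2 + len(vid)) + vid)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def assigned_vlan(packet, req_auth, secret):
    """Return the VLAN ID from a verified Access-Accept, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    pgid = found.get(TUNNEL_PGID, b"")
    if pgid and pgid[0] <= 0x1F:      # optional RFC 2868 tag octet
        pgid = pgid[1:]
    ttype = int.from_bytes(found.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(found.get(TUNNEL_MEDIUM, b"")[1:], "big")
    if ttype != VLAN or medium != IEEE_802 or not pgid.isdigit():
        raise ValueError("reply carries no usable VLAN assignment")
    return int(pgid)

if __name__ == "__main__":
    req_auth = bytes(range(16))       # constructed Request Authenticator
    secret = b"testing123"            # lab value from the settings above
    for vlan in (100, 102, 103):
        pkt = build_accept(1, req_auth, secret, vlan)
        print(vlan, "->", assigned_vlan(pkt, req_auth, secret))
```

Because the Response Authenticator is keyed only by the shared secret, the value configured on the AP/WLC and the HSG should be a long random string rather than a well-known one.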
Procedure
Step 1 – Access to Hotspot Management UI
- Log in to the Hotspot Gateway UI
- On-premises Hotspot Gateway – Use the Management PC, browse to http://10.10.10.1 and log in with the credentials.

Step 2 – Create Entity, User Account, and Permission for the User Account
- Create Entity – See link Create Customer Entity
- User can use the Company name as entity name
- Create and Configure Permission for the User Account
- Navigate to ‘ADMIN > Permissions‘. Click on the button and configure the required permission.
- Recommendation – Create the new User Account and in the Profile field select ‘Super admin’ for this Scenario.
- Create User Account – See link Create User Account
Step 3 – Create VLANs (100, 102 & 103) on eth1 interface
- Navigate to the ‘NETWORK SETTINGS > Interfaces > VLAN‘ tab and click on the button. See link New VLAN interface
- Configure three new VLANs as per the tables below.

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | New Interface VLAN (Quarantine VLAN) | | | |
| | | VLAN Name | vlan100 | |
| | | Admin Status | Enabled | |
| | | Physical Interface | eth1 | |
| | | IP/Netmask (IP Address/Mask) | 172.16.100.1/24 | |
| 02 | Hotspot Service | Enable | | |

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | New Interface VLAN (Staff VLAN) | | | |
| | | VLAN Name | vlan102 | |
| | | Admin Status | Enabled | |
| | | Physical Interface | eth1 | |
| | | IP/Netmask (IP Address/Mask) | 172.16.102.1/24 | |
| 02 | DHCP Server | Enable | | |
| | | DNS Servers | 8.8.8.8, 8.8.4.4 | |
| | | Client Default Gateway | 172.16.102.1 | |
| | | Lease Time (Seconds) | 86400 | |
| | | Client DHCP Pool Range | 172.16.102.2 – 172.16.102.254 | |

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | New Interface VLAN (Guest VLAN) | | | |
| | | VLAN Name | vlan103 | |
| | | Admin Status | Enabled | |
| | | Physical Interface | eth1 | |
| | | IP/Netmask (IP Address/Mask) | 172.16.103.1/24 | |
| 02 | DHCP Server | Enable | | |
| | | DNS Servers | 8.8.8.8, 8.8.4.4 | |
| | | Client Default Gateway | 172.16.103.1 | |
| | | Lease Time (Seconds) | 86400 | |
| | | Client DHCP Pool Range | 172.16.103.2 – 172.16.103.254 | |

Step 4 – Create, Configure Captive Portal and Login Method
- User can create a Captive Portal. See link Create/Edit Captive portal.
- Portal name – ‘Dy_Vlan100’ | portal template – ‘Central’
- Configure Login Method (SMS OTP and Username+Password methods). Enable Login Methods as mentioned below. See link Login Method Types.
- Portal Name: Dy_Vlan100
- Portal Template: Central
- Entity: [Customer’s Entity name]
- Login Method: SMS OTP (Guest Login) and Username & Password (Staff Login)
Step 5 – Configure Hotspot Instance (VLAN100) Interface.
- Navigate to ‘Hotspot Settings > Hotspot Instances‘. Click ‘vlan100’ under the Interface column heading and configure all three sections of the vlan100 instance as per the Table 2 settings below.
- Configure the VLAN interfaces as per below
- In the ‘Hotspot Instance Option Config Section‘, refer to Table 2 below for configuration.

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Hotspot Instance Base Config | | | |
| | | Hotspot Enable | enable by ticking the option | |
| | | Hotspot Portal | Select the Portal according to the VLAN interface. Eg: http://captive.ransnet.com/pid/Dy_Vlan100/login.php | |
| 02 | Hotspot Instance Optional Config | | | |
| | | Client Parameters | Permit External Client Network – 172.16.100.0; Permit External Client Netmask – 255.255.255.0 | |
| | | Redirect/Success URL | http://www.ransnet.com | |
| | | Bypass/Whitelist By | Destination Domain – .ransnet.com; Destination IP/URL – 2.1.2.1 | |
| | | Enable/Disable Parameters | Intercept DNS Requests – enable by ticking the option | |
| 03 | DHCP Optional Config | | | |
| | | DHCP Description | vlan100 Hotspot DHCP | |

Step 6 – Configure Access Control
Create two Access Profiles, one for the Default Quarantine VLAN (Vlan100) and one for the Staff VLAN (Vlan102), each with its own Profile Access Info as per the table below. The Guest (Vlan103) profile is auto-generated by the system.
Info – Configure the ‘Access Profile‘ name and the ‘Access Info‘ settings manually for the Quarantine VLAN and the Staff VLAN. For the Guest VLAN the profile is created automatically, and its Access Info settings can then be edited manually.
See Link Manual Profile
See Link Auto Profile
- Configure Access Profile for Default Quarantine VLan and Staff VLan by navigating to ‘HOTSPOT USERS > Access Profile‘
- Navigate to ‘HOTSPOT USERS > Access Profile‘ and locate for
- Note – To configure the Email Registration profile, first test the captive portal Email Registration authentication. After the first successful test, the Email OTP method auto-creates the profile in ‘Access Profile’ in the format RansNet_[Device Name]_[Interface Name]_[MAC Address, last 4 digits]_<<emailonepageotp??>> (e.g. RansNet_mbox_br-vlan10_96-19_emailonepageotp). Click on the profile name and configure the account info settings as required.

| S/N | VLAN Reference | Access Profile Name | Access Info | Value |
|---|---|---|---|---|
| 01 | Default Quarantine VLan (Manual Profile) | NACDEFAULT | Access Time | Session Timeout – 60; Idle Timeout – 100 |
| | | | Access Device | Dynamic VLAN Assignment – 100 |
| 02 | Staff VLAN (Manual Profile) | Staff_Vlan102 | Access Speed | Maximum Upload – 1700; Maximum Downloads – 2000 |
| | | | Access Device | Dynamic VLAN Assignment – 102 |
| 03 | Guest VLAN (Auto Profile) | RansNet_Test04_br-vlan10_9a-b1_smsonepageotp (Info – This Profile name is Auto-created, and should not be edited.) | Access Speed | Maximum Upload – 2000; Maximum Downloads – 2000 |
| | | | Access Device | Dynamic VLAN Assignment – 102; Dynamic VLAN Assignment (Timeout) – 30 |
| | | | Access Data (MB) | Total data quota – 100 |

Integration with 3rd Party Access Point Reference Link
Deployment References Links (Videos/Demos)
- Create Captive portal and Configure Login Methods – https://youtu.be/yrjAkt8XkT8
- Configure Seamless User Re-login – https://www.youtube.com/watch?v=CABBfKHO4gY