Dashboard
Endpoints
Active Sessions
Pending Approvals
Network Devices
Sites
Total Rejects
Recent Auth Events
View all →| Time | Identity | Method | Result | VLAN | Reason |
|---|---|---|---|---|---|
Clients
| Name | Status | Created | Actions |
|---|---|---|---|
Sites & VLANs
| Tag | Name | Purpose | Actions |
|---|---|---|---|
No VLANs at this site yet.
No sites yet
Network Devices
| Name | Type | RADIUS Client IP | Vendor | Ports |
|---|---|---|---|---|
No network devices yet
Endpoints
| Hostname | Type | Status | Access | Description | Actions |
|---|---|---|---|---|---|
| always-allowpolicy |
No endpoints yet
Pending Approvals
Access Policies
| Priority | Match Type | Match Value | Result | VLAN | Actions |
|---|---|---|---|---|---|
No access policies yet
Auth Events
| Time | Identity | Method | Result | VLAN | Reason | Port |
|---|---|---|---|---|---|---|
Accounting Sessions
| Session ID | MAC | VLAN | Port | Started | Status |
|---|---|---|---|---|---|
Guest Portal Configuration
Configure captive portal branding, Stripe payment, pricing plans, and guest access behavior.
RADIUS Server Public Endpoint
Use this as the RADIUS server address in UniFi/MikroTik.
Auth / Accounting / CoA
/ /
UDP 1812/1813 inbound required; UDP 3799 if using CoA disconnect.
RADIUS Client IP Reminder
Each Network Device's RADIUS Client IP is the source IP this server sees from the client site (its public WAN or VPN/RadSec tunnel IP). Do not enter the RADIUS server's own IP unless the device is on the same LAN as the server.
Guest Captive Portal URL (for this client)
Set this as the external/captive portal URL on the client’s UniFi or MikroTik. The AP appends the guest MAC automatically. Click Preview to test it now.
Portal Branding & Access Methods
Stripe
Stripe webhook URL: https:///api/guest/stripe-webhook
Add Pricing / Access Plan
Current Guest Plans
| Name | Method | Duration | Price | VLAN | Actions |
|---|---|---|---|---|---|
Recent Guest Sessions
| MAC | Status | Method | Guest | VLAN | Expires |
|---|---|---|---|---|---|
Certificates & PKI
Manage Certificate Authorities and issue EAP-TLS client/server certificates.
Expires
No Certificate Authority yet. Create one to enable EAP-TLS.
WiFi Networks
Define SSIDs and push them to UniFi / MikroTik equipment.
No WiFi networks defined yet.
Enrollment Tokens
Generate self-service links so users can onboard devices and download certificates.
New enrollment link — copy it now, the full token is shown only once:
| Token | Purpose | Uses | Expires |
|---|---|---|---|
Identity & Group Mappings
Connect Entra ID / OAuth and map directory groups to VLANs.
Identity Providers
Last sync:
Group → VLAN Mappings
| Group | VLAN | Priority |
|---|---|---|
Client Setup Wizard
Guided onboarding — from organization to a verified RADIUS deployment in 8 steps.
You can add this later under Identity & Groups. Group→VLAN mappings are configured there after the first sync.
A private Certificate Authority will be created for , used to issue EAP-TLS WiFi certificates. Devices trust it automatically once enrolled — no cost, no public CA needed.
Defaults to your organization name. Leave as-is unless you have a reason to change it.
Tip: the RADIUS Client IP is the source IP this server sees from the site (its public WAN or VPN/RadSec tunnel IP) — not the RADIUS server's own IP.
Generated FreeRADIUS clients.conf (preview):
Deployment packages:
Test command:
Team & Access
Manage internal/admin users, their roles, and per-client access.
| User | Scope | Roles | Status | Actions |
|---|---|---|---|---|
| none |
Settings
Global platform configuration. Changes apply immediately — no restart. Values feed the dashboard, RadSec bundles, and setup guides.
Public RADIUS Endpoint
What client sites (UniFi/MikroTik) point at. The hostname is preferred for RadSec/TLS; the IP is the fallback.
Preferred. Baked into every RadSec bundle, appliance .env, and the UniFi guide.
Ports
Defaults are standard; change only if your firewall/NAT remaps them.
Branding
PNG/JPEG/GIF/WebP, max 2 MB. Shown in the dashboard header.
Device Onboarding (NAC)
One SSID: devices with an Intune-deployed certificate auto-join the corporate network via EAP-TLS. Devices without a cert fall back to username/password and land on the BYOD network.
Where password-auth (no cert) devices go. Per-site override: create a VLAN with purpose "byod" at each site (SD-WAN sites can use different tags).
Note: the RadSec/EAP server TLS certificate is separate — if you change the hostname, re-issue the server cert with the new name (see the RadSec docs) so certificate validation still matches.