Captive Portal Authentication Flow

J
Julien Robert, CTO

A network flow diagram for captive portal authentication in an educational institution — showing how student devices move through 802.1X/RADIUS authentication, dynamic VLAN assignment, and captive portal fallback. Two paths are modeled: authenticated devices go straight to the student VLAN; unauthenticated BYOD devices hit the quarantine VLAN and get redirected to the portal. Built for IT administrators and network architects who need to document or communicate their access control architecture.

How to create a Captive Portal Authentication Flow

To create a captive portal authentication flow, follow these steps:

01.
List the main components
Identify every network element: access points, switches, RADIUS server, firewall, Nginx frontend, backend API, VLANs.
02.
Define the two authentication paths
Path A: 802.1X credentials → RADIUS → student VLAN. Path B: BYOD → quarantine VLAN → captive portal.
03.
Organize with subgraphs
Group elements into labeled subgraphs: Network Access, Switch Authentication, Dynamic VLANs, Captive Portal, Internet.
04.
Model the decision point
After the firewall, use a diamond node to check for an active session. No session → redirect. Active session → internet access.
05.
Show the portal authentication flow
Redirect → Nginx → backend API → validation → session creation → redirect to internet.
06.
Add the RADIUS success path
Show how authenticated 802.1X traffic bypasses the portal and routes directly to the internet.
07.
Label edges
Annotate arrows with protocol and port details where relevant — this makes the diagram useful as actual reference documentation.

Share with others

Tags

Network ArchitectureAuthenticationCaptive Portal802.1XRADIUSVLANFlowchartIT InfrastructureEducation