MikroTik Hotspot Captive Portal Setup: A Step-by-Step Guide
MikroTik RouterOS's built-in Hotspot feature lets you put guests through a login page before they reach the internet. In this guide we set up a captive portal with Captivo on MikroTik step by step — one that shows your own branding, verifies guests by SMS and keeps compliant connection records.
*.captivo.io in Walled Garden → upload the branded template → fix the clock (NTP). When a guest connects, your portal opens, verifies them and grants internet; records are kept for compliance.
Requirements
- A MikroTik device running RouterOS (v6 or v7)
- A network interface carrying guest traffic (ether/bridge); "interface" here means a port or bridge on the router, not the WinBox GUI
- A Captivo account (portal design and RADIUS details come from here)
- WinBox, WebFig or an FTP client to upload files
1. Set up the Hotspot
In WinBox, run IP → Hotspot → Hotspot Setup and pick the interface your guest network is connected to. The wizard creates the basic configuration — address pool, DNS and a default login page. The device's own default page appears for now; we'll replace it with Captivo's branded page shortly.
2. Configure RADIUS
Captivo's RADIUS server handles verification. First add the RADIUS server to MikroTik, then point the Hotspot profile at it:
- Open your profile under IP → Hotspot → Server Profiles and tick "Use RADIUS" on the RADIUS tab.
- In the Radius menu add a new entry: service hotspot, the Captivo RADIUS server address, and the shared secret from your dashboard.
- In Captivo, add your MikroTik router as a NAS client (IP + the same shared secret).
login-by=http-pap or http-chap in the Hotspot profile; the Captivo template supports both automatically. CHAP hashes the password with MD5 instead of sending it in clear (more secure). You can enable both: login-by=http-chap,http-pap.
3. Open the Walled Garden
Before a guest is verified, the portal page must reach Captivo (logo, verification, SMS). Allow it under IP → Hotspot → Walled Garden:
- *.captivo.io — the portal and API domains (including subdomains)
- Your SMS / email provider domains
Note: do NOT add the RADIUS server address (e.g. radius.captivo.io) to the Walled Garden — that is RADIUS traffic between the router and the server (UDP 1812/1813), not the guest's web traffic.
4. Upload the branded template
- In Captivo, download the ZIP from Settings → Portal → Templates → MikroTik.
- The ZIP contains login.html and alogin.html.
- In WinBox/WebFig → Files, upload both into the Hotspot html directory (usually flash/hotspot or hotspot), replacing the existing login.html / alogin.html. Keep the other default files (status, logout, error, md5.js).
5. Fix the clock (NTP) — critical
RouterOS often ships with NTP disabled and its clock can be hours off. Because RADIUS accounting timestamps come from the router's clock, a wrong clock means active sessions won't appear in the dashboard and the times in your compliance logs will be wrong. Enable NTP and the right time zone:
Enable it via System → NTP Client (WinBox), add a server (e.g. pool.ntp.org) and set the time zone. (Menus differ slightly between v6 and v7; the easiest path is through WinBox.)
How it works
When a guest connects, MikroTik shows login.html. The guest enters their phone number, the portal verifies it against Captivo's API, then places the returned username and password into a hidden form and posts it to the router's own login URL. RADIUS authenticates; on success the guest is redirected via alogin.html to their original destination — and the connection is recorded.
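To make the http-pap / http-chap difference in that login post concrete, here is an added example (not Captivo's or MikroTik's code) of the standard CHAP computation from RFC 1994, which is what the Hotspot login page does in the browser with md5.js and what the RADIUS server repeats to check it. The function names, the password and the challenge values are constructed for illustration, and an ASCII password is assumed.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: bytes, password: str, challenge: bytes) -> str:
    """Browser side (http-chap): hex MD5 over id || password || challenge."""
    if len(chap_id) != 1:
        raise ValueError("the CHAP identifier is exactly one octet")
    data = chap_id + password.encode("utf-8") + challenge
    return hashlib.md5(data).hexdigest()


def radius_verify(stored_password: str, chap_id: bytes,
                  challenge: bytes, response_hex: str) -> bool:
    """RADIUS side: recompute from the stored password and compare.

    The server needs the password itself (not a one-way hash of it),
    otherwise it cannot rebuild the expected response.
    """
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response_hex.lower())


def demo() -> dict:
    password = "guest-otp-4821"  # constructed sample credential
    # First login attempt: id and challenge issued by the router (constructed).
    id1 = b"\x2a"
    ch1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    # A later attempt gets a fresh id and a fresh random challenge.
    id2 = b"\x2b"
    ch2 = os.urandom(16)

    resp1 = chap_response(id1, password, ch1)
    return {
        "pap_field": password,   # what http-pap puts in the posted form
        "chap_field": resp1,     # what http-chap puts there instead
        "login_ok": radius_verify(password, id1, ch1, resp1),
        # The old response is checked against the new challenge and fails.
        "replay_ok": radius_verify(password, id2, ch2, resp1),
        "wrong_password_ok": radius_verify("guest-otp-0000", id1, ch1, resp1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The response keeps the password out of the posted form, but it is still an unsalted MD5 over values visible on the same page, so it does not replace serving the login page over HTTPS. The need for a readable stored password on the RADIUS side is also the usual reason behind the "CHAP login fails" case listed under common issues.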
Testing and common issues
- Portal opens but logo/verification missing: *.captivo.io may be missing from the Walled Garden.
- Login succeeds but no session in the dashboard: almost always a clock issue — enable NTP.
- CHAP login fails: make sure RADIUS can process CHAP; Captivo RADIUS supports it out of the box.
Ready to go?
Create a free Captivo account, design your portal in minutes and add branded, compliant guest WiFi to your MikroTik Hotspot.