UniFi Captive Portal Not Appearing? Troubleshooting Guide

When your Art of WiFi captive portal does not appear for the guest client device after connecting to the guest WiFi, the issue is almost always caused by the network configuration or the client device. This guide walks you through a systematic troubleshooting process to identify and resolve the problem.

Before You Start

Make sure the basics are in order:

• You are running a recent, official release of the UniFi Network Application (avoid beta and release candidate builds for production)

• All UniFi access points are on the latest official firmware version

• All UniFi access points have full, unrestricted internet connectivity (this is required for the DNS proxy function that redirects guests to the captive portal)

Step 1: Re-provision Your UniFi Devices

Re-provision or reboot all access points serving the guest SSID. If your network includes managed switches and a gateway, reboot those as well. This ensures all devices have the latest configuration, including the captive portal settings and pre-authorization access lists.

Step 2: Check VLAN Guest Policies

Verify that the VLAN associated with the guest SSID does not have guest policies applied at the network level. The guest hotspot (captive portal) settings on the SSID are separate from VLAN-level guest policies, and having both active can cause conflicts.

Step 3: Verify the Pre-Authorization Access List

The pre-authorization access list (also known as the walled garden) controls which domains and IP addresses guests can reach before authenticating. An incorrect list will prevent the splash page from loading.

In your Art of WiFi captive portal dashboard, navigate to:

Manage Captive Portal > Go Live

This page will verify and update the complete pre-authorization access list on your UniFi controller automatically, ensuring all required domains for your configured login methods (social logins, Microsoft Entra ID logins, payment gateway, etc.) are included.

Step 4: Reset the Test Device

Client devices cache network state, which can prevent the captive portal from appearing on subsequent connections. To get a clean test:

1. Remove the device from the UniFi controller:

2. Classic interface: Insights > Client History > hover over the device and remove

3. New interface: Client Devices > open the Details panel for the device > Remove

4. Forget the guest SSID on the client device (Settings > WiFi on iOS/Android)

5. Reconnect to the guest SSID

Step 5: Disable WiFi Assist (iOS)

If the captive portal still does not appear, check whether the client device has WiFi Assist enabled. This iOS feature automatically switches to cellular data when WiFi connectivity is poor, which interferes with captive portal detection.

To disable WiFi Assist on iOS, follow Apple's instructions.

Step 6: Check the Browser Console

If the browser opens but the splash page does not load correctly, check the browser console for errors (where supported by the device). Any hints or error messages visible there can help identify the root cause. Also take note of the full URL where the browser has stopped.

Step 7: Test DNS Resolution

While connected to the guest SSID, try accessing the captive portal server login page directly using its full, public hostname (e.g. https://portal.yourdomain.com).

If this fails: there is likely a DNS issue for the guest devices. DNS requests from guests are proxied by the UniFi access points, and if the APs cannot resolve the portal's hostname, guests won't be able to reach it either.

Possible fix: Add the IP addresses of the DNS servers used on the guest network to the pre-authorization access list. With recent firmware versions, this has been shown to resolve DNS proxy issues.

Step 8: Test Direct IP Connectivity

If DNS works but the page still doesn't load, try accessing the captive portal server using its IP address directly (e.g. https://167.172.40.39).

If this fails: something is blocking connectivity between the guest VLAN and the captive portal server. Check:

The pre-authorization access/allow lists on the UniFi controller should contain the IP address of the captive portal server with the /32 suffix

• Firewall rules controlling inter-VLAN traffic

• Any other security controls between the guest network and the portal server

Step 9: Verify the Pre-Auth Access List Entries

If you are using social logins, Microsoft Entra ID, or payment gateways, make sure the required IP addresses and domains for those services are included in the pre-authorization access list. The Art of WiFi Go Live page handles this automatically, but if you have made manual changes, entries may be incomplete or overcomplete.

Captive Portal Detection URLs to Exclude

Important: Make sure the following URLs are NOT in your pre-authorization access list. These are the URLs that devices use to detect whether they are behind a captive portal. If these are allowed before authentication, the device will think it has internet access and will never trigger the captive portal redirect.

Apple devices:

• https://www.apple.com/library/test/success.html

• http://captive.apple.com

• http://netcts.cdn-apple.com

Android devices:

• https://clients3.google.com

• http://connectivitycheck.gstatic.com

• http://www.google.com/gen_204

• http://www.samsung.com

Microsoft/Windows devices:

• http://edge-http.microsoft.com

• http://www.msftconnecttest.com/redirect

• http://ctldl.windowsupdate.com

Firefox browsers:

• http://detectportal.firefox.com

Still Not Working?

If you have worked through all of the steps above and the captive portal still does not appear, please contact us with the following information:

• UniFi Network Application version

• Access point model and firmware version

• Client device type and OS version

• The full URL where the browser stopped (if applicable)

• Any browser console errors

• Which steps you have completed from this guide