BOON PIN

Guest Access Management System

A guest internet access platform for cafes, shops, and enterprises that need to control WiFi access through vouchers, captive portals, policies, accounting, and device-level traceability.

Laravel, FreeRADIUS, Captive Portal, RADIUS AAA, MySQL, InfluxDB, OAuth2, LDAP, Social OAuth, NAS/AP Integration

Overview

The Guest Access Management System is an internet access control platform for businesses that want to manage guest WiFi without relying on a static shared password. Guests connect to the venue network, land on a captive portal, and receive access only after completing the configured flow: entering a voucher, viewing a campaign, accepting terms, or authenticating through an approved identity method.

The system acts as the control plane between business operators and the network enforcement layer. It manages tenants, sites, portals, vouchers, policies, accounting, reports, and device traceability. The actual user traffic remains on the customer network and is enforced by the NAS, router, gateway, or access point through RADIUS.

This makes the same architecture suitable for cafes that issue voucher codes after purchase, retail shops that want to show advertisements before allowing access, and companies that need better control over visitor WiFi without constantly rotating passwords.

Primary Use Cases

Cafe Voucher Login

Voucher

Customers buy something, receive a voucher code, and use it on the captive portal to unlock time-limited internet access.

Retail Advertisement Portal

Campaign

Shops can present promotions, announcements, or partner advertisements before allowing guests onto the internet.

Enterprise Guest WiFi

Guest Control

Companies can manage visitor access, avoid shared passwords, restrict access duration, and trace devices using the guest network.

Top-Level Architecture

The system is presented at service and module level only: control plane, guest experience, RADIUS enforcement, accounting, and reporting.

Users & Network

  • Guest Device: phone, laptop, tablet on venue WiFi
  • Venue Operator: cafe, shop, company, tenant admin
  • NAS / AP / Router: network gateway that enforces access

-> connect

Experience Layer

  • Captive Portal: voucher login, ads, terms, guest flow
  • Admin Console: tenants, portals, vouchers, reports
  • Integration API: automation, CRM, external systems

-> manage

Guest Access Control Plane

Business rules, identity, policy, and access orchestration

  • Tenant & Site Management
  • Portal & Campaign Builder
  • Voucher & Guest Identity
  • AAA Policy Engine
  • Device Registry
  • Session Accounting
  • Reporting & Audit
  • Network Actions

-> enforce

Network Enforcement

  • FreeRADIUS Service: authentication, authorization, accounting
  • NAS Gateway: redirect, accept, reject, shape, expire
  • Disconnect / Reauthorize: operator-triggered session control

Platform Services

  • Operational Store: tenants, policies, portals, vouchers
  • Accounting Metrics: usage, sessions, bandwidth history
  • Queue Worker: voucher generation, sync, webhooks
  • External Services: LDAP, social login, CRM, SMTP

Control plane manages policy. Network gateway enforces access. Accounting powers device traceability.

Important Modules

The architecture focuses on the modules that matter for guest access control, without exposing low-level database structure.

Admin Console & Tenant Management

Operator-facing management layer

  • Manage tenants, sites, admins, and operator roles
  • Configure venues such as cafes, shops, offices, and branches
  • Assign network gateways and portals to the correct site
  • Control operator permissions across multi-tenant deployments

Captive Portal & Campaign Layer

Guest-facing access experience

  • Presents the guest login page after WiFi connection
  • Supports voucher redemption, terms acceptance, and promotional content
  • Allows each venue to run a different portal experience
  • Redirects approved guests back to the internet after access is granted

Voucher & Guest Identity Module

Access credential lifecycle

  • Generates voucher batches for purchase-based or campaign-based access
  • Tracks voucher status, expiry, usage limit, and assigned guest context
  • Supports temporary guest accounts and reusable identity flows
  • Prevents stale shared passwords from becoming the main access model

AAA Policy Engine

Business rules converted into network policy

  • Defines access duration, bandwidth profile, quota, and expiry rules
  • Maps voucher, guest, site, or tenant policy into RADIUS authorization
  • Controls whether a login attempt should be accepted, rejected, or limited
  • Keeps business policy separate from the physical network equipment
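The two modules above, the voucher lifecycle and the policy engine, meet at one point: a redeemed voucher has to become an Access-Accept with the right authorization attributes, or an Access-Reject with a reason the operator can read. The following is an added illustration of that mapping and is not the project's own code. It assumes a `Voucher` and `Policy` shape of its own, a store keyed by voucher digest, and that the NAS honours the standard `Session-Timeout`/`Idle-Timeout`/`Acct-Interim-Interval` attributes plus the WISPr bandwidth VSAs and the CoovaChilli `ChilliSpot-Max-Total-Octets` quota VSA from the FreeRADIUS dictionaries; which of those a given gateway actually enforces must be checked per model.

```python
"""Voucher redemption mapped to a RADIUS authorization decision (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import secrets

# Alphabet without 0/O and 1/I/L so printed codes are easy to type.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"


def generate_code(groups: int = 3, group_len: int = 4) -> str:
    """CSPRNG voucher such as 'K7QD-3MZP-8RTB' (12 chars, ~59 bits of entropy)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def code_digest(code: str) -> str:
    """Normalise what the guest typed and hash it; only digests are stored."""
    return hashlib.sha256(code.upper().replace("-", "").encode()).hexdigest()


@dataclass
class Policy:
    duration_s: int                        # total online time the voucher buys
    quota_bytes: Optional[int] = None      # total traffic, None = unlimited
    down_kbps: Optional[int] = None        # bandwidth profile
    up_kbps: Optional[int] = None
    idle_s: int = 600


@dataclass
class Voucher:
    digest: str
    policy: Policy
    valid_until: datetime                  # redemption window, not online time
    max_devices: int = 1
    devices: set = field(default_factory=set)   # MACs that have redeemed it
    used_s: int = 0                        # both counters are fed by accounting
    used_bytes: int = 0
    revoked: bool = False


@dataclass
class Decision:
    accept: bool
    reason: str
    reply: dict = field(default_factory=dict)   # RADIUS reply attributes


def authorize(store: dict, code: str, mac: str, now: datetime) -> Decision:
    """Decide Access-Accept/Reject for one login attempt; `store` maps digest -> Voucher."""
    v = store.get(code_digest(code))
    if v is None or v.revoked:
        return Decision(False, "unknown-or-revoked")   # same answer for both on purpose
    if now > v.valid_until:
        return Decision(False, "expired")
    remaining_s = v.policy.duration_s - v.used_s
    if remaining_s <= 0:
        return Decision(False, "time-exhausted")
    remaining_bytes = None
    if v.policy.quota_bytes is not None:
        remaining_bytes = v.policy.quota_bytes - v.used_bytes
        if remaining_bytes <= 0:
            return Decision(False, "quota-exhausted")
    mac = mac.lower()
    if mac not in v.devices and len(v.devices) >= v.max_devices:
        return Decision(False, "device-limit")
    v.devices.add(mac)

    reply = {
        "Session-Timeout": remaining_s,        # NAS drops the session when spent
        "Idle-Timeout": v.policy.idle_s,
        "Acct-Interim-Interval": 300,          # usage updates every 5 minutes
    }
    if v.policy.down_kbps is not None:
        reply["WISPr-Bandwidth-Max-Down"] = v.policy.down_kbps * 1000   # bit/s
    if v.policy.up_kbps is not None:
        reply["WISPr-Bandwidth-Max-Up"] = v.policy.up_kbps * 1000
    if remaining_bytes is not None:
        # CoovaChilli VSA (assumed); other gateways use a different quota attribute.
        reply["ChilliSpot-Max-Total-Octets"] = remaining_bytes
    return Decision(True, "ok", reply)


def demo():
    """Constructed sample: one paid voucher, four login attempts."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    code = "K7QD-3MZP-8RTB"   # fixed for the sample; real codes come from generate_code()
    policy = Policy(duration_s=3600, quota_bytes=500_000_000, down_kbps=4000, up_kbps=1000)
    store = {code_digest(code): Voucher(code_digest(code), policy, now + timedelta(days=1))}
    first = authorize(store, "k7qd3mzp8rtb", "AA:BB:CC:DD:EE:01", now)   # typed loosely, accepted
    second = authorize(store, code, "AA:BB:CC:DD:EE:02", now)            # second device, refused
    typo = authorize(store, "K7QD-3MZP-8RTX", "AA:BB:CC:DD:EE:03", now)  # wrong code
    late = authorize(store, code, "AA:BB:CC:DD:EE:01", now + timedelta(days=2))
    return first, second, typo, late
```

Two design points worth keeping when this is ported into the real control plane: the plaintext code is never stored, so a dumped voucher table cannot be redeemed, and the remaining time and quota are what go onto the wire, so a voucher that has been partly consumed on an earlier session is re-authorized for only what is left.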

RADIUS Integration Layer

Bridge between application policy and FreeRADIUS

  • Synchronizes approved access identities and policy attributes
  • Supports authentication, authorization, and accounting flows
  • Receives network accounting events for online sessions and usage
  • Allows the network layer to enforce decisions in real time

NAS / AP Gateway Management

Managed network enforcement points

  • Registers routers, access points, gateways, or broadband network servers
  • Maps each gateway to the correct tenant, site, and portal
  • Supports disconnect or reauthorization actions for active sessions
  • Keeps gateway configuration visible from the admin console
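The "disconnect or reauthorize" action is a RADIUS Disconnect-Request or CoA-Request sent to the gateway's dynamic-authorization port (RFC 5176, UDP 3799). As an added example, not the project's code, the block below builds a Disconnect-Request for one session, verifies the gateway's ACK/NAK, and shows the NAS-side check of the request; the shared secret, session identifiers and port are assumptions, and the Message-Authenticator attribute that some gateways additionally require is not included.

```python
"""RADIUS Disconnect-Request / ACK exchange per RFC 5176 (added example)."""
import hashlib
import hmac
import os
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
DYNAUTH_PORT = 3799
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Calling-Station-Id": 31, "Acct-Session-Id": 44}


def encode_attr(name: str, value: str) -> bytes:
    """Type(1) Length(1) Value; IPs as 4 raw bytes, everything else as text."""
    data = socket.inet_aton(value) if name.endswith("IP-Address") else value.encode()
    if not 1 <= len(data) <= 253:
        raise ValueError(f"{name}: attribute value length out of range")
    return bytes([ATTR[name], len(data) + 2]) + data


def build_disconnect(secret: bytes, ident: int, attrs: dict) -> bytes:
    """Request Authenticator = MD5(Code | ID | Length | 16 zero bytes | Attrs | Secret)."""
    body = b"".join(encode_attr(k, v) for k, v in attrs.items())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(secret: bytes, request: bytes) -> bool:
    """What the NAS does on receipt: recompute the Request Authenticator."""
    header, auth, body = request[:4], request[4:20], request[20:]
    return hmac.compare_digest(auth, hashlib.md5(header + bytes(16) + body + secret).digest())


def make_response(secret: bytes, request: bytes, code: int) -> bytes:
    """Simulated NAS reply (sample only): same ID, authenticator over our ReqAuth."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def check_response(secret: bytes, request: bytes, response: bytes) -> str:
    """Validate Response Authenticator = MD5(Code | ID | Length | ReqAuth | Attrs | Secret).

    Returns 'ack' or 'nak'; raises on a forged, corrupt or mismatched reply so the
    control plane never marks a session as disconnected on an unverified packet.
    """
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length/identifier mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or spoofed reply)")
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, f"code-{code}")


def send_disconnect(nas_host: str, secret: bytes, attrs: dict, timeout: float = 3.0) -> str:
    """One UDP round trip to a real gateway (not exercised by the offline sample)."""
    req = build_disconnect(secret, os.urandom(1)[0], attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (nas_host, DYNAUTH_PORT))
        resp, _ = s.recvfrom(4096)
    return check_response(secret, req, resp)


def demo():
    """Offline sample: constructed session, simulated NAS answers."""
    secret = b"testing123"                      # assumed shared secret for the sample
    req = build_disconnect(secret, 7, {
        "User-Name": "K7QD3MZP8RTB",            # voucher identity as the NAS sent it
        "Acct-Session-Id": "5f3a01",            # from accounting; pin the exact session
        "Calling-Station-Id": "aa:bb:cc:dd:ee:01",   # MAC format must match the NAS's own
        "NAS-IP-Address": "10.0.0.1",
    })
    ack = check_response(secret, req, make_response(secret, req, DISCONNECT_ACK))
    nak = check_response(secret, req, make_response(secret, req, DISCONNECT_NAK))
    return req, ack, nak
```

Operationally the gateway only honours these packets from addresses it lists as dynamic-authorization clients with a matching secret, and the MD5 authenticators give integrity against a guessed secret but no confidentiality, so port 3799 should be reachable only from the control plane's management network. Pinning `Acct-Session-Id` rather than only `User-Name` matters when the same voucher is allowed on several devices.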

Session Accounting & Device Trace

Visibility into who used the guest network

  • Tracks active and historical guest sessions at device level
  • Records device identity signals such as MAC address, assigned IP, site, and login method
  • Aggregates usage history for troubleshooting, abuse review, and reporting
  • Lets operators identify which device was connected through which access flow
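Accounting is what turns "who logged in" into "which device was online, with which address, for how long". The following added example, not the project's code, shows the state a session-accounting sink has to keep from FreeRADIUS accounting records: Start creates the session, Interim-Update and Stop carry cumulative counters, the 32-bit octet counters wrap into `Acct-*-Gigawords`, and late retransmits must not roll usage backwards. The events are constructed, the dict keys are standard RADIUS accounting attribute names, and the use of `NAS-Identifier` as the site label is an assumption.

```python
"""Session accounting and device trace from RADIUS accounting events (added example)."""
from dataclasses import dataclass
from typing import Optional

GIGAWORD = 1 << 32   # Acct-*-Gigawords counts wraps of the 32-bit octet counters


@dataclass
class Session:
    session_id: str
    nas_ip: str
    mac: str                         # Calling-Station-Id, normalised
    username: str                    # voucher / guest identity as sent by the NAS
    ip: Optional[str] = None         # Framed-IP-Address
    site: Optional[str] = None       # NAS-Identifier (assumed to name the site)
    status: str = "active"
    duration_s: int = 0
    in_bytes: int = 0                # guest upload (input to the NAS)
    out_bytes: int = 0               # guest download
    terminate_cause: Optional[str] = None
    last_update: int = 0             # Event-Timestamp of the newest record applied


def norm_mac(raw: str) -> str:
    """'AA-BB-CC-DD-EE-01', 'aabb.ccdd.ee01' and 'aa:bb:cc:dd:ee:01' compare equal."""
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def octets(ev: dict, direction: str) -> int:
    """Combine the 32-bit counter with its gigawords attribute."""
    return ev.get(f"Acct-{direction}-Gigawords", 0) * GIGAWORD + ev.get(f"Acct-{direction}-Octets", 0)


class Accounting:
    def __init__(self):
        self.sessions: dict = {}     # (nas_ip, session_id) -> Session

    def apply(self, ev: dict) -> Session:
        key = (ev["NAS-IP-Address"], ev["Acct-Session-Id"])
        s = self.sessions.get(key)
        if s is None:
            # An Interim or Stop may arrive before a lost Start; build from what we have.
            s = Session(ev["Acct-Session-Id"], ev["NAS-IP-Address"],
                        norm_mac(ev["Calling-Station-Id"]), ev.get("User-Name", ""),
                        ev.get("Framed-IP-Address"), ev.get("NAS-Identifier"))
            self.sessions[key] = s
        ts = ev.get("Event-Timestamp", 0)
        if ts < s.last_update:
            return s                 # stale retransmit: keep the newer counters
        s.last_update = ts
        s.ip = ev.get("Framed-IP-Address", s.ip)
        status = ev["Acct-Status-Type"]
        if status in ("Interim-Update", "Stop"):
            s.duration_s = ev.get("Acct-Session-Time", s.duration_s)
            s.in_bytes = octets(ev, "Input")
            s.out_bytes = octets(ev, "Output")
        if status == "Stop":
            s.status = "stopped"
            s.terminate_cause = ev.get("Acct-Terminate-Cause")
        return s

    def trace(self, mac: str) -> list:
        """Every session this device had, oldest first."""
        m = norm_mac(mac)
        return sorted((s for s in self.sessions.values() if s.mac == m), key=lambda s: s.last_update)

    def active(self) -> list:
        return [s for s in self.sessions.values() if s.status == "active"]


# Constructed sample records (not captured from a real gateway).
BASE = {"NAS-IP-Address": "10.0.0.1", "NAS-Identifier": "cafe-01",
        "User-Name": "K7QD3MZP8RTB", "Acct-Session-Id": "5f3a01",
        "Calling-Station-Id": "AA-BB-CC-DD-EE-01", "Framed-IP-Address": "10.10.0.23"}
SAMPLE_EVENTS = [
    {**BASE, "Acct-Status-Type": "Start", "Event-Timestamp": 1714564800},
    {**BASE, "Acct-Status-Type": "Interim-Update", "Event-Timestamp": 1714565100,
     "Acct-Session-Time": 300, "Acct-Input-Octets": 1_200_000, "Acct-Output-Octets": 50_000_000},
    {**BASE, "Acct-Status-Type": "Stop", "Event-Timestamp": 1714568400,
     "Acct-Session-Time": 3600, "Acct-Input-Octets": 100_000,
     "Acct-Output-Octets": 123_456, "Acct-Output-Gigawords": 1,   # download crossed 4 GiB
     "Acct-Terminate-Cause": "Session-Timeout"},
    # The first Interim-Update retransmitted after the Stop; must not roll counters back.
    {**BASE, "Acct-Status-Type": "Interim-Update", "Event-Timestamp": 1714565100,
     "Acct-Session-Time": 300, "Acct-Input-Octets": 1_200_000, "Acct-Output-Octets": 50_000_000},
    {**BASE, "Acct-Status-Type": "Start", "Event-Timestamp": 1714568500,
     "Acct-Session-Id": "5f3a02", "Calling-Station-Id": "aa:bb:cc:dd:ee:02",
     "Framed-IP-Address": "10.10.0.24", "User-Name": "Q2WD7HNB4YXV"},
]


def replay(events=SAMPLE_EVENTS) -> Accounting:
    acct = Accounting()
    for ev in events:
        acct.apply(ev)
    return acct
```

One caveat for the traceability claim: the MAC in `Calling-Station-Id` is self-reported by the client and modern phones randomise it per SSID, so a trace should be anchored on the voucher identity and `Acct-Session-Id` with the MAC and assigned IP as corroborating signals, not as the sole device key.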

Reporting & Audit Module

Operational visibility and compliance support

  • Shows active users, voucher usage, bandwidth trends, and session history
  • Provides tenant and site level reports for operators
  • Exports operational data for business review or support workflows
  • Maintains audit history for important operator and access actions

Guest Access Lifecycle

A typical flow from business setup to guest internet access and device traceability.

  1. Operator Configures Venue Access

     The tenant admin defines the site, network gateway, captive portal, voucher rules, access duration, quota, bandwidth limits, and any advertisement or terms page required for that venue.

  2. Guest Connects to WiFi

     The guest device joins the venue SSID. The NAS, AP, or gateway redirects the unauthenticated user to the captive portal instead of allowing open internet access.

  3. Portal Validates Guest Flow

     The guest enters a voucher code, views the configured campaign, accepts terms, or completes another approved login method. The system validates the access request against the venue policy.

  4. RADIUS Enforces the Decision

     The access policy is translated into an AAA decision. FreeRADIUS and the network gateway allow, reject, limit, or expire the session based on the configured rules.

  5. Accounting Tracks the Session

     As the guest uses the network, accounting events update session status, usage, online duration, device identity, and bandwidth history.

  6. Operator Reviews or Acts

     Operators can view active devices, inspect usage history, revoke access, disconnect a session, export reports, or tune the portal and voucher policy for the next campaign.

Architecture Boundaries

Control Plane, Not Traffic Plane

The application manages policy, identity, portals, vouchers, reporting, and accounting. Live internet traffic remains on the network gateway and is not proxied through the web application.

RADIUS as the Enforcement Contract

The platform expresses business access rules through RADIUS so routers, APs, and gateways can make real-time allow, reject, shaping, and accounting decisions.

Tenant and Site Scoped Operations

Each venue can have its own portal, voucher policy, gateway configuration, reports, and operator access while still sharing the same management platform.

Traceability Without Low-Level Exposure

The project describes device, session, voucher, and accounting concepts at module level only. Storage internals and table-level implementation details stay outside the case study.

Key Capabilities

Voucher-Based Access

Issue purchase-linked or campaign-linked voucher codes with controlled duration, quota, and validity.

Advertisement Portal

Use the captive portal as a business engagement point before granting guest internet access.

Device Visibility

Trace guest devices through session history, login method, access site, assigned network identity, and usage activity.

Bandwidth & Time Control

Apply access limits such as session duration, bandwidth profile, quota, and expiry at the network edge.

Multi-Tenant Management

Serve multiple businesses, branches, or venues from a shared platform with scoped operator access.

Operational Reports

Give admins visibility into active users, voucher consumption, usage trends, and historical access records.