on-premise (large sites)

On-premise design is typically for large venues with more than 100 expected concurrent user devices.

Target environments (large venues)

  • Hospitals, hostels, hotels, dormitories, schools, Large offices
  • Malls, shopping centers
  • Airports, stadiums

This design provides maximum user experience in terms of faster splash portal and authentication, because captive portal is hosted and delivered from on-premise HSG, and authentication is done by local HSG/RADIUS.

It is particularly useful for venues with existing 3rd-party AP already.

Bill of Materials:

  • Internet link (optional HA)
  • mbox HotSpot Gateway (HSG, optional HA)
  • Wireless LAN Controller (WLC) *
  • Wireless access points (MAP) *
  • LAN PoE switches
  • Misc: structured Cabling, professional setup services and managed services


  • This design can integrate with any wireless infrastructure, any brands or models of wireless Access Points (AP).
  • * When 3rd-party AP is used, WLC is typically required to manage the AP (some brands of AP can be managed by cloud WLC); when mbox Access Point (MAP) is used, the WLC is a software module sitting inside HSG (MACC), so no physical WLC hardware is required.
  • Can support multiple SSID and multiple VLANs. Each SSID will map to a VLAN, to support different captive portals, different user accounts and different access control policies for each Portal/SSID/VLAN.
  • Can integrate with external authentication database (eg. PMS, CRM, RADIUS, SocialMedia, etc), using mbox API, RADIUS proxy, or social media provider API (eg. facebook/twitter API).
  • The HSGs can be managed and monitored centrally from multi-tenant cloud mfusion.
  • Detail user access logs can be generated by turning on firewall access logging and URL logging. Access logs can be sent and stored in an external dedicated log collector for security audit compliance and forensic investigation purposes.
  • Because the on-premise HSG hosts captive portal content locally and deliver to users from local network, the performance and user experience for captive portal authentication is maximized.
  • If using MAP, MAP can be managed by on-premise HSG MACC (AP controller) or cloud mfusion MACC.
  • The sizing (model) of HSG is based on max no. of expected concurrent users (available models: HSG-100, HSG-200, HSG-800, HSG-2000, HSG-5000, HSG-15000, HSG-25000).

NOTE: We recommend best network sizing up to /23 per VLAN, maximum /22 (eg. up to 1000 hosts per VLAN). To support more users per box (eg. for HSG-5000 and above), you can provision more VLANs and run more hotspot instances.


  • Integrated gateway solution. Cost effective. Easy to manage.
  • Easy portal customization via web-based CMS with comprehensive templates.
  • Full access to user access records for data analytics purposes
  • Full security compliance with detail user access logs

Typical traffic flow for on-premise model

  1. User device associates to wireless SSID broadcasted by AP.
  2. AP forwards user connection request to WLC, which asks HSG HotSpot controller to issue user DHCP IP addresses. Each SSID is mapped to a specific vlan on WLC (which in turn trunks to HSG), so user will get respective IP address from the respective vlan (hotspot instance) on HSG. PS: If external DHCP server is used, HSG relays user requests to upstream DHCP server and returns DHCP OFFER back to user device.
  3. After getting DHCP IP address, user launches Internet browser for Internet access (some devices will auto trigger CNA portal), and the browsing request is forwarded to HSG by AP-WLC.
  4. HSG hotspot controller intercepts the browsing request, and (if not authenticated user) redirects user browser to a customized login page (landing page), asking for authentication. PS: the login page can be hosted locally or on external server.
  5. User enters login credentials at login portal, which are forwarded to HSG. If local HSG RADIUS is used, HSG checks local database to authenticate user; if external RADIUS is used, HSG forwards authentication requests to external AAA/RADIUS server.
  6. If RADIUS accepts (account exists and valid), HSG redirects user browser to the original URL (or customer preferred redirect URL) and enforces session bandwidth control; if RADIUS rejects, HSG hotspot controller denies user access