1. Is the module activated on this Context?
Each Sign In Module has its own activation switch at the top of its admin page. If the module was never activated — or was deactivated by mistake — it won’t appear on the Captive Portal.- Go to Sign In Modules → module name.
- Confirm the status card says Active. If it says Not Active, click Activate module Login Module.
2. Does the guest’s Access Policy enable the module?
Five modules — Meeting Host, Email Self-Provisioning, SAML Login, Manage Conferences, and Manage Whitelistings — are additionally gated by an Access Policy. Activation makes the module available; the policy decides who sees it.- Go to Captive Portal → Access Policies.
- Identify which policy matches the guest (default unless an email pattern or other rule routes them elsewhere).
- Open the relevant Sign-In Permissions or Self-Service Permissions sub-tab and confirm the module’s master toggle is on.
3. Are the module’s prerequisites in place?
Some modules need external pieces:- SMS needs an SMS provider configured on this Context.
- SAML SSO needs valid IdP metadata imported and attribute mapping set up.
- RADIUS needs a reachable external RADIUS server (see RADIUS diagnostics).
- Conference and Event Access need at least one entry created.
4. Is the guest’s device blocked?
A device block prevents all modules from completing for that MAC.- Check Sign In Modules → Blacklistings for the guest’s MAC.
- If found, review the block entry. Contact support if it’s not clear why it was added.
Module-specific patterns
Self-Provisioning by Email
- Verification email doesn’t arrive. Check the guest’s spam folder and confirm the configured sender domain is allow-listed on the guest’s mail provider.
- Email pattern rejects valid addresses. The Access Policy’s email pattern is an allow-list, not a deny-list. If the guest’s domain isn’t on it, they can’t sign in.
SMS
- Code doesn’t arrive. Check the configured SMS provider is actually delivering — per-message logs live with the provider, not in Sign In.
- Wrong country code. The default country code is pre-selected on the portal; guests from other countries have to change it.
SAML SSO
- “Invalid signature” on the ACS callback. The IdP’s signing certificate in the metadata is out of date. Re-download and re-upload.
- Guest authenticates but no login record appears. The attribute mapping is wrong — usually the email attribute. Check the SAML log view for the received assertion and confirm the attribute names match.
- Browser loops back to the portal. The IdP hostname isn’t in the walled garden and can’t be reached pre-auth.
Meeting Host
- Visitor stuck on “waiting for approval”. The host didn’t click the Approve button in the email, or the email didn’t arrive. Check whether the host received the notification. Admins can manually approve from the admin tab as a workaround.
- Host not found. If autocomplete is on and the host’s email isn’t suggested, the host’s address isn’t in the recognised-hosts set.
Conference / Event Access / Password Subscription
- “Invalid code”. The guest’s code has expired (check the entry’s
active window) or was typo’d. Codes with visual ambiguity (
O/0,l/1) are a common culprit. - Code worked for someone else but not this guest. Access Policy device limits may have been reached for that code.
Whitelist
- Device not recognised. MAC randomization is the most common reason — see Captive-portal detection.
- Entry expired. Check the entry’s Length policy; timeout and end-date entries can silently lapse.
When the dashboard disagrees with what the guest sees
If the guest says “I’m still connected” but the Dashboard shows the session as revoked, an upstream firewall or previous cache may be serving them. Ask the guest to refresh and retry a site they haven’t visited before. If it loads, the guest was on cached data; if it doesn’t, the revoke is in effect.Related
Captive-portal detection
When the portal never pops up.
RADIUS diagnostics
External RADIUS backend problems.