WPA3, Enhanced Open and your guest WiFi captive portal
A regular phones the office in a mild panic. His IT guy has "upgraded the WiFi to WPA3 and turned on the new 6 GHz band", and now the landlord is convinced his guest network is broken because something somewhere mentioned that open WiFi is no longer allowed. No more free WiFi. No more email sign-ups. No more Friday-night newsletter that fills the quiz night. That was the fear, anyway.
None of it was true. The portal still worked. The email capture still worked. The only real change was a setting most people never look at. This is one of the most misunderstood corners of venue WiFi, so let me clear it up properly, first in plain English, then with the actual specs for whoever is doing the install.
The short version: encryption and your captive portal are two different layers that barely talk to each other. You can change one without touching the other. The longer version is worth your ten minutes, because the 6 GHz rules genuinely do bite, just not in the way the panic suggests.
The fear, and why it is misplaced
The worry usually arrives bundled with a new router or a Wi-Fi 6E / Wi-Fi 7 access point. Someone reads that "open networks are banned on the new band" and assumes their whole guest-WiFi-with-a-sign-up-page model is dead. It is not. What is banned is plain, unencrypted open WiFi on the 6 GHz band specifically. Everything you do on 2.4 GHz and 5 GHz, which is where the vast majority of guest phones connect anyway, carries on exactly as before.
And even on 6 GHz, "no password" WiFi still exists. It just gets encrypted automatically now, using a mode called Enhanced Open. Your guests will not notice. They tap to connect, your branded page appears, they enter an email, they get online. The mechanics under the bonnet changed. The guest experience did not.
A captive portal is a redirect and a consent screen. Encryption is a separate, lower layer. WPA3 does not know or care that a portal exists, and the portal does not know or care which encryption the network uses.
WPA2 vs WPA3 vs Enhanced Open in plain terms
Three terms get thrown around, so here is what each one actually does.
WPA2-Personal is the password-protected WiFi you have used for fifteen years. It is fine, but it has weaknesses. Its setup handshake can be captured out of the air and attacked offline, meaning someone can grab the data and try millions of password guesses on their own laptop later. It also has no forward secrecy: if your password is ever cracked, traffic captured in the past can be decrypted too.
WPA3-Personal fixes both. It swaps the old handshake for one called SAE (Simultaneous Authentication of Equals), a balanced PAKE based on the Dragonfly key exchange defined in RFC 7664. In plain terms, SAE never sends the password or a crackable hash over the air, so each guess at the password needs a fresh live attempt against the access point rather than an offline grind. It also gives every session its own unique key, so a future breach cannot unlock yesterday's traffic. SAE resists the offline dictionary attacks that WPA2 is vulnerable to.
Enhanced Open, also called OWE (Opportunistic Wireless Encryption), is the clever one for guest WiFi. It is encryption with no password and no credentials at all. The technical definition lives in RFC 8110, "Opportunistic Wireless Encryption," published March 2017 by the IETF, editors Dan Harkins and Warren Kumari. The Wi-Fi Alliance branded it as Wi-Fi CERTIFIED Enhanced Open in 2018. Under the hood it runs a Diffie-Hellman key exchange during association to derive a key, then the normal 4-way handshake, and encrypts traffic with AES. The guest does nothing different. They join an open-looking network, but the air between their phone and your access point is now scrambled.
For a venue, OWE is the best of both: the no-friction "just tap and join" feel of open WiFi, with the eavesdropping protection of a password-protected network. That matters in a busy cafe where the person at the next table is on the same network as you.
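To show what "a Diffie-Hellman exchange during association, then the normal 4-way handshake" means in practice, here is an added Python illustration of both sides of an OWE association. It is not code from the RFC, CaptiFi or any access-point vendor: it follows the HKDF steps of RFC 8110 section 4.4, but stands in a constructed toy finite-field group and a placeholder group number for the elliptic-curve group a real deployment uses, uses SHA-256, and assumes the 2-octet group number is encoded little-endian.

```python
import hashlib
import hmac
import secrets

# Toy finite-field DH group, constructed for readability only: a real OWE
# association uses an IANA group (NIST P-256 by default) from RFC 8110.
P = 2**521 - 1
G = 2
PLEN = (P.bit_length() + 7) // 8
TOY_GROUP_ID = 0xFFFF  # placeholder for the 2-octet group number, not a real IANA value

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def keypair():
    """Fresh ephemeral DH key pair: OWE involves no password or credential at all."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P).to_bytes(PLEN, "big")

def owe_derive(priv: int, peer_pub: bytes, c_pub: bytes, a_pub: bytes):
    """RFC 8110 section 4.4: prk = HKDF-extract(C | A | group, z),
    PMK = HKDF-expand(prk, "OWE Key Generation", n), PMKID = Truncate-128(Hash(C | A)).
    C is the client's public key, A the AP's; group is assumed little-endian here."""
    z = pow(int.from_bytes(peer_pub, "big"), priv, P).to_bytes(PLEN, "big")
    prk = hkdf_extract(c_pub + a_pub + TOY_GROUP_ID.to_bytes(2, "little"), z)
    pmk = hkdf_expand(prk, b"OWE Key Generation", 32)
    pmkid = hashlib.sha256(c_pub + a_pub).digest()[:16]  # computable from public values only
    return pmk, pmkid

def owe_association():
    """Client sends C in its Association Request, the AP answers with A, and each
    side derives the same PMK, which then seeds the normal 4-way handshake."""
    c_priv, c_pub = keypair()
    a_priv, a_pub = keypair()
    c_pmk, c_pmkid = owe_derive(c_priv, a_pub, c_pub, a_pub)
    a_pmk, a_pmkid = owe_derive(a_priv, c_pub, c_pub, a_pub)
    return c_pmk, a_pmk, c_pmkid, a_pmkid
```

Every association draws fresh ephemeral keys, so two joins by the same phone yield unrelated PMKs, and a listener who captures C and A can reproduce the PMKID but not the PMK.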
Why the captive portal lives above encryption
Here is the bit that settles the whole question. A captive portal works at the IP and HTTP-redirect layer: the guest's phone tries to load a page, the network intercepts that request and serves your branded splash instead, the guest accepts terms or enters an email, and the controller then authorises the device. The access point handles encryption. The portal handles the redirect, consent and data capture. They are different jobs done at different layers.
So whether the SSID is open, WPA2, WPA3 or OWE, the portal behaves the same. The encryption protects the link. The portal sits on top of that link doing its own thing. Vendors from Purple to Fortinet describe it the same way: the portal is independent of the link-layer security.
One honest caveat. Some older, badly written captive-portal implementations were built assuming plain open networks and do not handle OWE cleanly. That is a software-quality problem, not a law of physics. A portal built to work across modern security modes, which is the only kind worth running in 2026, redirects guests identically on open, WPA2, WPA3 and OWE. If you are choosing portal software, this is a question worth asking the vendor directly.
The 6 GHz rules nobody warned you about
This is where real rules apply, so do not skip it if you are deploying Wi-Fi 6E or Wi-Fi 7 kit. The Wi-Fi Alliance made WPA3 mandatory for every 6 GHz device, with no WPA2 backward compatibility at all. You cannot run a WPA2 SSID on 6 GHz. You cannot run a plain open SSID on 6 GHz either. All 6 GHz traffic is encrypted, full stop.
The allowed modes on 6 GHz are WPA3-Personal, WPA3-Enterprise, and Enhanced Open (OWE) for your password-free guest network. So your guest WiFi can absolutely live on 6 GHz; it just has to be OWE rather than naked open.
There is a sharper trap in here. OWE transition mode is not allowed on 6 GHz, and not allowed when Wi-Fi 7 (EHT/MLO) is enabled. Transition mode is the trick that lets old devices that have never heard of OWE share a network with new ones: the access point quietly runs two SSIDs, a broadcast open one and a hidden OWE one, linked by a special element so newer phones use encryption while older ones still connect. It is genuinely useful on 2.4 and 5 GHz.
But per the WPA3 Specification v3.4, Section 11.3 (as documented by Cisco Meraki citing the spec), an access point running a 6 GHz BSS must not advertise the OWE Transition Mode element, and the same prohibition applies when EHT/MLO is on. The reason is simple once you see it: transition mode needs an open SSID to work, and open SSIDs are already banned on 6 GHz and on Wi-Fi 7. So only pure, non-transition OWE is valid there. The good news is pure OWE does work with Wi-Fi 7 multi-link operation: an independent lab test (mrn-cciew, January 2026) established Wi-Fi 7 MLO connections over OWE on Intel BE200 and Pixel 8 clients against Cisco and Meraki access points.
Practical translation: keep an open SSID plus captive portal on 2.4/5 GHz for maximum device compatibility, and run OWE plus captive portal on 6 GHz. Do not try to force OWE transition mode onto the 6 GHz band or onto a Wi-Fi 7 network. It is not just discouraged, it is against the spec.
WPA2 vs WPA3 vs OWE vs open: comparison
| Mode | Password? | Traffic encrypted? | Allowed on 6 GHz? | Captive portal works? | Best for |
|---|---|---|---|---|---|
| Plain Open | No | No | No | Yes | Legacy guest WiFi on 2.4/5 GHz |
| WPA2-Personal | Yes | Yes (no forward secrecy) | No | Yes | Staff/back-office networks |
| WPA3-Personal (SAE) | Yes | Yes (forward secrecy) | Yes | Yes | Staff and password-protected networks |
| Enhanced Open (OWE) | No | Yes | Yes (pure OWE only) | Yes | Modern password-free guest WiFi |
The pattern is clear. For a guest SSID you want either plain open plus a portal on the lower bands, or OWE plus a portal everywhere including 6 GHz. Both pair with email capture exactly the same way.
The setup I would actually run
If a venue asked me how to configure a guest network today, this is the answer, and it works whether you run UniFi, TP-Link Omada, Meraki, Aruba or MikroTik.
- Guest SSID on 2.4 and 5 GHz: plain open plus your captive portal. Maximum compatibility with every old phone, tablet and games console that walks in.
- Guest SSID on 6 GHz: Enhanced Open (OWE) plus the same captive portal. Encrypted, password-free, spec-compliant.
- Staff SSID: WPA3-Personal with a strong passphrase, kept entirely separate from guests. Never share the staff password on a chalkboard.
- Do not enable OWE transition mode on 6 GHz or on Wi-Fi 7. Use pure OWE there.
The portal sits on top of all of this and authorises devices through the controller API, so you do not need to stand up a RADIUS server to make it work. One branded sign-up page, one consent flow, one mailing list, regardless of which band or encryption mode a given guest landed on.
MAC randomisation and repeat-visit tracking
This is the part of the encryption conversation that actually affects your marketing numbers, and it is worth understanding properly.
Phones used to broadcast a single permanent hardware address (the MAC address), which made it easy to count "this device came back three times this month". Modern phones deliberately hide it. Android 10 and later use a randomised MAC by default; the default is persistent randomisation, derived from the network profile, and it stays the same until a factory reset. Apple's Private Wi-Fi Address has been on by default since iOS 14.
Here is the catch for guest WiFi. On recent Apple systems (iOS 18 and the matching macOS/iPadOS/watchOS releases), the private address mode auto-selects. On secure networks (WPA2/WPA3 Personal and Enterprise) it uses a Fixed address, which is stable per network. But on "weaker authentication or encryption methods, such as WPA, OWE, WEP, captive portals, and open networks", Apple defaults to a Rotating address that, per Apple Support, changes to a new one every 2 weeks. Open, OWE and captive-portal networks all fall into that Rotating bucket.
So on exactly the kind of guest network you run, Apple devices change their visible MAC every fortnight. That quietly breaks long-term repeat-visit identification by MAC address. Counting a regular as the same person across months becomes unreliable, because their phone looks like a new device every two weeks.
This is precisely why MAC-based people-counting is a shaky foundation for venue marketing, and why email capture through the portal is the better play. An email address does not rotate. When a guest signs in with their email once, you have a stable, consented identity you actually own, independent of whatever the phone decides to do with its hardware address this week. The portal sidesteps the entire randomisation problem because it is not relying on the device's identity at all. It asks the human.
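To make the fortnightly rotation concrete, here is an added Python illustration (not CaptiFi code) that models Apple's Rotating address as a fresh MAC every 14 days from first join (a simplification of the real schedule) over constructed visit records, then compares the repeat-visit picture keyed by MAC with the same records keyed by the email the portal captured.

```python
from datetime import date, timedelta

ROTATION = timedelta(days=14)  # Apple's Rotating mode: a new address every 2 weeks

def visible_mac(device: str, first_join: date, visit: date) -> str:
    """Constructed model of a Rotating private address: the address the venue
    sees changes to a fresh value every 14 days after the device first joined."""
    epoch = (visit - first_join) // ROTATION
    return f"{device}-rotation{epoch}"

def build_visits():
    """Constructed sample data: one regular on the guest network every Friday
    for 12 weeks, plus a one-off visitor. Each visit carries the MAC the portal
    saw and the email the guest typed into the sign-up page."""
    start = date(2026, 1, 2)
    visits = []
    for week in range(12):
        day = start + timedelta(weeks=week)
        visits.append({"day": day, "mac": visible_mac("phoneA", start, day),
                       "email": "regular@example.com"})
    visits.append({"day": start, "mac": visible_mac("phoneB", start, start),
                   "email": "oneoff@example.com"})
    return visits

def unique_identities(visits, key: str) -> int:
    """Distinct guests as counted by `key` ('mac' or 'email')."""
    return len({v[key] for v in visits})

def most_visits(visits, key: str) -> int:
    """Longest visit history attributable to a single identity under `key`."""
    counts = {}
    for v in visits:
        counts[v[key]] = counts.get(v[key], 0) + 1
    return max(counts.values())
```

On these records the MAC view reports seven "devices", none of which ever comes back more than twice, while the email view correctly shows two guests, one of them returning twelve times.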
Where CaptiFi fits
CaptiFi is the marketing layer that sits on top of whatever network you already run. We do not sell, ship, wire or install hardware. We provide the branded captive portal, the email capture, and the Google review automation that runs above your existing access points, and it behaves identically whether your guest SSID is open, WPA2, WPA3 or OWE. The encryption is your network's job. Turning a connection into a subscriber is ours.
Because the portal works at the consent and identity layer, none of the encryption changes above touch it. Authorisation happens through the controller API, with no RADIUS server to maintain, and the whole thing is built for GDPR and PECR-compliant consent out of the box. Venues running CaptiFi typically capture 40 to 60 percent of connecting guests as email subscribers, often 300 to 500-plus emails per location per month, with around a 45 percent open rate on the automated welcome email. That is the number that survives MAC randomisation.
If you want the practical how-to, see how to capture emails from guest WiFi and the matching setup guide for your controller. For the wider hardware picture, the companion guides on Wi-Fi 6 vs 6E vs Wi-Fi 7 and choosing an access point are worth a read. You can start a 30-day free trial with no card from $69/mo, and it slots onto the network you already have.
Sources: IETF RFC 8110 and RFC 7664; Wi-Fi Alliance Enhanced Open materials; WPA3 Specification v3.4 §11.3 as cited by Cisco Meraki; Cisco, Aruba/HPE, Extreme Networks and Purple documentation; Android Open Source Project MAC randomisation docs; Apple Support security guide and article 102509; and the mrn-cciew Wi-Fi 7 OWE/MLO lab test (January 2026). CaptiFi figures are typical observed ranges, not guarantees. Specs and prices were correct at the time of writing, June 2026.
Frequently asked questions
Quick answers to the most common questions about this topic.
Will switching to WPA3 break my open guest WiFi and captive portal?
Is open guest WiFi banned now?
What is the difference between WPA3 and Enhanced Open?
Why is OWE transition mode not allowed on 6 GHz or Wi-Fi 7?
Does MAC randomisation stop me tracking repeat guests?
Do I need a RADIUS server to run a captive portal on WPA3 or OWE?
Can my guest WiFi run on 6 GHz with a sign-up page?
Does CaptiFi sell or install the WiFi hardware?
The CaptiFi Editorial Team writes about guest WiFi marketing, captive portals, GDPR-compliant data capture, and local SEO for venue operators. We base our recommendations on real customer outcomes and verified third-party reviews from G2.com.