Hi, personally, for your office, I would not touch captive portals at all - you are giv ing yourself a nice headache, single points of failure and a nice weak security model. go to 802.1X - and then configure your wireless AP to use the FreeRADIUS box (or boxes!) as the RADIUS authentication/accounting. you can then do all you rpoxy things etc just as a normal network. WPA2/AES with PEAP/MSCHAPv2 is very easy on pretty much all modern OS/clients if you are hellbent on doing captive portal...well, I'd say just roll your own. Linux.BSD box with ebtables/iptables 2 interfaces (one inside the captive , the other outside - with a bridg interface on which the apache server listens....about 30 lines of PERL which gives them a web page with login box - please use HTTPS for at least some security!) - and then PERL Auth::RADIUS to take user/pass details and pipe to RADIUS - the POD pretty much gives you the code you need. you can then tweak/customise as YOU need, rather then what somewhen else thinks you need...... 802.1X means you can cut out all the rubbish and have pure network access alan