Make sure you set "Captive portal strength" to "Block all access until sign-on is complete".

Hi Philip
Thanks for your input. I have already set this option. I apologize for not having included this in my description.

I recall that there is an option for the setting of the splash page frequency, so quite possibly if the IP lease is long enough, a specific, previously authorised user does not have to re-authenticate if the DHCP lease is still valid.

I do recall a situation at a village pub where the guest network handed out long IP leases and the regulars would keep the same IP pretty well indefinitely. Which made for some interesting analysis, particularly when it came to unnoticed coincidences. The management were usually weeks ahead of the village gossips.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks for your input!
I have created a new SSID with the following settings:

Network access Open
Splash page Billig
Captive portal strength Block all access until sign-on is complete

Splash frequency Every half hour

The client (new one) can still connect to this SSID and browsing to http and https sites.

For the test I was able to download an iso file (2GB) from a website without any problems.

And the DHCP lease duration . . .

In case the system still "sees" a validated user returning

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

We use bridge mode with VLAN tagging. The lease is 8 hours.
The client i uesed for the test was a new one and hasn't had a IP-adress.