Configuring Wired Networks for Guest Users on Instant APs
Instant APs support the captive portalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centres, or Wi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. hotspotsHotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet.. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well.
The captive portal solution for an Instant AP cluster consists of the following:
The captive portal web login page hosted by an internal or external server.
The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. authentication or user authentication against internal database of the AP.
The SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. broadcast by the Instant AP.
The Instant AP administrators can create a wired or WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. through HTTPHypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection., the captive portal webpage prompts the user to authenticate with a user name and password.
Splash Page Profiles
Instant APs support the following types of splash page profiles:
—Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
—When is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
—When is enabled, a guest user has to accept the terms and conditions to access the Internet.
—Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
—Select this splash page to use the cloud guest profile configured through the tab.
—Select to disable the captive portal authentication.
For information on how to create splash page profiles, see the following sections:
Creating a Wired Network Profile for Guest Users
To create a wired SSID for guest access, complete the following steps:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click > .
A list of access points is displayed in the view.
3. Click the icon.
The tabs to configure the access points are displayed.
4. Click , and click the tab.
The Interfaces details page is displayed.
5. Click the accordion.
6. To create a new wired SSID profile, click .
The pane is displayed.
7. Under , enter the following information:
a. —Enter a name.
b. —Select port(s) form the drop-down list.
8. Click Next to configure the settings.
9. In the tab, select a type of mode from the drop-down list.
10. Select any of the following options for :
|
Parameter |
Description |
|---|---|
|
|
Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client. If this option is selected, specify any of the following options in : —When the client VLAN must be assigned to the native VLAN on the network. —To customize the client VLAN assignment to a specific VLAN, or a range of VLANs. |
|
|
Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the button to create a VLAN is displayed. Create a new VLAN if required. |
Configuring an Internal Captive Portal Splash Page Profile
To configure internal captive portal profile, complete the following steps:
1. Open the guest SSID to edit and configure the following parameters in the > page.
|
Parameter |
Description |
|---|---|
|
|
Select any of the following from the drop-down list: Internal - Authenticated—When is selected, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database. Internal - Acknowledged—When is selected, the guest users are required to accept the terms and conditions to access the Internet. —When is selected, the guest users are required to enter the proxy server details such as IP address and captive portal proxy server port details. Also enter the details in , and section. —When is selected, the guest users are required to select the . —Select this option if you do not want to set any splash page. |
|
|
Select or from the drop-down list. |
|
|
) for which you are customizing the splash page design. Perform the following steps to customize the splash page design. —Enter a title for the banner. To preview the page with the new banner title, click . —Specify a background color for the header. —To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters. —To change the policy text, click the second square in the splash page, enter the required text in the Policy Text box, and click OK. Ensure that the policy text does not exceed 255 characters. —To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette. —To redirect users to another URL, specify a URL in . —To upload a custom logo, click , browse the image file, and click . Ensure that the image file size does not exceed 16 KB. To delete an image, click . To preview the captive portal page, click splash page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the and fields. |
|
|
By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters: —Specify an encryption and authentication key. —Specify a passphrase format. —Enter a passphrase and retype to confirm. |
|
|
Configure the following parameters:Configure the following parameters: —To enable MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication for and security levels, turn on the toggle switch. To use an internal server, select and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click . For information on configuring external servers, see Configuring Authentication and Security Profiles on Instant APs. —To add another server for authentication, configure another authentication server. —Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Pools and Client IP Assignment Modes on Instant APs. |
|
|
Create and manage users in the captive portal network. Only registered users of type will be able to access this network. |
|
> |
|
|
> |
|
|
> |
If you are configuring a wireless network profile, turn on the toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only. |
|
> |
To exclude uplink, select an uplink type. |
2. Click .
Configuring an External Captive Portal Splash Page Profile
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the > data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles.
When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNSDomain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.
To configure an external captive portal profile, complete the following steps:
1. Under tab, in the table, select a guest SSID and click the edit icon.
The pane is displayed.
2. Under tab, in the , select and configure the following parameters under :
3. Select the Splash Page type as .
4. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the and fields.
5. Select a captive portal profile. To add a new profile, click and configure the following parameters:
6. Click .
7. On the external captive portal splash page configuration page, specify encryption settings if required.
8. Specify the following authentication parameters in :
—To enable MAC address based authentication for and security levels, turn on the toggle switch.
—Sets a primary authentication server.
To use an internal server, select and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
To add a new server, click . For information on configuring external servers, see Configuring Authentication and Security Profiles on Instant APs.
—To add another server for authentication, configure another authentication server.
—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
9. If required, under , create a list of domains that are blacklisted and also a white list of websites that the users connected to this splash page profile can access.
10. To exclude uplink, select an uplink type.
11. If MAC authentication is enabled, you can configure the following parameters:
—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
—Turn on the toggle switch to enable, to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
12. Configure the . Specify a value for Reauth Interval. When set to a value greater than zero, Instant APs periodically re-authenticate all associated and authenticated clients.
13. If required, enable blacklisting. Set a threshold for blacklisting clients based on the number of failed authentication attempts.
14. Click .
Configuring a Cloud Guest Splash Page Profile
For information on how to create a cloud guest network profile, see Configuring a Guest Access Splash Page Profile
Associating a Cloud Guest Splash Page Profile to a Guest SSID
To use the Cloud Guest Splash page profile for the guest SSID, ensure that the Cloud Guest Splash Page profile is configured through the app.
To associate a Cloud Guest splash page profile to a guest SSID, complete the following steps:
1. Under tab, in the table, select a guest SSID and click the edit icon.
The pane is displayed.
2. Click the tab.
a. Select from the list.
b. Select the splash page profile name from the list, and then click .
c. To enable encryption, turn on the toggle switch and configure the encryption parameters.
d. To exclude uplink, select , , or option from accordion.
e. Click .
3. Click .
Configuring ACLs for Guest User Access
To configure access rules for a guest network, complete the following steps:
1. Under tab, in the table, select a guest SSID and click the edit icon.
The pane is displayed.
2. Click the tab.
3. Under , select any of the following types of access control:
Unrestricted—Select this to set unrestricted access to the network.
Network Based—Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
a. Click and select appropriate options for , , , , and fields.
b. Click Save.
Role Based—Select Role Based to enable access based on user roles.
For role-based access control:
1. Create a user role:
a. Click in pane.
b. Enter a name for the new role and click .
2. Create access rules for a specific user role:
a. Click and select appropriate options for , , , , and fields.
b. Click Save.
3. Create a role assignment rule.
a. Under , click . The pane is displayed.
b. Select appropriate options in , , , and fields.
c. Click .
4. Click .
Disabling Captive Portal Authentication
To disable captive portal authentication, complete the following steps:
1. Under tab, in the table, select a guest SSID and click the edit icon.
The pane is displayed.
2. Click the tab.
3. Under , select None for Splash Page Type.
4. Click Save Settings.
