Configuring Wireless Networks for Guest Users on IAPs

Instant Access Points (IAPs) support the captive portalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centers, or Wi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. hotspotsHotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet.. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well.

The captive portal solution for an IAP cluster consists of the following:

• The captive portal web login page hosted by an internal or external server.
• The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication or user authentication against internal database of the AP.
• The SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. broadcast by the IAP.

The IAP administrators can create a wired or WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. through HTTPHypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection., the captive portal webpage prompts the user to authenticate with a user name and password.

Splash Page Profiles

Instant APs support the following types of splash page profiles:

• Internal Captive portal—Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
  • Internal Authenticated—When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
  • Internal Acknowledged—When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
• External Captive portal—Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
• Cloud Guest—Select this splash page to use the cloud guest profile configured through the Guest Management tab.
• None—Select to disable the captive portal authentication.

To create splash page profiles, see the following sections:

• Creating a Wireless Network Profile for Guest Users

Creating a Wireless Network Profile for Guest Users

To create an SSID for guest users, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of access points is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the access points are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. In the WLANs page, click + Add SSID.

   The Create a New Network pane is displayed.

6. Under General, enter a network name in the Name (SSID) text-box.
7. If configuring a wireless guest profile, set the required WLAN configuration parameters described in Table 1.

8. Click Next.

   The VLANsVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. details are displayed.

9. Under VLANs, select any of the following options for Client IP Assignment:

   Table 1: VLANs Assignment

   Parameter	Description
   Instant AP assigned	When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnetSubnet is the logical division of an IP network. and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify any of the following options in Client VLAN Assignment: Internal VLAN—Assigns IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network. Custom—Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.
   External DHCP server assigned	When this option is selected, specify any of the following options in Client VLAN Assignment: Static—In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps: Click +Add Named VLAN. The Add Named VLAN window is displayed. Enter the VLAN Name and VLAN details, and then click OK. Dynamic—Assigns the VLANs dynamically from a DHCP server. To add a new VLAN assignment rule, complete the following steps: Click +Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed. Enter the Attribute, Operator, String, and VLAN details, and then click OK. To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps: Click +Add Named VLAN. The Add Named VLAN window is displayed. Enter the VLAN Name and VLAN details, and then click OK. To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon. Native VLAN—Assigns the client VLAN is assigned to the native VLAN. For more information, see Configuring VLAN Assignment Rule.

Configuring an Internal Captive Portal Splash Page Profile

To configure an internal captive portal profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of access points is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the access points are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.

6. Under Security tab, in the Security Level, select Captive Portal and configure the following parameters:

Table 2: Internal Captive Portal Configuration Parameters

Parameter	Description
Captive Portal Type	Select Internal from the drop-down list.
Captive Portal Location	Select Acknowledged or Authenticated from the drop-down list.
Customize Captive Portal	Under Splash Page, when Customize Captive Portal is clicked, use the editor to specify text and colors for the initial page that is displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Authenticated or Acknowledged) for which you are customizing the splash page design. Complete the following steps to customize the splash page design. Top banner title—Enter a title for the banner. Header fill color—Specify a background color for the header. Welcome text—To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters. Policy text—To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters. Page fill color—To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette. Redirect URL—To redirect users to another URL, specify a URL in Redirect URL. Logo image—To upload a custom logo, click Choose Fileto upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo. To preview the captive portal page, click preview_splash_page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.
Encryption	By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters: Key Management—Specify an encryption and authentication key. Passphrase format—Specify a passphrase format. Passphrase—Enter a passphrase. Retype—Retype the passphrase to confirm.
Key Management	Select Open or Enhanced Open from the drop-down list.
Advanced Settings
Captive Portal Proxy Server IP	Specify the IP address of the Captive Portal proxy server.
Captive Portal Proxy Server Port	Specify the port number of the Captive Portal proxy server.
MAC Authentication	Configure the following parameters: MAC Authentication—To enable MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch. Secondary Server—To add another server for authentication, configure another authentication server. Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients. To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
Reauth Interval	Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.
Accounting	Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.
Denylisting	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
Max Authentication Failures	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
Enforce DHCP	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
WPA3 Transition	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
Called Station ID Include SSID	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
Uppercase Support	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
Disable if uplink type is	To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s). For example, Ethernet, Wi-Fi, and 3G/4G.

1. Click Save Settings.

Configuring an External Captive Portal Splash Page Profile

You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles and associate these profiles with an SSID or a wired profile. You can configure up to eight external captive portal profiles.

When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNSDomain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

To configure an external captive portal profile, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under Security tab, in the Security Level, select Captive Portal.
7. Select the Splash Page type as External.
8. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.

9. Select a captive portal profile. To add a new profile, click + and configure the following parameters:

   Table 3: External Captive Portal Profile Configuration Parameters

   Data Pane Item	Description
   Name	Enter a name for the profile.
   Type	Select any one of the following types of authentication: Radius Authentication—Select this option to enable user authentication against a RADIUS server. Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
   IP or Hostname	Enter the IP address or the host name of the external splash page server.
   URL	Enter the URL of the external captive portal server.
   Port	Enter the port number that is used for communicating with the external captive portal server.
   Use HTTPS	Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
   Captive Portal Failure	This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.
   Server Offload	Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
   Prevent Frame Overlay	Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.
   Automatic URL Allowlisting	On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically allowlisted.
   Auth Text	If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.
   Redirect URL	Specify a redirect URL if you want to redirect the users to another URL.

10. Click Save.
11. On the external captive portal splash page configuration page, specify encryption settings if required.

12. Specify the following authentication parameters under Advanced Settings:

    • MAC Authentication—To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
    • Primary Server—Sets a primary authentication server.
      • To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
      • To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
    • Secondary Server—To add another server for authentication, configure another authentication server.
    • Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
13. If required, under Walled Garden, create a list of domains that are denylisted and also a allowlist of websites that the users connected to this splash page profile can access.
14. To exclude uplink, select an uplink type.

15. If MAC authentication is enabled, you can configure the following parameters:

    • Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
    • Uppercase Support—Turn on the toggle switch to enable to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
16. Configure the Reauth Interval. Specify a value for Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
17. If required, enable denylisting. Set a threshold for denylisting clients based on the number of failed authentication attempts.
18. Click Save Settings.

Associating a Cloud Guest Splash Page Profile to a Guest SSID

To use the Cloud Guest splash page profile for the guest SSID, ensure that the Cloud Guest splash Page profile is configured through the Guest Access app.

To associate a Cloud Guest splash page profile to a guest SSID, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Security tab.
   1. Under Splash Page, select Cloud Guest from the Captive Portal Type drop-down list.
   2. Select the splash page profile name from the Guest Captive Portal Profile list, and then click Next.
   3. To enable encryption, turn on the Encryption toggle switch and configure the following encryption parameters:
   4. Key Management—Specify an encryption and authentication key.
   5. Passphrase format—Specify a passphrase format.
   6. Passphrase—Enter a passphrase.
   7. Retype—Retype the passphrase to confirm.
   8. To exclude uplink, expand Disable if uplink type is and select an uplink type. For example, Ethernet, Wi-Fi, and 3G/4G.
   9. Click Next.
7. Click Save Settings.

Configuring ACLs for Guest User Access

To configure access rules for a guest network, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select any of the following types of access control:
   • Unrestricted—Select this to set unrestricted access to the network.
   • Network Based—Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
   • Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
   • Click Save.
   • Role Based—Select Role Based to enable access based on user roles.

For role-based access control, complete the following steps:

1. To create a user role:
   1. Click +Add Role in Role pane.
   2. Enter a name for the new role and click OK.
2. To create access rules for a specific user role:
   1. Click +Add Rule in Access Rules for Selected Roles, and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
   2. Click Save.
3. To create a role assignment rule:
   1. Under Role Assignment Rules, click +Add Role Assignment. The New Role Assignment Rule pane is displayed.
   2. Select appropriate options in Attribute, Operator, String, and Role fields.
   3. Click Save.
4. To assign pre-authentication role, select the Assign Pre-Authentication Role check-box and select a pre-authentication role from the drop-down list.
5. Click Save Settings.

Configuring Captive Portal Roles for an SSID

You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication enabled. You can configure rules to provide access to an external captive portal, internal captive portal, so that some of the clients using this SSID can derive the captive portal role.

The following conditions apply to the 802.1X and captive portal authentication configuration:

• If captive portal settings are not configured for a user role, the captive portal settings configured for an SSID are applied to the client's profile.
• If captive portal settings are not configured for a SSID, the captive portal settings configured for a user role are applied to the client's profile.
• If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are applied to the profile of the client.

To create a captive portal role for the Internal and External splash page types:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based.
8. Click +Add Rule in Access Rules for Selected Roles.

9. In the Add Rules window, specify the following parameters.

   Table 4: Access Rule Configuration Parameters

   Data Pane Item	Description
   Rule Type	Select Captive Portal from the drop-down list.
   Splash Page Type	Select a splash page type from the drop-down list.
   Internal	If Internal is selected as Splash Page Type drop-down list, complete the following steps: Top banner title—Enter a title for the banner. To preview the page with the new banner title, click Preview splash page. Header fill color—Specify a background color for the header. Welcome text—To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters. Policy text—To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters. Page fill color—To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette. Redirect URL—To redirect users to another URL, specify a URL in Redirect URL. Logo image—To upload a custom logo, click Choose Fileto upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo. To preview the captive portal page, click preview_splash_page.
   External	If External is selected as Splash Page Type drop-down list, complete the following steps: Captive Portal Profile—Select a profile from the drop-down list. To create a profile, click the + icon and enter the following information in the External Captive Portal window. Name Authentication Type—From the drop-down list, select either RADIUS Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to returned by the external server after a successful user authentication). IP OR Hostname—Enter the IP address or the hostname of the external splash page server. URL—Enter the URL for the external splash page server. Port—Enter the port number for communicating with the external splash page server. Captive Portal Failure—This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. From the drop-down list, select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available. Automatic URL Allowlisting—Turn on the toggle switch to enable or disable automatic allowlisting of URLs. On selecting this for the external captive portal authentication, the URLs allowed for the unauthenticated users to access are automatically allowlisted. The automatic URL allowlisting is disabled by default. Server offload—Turn on the toggle switch to offload the server. Prevent Frame Overlay—Turn on the toggle switch to prevent frame overlay. Use VC IP in Redirect URL—Turn on the toggle switch to use the virtual controller IP address as a redirect URL. Auth TEXT—Indicates the authentication text returned by the external server after a successful user authentication. Redirect URL—Specify a redirect URL to redirect the users to another URL. To edit a profile, click the edit icon and modify the parameters in the External Captive Portal window.

10. Click Save. The enforce captive portal rule is created and listed as an access rule.
11. Click Save Settings.

The client can connect to this SSID after authenticating with user name and password. After the user logs in successfully, the captive portal role is assigned to the client.

Disabling Captive Portal Authentication

To disable captive portal authentication, perform the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed.

5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under Security tab, in the Security Level, select Captive Portal.
7. Under Splash Page, select None from the Captive Portal Type drop-down list.
8. Click Save Settings.