Configuring Wired Networks for Guest Users on IAPs

Instant Access Points (IAPs) support the captive portalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centres, or Wi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. hotspotsHotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet.. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well.

The captive portal solution for an IAP cluster consists of the following:

• The captive portal web login page hosted by an internal or external server.
• The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication or user authentication against internal database of the AP.
• The SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. broadcast by the IAP.

The IAP administrators can create a wired or WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. through HTTPHypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection., the captive portal webpage prompts the user to authenticate with a user name and password.

Splash Page Profiles

IAPs support the following types of splash page profiles:

• Internal Captive portal—Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
  • Internal Authenticated—When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
  • Internal Acknowledged—When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
• External Captive portal—Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
• Cloud Guest—Select this splash page to use the cloud guest profile configured through the Guest Management tab.
• None—Select to disable the captive portal authentication.

For information on how to create splash page profiles, see the following sections:

• Creating a Wired Network Profile for Guest Users
• Configuring an Internal Captive Portal Splash Page Profile
• Configuring an External Captive Portal Splash Page Profile
• Disabling Captive Portal Authentication

Creating a Wired Network Profile for Guest Users

To create a wired SSID for guest access, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click Show Advanced.
5. Click the Interfaces tab.

   The Interfaces page is displayed.

6. Click the Wired accordion.
7. To create a new wired SSID profile, click +Add Port Profile.

   The Create a New Network pane is displayed.

8. Under General, enter the following information:
   1. Name—Enter a name.
   2. ports—Select port(s) form the drop-down list.
9. Click Next to configure the VLANs settings.

   The VLANsVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. details are displayed.

10. In the VLANs tab, select a type of mode from the Mode drop-down list.

11. Select any of the following options for Client IP Assignment:

    Table 1: VLANs Parameters

    Parameter	Description
    Instant AP assigned	Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client. If this option is selected, specify any of the following options in Client VLAN Assignment: Default—When the client VLAN must be assigned to the native VLAN on the network. Custom—To customize the client VLAN assignment to a specific VLAN, or a range of VLANs.
    External DHCP server assigned	Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.

Configuring an Internal Captive Portal Splash Page Profile

To configure internal captive portal profile, complete the following steps:

1. Open the guest SSID to edit and configure the following parameters in the Ports > Security page.

   Table 2: Internal Captive Portal Configuration Parameters

   Parameter	Description
   Captive Portal Type	Select any of the following from the drop-down list: Internal - Authenticated—When Internal Authenticated is selected, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database. Internal - Acknowledged—When Internal Acknowledged is selected, the guest users are required to accept the terms and conditions to access the Internet. External—When External is selected, the guest users are required to enter the proxy server details such as IP address and captive portal proxy server port details. Also enter the details in Walled Garden, and Advanced section. Cloud Guest—When Cloud Guest is selected, the guest users are required to select the Guest Captive Portal Profile. None—Select this option if you do not want to set any splash page.
   Captive Portal Location	Select Acknowledged or Authenticated from the drop-down list.
   Splash Page Properties	Policy text for which you are customizing the splash page design. Perform the following steps to customize the splash page design. Top Banner Title—Enter a title for the banner. To preview the page with the new banner title, click Preview Splash Page. Header fill color—Specify a background color for the header. Welcome Text—To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters. Policy Text—To change the policy text, click the second square in the splash page, enter the required text in the Policy Text box, and click OK. Ensure that the policy text does not exceed 255 characters. Page Fill Color—To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette. Redirect URL—To redirect users to another URL, specify a URL in Redirect URL. Logo Image—To upload a custom logo, click Upload, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete. To preview the captive portal page, click Preview splash page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.
   Encryption	By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters: Key Management—Specify an encryption and authentication key. Passphrase format—Specify a passphrase format. Passphrase—Enter a passphrase and retype to confirm.
   Authentication	Configure the following parameters: MAC Authentication—To enable MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch. Secondary Server—To add another server for authentication, configure another authentication server. Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients. To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
   Users	Create and manage users in the captive portal network. Only registered users of type Guest Employee will be able to access this network.
   Advanced Settings > MAC Authentication	To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
   Advanced Settings > Reauth Interval	Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.
   Advanced Settings > Denylisting	If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.
   Advanced Settings > Disable If Uplink Type Is	To exclude uplink, select an uplink type.

2. Click Save Settings.

Configuring an External Captive Portal Splash Page Profile

You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles.

When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNSDomain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

To configure an external captive portal profile, complete the following steps:

1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.

   The Create a New Network pane is displayed.

2. Under Security tab, in the Security Level, select Captive Portal and configure the following parameters under Splash Page:
3. Select the Splash Page type as External.
4. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.

5. Select a captive portal profile. To add a new profile, click + and configure the following parameters:

   Table 3: External Captive Portal Profile Configuration Parameters

   Data Pane Item	Description
   Name	Enter a name for the profile.
   Type	Select any one of the following types of authentication: Radius Authentication—Select this option to enable user authentication against a RADIUS server. Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
   IP or Hostname	Enter the IP address or the host name of the external splash page server.
   URL	Enter the URL of the external captive portal server.
   Port	Enter the port number that is used for communicating with the external captive portal server.
   Use HTTPS	Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
   Captive Portal Failure	This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.
   Server Offload	Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
   Prevent Frame Overlay	Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.
   Automatic URL Allowlisting	On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically allowlisted.
   Auth Text	If the External Authentication Splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.
   Redirect URL	Specify a redirect URL if you want to redirect the users to another URL.

6. Click Save.
7. On the external captive portal splash page configuration page, specify encryption settings if required.

8. Specify the following authentication parameters in Advanced Settings:

   • MAC Authentication—To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
   • Primary Server—Sets a primary authentication server.
     • To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
     • To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
   • Secondary Server—To add another server for authentication, configure another authentication server.
   • Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
9. If required, under Walled Garden, create a list of domains that are denylisted and also an allowlist of websites that the users connected to this splash page profile can access.
10. To exclude uplink, select an uplink type.

11. If MAC authentication is enabled, you can configure the following parameters:

    • Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
    • Uppercase Support—Turn on the toggle switch to enable, to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
12. Configure the Reauth Interval. Specify a value for Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
13. If required, enable denylisting. Set a threshold for denylisting clients based on the number of failed authentication attempts.
14. Click Save Settings.

Configuring ACLs for Guest User Access

To configure access rules for a guest network, complete the following steps:

1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.

   The Create a New Network pane is displayed.

2. Click the Access tab.
3. Under Access, select any of the following types of access control:
   • Unrestricted—Select this to set unrestricted access to the network.
   • Network Based—Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
     1. Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
     2. Click Save.
   • Role Based—Select Role Based to enable access based on user roles.

     For role-based access control:

     1. Create a user role:
        1. Click New in Role pane.
        2. Enter a name for the new role and click OK
     2. Create access rules for a specific user role:
        1. Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
        2. Click Save.
     3. Create a role assignment rule.
        1. Under Role Assignment Rule, click New. The New Role Assignment Rule pane is displayed.
        2. Select appropriate options in Attribute, Operator, String, and Role fields.
        3. Click Save.
4. Click Save Settings.

Disabling Captive Portal Authentication

To disable captive portal authentication, complete the following steps:

1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.

   The Create a New Network pane is displayed.

2. Click the Security tab.
3. Under Security, select None for Splash Page Type.
4. Click Save Settings.