Configuring Wired Networks for Guest Users on IAPs

Instant Access Points (IAPs) support the captive portal authentication method, in which a web page is presented to guest users when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The page prompts the guest users to authenticate, or to accept the usage policy and terms, before any other traffic is permitted. Captive portals are common at Wi-Fi hotspots and can be used to control wired access as well.

The captive portal solution for an IAP cluster works as follows.

IAP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any other non-employee users who need to use the enterprise network. Administrators can also create guest accounts and customize the captive portal page with an organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, devices that connect to the guest SSID or guest wired port are placed in an initial (pre-authentication) role and receive IP addresses. When a guest user then requests a URL over HTTP or HTTPS, the captive portal page prompts the user to authenticate with a user name and password (or, for an acknowledged portal, to accept the terms). Until that happens, the initial role restricts the client to the traffic needed to reach the portal.

Splash Page Profiles

IAPs support the following types of splash page profiles:

  • Internal Captive Portal—Select this splash page to host the captive portal on the IAP's internal server. The internal captive portal supports the following types of authentication:
    • Internal Authenticated—When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
    • Internal Acknowledged—When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
  • External Captive Portal—Select this splash page to use an external portal hosted in the cloud or on a server outside the enterprise network for authentication.

Creating a Wired Network Profile for Guest Users

To create a wired port profile for guest access, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Interfaces tab.

    The Interfaces page is displayed.

  6. Click the Wired accordion.
  7. To create a new wired port profile, click + Add Port Profile.

    The Create a New Network pane is displayed.

  8. Under General, enter the following information:
    1. Name—Enter a name for the profile.
    2. Ports—Select the port(s) from the drop-down list.
  9. Click Next to configure the VLAN settings.

    The VLANs details are displayed.

  10. In the VLANs tab, select the port mode from the Mode drop-down list.
  11. Select one of the following options for Client IP Assignment:

Table 1: VLANs Parameters

Instant AP assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When Virtual Controller assignment is used, the source IP address of all client traffic that leaves through this interface is translated to the Virtual Controller's address, so upstream firewalls and logs see the Virtual Controller rather than the individual guest client; account for this when writing upstream rules or correlating logs. The Virtual Controller can also assign a guest VLAN to a wired client.

If this option is selected, specify one of the following options in Client VLAN Assignment:

  • Default—Assigns the client to the native VLAN of the network.
  • Custom—Assigns the client to a specific VLAN, or a range of VLANs, that you specify.

External DHCP server assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required. Guest clients then sit directly on that upstream VLAN, so make sure it is a VLAN dedicated to guest traffic.

Configuring an Internal Captive Portal Splash Page Profile

To configure an internal captive portal profile, complete the following steps:

  1. In the Security page, set the button on the Security Level sliding bar to Visitors and configure the following parameters:

    Table 2: Internal Captive Portal Configuration Parameters

    Type: Select one of the following from the drop-down list:

    • Internal Captive Portal—The splash page is hosted on the IAP. With Authenticated selected under Captive Portal Location, guest users must sign in on the captive portal page with credentials that already exist in the user database before they can access the Internet; with Acknowledged selected, they only need to accept the terms and conditions.
    • External Captive Portal—The splash page is hosted on an external server. You must enter the external captive portal server details (IP address or host name and port) and complete the Walled Garden and Advanced sections.

    Captive Portal Location: Select Acknowledged or Authenticated from the drop-down list.

    Customize Captive Portal: Splash page properties:

    • Policy Text—Enter the usage policy text to display on the splash page.
    • Top Banner Title—Enter a title for the banner. To preview the page with the new banner title, click Preview Splash Page.
    • Header Fill Color—Specify a background color for the header.
    • Welcome Text—To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
    • Page Fill Color—To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
    • Redirect URL—To redirect users to another URL after they pass the portal, specify a URL in Redirect URL.
    • Logo Image—To upload a custom logo, click Choose File, browse to the image file, and click Upload Logo. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo.

    To preview the captive portal page, click Preview Splash Page.

    Primary Server: Select the authentication server type from the drop-down list.

    Users: Create and manage users for the captive portal network. Only registered users of type Guest or Employee can access this network. Click Manage Users to view the existing user names and user types. Click + Add User to add a new user, enter the required fields, and select Guest or Employee from the Type drop-down list.

    Advanced Settings > MAC Authentication: To enable MAC address based authentication for the Personal and Open security levels, turn on the MAC Authentication toggle switch.

    Advanced Settings > Called Station ID Type: Select the value that the IAP sends to the authentication server as the RADIUS Called-Station-Id attribute; pick the one that your server's policies key on:

    • Access Point Group—Uses the VC ID as the called station ID.
    • Access Point Name—Uses the host name of the IAP as the called station ID.
    • VLAN ID—Uses the VLAN ID as the called station ID.
    • IP Address—Uses the IP address of the IAP as the called station ID.
    • MAC address—Uses the MAC address of the IAP as the called station ID.

    NOTE: The Called Station ID Type can be configured even if Use IP for Calling Station ID is disabled.

    Advanced Settings > Use IP for Calling Station ID: Turn on the toggle to send the client IP address, instead of the client MAC address, as the calling station ID.

    Advanced Settings > Reauth Interval: Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    Advanced Settings > Walled Garden > Disable If Uplink Type Is: Select an uplink type for which the walled garden is disabled.

  2. Click Save Settings.
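The Called Station ID Type and Use IP for Calling Station ID settings above only change two attributes of the RADIUS Access-Request that the IAP sends for MAC authentication or for a portal login, but those two attributes are what a RADIUS policy keys on. The following added example (not Aruba code) builds and decodes such a request by hand per RFC 2865 so the effect of each option is visible. The IAP identity values, the hyphenated upper-case MAC format, and the MAC-as-username convention for MAC authentication are assumptions for illustration; confirm the exact formats against your RADIUS server's request log.

```python
"""Hand-built RADIUS Access-Request (RFC 2865) showing what an IAP sends
for MAC authentication or a captive-portal (PAP) login, depending on the
Called Station ID Type and Use IP for Calling Station ID settings.
Added example, not Aruba code; value formats are assumptions."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4,
        "Called-Station-Id": 30, "Calling-Station-Id": 31}

# Hypothetical IAP identity, one value per 'Called Station ID Type' option.
IAP = {"vc_id": "vc-guest-01", "name": "iap-lobby-1", "vlan": 100,
       "ip": "10.10.0.5", "mac": "00:0b:86:aa:bb:cc"}


def fmt_mac(mac):
    """Assumed on-the-wire MAC format: hyphenated, upper case."""
    return mac.replace(":", "-").upper()


def called_station_id(iap, id_type):
    """Value sent in Called-Station-Id for each option listed on this page."""
    return {"Access Point Group": iap["vc_id"],
            "Access Point Name": iap["name"],
            "VLAN ID": str(iap["vlan"]),
            "IP Address": iap["ip"],
            "MAC address": fmt_mac(iap["mac"])}[id_type]


def calling_station_id(client_mac, client_ip, use_ip):
    """'Use IP for Calling Station ID' replaces the client MAC with its IP."""
    return client_ip if use_ip else fmt_mac(client_mac)


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext, secret, authenticator):
    """Server side of pap_encrypt; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, attrs, authenticator=None):
    """Serialise header, Request Authenticator and the TLV attribute list."""
    authenticator = authenticator or os.urandom(16)
    body = b""
    for name, value in attrs.items():
        if name == "NAS-IP-Address":
            raw = bytes(int(octet) for octet in value.split("."))
        elif name == "User-Password":
            raw = pap_encrypt(value.encode(), secret, authenticator)
        else:
            raw = value.encode()
        body += struct.pack("!BB", ATTR[name], len(raw) + 2) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Decode the TLV list back into {name: bytes} for inspection."""
    names = {v: k for k, v in ATTR.items()}
    pos, result = 20, {}
    while pos < len(packet):
        typ, length = struct.unpack("!BB", packet[pos:pos + 2])
        result[names.get(typ, typ)] = packet[pos + 2:pos + length]
        pos += length
    return result


def mac_auth_request(client_mac, client_ip, id_type, use_ip, secret=b"s3cret"):
    """MAC authentication: the client MAC is both User-Name and password (assumed format)."""
    mac_user = client_mac.replace(":", "").lower()
    return build_access_request(secret, 7, {
        "User-Name": mac_user, "User-Password": mac_user,
        "NAS-IP-Address": IAP["ip"],
        "Called-Station-Id": called_station_id(IAP, id_type),
        "Calling-Station-Id": calling_station_id(client_mac, client_ip, use_ip)})


def portal_login_request(username, password, client_mac, client_ip, id_type,
                         use_ip, secret=b"s3cret"):
    """Captive portal login: splash-page credentials forwarded as PAP."""
    return build_access_request(secret, 8, {
        "User-Name": username, "User-Password": password,
        "NAS-IP-Address": IAP["ip"],
        "Called-Station-Id": called_station_id(IAP, id_type),
        "Calling-Station-Id": calling_station_id(client_mac, client_ip, use_ip)})


if __name__ == "__main__":
    pkt = mac_auth_request("aa:bb:cc:dd:ee:ff", "10.10.5.20", "Access Point Name", False)
    for name, value in parse_attributes(pkt).items():
        print(f"{name:18} {value!r}")
```

Run it once per Called Station ID Type option and compare the Called-Station-Id bytes with what your RADIUS policy expects; a mismatch here (for example a policy written for the AP name while the IAP is set to send the VC ID) silently fails every guest login.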

Configuring an External Captive Portal Splash Page Profile

You can configure external captive portal profiles and associate them with a user role, an SSID, or a wired profile. You can create a set of captive portal profiles in the Security > External Captive Portal data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles.

When the captive portal profile is associated with an SSID or wired profile, it is applied before user authentication. If the profile is associated with a role, it is applied only after user authentication. In either case, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest (pre-authentication) role allows only DNS and DHCP traffic between the client and the network and redirects all HTTP or HTTPS requests to the captive portal unless the destination is explicitly permitted in the walled garden. Because DNS is permitted before authentication, keep the walled garden allowlist as small as possible and review the pre-authentication role's access rules so that only the traffic needed to reach the portal is permitted.

To configure an external captive portal profile, complete the following steps:

  1. In the Security page, set the button on the Security Level sliding bar to Visitors and configure the following parameters:

    Table 3: External Captive Portal Profile Configuration Parameters

    Name: Enter a name for the profile.

    Authentication Type: Select one of the following types of authentication:

    • RADIUS Authentication—Select this option to authenticate users against a RADIUS server.
    • Authentication Text—Select this option to authenticate by a text string: the IAP treats the user as authenticated when the external server returns the configured text after a successful login. Treat this string as a shared secret between the IAP and the portal server.

    IP or Hostname: Enter the IP address or the host name of the external splash page server.

    URL: Enter the URL of the external captive portal server.

    Port: Enter the port number used for communicating with the external captive portal server.

    Use HTTPS: Select this to require clients to use HTTPS when communicating with the captive portal server. This option is available only if RADIUS Authentication is selected.

    Captive Portal Failure: Configures Internet access for guest users when the external captive portal server is not available. Select Deny Internet to block guest users until the server is reachable again (fail closed), or Allow Internet to let them use the network without authenticating (fail open). Allow Internet trades authentication for availability; choose it deliberately.

    Server Offload: Select the check box to enable server offload. This ensures that non-browser client applications (such as automatic connectivity checks) are not unnecessarily redirected to the external captive portal server, reducing the load on that server.

    Prevent Frame Overlay: Select this check box to prevent the splash page from being displayed inside a frame belonging to another domain. When enabled, frames display only pages that are in the same domain as the main page, which protects the login page against clickjacking.

    Automatic URL Allowlisting: When enabled for external captive portal authentication, the URLs that unauthenticated users are allowed to access are allowlisted automatically.

    Auth Text: Specify the authentication text that the external server returns after successful authentication. This option is available only if Authentication Text is selected.

    Use VC IP in Redirect URL: Includes the IP address of the Virtual Controller in the redirect URL when external captive portal servers are used. This option is disabled by default.

    Redirect URL: Specify a redirect URL if you want to send users to another URL after they have passed the portal.

  2. Click OK.
  3. Specify the following authentication parameters in Advanced Settings:
    • MAC Authentication—To enable MAC address based authentication for the Personal and Open security levels, turn on the MAC Authentication toggle switch.
    • Primary Server—Sets the primary authentication server.
      • To use the internal server, select Internal server and add the users who must authenticate against the internal RADIUS server. Click Users to add the users.
      • To add a new external server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.
    • Cloud Auth—To use an additional authentication server, configure another server here.
  4. If required, under Walled Garden, create a denylist of domains that users connected to this splash page profile cannot reach, and an allowlist of websites that they can reach before authenticating.
  5. If required, under Disable If Uplink Type Is, select an uplink type for which the walled garden is disabled.
  6. Configure the Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
  7. If required, enable denylisting and set the threshold of failed authentication attempts after which a client is denylisted.
  8. Click Next.

    The Access page is displayed.
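The settings in this procedure (walled garden allowlist and denylist, Captive Portal Failure, Server Offload, Use VC IP in Redirect URL, and the denylist threshold) interact when an unauthenticated guest sends traffic. The following added example (not Aruba code) simulates the pre-authentication role described above for one wired guest client so the combined effect can be checked offline: DNS and DHCP pass, walled-garden destinations pass, other HTTP or HTTPS requests are redirected to the portal, and everything else is dropped. The profile field names, the redirect query parameters, the browser-detection rule, and the sample traffic are constructed for illustration; what the IAP actually returns to an offloaded non-browser client is an assumption.

```python
"""Pre-authentication guest role simulator for a wired guest profile with an
external captive portal. Added example, not Aruba code; field names, query
parameters and sample traffic are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlencode


@dataclass
class PortalProfile:
    server: str                    # "IP or Hostname" of the external portal
    port: int = 443                # "Port"
    url: str = "/guest/login"      # "URL"
    use_https: bool = True         # "Use HTTPS"
    fail_open: bool = False        # "Captive Portal Failure": True = Allow Internet
    server_offload: bool = True    # "Server Offload"
    auto_allowlist: bool = True    # "Automatic URL Allowlisting" (portal host assumed)
    walled_garden_allow: set = field(default_factory=set)
    walled_garden_deny: set = field(default_factory=set)
    denylist_threshold: int = 5    # failed logins before the client is denylisted


@dataclass
class Client:
    mac: str
    authenticated: bool = False
    failed_auths: int = 0
    denylisted: bool = False


BROWSER_PREFIXES = ("Mozilla/",)   # crude browser test, assumption for the simulation


def redirect_url(profile, client, original_url, vc_ip=None):
    """Location handed to an unauthenticated browser. Parameter names are
    hypothetical; vc_ip is only added when 'Use VC IP in Redirect URL' is on."""
    scheme = "https" if profile.use_https else "http"
    params = {"mac": client.mac, "url": original_url}
    if vc_ip:
        params["vc_ip"] = vc_ip
    return f"{scheme}://{profile.server}:{profile.port}{profile.url}?{urlencode(params)}"


def evaluate(profile, client, proto, dest_host, portal_reachable=True,
             user_agent="Mozilla/5.0", original_url=None, vc_ip=None):
    """Decide what happens to one flow; returns (action, detail)."""
    if client.denylisted:
        return "drop", "client is denylisted"
    if client.authenticated:
        return "allow", "post-authentication role"
    if proto in ("dns", "dhcp"):
        return "allow", f"{proto} permitted before authentication"
    if proto not in ("http", "https"):
        return "drop", "pre-auth role permits only DNS, DHCP and web traffic"
    if dest_host in profile.walled_garden_deny:
        return "drop", "walled garden denylist"
    if dest_host in profile.walled_garden_allow or (
            profile.auto_allowlist and dest_host == profile.server):
        return "allow", "walled garden allowlist"
    if not portal_reachable:
        if profile.fail_open:
            return "allow", "portal unreachable and Allow Internet set (fail open)"
        return "drop", "portal unreachable and Deny Internet set (fail closed)"
    if profile.server_offload and not user_agent.startswith(BROWSER_PREFIXES):
        # Assumption: the IAP answers non-browser probes itself rather than
        # sending them to the external server.
        return "local", "server offload: non-browser client not redirected"
    target = original_url or f"{proto}://{dest_host}/"
    return "redirect", redirect_url(profile, client, target, vc_ip)


def record_auth_result(profile, client, success):
    """Apply the denylist threshold; returns True once the client is denylisted."""
    if success:
        client.authenticated = True
        client.failed_auths = 0
    else:
        client.failed_auths += 1
        if client.failed_auths >= profile.denylist_threshold:
            client.denylisted = True
    return client.denylisted


if __name__ == "__main__":
    profile = PortalProfile(server="portal.example.net",
                            walled_garden_allow={"www.example.org"},
                            walled_garden_deny={"blocked.example"})
    guest = Client(mac="aa:bb:cc:dd:ee:ff")
    for flow in [("dns", "resolver.local"), ("https", "www.example.org"),
                 ("https", "blocked.example"), ("http", "news.example.com"),
                 ("ssh", "10.0.0.1")]:
        print(flow, evaluate(profile, guest, *flow))
```

Toggle `fail_open` and `portal_reachable` together to see the difference between Deny Internet and Allow Internet: with Allow Internet, a portal outage is indistinguishable from a successful login as far as the guest's network access is concerned.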

Configuring ACLs for Guest User Access

To configure access rules for a guest network, complete the following steps:

  1. Under Access, select one of the following types of access control:
    • Role Based—Select Role Based on the sliding bar to enable access based on user roles. For role-based access control, complete the following steps:
      • Create a user role:
      1. Click + Add Role in the Role pane.
      2. Enter a name for the new role and click OK.
      • Create access rules for a specific user role:
      1. Click + Add Rule and select the appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
      2. Click OK.
      • Create a role assignment rule:
      1. Under Role Assignment Rule, click + Add Role Assignment. The New Role Assignment Rule pane is displayed.
      2. Select the appropriate options in the Attribute, Operator, String, and Role fields.
      3. Click Save.
    • Network Based—Select Network Based on the sliding bar to set common rules for all users in a network. By default, the Allow any to all destinations access rule is enabled, which permits traffic to every destination, including internal networks. For a guest network, add rules that deny access to internal subnets ahead of that default rule, since rules are applied in the order listed. To define an access rule, complete the following steps:
      1. Click + Add Rule and select the appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
      2. Click OK.
    • Unrestricted—Select this to allow unrestricted access to the network.
  2. For all access control types, you can enable Downloadable Role. Downloadable roles function only when a RADIUS server is configured for the selected wired profile. For more information, see Configuring Downloadable Roles.
  3. Select Assign Pre-Authentication Role and select the role to assign from the drop-down list.
  4. Select Enforce Machine Authentication to require machine authentication for the assigned role.
  5. Select Enforce MAC Auth Only Role to enforce MAC authentication for the assigned role.
  6. Click Next.

    The Summary page is displayed.
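The access section above combines two first-match evaluations: a role assignment rule (Attribute, Operator, String, Role) picks the role from what the authentication server returned, and that role's access rules (Service, Action, Destination) decide each flow. The following added example (not Aruba code) models both so a rule set can be checked before it is saved, and in particular shows why the default Allow any to all destinations rule is a poor fit for guests. The operators, the rule tuple layout, the implicit deny at the end of an access list, the RADIUS attribute names in the sample rules and the sample subnets are assumptions built on the field names this page uses.

```python
"""Role assignment and role-based access rules, evaluated first-match.
Added example, not Aruba code; operators, rule layout, the implicit deny
and the sample rules below are assumptions."""
import ipaddress

OPERATORS = {
    "equals": lambda value, string: value == string,
    "not-equals": lambda value, string: value != string,
    "contains": lambda value, string: string in value,
    "starts-with": lambda value, string: value.startswith(string),
    "ends-with": lambda value, string: value.endswith(string),
}


def assign_role(rules, attributes, default_role):
    """First matching (attribute, operator, string, role) rule wins."""
    for attribute, operator, string, role in rules:
        value = attributes.get(attribute)
        if value is not None and OPERATORS[operator](str(value), string):
            return role
    return default_role


def check_access(acl, service, dest_ip):
    """First matching (service, action, destination) rule decides; destination
    is 'any' or a CIDR string. Assumption: implicit deny when nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    for rule_service, action, destination in acl:
        if rule_service not in (service, "any"):
            continue
        if destination != "any" and ip not in ipaddress.ip_network(destination):
            continue
        return action
    return "deny"


PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample roles. 'guest-default' keeps the page's default
# 'Allow any to all destinations' rule; 'guest' denies RFC 1918 space first
# and then permits only the services a guest needs.
ROLES = {
    "guest-default": [("any", "allow", "any")],
    "guest": [("any", "deny", net) for net in PRIVATE]
             + [("dns", "allow", "any"), ("http", "allow", "any"), ("https", "allow", "any")],
    "contractor": [("any", "deny", "10.0.10.0/24"), ("any", "allow", "any")],
}

# Constructed role-assignment rules keyed on RADIUS reply attributes.
ASSIGNMENT_RULES = [
    ("Aruba-User-Role", "equals", "contractor", "contractor"),
    ("Filter-Id", "ends-with", "-guest", "guest"),
]


def decide(radius_reply, service, dest_ip, default_role="guest-default"):
    """Pick the role for this client, then evaluate one flow under it."""
    role = assign_role(ASSIGNMENT_RULES, radius_reply, default_role)
    return role, check_access(ROLES[role], service, dest_ip)


if __name__ == "__main__":
    for reply in ({}, {"Filter-Id": "wired-guest"}, {"Aruba-User-Role": "contractor"}):
        print(reply, decide(reply, "smb", "10.0.10.5"), decide(reply, "https", "93.184.216.34"))
```

The first row of the output is the point of the example: a client that falls through to `guest-default` reaches an internal file server because the default rule allows everything, while the `guest` role denies it and still allows web and DNS traffic to the Internet.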

Viewing Wired Port Profile Summary

In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Finish to complete the network profile creation.