topic Re: Guest WiFi - is there any way to secure it? in Aerohive Migrated Content

Guest WiFi - is there any way to secure it?

agroch — Sat, 15 Sep 2018 00:33:50 GMT

I wonder is there is a better way to expose Guest wifi. Currently we use self registration with registration period of 2 hours and scheduled to turn off that SSID at night. I know there is a way to do it with social login, but this is not the best option.

Is there a way for guest to somehow request a temporary key instead which is revoked after 2 hours for example?

Re: Guest WiFi - is there any way to secure it?

agroch — Sat, 15 Sep 2018 00:54:35 GMT

I have found this

https://thehivecommunity.aerohive.com/s/article/Self-Registration-PPSK-SSID-in-Hivemanager

but:

WiFi-End-Users register via this CWP, and then receive Credentials for the PPSK-SSID.

Receiving credentials by email?

Re: Guest WiFi - is there any way to secure it?

samantha_lynn — Mon, 17 Sep 2018 19:44:59 GMT

If you're using PPSK, you can choose how the credentials are delivered (email or text message). You can set up a PPSK user group without using Self Registration so that the credentials are given out and only last a certain time period after the first log in. After that, you can have the credentials expire and delete themselves, or you can set up an option for renewal on the customers side if you'd like. Does that sound like what you're looking for?

Re: Guest WiFi - is there any way to secure it?

agroch — Mon, 17 Sep 2018 19:53:23 GMT

Thank you Sam,

"If you're using PPSK, you can choose how the credentials are delivered (email or text message)"

Ok lets imagine I use PPSK with self registration CWP and there is a place to provide email address. And based on that the key is sent to the person requesting to have access to Guest - correct. I don't fully understand "how the credentials are delivered".

It would be nice if those credentials are delivered automatically by Aerohive Classic.

Re: Guest WiFi - is there any way to secure it?

samantha_lynn — Mon, 17 Sep 2018 20:44:12 GMT

Exactly, so the connection work flow for the end user is that they connect to the registration SSID, which takes them to a CWP page to enter their information, including their email address. Once they've submitted their information, they will receive an email at the address they submitted when they registered with the credentials they will use to connect to the PPSK SSID set up for your self registration guests. It is an automatic process for the credentials to be delivered to the user once they've registered.

Here is an example of the user group settings I'm referencing:

Re: Guest WiFi - is there any way to secure it?

agroch — Mon, 17 Sep 2018 21:08:54 GMT

But when they connect to CWP portal they don't have to have any keys in order to connect to Guest SSID at first place - correct? Or they do have to have already some pre shared key?

Re: Guest WiFi - is there any way to secure it?

samantha_lynn — Mon, 17 Sep 2018 21:13:38 GMT

The open SSID that they connect to when they need to register does not allow access to any page other than that CWP. So they don't need any credentials to get to the page to enter their information. Once they've entered that information, they would connect to the PPSK SSID. If they tried to connect to the Open SSID for any reason other than to register, they won't be able to access any internal resources or external addresses at all.

Re: Guest WiFi - is there any way to secure it?

agroch — Mon, 17 Sep 2018 21:20:46 GMT

Thank Sam, I have better picture of it now. I have 3 SSIDs currently:

1.Secure - 802.1X

2.Connect - PPSK

3.Guest -CWP -open

2.Connect is used by our internal managed devices. What would be the best to add Guest PPSK users? I dont want to create 4th SSID (Guest authenticated with PPSK).

Ideally, would nice to use 3.Guest with CWP and then with PPSK but I am worried its not possible. So letting Guest users they will receive PPKS key and should connect either to 2.Connect WiFi or create 4th SSID (which may not be the best idea) - Any advice?

Re: Guest WiFi - is there any way to secure it?

agroch — Mon, 17 Sep 2018 21:44:43 GMT

I also wonder if there is any step by step guide how to create that. I found instructions for NG, but not for Classic.

https://thehivecommunity.aerohive.com/s/article/Employee-Approval-with-Self-Registration-SSID-in-NG

Re: Guest WiFi - is there any way to secure it?

samantha_lynn — Mon, 17 Sep 2018 21:50:29 GMT

You could have both your internal users and your guest users connect to the 2.Connect SSID by adding both user groups to this SSID. Then, to give your guest users different permissions than your internal users, you would want to click the box next to "Apply a different user profile to various clients and user groups" in the PPSK SSID.

You'll want to make a different user profile for your guest users to connect to. I would suggest using the default IP Firewall object in the user profile called "Guest Internet Access Only" which will block the guest users from accessing internal resources but still allow them internet access.

Once you've made this second user profile, you'll want to make a new assignment rule so we can move guests to this user profile.

You have several options for what kind of assignment rule to make, I would recommend "User Group" for your case, and then select your guest user group from the menu. Save the rule once you are finished.

The end result of this set up will be that your internal users and guest users will use the SSID "Connect". When your internal users connect to this SSID, they will be given the default user profile and have the same access as before. Guest users will still have to register with the open SSID, but when your guest users connect to this SSID, they will be given the secondary user profile and will have to abide by those rules as long as they are connected.

Does that sound like what you're looking for?

Re: Guest WiFi - is there any way to secure it?

agroch — Mon, 17 Sep 2018 22:04:46 GMT

Hmm I don't see that option in my 2.Connect SSID in Classic Aerohive:

Re: Guest WiFi - is there any way to secure it?

agroch — Mon, 17 Sep 2018 22:06:32 GMT

here is th epicture

Re: Guest WiFi - is there any way to secure it?

samantha_lynn — Mon, 17 Sep 2018 22:30:44 GMT

Sorry Adam, I missed that you were using Classic. In Classic you'll want to leave the SSID on PPSK like you have it, then save that so you're looking at the Network policy page again. You should see a place to add "PSK User Groups", click on this and select both of the user groups you've made, one for internal and one for guest users.

Something to keep in mind, to make this work, each user group will need to be using a different attribute. When you open the group object check the "User Profile Attribute" that this group is using. Remember what the attribute is for the internal and guest users, you'll need to match these later.

Then you'll want to click on User Profile where you will see two tabs on the left hand side: Default and Authentication. The Default user profile will be for your internal users. Make sure that the default user profile is using the same attribute number as the internal user group object. The Authentication user profile will be for your guest users, and you can add the Guest Internal Access Only firewall object here as well if you'd like but expanding Firewall and choosing this object from the drop down menu under IP Firewall Policy> From-Access. Make sure the guest user profile is using the same attribute number as the guest user group.

Once you save both of the user profiles, you should see on the Network policy page that you have one SSID, two user groups, and two user profiles. When your internal users connect to the SSID, they will be assigned to the default user profile based on their user group attribute. When the guests connect they will be assigned to the guest user profile based on their user group attribute.

Does that help clear it up?