1 ACCEPTED SOLUTION
Sorry Adam, I missed that you were using Classic. In Classic you'll want to leave the SSID on PPSK like you have it, then save that so you're looking at the Network policy page again. You should see a place to add "PSK User Groups", click on this and select both of the user groups you've made, one for internal and one for guest users.
Something to keep in mind, to make this work, each user group will need to be using a different attribute. When you open the group object check the "User Profile Attribute" that this group is using. Remember what the attribute is for the internal and guest users, you'll need to match these later.
Then you'll want to click on User Profile where you will see two tabs on the left hand side: Default and Authentication. The Default user profile will be for your internal users. Make sure that the default user profile is using the same attribute number as the internal user group object. The Authentication user profile will be for your guest users, and you can add the Guest Internal Access Only firewall object here as well if you'd like but expanding Firewall and choosing this object from the drop down menu under IP Firewall Policy> From-Access. Make sure the guest user profile is using the same attribute number as the guest user group.
Once you save both of the user profiles, you should see on the Network policy page that you have one SSID, two user groups, and two user profiles. When your internal users connect to the SSID, they will be assigned to the default user profile based on their user group attribute. When the guests connect they will be assigned to the guest user profile based on their user group attribute.
Does that help clear it up?
You could have both your internal users and your guest users connect to the 2.Connect SSID by adding both user groups to this SSID. Then, to give your guest users different permissions than your internal users, you would want to click the box next to "Apply a different user profile to various clients and user groups" in the PPSK SSID.
You'll want to make a different user profile for your guest users to connect to. I would suggest using the default IP Firewall object in the user profile called "Guest Internet Access Only" which will block the guest users from accessing internal resources but still allow them internet access.
Once you've made this second user profile, you'll want to make a new assignment rule so we can move guests to this user profile.
You have several options for what kind of assignment rule to make, I would recommend "User Group" for your case, and then select your guest user group from the menu. Save the rule once you are finished.
The end result of this set up will be that your internal users and guest users will use the SSID "Connect". When your internal users connect to this SSID, they will be given the default user profile and have the same access as before. Guest users will still have to register with the open SSID, but when your guest users connect to this SSID, they will be given the secondary user profile and will have to abide by those rules as long as they are connected.
Does that sound like what you're looking for?
