Here is a short overview of how to configure a basic wireless guest portal on an IdentiFi Wireless Appliance.
The screenshots are from a C5110 running V9.21.02.0014.
Network diagram:
Click "Configure" for the DHCP advanced options to set:
- DNS
- Gateway
- IP Range
2) Create Roles
Add a new role for the unauthenticated guest users (= clients that are connected to the SSID but haven't registered yet via the guest portal page).
Set "access control" to "Containment VLAN" and in the field "VLAN" choose the topology that was created in step 1).
In "Policy Rules" add the following rules to allow certain services to redirect the clients to the portal page.
- the IP of the topology = to access the portal page
- DHCP = for clients to get an IP from the DHCP server
- DNS = to allow name resolution; clients are redirected to the portal only if name resolution is allowed
- The reverse direction of the traffic
- Deny all as the last rule
!!! In/Out must be set correctly, and the checkmark must be removed from AP filtering !!!
In this scenario it would look like…
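As an added illustration (not from the original post and not the controller's own configuration format), the following Python sketch models the non-authenticated role's rule list and checks it against the requirements listed above. It assumes rules are evaluated top-down with the first match winning; the portal address 10.12.5.1 and the sample remote addresses are constructed.

```python
import ipaddress

# Constructed addressing: the page only says guests receive 10.12.5.X;
# the portal (topology) address is an assumption for this sketch.
PORTAL_IP = ipaddress.ip_address("10.12.5.1")
ANY = None

# (action, directions, protocol, remote address, remote port), top-down.
# "out" = client to network, "in" = the reverse direction.
NON_AUTH_RULES = [
    ("allow", {"in", "out"}, ANY, PORTAL_IP, ANY),   # portal page
    ("allow", {"in", "out"}, "udp", ANY, 67),        # DHCP
    ("allow", {"in", "out"}, "udp", ANY, 53),        # DNS
    ("deny",  {"in", "out"}, ANY, ANY, ANY),         # deny all, last
]

def evaluate(rules, direction, proto, remote_ip, remote_port):
    """Return the action of the first matching rule (implicit deny if none)."""
    remote_ip = ipaddress.ip_address(remote_ip)
    for action, dirs, r_proto, r_ip, r_port in rules:
        if (direction in dirs
                and r_proto in (ANY, proto)
                and r_ip in (ANY, remote_ip)
                and r_port in (ANY, remote_port)):
            return action
    return "deny"

def audit(rules):
    """List what is missing for the portal redirect to work before login."""
    problems = []
    required = {
        "portal page": ("tcp", str(PORTAL_IP), 80),
        "DHCP": ("udp", "255.255.255.255", 67),
        "DNS": ("udp", "192.0.2.53", 53),   # constructed resolver address
    }
    for name, (proto, ip, port) in required.items():
        for direction in ("out", "in"):
            if evaluate(rules, direction, proto, ip, port) != "allow":
                problems.append(f"{name} blocked ({direction})")
    if not rules or rules[-1] != ("deny", {"in", "out"}, ANY, ANY, ANY):
        problems.append("last rule is not deny all")
    # Anything else must stay blocked until the guest registers.
    if evaluate(rules, "out", "tcp", "198.51.100.10", 443) != "deny":
        problems.append("non-portal traffic allowed before login")
    return problems
```

An empty list from `audit(NON_AUTH_RULES)` means the modelled role lets an unregistered client reach DHCP, DNS and the portal in both directions while everything else stays denied.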
Add a new role for the authenticated guest users (= clients that are registered via the guest portal with a username/password).
Set "access control" to "Containment VLAN" and in the field "VLAN" choose the topology that was created in step 1).
In this example we allow all traffic to pass so there is no need to add rules in "Policy Rules".
!!! If you'd like to deny certain services, add deny rules. !!!
3) Create a WLAN Service
- Set the "Default Topology" to your guest portal topology
- Select the AP that should provide the guest SSID
- In the advanced options it might be a good idea to select "Block MU to MU traffic" = traffic between guest clients is denied
Set the "Mode" to "Guest Portal"
Enable "WMM", "802.11e" and "Flexible Client Access"
4) Create a Virtual Network
Add a new VNS and select the "WLAN Service" from 3) and the "Non-Authenticated" and "Authenticated" roles from 2).
6) Test
- Connect the wireless client to the guest_portal SSID
- Check the > Reports > Clients > By VNS > guest portal
○ You should see that the client has an IP of 10.12.5.X and is unauthenticated (= the lock on the left is open/grey)
- Open a web browser and put in any valid webpage address
!!! HTTP only; by default HTTPS is not allowed !!!
- You should get redirected to the captive portal webpage of the controller
- Put in the username and password and you should have access to the internet
- Check the > Reports > Clients > By VNS > guest portal
○ You should see that the client is now authenticated (= lock on the left closed/green)