How To Allow Secured Internet Access to Guest Users
Applicable Version: 10.02.0 Build 224 onwards
Applicable Models: Wi-Fi Models Only

Overview
Places like public hotspots and hotels have numerous Internet users that require temporary Internet access just for a few days or hours. Maintaining such users becomes quite a hassle for administrators. Furthermore, applying access restrictions upon these users is difficult.

Cyberoam allows the administrator to provide temporary access to Guest Users. This is mostly done via Wireless Guest Access Points by deploying a Wireless LAN (WLAN). A good guest access system ensures reliable and high-performance access to the Internet without the guest having to go through the hassle of reconfiguring his/her PC to connect to the WLAN.

A Guest Access Point must segregate internal and guest traffic to provide ironclad security for the organization’s LAN and servers. Since guest access is provisioned on the same network infrastructure carrying internal traffic, this is a significant challenge.

Scenario
Create a Wireless Access Point and allow controlled Internet access to Guest Users.

Configuration
Configuration is to be done from the Cyberoam Web Admin Console using a profile having read-write administrative rights over relevant features. This configuration consists of two (2) parts:
1. Configure Access Point for Guest User
2. Configure Guest User Authentication

Configure Access Point for Guest User

Step 1: Create Guest Zone
Go to Network > Interface > Zone and click Add to create a new zone using parameters given below.
Parameter Description
Parameter | Value | Description
Name | GUEST | Name to identify the Zone. Duplicate names are not allowed.
Appliance Access: Admin Services | | Enable Admin Services that should be allowed through this zone.
Appliance Access: Authentication Services | Windows/Linux Client: Enabled; Captive Portal: Enabled | Enable Authentication Services that should be allowed through Zone.
Appliance Access: Network Services | DNS: Enabled; Ping: Enabled | Enable Network Services that should be allowed through Zone.
Appliance Access: Other Services | Web Proxy: Enabled; SSLVPN: Enabled | Enable Other Services that should be allowed through Zone.
Click OK to create the GUEST Zone.

Step 2: Create Access Point in Guest Zone
Go to Network > Wireless LAN > Access Point and click Add to create a new Wireless Access Point using the parameters given below.
Parameter Description
Parameter | Value | Description
Zone | Guest | Specify the Zone in which Access Point is to be created
IP Address | 172.16.16.1 | Specify IP Address
Netmask | /24 (255.255.255.0) | Specify Netmask
SSID | Guest-WiFi | Specify the Service Set Identifier (SSID) by which the WLAN is to be identified
Broadcast SSID | Enable | Enable if you want to broadcast the SSID, i.e., make the WLAN discoverable.
Security Mode | WPA-PSK | Select the Security Mode.
Encryption | TKIP | Select the Encryption Method
Pass Phrase | cyberoam | Enter the Pass Phrase
Group Key Update | Disable | Enable if you want to generate new security key after specified Timeout Interval.
Timeout Interval | 86400 (Default) | Specify the time interval after which the security key expires.
Maximum Clients | 255 | Specify maximum number of clients allowed to connect to the Access Point
Click OK to create an Access Point. You are immediately asked to configure the DHCP Server linked with this Access Point as shown below.

Step 3: DHCP Configuration
Click Configure DHCP Server >> to configure the DHCP Server linked to WLAN2 created in step 2. Set parameters according to the table given below.

Parameter Description
Parameter | Value | Description
Name | GUEST_DHCP | Name to identify the Server.
Interface | WLAN2 – 172.16.16.1 | Select internal interface
Lease Type | Dynamic | Select Lease Type.
Lease IP Range | 172.16.16.2 – 172.16.16.20 | Specify range of IP addresses that are to be leased.
Subnet Mask | /24 (255.255.255.0) | Specify Subnet Mask.
Domain Name | Guest | Specify domain name that the DHCP server will assign to the DHCP Clients.
Gateway | Use Interface IP as Gateway: Enabled | Specify IP address for default Gateway or click “Use Interface IP as Gateway”
Default Lease Time | 1440 | Specify Default Lease Time.
Max Lease Time | 2880 | Specify Maximum Lease Time
Conflict Detection | Enabled | Enable Conflict detection to check the IP before leasing i.e. if enabled the already leased IP will not be leased again.
DNS Server | Use Appliance’s DNS Settings: Enabled | Click “Use Appliance’s DNS settings” to use appliance DNS server or specify IP address of Primary and Secondary DNS servers.
Click OK to save DHCP Server settings.
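
The values in the Step 2 and Step 3 tables can be checked for consistency and for weak wireless settings before they are applied. The Python check below is an added example, not part of the original guide or of Cyberoam's software; the dictionary keys, the HARDENED values (including the "AES" option name) and the 12-character policy minimum are assumptions for illustration.

```python
import ipaddress

# Values from the Step 2 (Access Point) and Step 3 (DHCP) tables of this guide.
GUIDE = {
    "ap_ip": "172.16.16.1", "netmask": "255.255.255.0",
    "encryption": "TKIP", "pass_phrase": "cyberoam",
    "group_key_update": False, "max_clients": 255,
    "lease_start": "172.16.16.2", "lease_end": "172.16.16.20",
}
# Constructed counter-example. "AES" as an option name and the pass phrase
# are assumptions for illustration, not values from the guide.
HARDENED = dict(GUIDE, encryption="AES", group_key_update=True,
                pass_phrase="constructed-Example-Phrase-42",
                lease_end="172.16.16.254", max_clients=253)
MIN_PASSPHRASE_LEN = 12  # assumption: local policy, not an appliance limit


def audit_guest_wlan(cfg):
    """Return (code, message) findings for a guest AP and its DHCP scope."""
    out = []
    net = ipaddress.ip_network(f"{cfg['ap_ip']}/{cfg['netmask']}", strict=False)
    gw = ipaddress.ip_address(cfg["ap_ip"])
    lo = ipaddress.ip_address(cfg["lease_start"])
    hi = ipaddress.ip_address(cfg["lease_end"])
    # Client addresses in the subnet: all minus network, broadcast, gateway.
    usable = net.num_addresses - 3
    if lo > hi or lo not in net or hi not in net:
        out.append(("LEASE_RANGE", "lease range is not inside the AP subnet"))
    elif lo <= gw <= hi:
        out.append(("LEASE_GATEWAY", "lease range contains the gateway IP"))
    else:
        pool = int(hi) - int(lo) + 1
        if pool < cfg["max_clients"]:
            out.append(("POOL_SMALL", f"{pool} leases for up to "
                        f"{cfg['max_clients']} clients"))
    if cfg["max_clients"] > usable:
        out.append(("CLIENTS_GT_SUBNET", f"subnet holds only {usable} clients"))
    if cfg["encryption"].upper() == "TKIP":
        out.append(("TKIP", "TKIP is deprecated; use AES (CCMP) if offered"))
    if not 8 <= len(cfg["pass_phrase"]) <= 63:
        out.append(("PSK_INVALID", "WPA pass phrase must be 8-63 characters"))
    elif len(cfg["pass_phrase"]) < MIN_PASSPHRASE_LEN:
        out.append(("PSK_SHORT", "pass phrase is below the policy minimum"))
    if not cfg["group_key_update"]:
        out.append(("NO_REKEY", "group key is never rotated on a timer"))
    return out


if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE), ("hardened", HARDENED)):
        print(name, audit_guest_wlan(cfg) or "no findings")
```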

Step 5: Update Firewall Rule to Secure WLAN Traffic
On creation of the GUEST Zone (as shown in step 1), Cyberoam automatically creates default rules allowing traffic from GUEST to WAN as shown below.
Update the default rule #Guest_WAN_AnyTraffic to Drop all traffic that hits it. This is required if you want to drop all unauthenticated traffic. Any Guest User trying to access the Internet is then forced to authenticate, which enables controlled Internet access.
The above steps configure Internet Access Point for Guest Users.

Configure Guest User Authentication
Once the Internet Access Point is configured and all unauthenticated traffic is dropped to enforce user authentication, the administrator needs to configure the Guest User Authentication settings.

Step 1: Create and Assign Policies to Guest Group
Create a Guest Group to implement various policies upon the guest users included in that group. This ensures controlled Internet access by guest users. To create a group, go to Identity > Groups > Groups and click Add to create a new group with parameters given below.
Parameter Description
Parameter | Value | Description
Group Name | Guest_Group | Name to identify group.
Group Type | Normal | Select Group Type
Policies: Web Filter | General Corporate Policy | Select Web Filter policy from list.
Policies: Application Filter | Allow All | Select Application Filter policy from list.
Policies: Surfing Quota | Unlimited Internet Access | Select Surfing Quota policy from list.
Policies: Access Time | Allowed only during Work Hours | Select Access Time policy from list.
Policies: Data Transfer | Daily 10 MB | Select Data Transfer policy from list.
Policies: QoS | None | Select QoS policy from list.
Policies: SSLVPN | No Policy Applied | Select SSL VPN policy from list.
Spam Digest | Enabled | Configure Spam Digest.
MAC Binding | Disabled | Enable/disable “MAC Binding”. By binding User to MAC address, you are mapping user with a group of MAC addresses.
L2TP | Disabled | Enable if group users can get access through L2TP connection
PPTP | Disabled | Enable if group users can get access through PPTP connection
Login Restriction | Any Node | Select the appropriate option to specify the login restriction for the user group

Click OK to create the group.

Step 2: Configure Guest User Settings
Go to Identity > Guest Users > General Settings and set parameters according to table given below.

Parameter Description
Parameter | Value | Description
Username Prefix | GUEST | Provide prefix to be used for Auto-Generation of username for guest users.
Group | Guest_Group | Select the group to which all guest users are assigned.
Password Length | 8 | Specify the length of the auto-generated password for Guest Users.
Password Complexity | Alphanumeric Password | Select a type of password from the available options to be used for complexity of an auto-generated password
Auto Purge on Expiry | Enabled | Check if you want users to be purged from Cyberoam once their credentials expire.
Click Apply to save Guest User settings.

Step 3: Create Guest Users
Guest Users can be created in two (2) ways:
1. Manually (by the Administrator)
2. Automatically

Create Guest Users Manually
This is the more commonly used method to create Guest Users. To create users manually, go to Identity > Guest Users > Guest Users and click Add Single to create a single user OR Add Multiple to create multiple users simultaneously. Here, as an example, we have created a single user.
Mention the name, Email Address and validity of the user.
Click Add to create the user. You can also click Add and Print to print the user credentials after creating the user.

Create Guest Users Automatically
Cyberoam also allows automatic creation of Guest Users. The users can register through Captive Portal and their credentials are sent to them via SMS. To know how to configure automatic Guest User creation, refer to the article Guest User Creation using Captive Portal.