How To Allow Secured Internet Access to Guest Users
Applicable Version: 10.02.0 Build 224 onwards
Applicable Models: Wi-Fi Models Only Overview Places like public hotspots and hotels have numerous Internet users that require temporary Internet access just for a few days or hours. Maintaining such users becomes quite a hassle for administrators. Furthermore, applying access restrictions upon these users is difficult. Cyberoam allows the administrator to provide temporary access to Guest Users. This is mostly done via Wireless Guest Access Points by deploying a Wireless LAN (WLAN). A good guest access system ensures reliable and high-performance access to the Internet without the guest having to go through the hassle of reconfiguring his/her PC to connect to the WLAN. A Guest Access Point must segregate internal and guest traffic to provide ironclad security for the organizations LAN and servers. Since guest access is provisioned on the same network infrastructure carrying internal traffic, this is a significant challenge. Scenario Create a Wireless Access Point and allow controlled Internet access to Guest Users. Configuration Configuration is to be done from Cyberoam Web Admin Console using profile having read-write administrative rights over relevant features. This configuration consists of Two (2) parts:
1. Configure Access Point for Guest User 2. Configure Guest User Authentication
Configure Access Point for Guest User Step 1: Create Guest Zone Go to Network > Interface > Zone and click Add to create a new zone using parameters given below.
How To Allow Secured Internet Access to Guest Users How To Allow Secured Internet Access to Guest Users
Parameter Description
Parameter Value Description Name GUEST Name to identify the Zone. Duplicate names are not allowed. Type LAN Select Zone Type : LAN or DMZ Appliance Access Admin Services HTTP: Disabled HTTPS: Disabled TELNET:Disabled SSH: Disabled Enable Admin Services that should be allowed through this zone. Authentication Services Windows/Linux Client: Enabled Captive Portal: Enabled Enable Authentication Services that should be allowed through Zone. Network Services DNS: Enabled Ping: Enabled Enable Network Services that should be allowed through Zone. Other Services Web Proxy: Enabled SSLVPN: Enabled Enable Other Services that should be allowed through Zone.
Click OK to create the GUEST Zone.
How To Allow Secured Internet Access to Guest Users
Step 2: Create Access Point in Guest Zone Go to Network > Wireless LAN > Access Point and click Add to create a new Wireless Access Point using the parameters given below.
Parameter Description
Parameter Value Description Zone Guest Specify the Zone in which Access Point is to be created IP Address 172.16.16.1 Specify IP Address Netmask /24 (255.255.255.0) Specify Netmask SSID Guest-WiFi Specify the Service Set Identifier (SSID) by which the WLAN is to be identified Broadcast SSID Enable Enable if you want to broadcast the SSID, i.e., make the WLAN discoverable. Security Mode WPA-PSK Select the Security Mode. Encryption TKIP Select the Encryption Method Pass Phrase cyberoam Enter the Pass Phrase Group Key Update Disable Enable if you want to generate new security key after specified Timeout Interval. Timeout Interval 86400 (Default) Specify the time interval after which the security key expires. Maximum Clients 255 Specify maximum number of clients allowed to connect to the Access Point
How To Allow Secured Internet Access to Guest Users
Click OK to create an Access Point. You are immediately asked to configure the DHCP Server linked with this Access Point as shown below.
How To Allow Secured Internet Access to Guest Users
Step 3: DHCP Configuration Click Configure DHCP Server >> to configure the DHCP Server linked to WLAN2 created in step 2. Set parameters according to the table given below.
Parameter Description
Parameter Value Description Name GUEST_DHCP Name to identify the Server. Interface WLAN2 172.16.16.1 Select internal interface Lease Type Dynamic Select Lease Type. Lease IP Range 172.16.16.2 172.16.16.20 Specify range of IP addresses that are to be leased. Subnet Mask /24 (255.255.255.0) Specify Subnet Mask. Domain Name Guest Specify domain name that the DHCP server will assign to the DHCP Clients. Gateway Use Interface IP as Gateway: Enabled Specify IP address for default Gateway or click Use Interface IP as Gateway Default Lease Time 1440 Specify Default Lease Time. Max Lease Time 2880 Specify Maximum Lease Time Conflict Detection Enabled Enable Conflict detection to check the IP before leasing i.e. if enabled the already leased IP will not be leased again. DNS Server Use Appliances DNS Settings: Enabled Click Use Appliances DNS settings to use appliance DNS server or specify IP address of Primary and Secondary DNS servers.
How To Allow Secured Internet Access to Guest Users
Click OK to save DHCP Server settings.
Step 5: Update Firewall Rule to Secure WLAN Traffic On creation of the GUEST Zone (as shown in step 1), Cyberoam automatically creates default rules allowing traffic from GUEST to WAN as shown below.
How To Allow Secured Internet Access to Guest Users
Update Default Rule #Guest_WAN_AnyTraffic, to Drop all traffic that hits it. This is required if you want to drop all unauthenticated traffic. Any Guest User trying to access Internet is forced to authenticate enabling controlled Internet Access.
The above steps configure Internet Access Point for Guest Users.
Configure Guest User Authentication Once the Internet Access Point is configured and all unauthenticated traffic is dropped to enforce user authentication, administrator needs to configure the Guest User Authentication settings. Step 1: Create and Assign Policies to Guest Group Create a Guest Group to implement various policies upon the guest users included in that group. This ensures controlled Internet access by guest users. To create a group, go to Identity > Groups > Groups and click Add to create a new group with parameters given below.
Parameter Description
Parameter Value Description Group Name Guest_Group Name to identify group. Group Type Normal Select Group Type Policies Web Filter General Corporate Policy Select Web Filter policy from list. Application Filter Allow All Select Application Filter policy from list. How To Allow Secured Internet Access to Guest Users
Surfing Quota Unlimited Internet Access Select Surfing Quota policy from list. Access Time Allowed only during Work Hours Select Access Time policy from list. Data Transfer Daily 10 MB Select Data Transfer policy from list. QoS None Select QoS policy from list. SSLVPN No Policy Applied Select SSL VPN policy from list. Spam Digest Enabled Configure Spam Digest. MAC Binding Disabled Enable/disable MAC Binding. By binding User to MAC address, you are mapping user with a group of MAC addresses. L2TP Disabled Enable if group users can get access through L2TP connection PPTP Disabled Enable if group users can get access through PPTP connection Login Restriction Any Node Select the appropriate option to specify the login restriction for the user group
Click OK to create the group. How To Allow Secured Internet Access to Guest Users
Step 2: Configure Guest User Settings Go to Identity > Guest Users > General Settings and set parameters according to table given below.
Parameter Description
Parameter Value Description Username Prefix GUEST Provide prefix to be used for Auto-Generation of username for guest users. Group Guest_Group Select the group to which all guest users are assigned. Password Length 8 Specify the length of the auto-generated password for Guest Users. Password Complexity Alphanumeric Password Select a type of password from the available options to be used for complexity of an auto- generated password Auto Purge on Expiry Enabled Check if you want users to be purged from Cyberoam once their credentials expire.
Click Apply to save Guest User settings.
Step 3: Create Guest Users Guest Users can be created in Two (2) ways:
1. Manually (by the Administrator) 2. Automatically
Create Guest Users Manually
This is the more commonly used method to create Guest Users. To create users manually, go to Identity > Guest Users > Guest Users and click Add Single to create a single user OR Add Multiple to create multiple users simultaneously. Here, as an example, we have created a single user.
How To Allow Secured Internet Access to Guest Users
Mention the name, Email Address and validity of the user.
Click Add to create the user. You can also click Add and Print to print the user credentials after creating the user.
Create Guest Users Automatically
Cyberoam also allows automatic creation of Guest Users. The users can register through Captive Portal and their credentials are sent to them via SMS. To know how to configure automatic Guest User creation, refer to the article Guest User Creation using Captive Portal.