
How To Allow Secured Internet Access to Guest Users

Applicable Version: 10.02.0 Build 224 onwards


Applicable Models: Wi-Fi Models Only
Overview
Places like public hotspots and hotels have numerous Internet users that require temporary Internet
access just for a few days or hours. Maintaining such users becomes quite a hassle for
administrators. Furthermore, applying access restrictions upon these users is difficult. Cyberoam
allows the administrator to provide temporary access to Guest Users. This is mostly done via Wireless
Guest Access Points by deploying a Wireless LAN (WLAN). A good guest access system ensures
reliable and high-performance access to the Internet without the guest having to go through the
hassle of reconfiguring his/her PC to connect to the WLAN. A Guest Access Point must segregate
internal and guest traffic to provide ironclad security for the organization's LAN and servers. Since
guest access is provisioned on the same network infrastructure carrying internal traffic, this is a
significant challenge.
Scenario
Create a Wireless Access Point and allow controlled Internet access to Guest Users.
Configuration
Configuration is to be done from the Cyberoam Web Admin Console using a profile that has read-write
administrative rights over the relevant features. This configuration consists of Two (2) parts:

1. Configure Access Point for Guest User
2. Configure Guest User Authentication

Configure Access Point for Guest User
Step 1: Create Guest Zone
Go to Network > Interface > Zone and click Add to create a new zone using parameters given
below.





Parameter Description

Parameter | Value | Description
Name | GUEST | Name to identify the Zone. Duplicate names are not allowed.
Type | LAN | Select Zone Type: LAN or DMZ
Appliance Access
Admin Services | HTTP: Disabled; HTTPS: Disabled; TELNET: Disabled; SSH: Disabled | Enable Admin Services that should be allowed through this zone.
Authentication Services | Windows/Linux Client: Enabled; Captive Portal: Enabled | Enable Authentication Services that should be allowed through Zone.
Network Services | DNS: Enabled; Ping: Enabled | Enable Network Services that should be allowed through Zone.
Other Services | Web Proxy: Enabled; SSLVPN: Enabled | Enable Other Services that should be allowed through Zone.



Click OK to create the GUEST Zone.




Step 2: Create Access Point in Guest Zone
Go to Network > Wireless LAN > Access Point and click Add to create a new Wireless Access
Point using the parameters given below.




Parameter Description

Parameter | Value | Description
Zone | Guest | Specify the Zone in which Access Point is to be created
IP Address | 172.16.16.1 | Specify IP Address
Netmask | /24 (255.255.255.0) | Specify Netmask
SSID | Guest-WiFi | Specify the Service Set Identifier (SSID) by which the WLAN is to be identified
Broadcast SSID | Enable | Enable if you want to broadcast the SSID, i.e., make the WLAN discoverable.
Security Mode | WPA-PSK | Select the Security Mode.
Encryption | TKIP | Select the Encryption Method
Pass Phrase | cyberoam | Enter the Pass Phrase
Group Key Update | Disable | Enable if you want to generate new security key after specified Timeout Interval.
Timeout Interval | 86400 (Default) | Specify the time interval after which the security key expires.
Maximum Clients | 255 | Specify maximum number of clients allowed to connect to the Access Point







Click OK to create an Access Point. You are immediately asked to configure the DHCP Server linked
with this Access Point as shown below.






Step 3: DHCP Configuration
Click Configure DHCP Server >> to configure the DHCP Server linked to WLAN2 created in step 2.
Set parameters according to the table given below.

Parameter Description

Parameter | Value | Description
Name | GUEST_DHCP | Name to identify the Server.
Interface | WLAN2 172.16.16.1 | Select internal interface
Lease Type | Dynamic | Select Lease Type.
Lease IP Range | 172.16.16.2 - 172.16.16.20 | Specify range of IP addresses that are to be leased.
Subnet Mask | /24 (255.255.255.0) | Specify Subnet Mask.
Domain Name | Guest | Specify domain name that the DHCP server will assign to the DHCP Clients.
Gateway | Use Interface IP as Gateway: Enabled | Specify IP address for default Gateway or click Use Interface IP as Gateway
Default Lease Time | 1440 | Specify Default Lease Time.
Max Lease Time | 2880 | Specify Maximum Lease Time
Conflict Detection | Enabled | Enable Conflict detection to check the IP before leasing, i.e., if enabled, the already leased IP will not be leased again.
DNS Server | Use Appliance's DNS Settings: Enabled | Click Use Appliance's DNS settings to use appliance DNS server or specify IP address of Primary and Secondary DNS servers.







Click OK to save DHCP Server settings.

Step 5: Update Firewall Rule to Secure WLAN Traffic
On creation of the GUEST Zone (as shown in step 1), Cyberoam automatically creates default rules
allowing traffic from GUEST to WAN as shown below.






Update the default rule #Guest_WAN_AnyTraffic to Drop all traffic that hits it. This is required if you
want to drop all unauthenticated traffic. Any Guest User trying to access the Internet is then forced to
authenticate, which enables controlled Internet access.



The above steps configure Internet Access Point for Guest Users.
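
A way to verify the result of Steps 1 to 5 from a guest client that has joined Guest-WiFi but has not yet authenticated, given as an added example that is not part of the original Cyberoam document. The port numbers are the protocols' standard defaults and the outside host is a constructed placeholder; both are assumptions to adjust for your deployment.

```python
import socket

GATEWAY = "172.16.16.1"  # Access Point IP address from Step 2
# Admin Services disabled on the GUEST zone in Step 1. The port numbers are
# the protocols' standard defaults (assumption; the appliance may use others).
ADMIN_PORTS = {"HTTP": 80, "HTTPS": 443, "TELNET": 23, "SSH": 22}
# Constructed placeholder: 192.0.2.10 is a documentation address (RFC 5737).
# Replace it with an Internet host you operate that listens on this port.
# A non-web port is used because captive portals commonly answer web
# connections themselves, which would look like an allowed connection.
OUTSIDE = ("192.0.2.10", 22)


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_guest_zone(probe=tcp_open, gateway=GATEWAY, outside=OUTSIDE):
    """Run from an unauthenticated guest client; return a list of findings."""
    findings = []
    # Step 1: no admin service should answer on the guest-facing interface.
    for name, port in ADMIN_PORTS.items():
        if probe(gateway, port):
            findings.append(f"{name} admin service reachable on {gateway}:{port}")
    # Step 5: traffic to the WAN must be dropped until the user authenticates.
    if probe(*outside):
        findings.append(
            f"unauthenticated TCP to {outside[0]}:{outside[1]} was allowed; "
            "check that #Guest_WAN_AnyTraffic is set to Drop"
        )
    return findings


if __name__ == "__main__":
    results = audit_guest_zone()
    for line in results or ["no findings: admin services closed, WAN blocked"]:
        print(line)
```

An empty result is meaningful only once OUTSIDE points at a host that is really listening; with the placeholder address the WAN check always times out.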

Configure Guest User Authentication
Once the Internet Access Point is configured and all unauthenticated traffic is dropped to enforce user
authentication, the administrator needs to configure the Guest User Authentication settings.
Step 1: Create and Assign Policies to Guest Group
Create a Guest Group to implement various policies upon the guest users included in that group. This
ensures controlled Internet access by guest users. To create a group, go to Identity > Groups >
Groups and click Add to create a new group with parameters given below.




Parameter Description

Parameter | Value | Description
Group Name | Guest_Group | Name to identify group.
Group Type | Normal | Select Group Type
Policies
Web Filter | General Corporate Policy | Select Web Filter policy from list.
Application Filter | Allow All | Select Application Filter policy from list.
Surfing Quota | Unlimited Internet Access | Select Surfing Quota policy from list.
Access Time | Allowed only during Work Hours | Select Access Time policy from list.
Data Transfer | Daily 10 MB | Select Data Transfer policy from list.
QoS | None | Select QoS policy from list.
SSLVPN | No Policy Applied | Select SSL VPN policy from list.
Spam Digest | Enabled | Configure Spam Digest.
MAC Binding | Disabled | Enable/disable MAC Binding. By binding User to MAC address, you are mapping user with a group of MAC addresses.
L2TP | Disabled | Enable if group users can get access through L2TP connection
PPTP | Disabled | Enable if group users can get access through PPTP connection
Login Restriction | Any Node | Select the appropriate option to specify the login restriction for the user group




Click OK to create the group.



Step 2: Configure Guest User Settings
Go to Identity > Guest Users > General Settings and set parameters according to table given
below.

Parameter Description

Parameter | Value | Description
Username Prefix | GUEST | Provide prefix to be used for Auto-Generation of username for guest users.
Group | Guest_Group | Select the group to which all guest users are assigned.
Password Length | 8 | Specify the length of the auto-generated password for Guest Users.
Password Complexity | Alphanumeric Password | Select a type of password from the available options to be used for complexity of an auto-generated password
Auto Purge on Expiry | Enabled | Check if you want users to be purged from Cyberoam once their credentials expire.




Click Apply to save Guest User settings.

Step 3: Create Guest Users
Guest Users can be created in Two (2) ways:

1. Manually (by the Administrator)
2. Automatically

Create Guest Users Manually

This is the more commonly used method to create Guest Users. To create users manually, go to
Identity > Guest Users > Guest Users and click Add Single to create a single user OR Add
Multiple to create multiple users simultaneously. Here, as an example, we have created a single
user.






Mention the name, Email Address and validity of the user.



Click Add to create the user. You can also click Add and Print to print the user credentials after
creating the user.



Create Guest Users Automatically

Cyberoam also allows automatic creation of Guest Users. The users can register through Captive
Portal and their credentials are sent to them via SMS. To know how to configure automatic Guest
User creation, refer to the article Guest User Creation using Captive Portal.






Document Version: 2.0 16 January, 2014
