Captive Portal with QR Code

What is Captive Portal with QR code?

The captive portal is a login page that is displayed when you access
the Internet by launching the web browser, which would intercept the
network traffic till you enter the privileged account.
For example, some companies set the boundary of a captive portal
for staff and visitors before they can gain network to access for the
Internet via a web browser. To ensure the management of network
traffic and security, they need to get a privileged account for passing the
captive portal to use the network. In general, new employees have a
privileged account after they report in for duty, but visitors need to ask
for the privileged account from an employee or administrator.
Assuming your company holds a business conference for dozens of
customers. How could your company provide instant wireless access
service for customers without creating numerous accounts or changing
the network configuration? A captive portal with QR code could help
you ease this confusion. There is no need for the IT to generate an
account for every customer. Instead, he can print a QR code and post it
on the entrance of the meeting room or somewhere that customers
could easily see it. After customers use the mobile device to scan the QR
code, customers could login to the captive portal page automatically
without keying account information. In addition, if your company
requires more rigid IT security policies e.g. granting guest wireless access
service requires employee authentication prior to the access, there is
another way for your company to use the QR code. Your company
security guard or employee who has registered to authenticate guest
wireless access has the privilege to scan the QR code from the login page
of captive portal in the customers device.
The captive portal with QR code is a new feature that brings you
convenient and fast pass in some scenarios for clients to access the
Internet.
1

The NXC provides two authentication mechanisms with QR code for

different scenarios.

Scenario 1: Authenticator - assisted

Guest receives a QR code that is authenticated by an
authenticator
A guest visits the ZyXEL Company and connects to the Guest SSID,
but it shows the login page with QR code. The guest does not have the
user name and password, so he goes to find an employee who has
privilege to authenticate the guests device to scan his QR code. After
employee scan the QR and get the authentication message, then the
guest can use Wi-Fi to access the Internet.

Scenario 2: Self - serviced

Guest directly scans QR code to pass the authentication
A guest visits the ZyXEL Company and he sees a QR code is posted on
2

the table when he sits on the chair. The QR code notes Welcome to
ZyXEL. After the guest connects to the SSID and scans the QR code, he
will get the authentication message. Then, he can enjoy Wi-Fi service.

The Configuration of Captive Portal with QR code

Employees are the members of VLAN 10, which can access internet by
passing the authentication with enterprise security (802.1X). Guests are
the members of VLAN0, which can access the internet by employee
authenticating the guests QR code.

Scenario 1: Authenticator - assisted

Step 1: Go to Interface > VLAN > Add. Create two VLANs as the DHCP
servers, separately VLAN0 and VLAN10. VLAN0 is for guest and VLAN10 is
for employee using.

Step 2: Go to Zone > Edit. Set VLAN0 and VLAN10 be a LAN, therefore,
the member of VLAN10 can access to the member of VLAN1. The
employee in the VLAN10 can authenticate guest in the VLAN0.

Step 3: Create user information for guest and employees to login to the
Captive portal. Go to User/Group > User > Add.
*The User Type of guest must be guest or user.

There are two kinds of configuration for authentication by authenticator

(employee) on the NXC and external radius server.

Guest information: (No matter authenticator information locates in the NXC or

external authentication server e.g. Radius or Active Directory server, guest
account must be pre-configured on the NXC)

Authenticator(Employee) information on the NXC

Set a group for employee accounts. Go to User/Group > User > Group > add.

Authenticator (Employee) information on the external authentication (Radius)

server
Add the information of external authentication server. Go to AAA Server > Radius >
Add. (Confirm there is authenticator account on the external authentication server.)

Step 4: Go to Auth. Method > Add.

If the information of authenticator is on the NXC, then select the local
authentication for employees enterprise security.
6

If the information of authenticator is on the external authentication

server, then add an authenticated method and select the external
authentication server for employees enterprise security.

Step 5: Add an IP address range on the VLAN0 for guests that need to
login to the captive portal and add the interface subnet of employee on
the VLAN10. Go to Address > Address > Add.
The IP address range for guest using need to login the captive portal:

The interface subnet of employees on the VLAN10:

Step 6: To prevent guest in the VLAN0 can access to the VLAN10, go to

Firewall > Add. Add a firewall rule to deny guest access to the member
of VLAN10.

Step 7: Go to Captive Portal > Captive Portal > Authentication Policy

Summary. Scroll down to the page of the captive portal and select
defaultfor Authentication Method, and then add an authentication
policy.

Step 8: Select the IP address range for guests that will be forced to be
authenticated by the captive portal.
9

Step 9: Bring up the page of the Captive Portal and enable the captive
portal feature, and authentication with the QR code. Select
Authenticator - assisted and then apply the configuration.
Guest AccountSelect guest user ID.
QR Portal Address Select the VLAN group of authenticator.
* Authenticator must be able to access the members of VLAN of QR Portal Address
for guests; otherwise, the authenticator will be unable to authenticate guests.

Authenticator able to authenticate guests.

Employees are the authenticators, who can authenticate the guest to access the
INTERNET. Hence, QR Portal Address needs to be selected the VLAN10 that is the
VLAN of employee, and Authenticator needs to be selected a group of employees
who have privilege to authenticate.

The account information of authenticaor is on the NXC.

10

The account information of authenticaor is on the external authenticated server

11

Step 10: After AP deployment is ready, add the AP profiles for guest and
employee Wi-Fi service. Before setting the SSID, we need to set an
enterprise security for employee to use. Go to AP Profile > SSID >
Security List > Add.
If the information of authenticator is on the NXC, then select default
for Auth. Method that is local authentication for employees.

If the information of authenticator is on the external authentication

server, then select the auth. method that is directed to the
authentication server for employees.

12

Step 11: Go to AP Profile > SSID > Add. Create two SSID for guests and
employees.
* Set the forwarding mode with Local bridge when the traffic of AP would go
through the NXC directly.
* Set the forwarding mode with Tunnel mode when the traffic of AP might not go
through the NXC directly. The tunnel mode setting could force all the traffic to go into
the NXC and lead to the Captive portal.
The SSID for guests using is named QR_guest with VLAN ID 1

13

The SSID for employees using is named QR_employee with VLAN ID 10 and
enterprise security.

Step 12: Create a radio configuration for the AP. Go to AP Profile > Radio
> Add.

14

Step 13: Go to AP Management > Mgmt. AP List. Select the SSID to

provide Wi-Fi service for guests.

Step 14: Guest can use a mobile device to connect to the SSID and open
the webpage. It would show the page of the captive portal with QR code.
15

Step 15: Find the employee who is able to authenticate guests by

scanning the guests QR code. After scanning the QR code from the
guests device, the employees mobile device will show the result of the
authentication.

Step 16: Go to Login Users. You can see that the guest has obtained the
IP address, as well as who authenticated the guest.

16

 Scenario 2: Self serviced

For steps 1-8 please refer to the step 1-8 of scenario 1.
Step 9: Go to Captive Portal. Enable the captive portal feature and
authentication with QR code. Select Self-serviced. You can leave
the message in the Note Message and press Print Out, the QR
code would be show in the window.
QR Portal Address select the VLAN group ofguest.
* Please note that the IP address you select must be reachable by guest.
Note Message Write any information for printing with the QR code.

17

Step 10: Publish the QR code and then the guest could use a mobile
device to scan the QR code to pass the authentication.

Step 11: Go to AP Management > Mgmt. AP List. Select SSID to provide

Wi-Fi service for guests.

Step 12: Scan QR code and the mobile device will show the result of the
authentication.

18

Step 13: Go to Login Users. You can see who obtained the IP address by
QR code authentication.

The Flowchart of Authentication ofCaptive Portal

with QR code
Scenario 1: Authenticator - assisted

19

The process of scenario 1:

1. Guest connects to the SSID with captive portal authentication.
2. NXC receive the connected request from guest and leads to the page
of captive portal with QR code.
3. The employee (authenticator) uses a mobile device with an IP address
that has authentication ability to scan the QR code from the guests
device.
4. NXC receives the authentication request.
5. After NXC checks the authenticated request, it would send the
authenticated response to the employees mobile device.

Scenario 2: Self serviced

20

The process of scenario 2:

1. The employee (authenticator) produces the QR code for guests.
2. Guest connects the SSID with captive portal authentication.
3. Guest scans the QR code, which is published from the authenticator.
4. NXC receives the authenticated request from guest.
5. After NXC checks the authenticated request, it would send the
authenticated response to the guests mobile device.

21