Web-Auth in Wi-Fi lets guest users connect to your LAN from a mobile phone or laptop and access the Internet with seamless roaming, without any wired connectivity. It is a LAN technology used to connect home, campus, building and corporate networks. Just as for corporate LAN users, we need to provide Wi-Fi access to guests as well, via Web-Authentication and a guest access portal.
In the previous part we discussed Wi-Fi solutioning, design, planning, connectivity, WLC implementation and the AP registration process. Now we will discuss the user connection process, the remaining WLC configuration, and the Wi-Fi features and technologies used to fine-tune the wireless network.
Here we will not discuss anything bookish or theoretical; we only discuss and share practical experience. I am also not referring to any vendor-specific configuration or feature. These are basic settings that need to be configured on every WLC. For specific vendor hardware or a specific WLC, please refer to the vendor's configuration guide.
WLC Basic Configuration parameters
After all physical installation and network connectivity is complete, it is time to configure the WLC.
IP Schema and VLAN details
A correct IP schema with the right VLANs is essential, and it is the first and most important part of configuring a WLC or any network. Below is a sample VLAN and IP schema table, which we should have handy before configuring the WLC and access points.
[Figure: Web-Auth, Guest, IP Schema and VLAN details]
- These VLANs will be configured for the WLC interfaces and the WLAN (SSID) mapping.
- Create the WLANs or SSIDs (Service Set Identifiers); in our case these are Kbrosis_Guest and Kbrosis_USER.
- Best practice is to keep the guest SSID and the corporate user SSID separate for security.
- For guest access, Web-Auth needs to be configured.
- Create a DHCP scope on the WLC so users can get an IP address dynamically.
- Configure WLC high availability.
- Integrate the WLC with ISE, AD or any other authentication server for corporate user login authentication on the LAN.
- Configure Web-Auth for guest access.
- Ensure the WLC has sufficient licenses for the AP count or AP registration.
- Configure all security parameters (to be discussed in detail) and allow the required ports on the firewall.
- Native VLAN and trunk ports should be configured properly.
- Routing should be in place so users can access the Internet and other services seamlessly.
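Before any of this is entered on the WLC, the VLAN/IP plan itself can be sanity-checked for the mistakes that most often break guest/corporate separation. The script below is an added example, not part of the original article; the VLAN IDs, subnets and the WLC_Mgmt interface name are constructed placeholders, not values from the article's table.

```python
import ipaddress

# Constructed sample plan: VLAN IDs and subnets are placeholders, not the article's table.
PLAN = [
    {"name": "WLC_Mgmt", "vlan": 10, "subnet": "10.10.10.0/24",
     "gateway": "10.10.10.1", "dhcp": None},
    {"name": "Kbrosis_USER", "vlan": 20, "subnet": "10.10.20.0/24",
     "gateway": "10.10.20.1", "dhcp": ("10.10.20.50", "10.10.20.250")},
    {"name": "Kbrosis_Guest", "vlan": 30, "subnet": "192.168.30.0/24",
     "gateway": "192.168.30.1", "dhcp": ("192.168.30.10", "192.168.30.250")},
]

def validate_plan(plan):
    """Return a list of problems in a VLAN/IP plan; an empty list means it is clean."""
    problems, vlans, nets = [], {}, []
    for row in plan:
        name = row["name"]
        net = ipaddress.ip_network(row["subnet"])
        gw = ipaddress.ip_address(row["gateway"])
        # Each interface needs its own VLAN ID, or guest and corporate share an L2 domain.
        if row["vlan"] in vlans:
            problems.append(f"{name}: VLAN {row['vlan']} already used by {vlans[row['vlan']]}")
        vlans[row["vlan"]] = name
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
        if row["dhcp"]:
            start, end = (ipaddress.ip_address(a) for a in row["dhcp"])
            if start not in net or end not in net or start > end:
                problems.append(f"{name}: DHCP scope {start}-{end} does not fit {net}")
            elif start <= gw <= end:
                problems.append(f"{name}: gateway {gw} sits inside the DHCP scope")
        # Overlapping subnets break routing and blur the guest/corporate boundary.
        for other_name, other_net in nets:
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other_name} ({other_net})")
        nets.append((name, net))
    return problems

if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan is clean"]:
        print(line)
```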
SSID Configuration
An SSID is simply the name of your wireless network: it is what shows up on your phone or laptop and what you select to connect to the Wi-Fi network.
It is configured only on the WLC, with parameters such as name, VLAN and security.
Below are the parameters we need to consider when creating or configuring an SSID.
[Figure: SSID Config]
Once the SSID is created, we need to apply the following basic configuration:
- Enable it
- Enable broadcast
- Map it to the interface we created on the WLC (for the guest and corporate user VLANs)
- Apply L2 and L3 security: WPA+WPA2
- Encryption: WPA2 + AES or TKIP or PSK
- Authentication: 802.1x
[Figure: WLAN Security parameters]
- Layer-3 security: Web-Auth or captive portal for guest access, with its Web-Auth parameters such as Authentication, Passthrough etc.
- Add the AAA server details (IP and port) for authentication.
- Apply QoS (if applicable for any specific service).
- Advanced configuration for FlexConnect, local and central switching, and AP grouping.
Configure all Access Points
Once the WLC is implemented and configured and the access points are registered with it, the access points need some basic configuration and features that allow users to connect to them via an SSID and access the Internet and intranet.
- Give each AP a name that identifies it. The AP name should combine the AP number and its location, so that during troubleshooting it is easy to tell which AP number is at which location.
- Admin status should be enabled.
- Select the AP mode (Local or FlexConnect).
- If the AP has picked up an IP address, subnet and gateway, make them static, so every AP has a dedicated IP that does not change each time the AP reboots.
- Configure the primary and secondary WLC IP addresses (for HA) and AP failover.
- Map the AP to the SSIDs.
Now we will discuss the user connection and authentication process for accessing Wi-Fi through the access points.
The process for connecting to Wi-Fi differs for corporate users and guest users. First we will discuss how a corporate user connects to the LAN via Wi-Fi.
Corporate User connectivity requirement:
- Corporate users should use their local credentials (username and password).
- Users should be authenticated against an authentication server such as AAA (AD) or ISE.
- Users should be allowed to access all LAN networks and services, the same as on the wired LAN.
How Authentication works for Corporate or Local user?
Beacon / Mgmt Frame: Among management frames, the beacon frame is used to help clients find the network. A beacon frame is a hello packet between two APs / users. When the client hears the beacon frame, it gets information about the cell.
A beacon frame also includes the SSIDs that the AP supports, the rates that are supported, and six fields called Parameter Set that indicate modulation methods and such.
The AP sends beacons every 2 seconds.
[Figure: User communicating with AP]
- When a client starts discovering/scanning for Wi-Fi networks, it finds the access point details via the beacons sent by the access point.
- The user sends a probe request for an SSID to the AP.
- As we have already configured the SSIDs and mapped them to the AP with their respective interfaces, the AP sends a probe response with the available/configured SSIDs.
- Once the user clicks on the corporate SSID to join, the AP checks which interface is assigned to this SSID and what security parameters are configured.
- For the corporate SSID, the user gets a pop-up to enter their username and password.
- The AP sends the request to the AAA server (configured in the WLC) for authentication.
- The AAA server responds with the authentication result.
- The user gets an IP address via DHCP from the corporate SSID VLAN subnet.
- Once the user has an IP address, the user is connected to the Wi-Fi network.
Web-Auth
For security reasons, it is best practice to keep guest Wi-Fi access separate, so guests cannot reach LAN services and can only access the Internet.
We can also set up a time frame. You may have observed that in a hotel you get a username and password, or an OTP on your mobile number, valid for some duration, after which your access expires or is revoked.
That's the beauty of Web-Auth in wireless technology.
- Create an interface for the guest WLAN/SSID.
- There should be a separate IP schema and VLAN.
- For the guest SSID, select Web-Auth as the security type.
- Create a username and password for every user.
- Configure a captive portal or welcome page.
- Once the user clicks on the guest SSID, the user is redirected to the Web Authentication page, where the user needs to enter the username and password.
- The AP sends the details to the WLC.
- The WLC checks the user details (username and password) against those already created in the WLC; if they match, the user is allowed to access the Internet over the guest SSID.
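The guest login and time-limited access described above, sketched as an added example (not code from this article or from any WLC vendor). GuestPortal, its methods, the MAC address and the sample account are hypothetical; a real controller keeps this state internally.

```python
import hashlib
import hmac
import os
import time

def _kdf(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash instead of the guest password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class GuestPortal:
    """Hypothetical stand-in for a WLC's local guest database and Web-Auth state."""

    def __init__(self):
        self._guests = {}    # username -> (salt, password hash, account expiry)
        self._sessions = {}  # client MAC -> session expiry

    def add_guest(self, username, password, lifetime_s, now):
        salt = os.urandom(16)
        self._guests[username] = (salt, _kdf(password, salt), now + lifetime_s)

    def login(self, mac, username, password, now):
        """Portal form submission: True only for a valid, unexpired account."""
        salt, stored, expiry = self._guests.get(username, (b"\0" * 16, b"", 0))
        # Always run the KDF and compare in constant time, even for unknown users.
        ok = hmac.compare_digest(stored, _kdf(password, salt))
        if not ok or now >= expiry:
            return False
        self._sessions[mac] = expiry  # access ends when the account expires
        return True

    def decide(self, mac, now):
        """Per-request policy for a client on the guest SSID."""
        expiry = self._sessions.get(mac)
        if expiry is None or now >= expiry:
            self._sessions.pop(mac, None)  # revoked: back to the login page
            return "redirect-to-portal"
        return "allow-internet"

if __name__ == "__main__":
    portal, mac, t0 = GuestPortal(), "aa:bb:cc:00:11:22", time.time()  # constructed values
    portal.add_guest("guest1", "S3cret!", lifetime_s=3600, now=t0)
    print(portal.decide(mac, t0))                        # before login
    print(portal.login(mac, "guest1", "S3cret!", t0))    # portal login
    print(portal.decide(mac, t0 + 60), portal.decide(mac, t0 + 3601))
```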
FAQ
What is Beacon / Mgmt Frame?
Among management frames, the beacon frame is used to help clients find the network. A beacon frame is a hello packet between two APs / users. When the client hears the beacon frame, it gets information about the cell.
What is SSID?
On the AP, the network is associated with a MAC address. This network or workgroup that your clients connect to is called a Service Set Identifier (SSID). So on an AP, the SSID is a combination of MAC address and network name.