Enabling Guest Provisioning

The Guest Provisioning feature lets you manage guests who need access to your company’s wireless network. This section describes how to:

Design and configure the Guest Provisioning page – Using the WebUI, the network administrator designs and configures the Guest Provisioning page that is used to create a guest account.
Configure a guest provisioning user – The network administrator configures one or more guest provisioning users. A guest provisioning user, such as a front desk receptionist, signs in guests at your company.
Using the Guest Provisioning page – The Guest Provisioning page is used by the guest provisioning user to create guest accounts for people who are visiting your company.

Configuring the Guest Provisioning Page

Use the Guest Provisioning Configuration page to create the Guest Provisioning page. This configuration page consists of three tabs: Guest Fields, Page Design and Email. You configure the information on all three tabs to create a Guest Provisioning page.

Guest Fields tab—lets you select the fields that appear on the Guest Provisioning page.
Page Design tab—lets you specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page.
Email tab—lets you specify an email to be sent to the guest or sponsor (or both). Email messages can be sent automatically at account creation time and also may be sent manually by the administrator from the Guest Provisioning page.

In the WebUI

You can only create and design the Guest Provisioning page in the WebUI.

This section describes how to design a Guest Provisioning page using all three tabs.

Configuring the Guest Fields

1. Navigate to the Configuration > Management > Guest Provisioning page. The Guest Provisioning configuration page displays with the Guest Fields tab on top. This tab contains the following columns:
Internal Name—The unique identifier that is mapped to the label in the UI.
Label in UI—A customizable string that displays in both the main listing pane and details sheet on the Guest Provisioning page.
Display in Details—Fields with selected checkboxes appear in the Show Details popup-window.

If the guest_category, account_category, sponsor_category and optional_category fields are not checked, their respective sections do not appear on the Guest Provisioning page.

Display in Listing—Fields with selected checkboxes appear as columns in the management user summary page.

Figure 1  Guest Provisioning Configuration Page—Guest Fields Tab

2. Select the checkbox next to each field, described in Table 1, that you want to appear on the Guest Provisioning page. Optionally, you can customize the label that displays in the UI.
3. Click Preview Current Settings to view what the Guest Provisioning page looks like while you are designing it.
4. To save changes, click Apply.

Best practice is to check the Display in Listing field for only the most essential fields, so that the Guest Provisioning user does not have to scroll the guest listing horizontally to see all the columns.

Table 1: Guest Provisioning—Guest Field Descriptions

Guest Field

Description

guest_category

A guest is the person who needs guest access to the company’s wireless network. This is the label on the Guest Provisioning page for the guest information.

guest_username

Username for the guest.

guest_password

Password for the guest. (Must contain at least 1-6 characters and at least one digit.)

guest_fullname

Full name of the guest.

guest_company

Name of the guest's company.

guest_email

Guest's Email address.

guest_phone

Guest's phone number.

comments

Optional comments about the guest's account status, meeting schedule and so on.

account_category

This is the label on the Guest Provisioning page for the account information.

creation-date

Date the account is created.

start_date

Date the guest account begins.

end_date

Date the guest account ends.

grantor

The username of the person who created the guest account.

grantor_role

The authentication role of the grantor.

sponsor_category

A sponsor is the guest's primary contact for the visit. This is the label in the Guest Provisioning page for the sponsor information.

sponsor_username

 
 

Sponsor's work department

sponsor_email

Sponsor's Email address.

optional_category

This is the label in the Guest Provisioning page for the information in the optional fields that follow.

NOTE: The optional_category field can be used for another person, for example a “Supervisor.” You can enter username, full name, department and Email information into the optional fields. Or, you can use this category for some other purpose.

optional_field_1

optional_field_1 description

optional_field_2

optional_field_2 description

optional_field_3

optional_field_2 description

optional_field_4

optional_field_2 description

Configuring the Page Design

The Page Design tab lets you specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page.

1. Navigate to the Configuration > Management > Guest Provisioning page and select the Page Design tab.

Figure 2  Guest Provisioning Configuration Page—Page Design Tab

2. Enter the filename which contains the company banner in the Banner field. Or, click Browse to search for the filename.

Best practice is to use a logo or banner image that is 600 x 100 pixels (width x height). The WebUI does not apply the size restrictions when you upload an image file, but the image is resized to 600 x 100 pixels when it displays or is printed.

3. Enter the label for the guest listing (the one you used in the Guest Fields tab) in the Text field.
4. Enter the hex value for the color of the text in the Text Color field. The text in the header of the guest listing displays in this color.
5. Enter the hex value for the color of the background in the Background color field. This determines the color of the header of the guest listing.
6. Click Preview Current Settings to preview the Guest Provisioning page while you are designing it.
7. To save changes, click Apply.

Configuring Email Messages

You can specify an email to be sent to the guest or sponsor (or both). Email messages can be sent automatically at account creation time or sent manually by the network administrator or guest provisioning user from the Guest Provisioning page at any time.

1. Specify the SMTP server and port that processes the guest provisioning (also known as guest access) email. You can complete this step using the WebUI or CLI commands:
Configuring the SMTP Server and Port in the WebUI
Configuring an SMTP server and port in the CLI
2. Create the email messages. Complete this step using the WebUI:

Creating Email Messages in the WebUI

Configuring the SMTP Server and Port in the WebUI

1. Navigate to the Configuration > Management > SMTP page.
2. Enter the IP address of the SMTP server to which the controller sends the guest provisioning email in the IP Address of SMTP server field.
3. Enter the number of the port through which the guest provisioning email passes in the Port field.
4. Click Apply and then Save Configuration.

Configuring an SMTP server and port in the CLI

The following command creates a guest-access email and sends guest user email through SMTP server IP address 1.1.1.1 on port 25.

(host) (config) #guest-access-email

(host) (Guest-access Email) #

(host) (Guest-access Email) #smtp-port 25

(host) (Guest-access Email) #smtp-server 1.1.1.1

Creating Email Messages in the WebUI

After you have configured the SMTP server and port, follow these steps:

1. Navigate to the Configuration > Management > Guest Provisioning page and select the Email tab.

Figure 3  Guest Provisioning Configuration Page—Email Tab

2. To create a message for a guest or sponsor, customize the text in the Subject, From, and Body fields as needed for both the Guest message and Sponsor message.
3. Optionally, select the Send automatically at account creation time checkbox when you want an email message to be sent to the guest and/or sponsor alerting them that a guest account has just been created.

Regardless of whether you select this option, the person responsible for managing the Guest Provisioning page may choose to send this email message manually at any time.

Figure 4 shows a sample email message that is sent to the guest after the guest account is created.

Figure 4  Sample Guest Account Email – Sent to Sponsor

4. To save changes, click Apply.

Configuring a Guest Provisioning User

The guest provisioning user has access to the Guest Provisioning Page (GPP) to create guest accounts within your company. The guest provisioning user is usually a person at the front desk who greets guests and creates guest accounts. Depending upon your needs, there are three ways to configure and authenticate a guest provisioning user:

Username and Password authentication — Allows you to configure a user in a guest provisioning role.
Smart Card authentication
Static authentication — Uses a previously configured certificate name and serial number to derive the user role. This method does not use an external authentication server.
Authentication server — Uses an external authentication server to derive the management role. This is helpful if there is a large number of users who need to be deployed as guest provisioning users.

You can use the WebUI or CLI to create a Guest Provisioning user.

In the WebUI

This section describes how to configure a guest provisioning user. All three methods are described.

Username and Password Authentication Method

1. Navigate to the Configuration > Management > Administration page.
2. In the Management Users section, click Add.
3. In the Add User page select Conventional User Accounts.
4. In the User Name field, enter the name of the user who you want to configure as a guest provisioning user.
5. In the Password and Confirm Password fields, enter the user’s password and reconfirm it.
6. From the Role drop-down menu, select guest-provisioning.
7. Click Apply.

Static Authentication Method

Before using this method, make sure that the correct CA certificate is uploaded to the controller.

1. Navigate to the Configuration > Management > Administration page.
2. In the Management Users section, click Add.
3. In the Add User page, select Certificate Management.
4. Make sure that the Use external authentication server to authenticate check box is unchecked.
5. In the Username field, enter the name of the user who you want to configure as a guest provisioning user.
6. In the Role field, select guest-provisioning from the drop-down list.
7. Enter the client certificate serial number in the Client Certificate Serial No. field.
8. Select the CA certificate you want to use from the Trusted CA Certificate Name drop-down menu.
9. Click Apply.

Smart Card Authentication Method

1. Navigate to the Configuration > Management > General page.
2. In the WebUI Management Authentication Method section, select Client Certificate.
3. Click Apply.
4. Navigate to the Configuration > Management > Administration page.
5. In the Management Authentication Servers section, select guest-provisioning from the Default Role drop-down menu.
6. Select the Mode checkbox.
7. Select the server group from the Server Group drop-down menu.
8. Click Apply.
9. In the Management Users section, click Add to display the Configuration > Management > Add User page.
10. Select Certificate Management, WebUI Certificate and Use external authentication server to authenticate.
11. Select the trusted CA certificate you want to use from the Trusted CA Certificate Name drop-down menu.
12. Click Apply and Save Configuration.

In the CLI

Username and Password Method

This example creates a user named Paula and assigns her the role of guest provisioning.

(host) (config)# mgmt-user Paula guest-provisioning

Static Authentication Method

This example uses the CA certificate mycertificate with the serial number 1234 to authenticate user Laura in the guest provisioning role.

(host) (config)# mgmt-user webui-cacert mycertificate serial 1234 Laura guest-provisioning

Smart Card Authentication Method

This example shows that, using a previously configured certificate (1234), authentication and authorization are automatically configured using an authentication server.

(host) (config) #web-server mgmt-auth username/password certificate

(host) (config) #mgmt-user webui-cacert <certificate_name>

(host) (config) #aaa authentication mgmt

(host) (config) # server-group "internal"

(host) (config) #mgmt-user webui-cacert default

(host) (config) #mgmt-user webui-cacert 1234

Customizing the Guest Access Pass

In the WebUI, you can customize the pop-up window that displays the guest account information. You may want to do this before the Guest Provisioning user creates guest accounts.

1. Navigate to the Configuration > Security > Access Control > Guest Access page.
2. Click Browse to insert a logo or other banner information on the window.

Best practice is to use a logo or banner image that is 600 x 100 pixels (width x height). The WebUI does not apply the size restrictions when you upload an image file, but the image is resized to 600 x 100 pixels when it displays or is printed.

3. You can enter text for the Terms and Conditions portion of the window.
4. Click Submit to save your changes. Click Preview Pass to preview the window. (See Figure 5.)

Figure 5  Customized Guest Account Information Window

Creating Guest Accounts

After the Guest Provisioning user is created, that person can log in to the controller using the preconfigured username and password. The Guest Provisioning page displays. (See Figure 7.) This is a sample page as the fields may differ based on how the network administrator designed the page.

Starting with the ArubaOS 3.4 release, a guest user account that is created by a guest provisioning user can only be viewed, modified or deleted by the guest provisioning user who created the account or the network administrator. A guest user account that is created by the network administrator can only be viewed, modified or deleted by the network administrator.

Figure 6  Creating a Guest Account—Guest Provisioning Page

If you do not want multiple guest users to share the same guest account concurrently, navigate to the Captive Portal Authentication and select the “Allow only one active user session” option. If a guest user authenticates successfully but the controller detects there is already a guest session with the same guest username, the second login is rejected.

Guest Provisioning User Tasks

The Guest Provisioning user creates guest accounts by filling in information on the Guest Provisioning page. Tasks include creating, editing, manually sending email, enabling, printing, disabling and deleting guest accounts. The Guest Provisioning user can also manually send emails to either the guest or sponsor.

To create a new guest account, the Guest Provisioning user clicks New to display the New Guest window. (See Figure 7.) After filling in information into the fields, click Create. The guest account now displays on the Guest Provisioning page.

If you manually configure the user name and password, note the following:

User name entries support alphanumeric characters; however, the percent sign (%) and a trailing backslash are not allowed.
Passwords must have a minimum of six characters. You can use special characters for the password.
Click on the Account Start and End fields to change the account start and end times. The default account start to end time setting is eight hours.

Figure 7  Creating a Guest Account—New Guest Window

To see details about an existing user account, highlight an existing account and select the Show Details checkbox. The Show Details pop-up window displays. (See Figure 8.) The Guest Provisioning user can send out email from this window to either the guest or the sponsor. When you send an email from the Details pop-up window, a pop-up message displays confirming that the email was successfully processed.

Figure 8  Creating a Guest Account—Show Details Pop-up Window

Importing Multiple Guest Entries

The Guest Provisioning user can manually create individual guest entries, as previously described, or import multiple guest entries into the database from a CSV file. This is useful and more efficient if you want to enter multiple guest entries at once. To import multiple guest entries, you need to:

1. Create a CSV file that contains the guest entries
2. Import the CSV file into the database

Creating Multiple Guest Entries in a CSV File

Create a CSV file that contains multiple guest entries. Each field in an entry needs to be separated by a comma and each entry needs to end with a carriage return. The order of the fields is:

Guest’s first name (required)
Guest’s last name (required)
Guest’s email address (optional)
Guest’s phone number (optional)
Guest’s user ID (optional)
Guest’s password (optional)
Sponsor’s first name (optional)
Sponsor’s last name (optional)
Sponsor’s email address (optional)

See Figure 9 for an example of how guest entries need to be formatted in a CSV file.

Figure 9  CSV File Format—Guest Entries Information

Note the following limitations when creating guest entries in a CSV file:

None of the field values can have a comma.
There is no format checking on fields. Only the local-userdb-guest CLI command will validate proper format.
Any extra columns, beyond the 9th column, are discarded.
The WebUI only supports characters that the CLI supports.
If a guest’s user ID is not provided, then it is automatically generated based on the numeric suffix in the Import Guest List window. See Figure 10.
We recommend a maximum of 250 entries per CSV file.
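
Because the WebUI does no format checking on import, the limits listed above can be checked before the file is uploaded. The following Python script is an added example, not part of ArubaOS or its documentation; the field and function names and the sample rows are constructed, and it assumes that the user name and password rules given for manually created accounts (no percent sign or trailing backslash; six or more characters and, per Table 1, at least one digit) also apply to imported entries.

```python
"""Pre-import check for a guest-entry CSV file (added example)."""

# Column order as listed in this section; names are hypothetical.
FIELDS = ("guest_first", "guest_last", "guest_email", "guest_phone",
          "guest_userid", "guest_password",
          "sponsor_first", "sponsor_last", "sponsor_email")
MAX_ENTRIES = 250  # recommended maximum per CSV file


def _looks_like_email(value):
    # Deliberately loose: one "@", non-empty local part, dotted domain.
    local, sep, domain = value.partition("@")
    return bool(local and sep and "." in domain
                and "@" not in domain and " " not in value)


def validate_guest_csv(text):
    """Return (entries, problems); problems are (line_number, message)."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        # Plain split: a comma inside a value cannot be escaped, so it
        # shifts every later field one column to the right.
        cols = [c.strip() for c in line.split(",")]
        if len(cols) > len(FIELDS):
            problems.append((lineno, "more than 9 columns: extras are "
                             "discarded; check for a comma inside a value"))
        cols = (cols + [""] * len(FIELDS))[:len(FIELDS)]
        entry = dict(zip(FIELDS, cols))
        for name in ("guest_first", "guest_last"):
            if not entry[name]:
                problems.append((lineno, f"{name} is required"))
        for name in ("guest_email", "sponsor_email"):
            if entry[name] and not _looks_like_email(entry[name]):
                problems.append((lineno, f"{name} is not an email address"))
        uid = entry["guest_userid"]
        # Assumption: the manual-entry user name rule applies to imports.
        if "%" in uid or uid.endswith("\\"):
            problems.append((lineno, "guest_userid has '%' or a trailing "
                             "backslash"))
        pw = entry["guest_password"]
        # Assumption: the manual-entry password rule applies to imports.
        if pw and (len(pw) < 6 or not any(ch.isdigit() for ch in pw)):
            problems.append((lineno, "guest_password needs six or more "
                             "characters and a digit"))
        entries.append(entry)
    if len(entries) > MAX_ENTRIES:
        problems.append((0, f"{len(entries)} entries exceed the "
                         f"recommended {MAX_ENTRIES} per file"))
    return entries, problems


# Constructed sample input (not the contents of Figure 9).
SAMPLE = (
    "Ana,Lopez,ana@example.com,555-0100,,,Sam,Reed,sam@example.com\r\n"
    "Raj,,raj.example.com,,raj%1,abc,,,\r\n"
    "Li,Wei,li@example.com,555-0101,liwei,s3cretpw,"
    "Kim,Park,kim@example.com,Acme, Inc.\r\n"
)

if __name__ == "__main__":
    rows, issues = validate_guest_csv(SAMPLE)
    print(f"{len(rows)} entries parsed, {len(issues)} problems")
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```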

Importing the CSV File into the Database

To import a CSV file that contains multiple guest entries, the Guest Provisioning user must follow these steps:

1. Log in to the WebUI using the username and password assigned to the Guest Provisioning user.
2. Click on Import. The Import Guest List pop-up window displays. See Figure 10.

Figure 10  Importing a CSV file that contains Guest Entries

3. Click Browse to locate the CSV file you want to import.
4. Click Import. A window displays that lets you open the CSV file in text format. (See Figure 11.) Open the text file to see a summary of the number of users and error messages if users are not imported.

Figure 11  Displaying the Guest Entries Log File

5. Click Import. A window displays that lets you open the CSV file in text format. (See Figure 11.)
6. Open the text file. (See Figure 12.) Note that because no user ID is entered in the CSV file, a guest ID (username) is automatically generated based on the default value in the Suffix for auto-generated field. Make changes or corrections to the guest entry information in the text file. A user can also change the start time and end time from this window. Save and exit the file.

Figure 12  Viewing and Editing Guest Entries in the Log File

7. Click Cancel to close the Import Guest List window. Guest entries are now displayed in the Guest Provisioning page.

Figure 13  Viewing Multiple Imported Guest Entries—Guest Provisioning Page

Printing Guest Account Information

To print guest account information:

1. Highlight the guest account you want to print and click Print. The Print info for guest window displays.
2. Click Print password if you want to print the guest password on the badge. Then enter or generate a new password for the guest. This modifies the existing guest password. (See Figure 14.)
3. Optionally, click Print policy text if you want your company policy text to appear on the print out.
4. Click Show preview to view the information before it is printed.
5. Click Print to print the guest account information.

Figure 14  Printing Guest Account Information

Optional Configurations

This section describes guest provisioning options that the administrator can configure.

These options are not configurable by the guest provisioning user.

Restricting one Captive Portal Session for each Guest

You can restrict one captive portal session for each guest. When a new captive portal request is received and passes authentication, all users are checked and compared with user names. If a user with the same name already exists and this option is enabled, the second login is denied.

If a guest logs in from one system (and does not log out) and tries to log in again from another system, that guest has to wait for the initial session to expire.

1. Navigate to the Configuration > Advanced Services> All s page.
2. Select Wireless Lan.
3. Under Wireless Lan, select and open Captive Portal Authentication.
4. Add a new or select and existing
5. Select the Allow only one active user session check box.
6. Click Apply.

Using the CLI to restrict one Captive Portal session for each guest

(host)(config)# aaa authentication captive-portal <> single-session

Setting the Maximum Time for Guest Accounts

You can set the maximum expiration time (in minutes) for guest accounts. If the guest-provisioning user attempts to add a guest account that expires beyond this time period, an error message is displayed and the guest account is created with the maximum time you configured.

If you set the maximum expiration time, it applies to all users in the internal database whether they are guests or not.

Using the WebUI to set the maximum time for guest accounts

1. Navigate to the Configuration > Security > Authentication page.
2. Select Internal DB.
3. Under Internal DB Maintenance, enter a value in Maximum Expiration.
4. Click Apply.

Using the CLI to set the maximum time for guest accounts

(host)# local-userdb maximum-expiration <minutes>