Sample Authentication with Captive Portal

In the following example:

This example assumes a Policy Enforcement Firewall Next Generation (PEFNG) license is installed on the Mobility Master.

In this example, you create two user roles, guest-logon and auth-guest:

Creating a Guest User Role

The guest-logon user role consists of the following ordered policies:

  • block-internal-access is a policy that you create that denies user access to the internal networks.

Creating an Auth-Guest User Role

The auth-guest user role consists of the following ordered policies:

  • drop-and-log is a policy that you create that denies all traffic and logs the attempted network access.

Configuring Policies and Roles

The following section describes how to configure roles and policies: creating a time range, creating aliases, creating the Guest-Logon-Access, Auth-Guest-Access, Block-Internal-Access and Drop-and-Log policies, and creating the Guest-Logon and Auth-Guest roles.

Creating a Time Range

The following procedure creates the working-hours time range while adding the first two rules of the guest-logon-access policy (the remaining rule, which needs the Public DNS alias, is added later):

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  3. Select + to add the guest-logon-access policy.
  4. For Policy Name, enter guest-logon-access.
  5. For Policy Type, select Session.
  6. Click Submit.
  7. Select the newly created guest-logon-access policy.
  8. Click + under the Policies > guest-logon-access table.
  9. In the New Rule for guest-logon-access popup, select Access Control option and click OK.
  10. Under the guest-logon-access > New forwarding Rules table, to add a new rule select the following options:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service, select UDP and enter 68 as the port. UDP 68 is the DHCP client port, so denying traffic from the user to port 68 stops a guest client from acting as a DHCP server on the guest network; this matches the CLI rule user any udp 68 deny.
    4. For Action, select Deny.
    5. Click Submit.
    6. For the Time range, select + and enter the following for adding a new time range:
    • For Name, enter working-hours.
    • For Type, select Periodic and click +.
    • For Start Day, click Weekday.
    • For Start Time, enter 07:30.
    • For End Time, enter 17:00.
    • Click Submit.
  11. Add another new rule for the guest-logon-access:
    1. For Source, select Any.
    2. For Destination, select Any.
    3. For Service/app, select Service.
    4. Select svc-dhcp for Service alias.
    5. For Action, select Permit.
    6. For Time Range, select working-hours.
    7. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

Creating Aliases

The following step defines an alias representing the public DNS server addresses. Once defined, you can use the alias in other rules and policies.

The following procedure describes how to create a destination alias:

  1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Aliases tab.
  2. In Network Aliases, click +.
  3. Select an IP Version from the drop-down list.
  4. For Name, enter Public DNS.
  5. For Description, enter a description of the destination within 128 characters.
  6. Leave Invert cleared. Selecting it makes the alias match every address except the ones configured, which would turn the DNS rule into an allow for almost any destination.
  7. For Items, click +.
  8. In the Add New Destination window, for Rule Type, select Host. For IP Address, enter 64.151.103.120. Click OK.
  9. Click Submit.
  10. Click Pending Changes.
  11. In the Pending Changes window, select the check box and click Deploy changes.

Creating a Guest-Logon-Access Policy

The following procedure adds the Public DNS rule to the guest-logon-access policy. If the policy was already created in the time range procedure above, select it and continue from step 7:

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  3. Select + to add the guest-logon-access policy.
  4. For Policy Name, enter guest-logon-access.
  5. For Policy Type, select Session.
  6. Click Submit.
  7. Select the newly created guest-logon-access policy.
  8. Click + under the Policies > guest-logon-access table.
  9. In the New Rule for guest-logon-access popup, select Access Control option and click OK.
  10. Under the guest-logon-access > New forwarding Rules table, to add a new rule select the following options:
    1. For Source, select User.
    2. For Destination, select Alias.
    3. For Destination Alias, select Public DNS.
    4. For Service/app, select Service. For Service alias, select svc-dns.
    5. For Action, select Source NAT.
    6. Under Time Range, select working-hours.
    7. Click Submit.
  11. Click Pending Changes.
  12. In the Pending Changes window, select the check box and click Deploy changes.

Creating an Auth-Guest-Access Policy

The following procedure describes how to configure the auth-guest-access policy:

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  3. Select + to create the policy.
  4. For Policy Name, enter auth-guest-access.
  5. For Policy Type, select Session.
  6. Click Submit.
  7. Select the newly created auth-guest-access policy.
  8. Click + under the Policies > auth-guest-access table.
  9. In the New Rule for auth-guest-access popup, select Access Control option and click OK.
  10. Under auth-guest-access > New forwarding Rules, to add a new rule select the following options:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service, select UDP and enter 68 as the port (the DHCP client port; denying it stops a guest from acting as a DHCP server, matching the CLI rule user any udp 68 deny).
    4. For Action, select Deny.
    5. Click Submit.
  11. Repeat steps 8 and 9 and, under auth-guest-access > New forwarding Rules, select the following options to add another rule:
    1. For Source, select Any.
    2. For Destination, select Any.
    3. For Service/app, select Service.
    4. Select svc-dhcp for Service alias.
    5. For Action, select Permit.
    6. For Time Range, select working-hours.
    7. Click Submit.
  12. Repeat steps 8 and 9 and, under auth-guest-access > New forwarding Rules, select the following options to add another rule:
    1. For Source, select User.
    2. For Destination, select Alias.
    3. For Destination Alias, select Public DNS from the drop-down list.
    4. For Service/app, select Service.
    5. Select svc-dns for Service Alias.
    6. For Action, select Source NAT.
    7. For Time Range, select working-hours.
    8. Click Submit.
  13. Repeat steps 8 and 9 and, under auth-guest-access > New forwarding Rules, select the following options to add another rule:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service/app, select Service.
    4. Select svc-http for Service alias.
    5. For Action, select Source NAT.
    6. For Time Range, select working-hours.
    7. Click Submit.
  14. Repeat steps 8 and 9 and, under auth-guest-access > New forwarding Rules, select the following options to add another rule:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service/app, select Service.
    4. Select svc-https for Service alias.
    5. For Action, select Source NAT.
    6. For Time Range, select working-hours.
    7. Click Submit.
  15. Click Submit.
  16. Click Pending Changes.
  17. In the Pending Changes window, select the check box and click Deploy changes.

Creating a Block-Internal-Access Policy

Create the destination alias Internalnetwork first, then the block-internal-access policy that references it. If the Internalnetwork alias already exists, skip the alias procedure and go directly to creating the block-internal-access policy.

The following procedure describes how to create a block-internal-access policy:

  1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Aliases tab.
  2. In Network Aliases, click +.
  3. Select an IP Version from the drop-down list.
  4. For Name, enter Internalnetwork.
  5. For Description, enter a description of the destination within 128 characters.
  6. Leave Invert cleared. Selecting it makes the alias match every address except the configured networks, so the block-internal-access policy would deny everything except internal traffic.
  7. For Items, click +.
  8. In the Add New Destination window, for Rule Type, select Network. For IP Address, enter 10.0.0.0. For Network Mask or Range, enter 255.0.0.0. Click OK. Repeat this step for every other internal range in use; the alias must cover all of them, or traffic to the uncovered ranges falls through to the permit rules of auth-guest-access.
  9. Click Submit.
  10. Click Pending Changes.
  11. In the Pending Changes window, select the check box and click Deploy changes.

The following procedure describes how to create the block-internal-access policy:

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  3. Select + to add a new policy.
  4. For Policy Name, enter block-internal-access.
  5. For Policy Type, select Session.
  6. Click Submit.
  7. Select the newly created block-internal-access policy.
  8. Click + under the Policies > block-internal-access table.
  9. In the New Rule for block-internal-access popup, select Access Control option and click OK.
  10. Under the block-internal-access > New forwarding Rules table, to add a new rule select the following options:
    1. For Source, select User.
    2. For Destination, select Alias.
    3. For Destination Alias, select Internalnetwork.
    4. For Service, select Any.
    5. For Action, select Deny.
    6. Click Submit.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

Creating a Drop-and-Log Policy

The following procedure describes how to create the drop-and-log policy:

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  3. Click + to add a new policy.
  4. For Policy Name, enter drop-and-log.
  5. For Policy Type, select Session.
  6. Click Submit.
  7. Select the newly created drop-and-log policy.
  8. Click + under the Policies > drop-and-log table.
  9. In the New Rule for drop-and-log popup, select Access Control option and click OK.
  10. Under drop-and-log > New forwarding Rules, to add a new rule select the following options:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service, select Any.
    4. For Action, select Deny.
    5. Select the Log checkbox from Options.
    6. Click Submit.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

Creating a Guest Role

The following procedure describes how to create a guest role:

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Roles tab.
  3. Click + to add a new role.
  4. Enter guest-logon as a New Role.
  5. Select the role name you just created and click Show Advanced View.
  6. Click + under the guest-logon role > Policies tab.
  7. In the New Policy popup, select the Add an existing policy option.
  8. Select the policy name guest-logon-access from the drop-down list.
  9. Click Submit.
  10. Similarly, add block-internal-access policy for the role guest-logon.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

Creating an Auth-Guest Role

The following procedure describes how to create the auth-guest role:

  1. Login to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Roles tab.
  3. Click + to add a new role.
  4. Enter auth-guest as a New Role.
  5. Select the role name you just created and click Show Advanced View.
  6. Click + under the auth-guest role > Policies tab.
  7. In the New Policy popup, select the Add an existing policy option.
  8. Select the policy name cplogout from the drop-down list.
  9. Click Submit.
  10. Similarly, add guest-logon-access, block-internal-access, auth-guest-access, drop-and-log policies for the role auth-guest.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

The following set of CLI commands configures the sample roles and policies:

Defining a Time Range

The following CLI command creates a time range:

(host) [md] (config) #time-range working-hours periodic
weekday 07:30 to 17:00

Creating Aliases

The following CLI commands create aliases. Note that 172.16.0.0/12 (the whole RFC 1918 range 172.16.0.0 to 172.31.255.255) requires the mask 255.240.0.0; with 255.255.0.0 only 172.16.0.0/16 is covered and the rest of the range is not blocked:

(host) [md] (config) #netdestination "Internal Network"
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.240.0.0
network 192.168.0.0 255.255.0.0

(host) [md] (config) #netdestination "Public DNS"
host 64.151.103.120
host 216.87.84.209

Creating a Guest-Logon-Access Policy

The following CLI commands create a guest-logon-access policy:

(host) [md] (config) #ip access-list session guest-logon-access
user any udp 68 deny
any any svc-dhcp permit time-range working-hours
user alias "Public DNS" svc-dns src-nat time-range working-hours

Creating an Auth-Guest-Access Policy

The following CLI commands create an auth-guest-access policy:

(host) [md] (config) #ip access-list session auth-guest-access
user any udp 68 deny
any any svc-dhcp permit time-range working-hours
user alias "Public DNS" svc-dns src-nat time-range working-hours
user any svc-http src-nat time-range working-hours
user any svc-https src-nat time-range working-hours

Creating a Block-Internal-Access Policy

The following CLI command creates a block-internal-access policy:

(host) [md] (config) #ip access-list session block-internal-access
user alias "Internal Network" any deny

Creating a Drop-and-Log Policy

The following CLI command creates a drop-and-log policy:

(host) [md] (config) #ip access-list session drop-and-log
user any any deny log

Creating an Auth-Guest Role

The following CLI commands create an auth-guest role. Policies are evaluated in position order and the first matching rule wins, so drop-and-log must stay last:

(host) [md] (config) #user-role auth-guest
(host) [md] (config-submode)#access-list session captiveportal
(host) [md] (config-submode)#access-list session cplogout position 1
(host) [md] (config-submode)#access-list session guest-logon-access position 2
(host) [md] (config-submode)#access-list session block-internal-access position 3
(host) [md] (config-submode)#access-list session auth-guest-access position 4
(host) [md] (config-submode)#access-list session drop-and-log position 5
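Because the role applies its policies in position order and stops at the first matching rule, it is worth checking what a given guest flow actually hits before deploying. The following Python script is an added example, not ArubaOS code and not part of the original page: it models first-match evaluation of the auth-guest role's policies above against constructed sample flows. It assumes a flow is described by its source (the client or not), destination IPv4 address, protocol, destination port and local weekday hour, treats src-nat as a permit, uses the ArubaOS service alias ports (svc-dhcp udp/67, svc-dns udp/53, svc-http tcp/80, svc-https tcp/443), and leaves out the predefined cplogout and captiveportal policies, which the page does not define. It also shows the difference between the 255.240.0.0 and 255.255.0.0 masks on the 172.16.0.0 entry of the Internal Network alias.

```python
"""Added example (not ArubaOS code): first-match simulation of the session
ACLs defined on this page, to check rule order, the working-hours time range
and the Internal Network alias before deploying the auth-guest role.
Assumed, not from the page: flow model, src-nat treated as permit, and the
predefined cplogout/captiveportal policies left out."""
import ipaddress
from dataclasses import dataclass

# ArubaOS predefined service aliases used by the page's rules.
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
            "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}


def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Destination aliases from the CLI section (172.16.0.0/12 = mask 255.240.0.0).
ALIASES = {
    "Public DNS": _nets("64.151.103.120/32", "216.87.84.209/32"),
    "Internal Network": _nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
}
# Same alias with a 255.255.0.0 mask on 172.16.0.0, to show what it lets through.
NARROW_ALIASES = {**ALIASES, "Internal Network":
                  _nets("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16")}

# time-range working-hours periodic weekday 07:30 to 17:00, as decimal hours.
WORKING_HOURS = (7.5, 17.0)

# Rules as (source, destination, service, action, time-range), one per CLI line.
# Destination is "any" or an alias name; service is "any", a service alias
# name, or an explicit (proto, port) pair such as udp 68.
POLICIES = {
    "guest-logon-access": [
        ("user", "any", ("udp", 68), "deny", None),
        ("any", "any", "svc-dhcp", "permit", "working-hours"),
        ("user", "Public DNS", "svc-dns", "src-nat", "working-hours"),
    ],
    "block-internal-access": [
        ("user", "Internal Network", "any", "deny", None),
    ],
    "auth-guest-access": [
        ("user", "any", ("udp", 68), "deny", None),
        ("any", "any", "svc-dhcp", "permit", "working-hours"),
        ("user", "Public DNS", "svc-dns", "src-nat", "working-hours"),
        ("user", "any", "svc-http", "src-nat", "working-hours"),
        ("user", "any", "svc-https", "src-nat", "working-hours"),
    ],
    "drop-and-log": [("user", "any", "any", "deny log", None)],
}

# Policy order of the auth-guest role (positions 2 to 5 in the CLI section).
AUTH_GUEST_ORDER = ["guest-logon-access", "block-internal-access",
                    "auth-guest-access", "drop-and-log"]


@dataclass(frozen=True)
class Flow:
    from_user: bool   # True when the client itself is the source ("user")
    dst: str          # destination IPv4 address
    proto: str        # "udp" or "tcp"
    dport: int        # destination port
    hour: float       # local weekday time as decimal hours, e.g. 13.5


def _service_matches(service, flow):
    if service == "any":
        return True
    proto, port = SERVICES[service] if isinstance(service, str) else service
    return flow.proto == proto and flow.dport == port


def _dest_matches(dest, flow, aliases):
    if dest == "any":
        return True
    ip = ipaddress.ip_address(flow.dst)
    return any(ip in net for net in aliases[dest])


def _time_matches(time_range, flow):
    # Only working-hours exists on this page; the end time is exclusive.
    if time_range is None:
        return True
    start, end = WORKING_HOURS
    return start <= flow.hour < end


def evaluate(flow, order=AUTH_GUEST_ORDER, aliases=ALIASES):
    """Return (policy, rule index, action) of the first matching rule.

    As on the firewall, evaluation stops at the first match; a flow that
    matches no rule falls to the implicit deny at the end of the role.
    """
    for name in order:
        for i, (src, dest, svc, action, tr) in enumerate(POLICIES[name]):
            if src == "user" and not flow.from_user:
                continue
            if (_dest_matches(dest, flow, aliases) and _service_matches(svc, flow)
                    and _time_matches(tr, flow)):
                return name, i, action
    return None, None, "deny (implicit)"


if __name__ == "__main__":
    # Constructed sample flows from an authenticated guest on a weekday.
    internal = Flow(True, "172.20.0.5", "tcp", 80, 10.0)
    for label, flow in [("rogue DHCP server (udp/68)", Flow(True, "192.168.1.10", "udp", 68, 10.0)),
                        ("HTTP to 172.20.0.5 (internal)", internal),
                        ("HTTPS to Internet at 20:00", Flow(True, "93.184.216.34", "tcp", 443, 20.0)),
                        ("DNS to 8.8.8.8 (not in alias)", Flow(True, "8.8.8.8", "udp", 53, 10.0))]:
        print(f"{label:32} -> {evaluate(flow)}")
    print(f"internal flow with 255.255.0.0 mask -> {evaluate(internal, aliases=NARROW_ALIASES)}")
```

Two results are worth noting. DNS to a resolver outside the Public DNS alias is not permitted by any rule and ends in drop-and-log, so guests can only use the listed resolvers. With the narrow 255.255.0.0 mask, HTTP to 172.20.0.5 slips past block-internal-access and is permitted by the svc-http rule of auth-guest-access, which is why the alias has to cover the full internal range.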