Configuring Wireless Networks for Guest Users on IAPs

Instant Access Points (IAPs) support the captive portal authentication method, in which a web page is presented to guest users when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The web page also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well.

The captive portal solution for an IAP cluster consists of the following:

The IAP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal webpage prompts the user to authenticate with a user name and password.

Splash Page Profiles

IAPs support the following types of splash page profiles:

  • Internal Captive Portal—Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
    • Internal Authenticated—When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
    • Internal Acknowledged—When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
  • External Captive portal—Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
  • Cloud Guest—Select this splash page to use the cloud guest profile configured through the Guest Management tab.

Creating a Wireless Network Profile for Guest Users

To create an SSID for guest users, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed. For more information on Wireless Details page, see Viewing the Wireless SSIDs Table.

  5. In the WLANs page, click + Add SSID.

    The Create a New Network pane is displayed.

  6. Under General, enter a network name in the Name (SSID) text-box.
  7. If configuring a wireless guest profile, set the required WLAN configuration parameters described in Table 1.
  8. Click Next.

    The VLANs details are displayed.

  9. Under VLANs, select any of the following options for Client IP Assignment:

Table 1: VLANs Assignment

Parameter

Description

Instant AP assigned

When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs.

If this option is selected, specify any of the following options in Client VLAN Assignment:

  • Internal VLAN—Assigns IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
  • Custom—Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned

When this option is selected, specify any of the following options in Client VLAN Assignment:

  • Static—In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
    •  To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
      1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
      2. Enter the VLAN Name and VLAN details, and then click OK.
  • Dynamic—Assigns the VLANs dynamically from a DHCP server.
    •  To add a new VLAN assignment rule, complete the following steps:
      1. Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
      2. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
    • To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon.
    • To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
      1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
      2. Enter the VLAN Name and VLAN details, and then click OK.
    • To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
  • Native VLAN—The client VLAN is assigned to the native VLAN.

For more information, see Configuring VLAN Assignment Rule.

Configuring an Internal Captive Portal Splash Page Profile

To configure an internal captive portal profile, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed.

  5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
  6. Under Security tab, in the Security Level, select Visitors and configure the following parameters:

    Table 2: Internal Captive Portal Configuration Parameters

    Parameter

    Description

    Type

    Select Internal Captive Portal from the drop-down list.

     

    Captive Portal Location

    Select Acknowledged or Authenticated from the drop-down list.

    Customize Captive Portal

    Under Splash Page, when Customize Captive Portal is clicked, use the editor to specify text and colors for the initial page that is displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Authenticated or Acknowledged) for which you are customizing the splash page design.

    Complete the following steps to customize the splash page design.

    • Policy text—To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
    • Top banner title—Enter a title for the banner.
    • Header fill color—Specify a background color for the header.
    • Welcome text—To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
    • Page fill color—To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
    • Redirect URL—To redirect users to another URL, specify a URL in Redirect URL.
    • Logo image—To upload a custom logo, click Choose File to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo.

    To preview the captive portal page, click Preview.

    To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.

    Primary Server

    Select the required authentication server option from the drop-down list. If external servers are already configured, select an authentication server from the list; to add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.

    Users

    Create and manage users in the captive portal network. Only registered users of type Guest will be able to access this network.

    Encryption

    By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:

    1. Key Management—Specify an encryption and authentication key.
    2. Passphrase format—Specify a passphrase format.
    3. Passphrase—Enter a passphrase.
    4. Retype—Retype the passphrase to confirm.

    Key Management

    Select Open or Enhanced Open from the drop-down list.

    Advanced Settings

    Captive Portal Proxy Server IP

    Specify the IP address of the Captive Portal proxy server.

    Captive Portal Proxy Server Port

    Specify the port number of the Captive Portal proxy server.

    MAC Authentication

    Configure the following parameters:

    • Secondary Server—To add another server for authentication, configure another authentication server.
    • Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients.

    To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.

    To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.

    Reauth Interval

    Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    Accounting

    Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.

    Denylisting

    If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

    Max Authentication Failures

    Sets a value for the maximum allowed authentication failures.

    Enforce DHCP

    Enforces WLAN SSID on IAP clients. When DHCP is enforced:

    • A layer-2 user entry is created when a client associates with an IAP.
    • The client DHCP state and IP address are tracked.
    • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
    • If the DHCP state is complete, a layer-3 user entry is created.
    • When a client roams between the IAPs, the DHCP state and the client IP address are synchronized with the new IAP.

    WPA3 Transition

    Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Visitors, and Open level.

    Called Station ID Include SSID

    Appends the SSID name to the called station ID.

    Uppercase Support

    Select this option to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

    Disable if uplink type is

    To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s). For example, Ethernet, Wi-Fi, and 3G/4G.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

  7. Click Save Settings.

Configuring an External Captive Portal Splash Page Profile

You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles and associate these profiles with an SSID or a wired profile. You can configure up to eight external captive portal profiles.

When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

To configure an external captive portal profile, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed.

  5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
  6. Under Security tab, in the Security Level, select Visitors.
  7. Select the Splash Page type as External Captive Portal.
  8. Select a Captive Portal Profile. To add a new profile, click + and configure the following parameters:

    Table 3: External Captive Portal Profile Configuration Parameters

    Data Pane Item

    Description

    Name

    Enter a name for the profile.

    Authentication Type

    Select any one of the following types of authentication:

    • Radius Authentication—Select this option to enable user authentication against a RADIUS server.
    • Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

    IP or Hostname

    Enter the IP address or the host name of the external splash page server.

    URL

    Enter the URL of the external captive portal server.

    Port

    Enter the port number that is used for communicating with the external captive portal server.

    Use HTTPS

    Select this to require clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

    Captive Portal Failure

    This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.

    Server Offload

    Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

    Prevent Frame Overlay

    Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

    Auth Text

    If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

    Use VC IP in Redirect URL

    Sends the IP address of the virtual controller in the redirection URL when external captive portal servers are used.

    This option is disabled by default.

    Redirect URL

    Specify a redirect URL if you want to redirect the users to another URL.

  9. Click OK.
  10. Configure the following External Captive Portal configuration Parameters:

Table 4: External Captive Portal Configuration Parameters

Parameter

Description

Primary Server

Primary Server—Sets a primary authentication server.

  • To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  • To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.

Users

Create and manage users in the captive portal network. Only registered users of type Guest will be able to access this network.

Encryption

By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:

  1. Key Management—Specify an encryption and authentication key.
  2. Passphrase format—Specify a passphrase format.
  3. Passphrase—Enter a passphrase.
  4. Retype—Retype the passphrase to confirm.

Key Management

Select Open or Enhanced Open from the drop-down list.

Advanced Settings

Captive Portal Proxy Server IP

Specify the IP address of the Captive Portal proxy server.

Captive Portal Proxy Server Port

Specify the port number of the Captive Portal proxy server.

MAC Authentication

Configure the following parameters:

  • MAC Authentication—To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
  • Secondary Server—To add another server for authentication, configure another authentication server.
  • Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients.

To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.

To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.

Delimiter Character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Use IP for Calling Station ID

Turn on the toggle switch to use the client IP address as the calling station ID.

Called Station ID Type

Select one of the following options:

  • Access Point Group—Uses the VC ID as the called station ID.
  • Access Point Name—Uses the host name of the IAP as the called station ID.
  • VLAN ID—Uses the VLAN ID as the called station ID.
  • IP Address—Uses the IP address of the IAP as the called station ID.
  • MAC address—Uses the MAC address of the IAP as the called station ID.
  • NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.

Reauth Interval

Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

Accounting

Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.

Denylisting

If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Max Authentication Failures

Sets a value for the maximum allowed authentication failures.

Enforce DHCP

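Enforces WLAN SSID on IAP clients. When DHCP is enforced:

  • A layer-2 user entry is created when a client associates with an IAP.
  • The client DHCP state and IP address are tracked.
  • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
  • If the DHCP state is complete, a layer-3 user entry is created.
  • When a client roams between the IAPs, the DHCP state and the client IP address are synchronized with the new IAP.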

WPA3 Transition

Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Visitors, and Open level.

Called Station ID Include SSID

Appends the SSID name to the called station ID.

Uppercase Support

Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Walled Garden

  • If required, create a list of domains that are denylisted and also an allowlist of websites that the users connected to this splash page profile can access.

    Disable if uplink type is

    To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s). For example, Ethernet, Wi-Fi, and 3G/4G.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

    • 802.11k—Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
    • 802.11v—Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.
    • RRM Quiet IE—Turn off the toggle switch to disable Quiet IE and disable transmission of the 802.11k Quiet IE information elements. When you enable RRM Quiet IE, the AP will advertise in beacon and probe responses the Quiet IE, that is used to silence the channel for measurement purposes. When an AP uses Quiet IE to schedule a quiet interval, stations will not transmit on that channel during the quiet interval.
  11. Click Next.
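
The Delimiter Character and Uppercase Support settings above decide the exact MAC address string the IAP places in the MAC authentication request, so user entries stored in a different notation on the authentication server will not match on a plain string comparison. The following is an added example, not code from the product or this documentation: it models the string produced for each setting and a server-side lookup that canonicalizes both sides. The function names, the sample user database, and the assumption that the string is lowercase when Uppercase Support is off are all constructed for illustration.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits.

    Separators (colon, dash, dot, ...) are dropped; anything that does not
    leave exactly 12 hex digits is rejected rather than silently accepted.
    """
    stripped = re.sub(r"[^0-9a-z]", "", value.strip().lower())
    if not _HEX12.match(stripped):
        raise ValueError(f"not a MAC address: {value!r}")
    return stripped


def iap_mac_string(mac, delimiter="", uppercase=False):
    """Model of the MAC string sent in the MAC authentication request.

    delimiter -- the Delimiter Character setting ("" when not specified)
    uppercase -- the Uppercase Support toggle (lowercase assumed when off)
    """
    if len(delimiter) > 1 or delimiter.isalnum():
        raise ValueError("delimiter must be empty or one non-alphanumeric character")
    digits = canonical_mac(mac)
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    text = delimiter.join(octets)
    return text.upper() if uppercase else text


def exact_match(user_db, presented):
    """Plain string comparison: depends on both sides using the same notation."""
    return presented in user_db


def canonical_match(user_db, presented):
    """Notation-independent comparison: canonicalize both sides first."""
    return canonical_mac(presented) in {canonical_mac(entry) for entry in user_db}


# Constructed sample: server-side entries stored in upper-case, dash notation.
USER_DB = ["AA-BB-CC-00-11-22", "AA-BB-CC-00-11-33"]

if __name__ == "__main__":
    client = "aa:bb:cc:00:11:22"  # constructed client MAC
    for delim, upper in (("", False), (":", False), ("-", True)):
        sent = iap_mac_string(client, delim, upper)
        print(f"delimiter={delim!r:4} uppercase={upper!s:5} sent={sent:18} "
              f"exact={exact_match(USER_DB, sent)} "
              f"canonical={canonical_match(USER_DB, sent)}")
```
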

    Configuring a Cloud Guest Splash Page Profile

    To create a cloud guest network profile, see Configuring a Guest Splash Page Profile.

    Associating a Cloud Guest Splash Page Profile to a Guest SSID

    To use the Cloud Guest splash page profile for the guest SSID, ensure that the Cloud Guest splash page profile is configured through the Guest Access app.

    To associate a Cloud Guest splash page profile to a guest SSID, complete the following steps:

    1. In the WebUI, set the filter to a group containing at least one AP.

      The dashboard context for the group is displayed.

    2. Under Manage, click Devices > Access Points.

      A list of APs is displayed in the List view.

    3. Click the Config icon.

      The tabs to configure the APs are displayed.

    4. Click the WLANs tab.

      The WLANs details page is displayed.

    5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
    6. Click the Security tab.
    7. Under Security tab, in the Security Level, select Visitors.
    8. Select Cloud Guest from the Type drop-down list.
    9. Select the splash page profile name from the Guest Captive Portal Profile list.
    10. Configure the following parameters:

    Table 5: Cloud Guest Configuration Parameters

    Parameter

    Description

    Encryption

    By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:

    1. Key Management—Specify an encryption and authentication key.
    2. Passphrase format—Specify a passphrase format.
    3. Passphrase—Enter a passphrase.
    4. Retype—Retype the passphrase to confirm.

    Key Management

    Select Open or Enhanced Open from the drop-down list.

    Advanced Settings

    Delimiter Character

    Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

    Use IP for Calling Station ID

    Turn on the toggle switch to use the client IP address as the calling station ID.

    Called Station ID Type

    Select one of the following options:

    • Access Point Group—Uses the VC ID as the called station ID.
    • Access Point Name—Uses the host name of the IAP as the called station ID.
    • VLAN ID—Uses the VLAN ID as the called station ID.
    • IP Address—Uses the IP address of the IAP as the called station ID.
    • MAC address—Uses the MAC address of the IAP as the called station ID.
    • NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.

    Enforce DHCP

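    Enforces WLAN SSID on IAP clients. When DHCP is enforced:

    • A layer-2 user entry is created when a client associates with an IAP.
    • The client DHCP state and IP address are tracked.
    • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
    • If the DHCP state is complete, a layer-3 user entry is created.
    • When a client roams between the IAPs, the DHCP state and the client IP address are synchronized with the new IAP.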

    Called Station ID Include SSID

    Appends the SSID name to the called station ID.

    Uppercase Support

    Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

    Disable if uplink type is

    To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s). For example, Ethernet, Wi-Fi, and 3G/4G.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

    • 802.11k—Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
    • 802.11v—Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.
    • RRM Quiet IE—Turn off the toggle switch to disable Quiet IE and disable transmission of the 802.11k Quiet IE information elements. When you enable RRM Quiet IE, the AP will advertise in beacon and probe responses the Quiet IE, that is used to silence the channel for measurement purposes. When an AP uses Quiet IE to schedule a quiet interval, stations will not transmit on that channel during the quiet interval.
    11. Click Next.

      When you clone an existing group, the unshared splash page profile in the existing group is not cloned to the new group. In the existing group, if an unshared splash page is associated with a guest network, then the splash page value is empty in the guest network of the new group.

    Configuring ACLs for Guest User Access

    To configure access rules for a guest network, complete the following steps:

    1. In the WebUI, set the filter to a group containing at least one AP.

      The dashboard context for the group is displayed.

    2. Under Manage, click Devices > Access Points.

      A list of APs is displayed in the List view.

    3. Click the Config icon.

      The tabs to configure the APs are displayed.

    4. Click the WLANs tab.

      The WLANs details page is displayed.

    5. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
    6. Click the Access tab.
    7. Under Access rules, select any of the following types of access control:
      • Unrestricted—Select this to set unrestricted access to the network.
      • Network Based—Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
        1. Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
        2. Click Save.
      • Role Based—Select Role Based to enable access based on user roles.

    For role-based access control, complete the following steps:

    1. To create a user role:
      1. Click + Add Role in the Role pane.
      2. Enter a name for the new role and click OK.
    2. To create access rules for a specific user role:
      1. Click + Add Rule in Access Rules for Selected Roles, and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
      2. Click Save.
    3. To create a role assignment rule:
      1. Under Role Assignment Rules, click + Add Role Assignment. The New Role Assignment Rule pane is displayed.
      2. Select appropriate options in Attribute, Operator, String, and Role fields.
      3. Click Save.
    4. To assign a pre-authentication role, select the Assign Pre-Authentication Role check box and select a pre-authentication role from the drop-down list.
    5. Turn on the Enforce MAC Auth Only Role toggle switch, when MAC authentication is enabled for captive portal. After successful MAC authentication, the MAC Auth Only role is assigned to the client.

    6. Click Next.
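The Network Based option starts from an Allow any to all destinations rule. The following added example (not Aruba code) models a guest rule list with the Service, Action, and Destination fields named above and compares that default with a restricted list. The first-match evaluation order, the implicit final deny, and all rule and flow values are assumptions made for the illustration.

```python
import ipaddress

# Constructed rule sets. Keys mirror the Service / Action / Destination fields;
# the values are hypothetical and not exported from any device.
DEFAULT_RULES = [
    {"service": "any", "action": "allow", "destination": "any"},
]
RESTRICTED_RULES = [
    {"service": "udp/53", "action": "allow", "destination": "any"},
    {"service": "any", "action": "deny", "destination": "10.0.0.0/8"},
    {"service": "any", "action": "deny", "destination": "172.16.0.0/12"},
    {"service": "any", "action": "deny", "destination": "192.168.0.0/16"},
    {"service": "tcp/80", "action": "allow", "destination": "any"},
    {"service": "tcp/443", "action": "allow", "destination": "any"},
]

def matches(rule, proto, port, dst_ip):
    """True when the flow's service and destination both fit the rule."""
    if rule["service"] not in ("any", f"{proto}/{port}"):
        return False
    if rule["destination"] == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["destination"])

def evaluate(rules, proto, port, dst_ip):
    """Assumption: rules are read top-down and the first match decides."""
    for rule in rules:
        if matches(rule, proto, port, dst_ip):
            return rule["action"]
    return "deny"  # assumption: unmatched traffic is denied

def internal_exposure(rules, flows):
    """Flows to private address space that the rule list would allow."""
    return [f for f in flows
            if ipaddress.ip_address(f[2]).is_private
            and evaluate(rules, *f) == "allow"]

# Constructed guest flows: (protocol, destination port, destination IP).
SAMPLE_FLOWS = [
    ("tcp", 445, "10.20.30.40"),
    ("tcp", 443, "192.168.1.10"),
    ("udp", 53, "10.0.0.53"),
    ("tcp", 443, "93.184.216.34"),
]

if __name__ == "__main__":
    print("default   :", internal_exposure(DEFAULT_RULES, SAMPLE_FLOWS))
    print("restricted:", internal_exposure(RESTRICTED_RULES, SAMPLE_FLOWS))
```

With the default rule every sample flow to a private address is allowed; with the restricted list only the DNS query remains.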

    Configuring Captive Portal Roles for an SSID

    You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules to provide access to an external or internal captive portal, so that some of the clients using this SSID can derive the captive portal role.

    The following conditions apply to the 802.1X and captive portal authentication configuration:

    • If captive portal settings are not configured for a user role, the captive portal settings configured for an SSID are applied to the client's profile.
    • If captive portal settings are not configured for an SSID, the captive portal settings configured for a user role are applied to the client's profile.
    • If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are applied to the profile of the client.

    To create a captive portal role for the Internal and External splash page types:

    1. In the WebUI, set the filter to a group containing at least one AP.

      The dashboard context for the group is displayed.

    2. Under Manage, click Devices > Access Points.

      A list of APs is displayed in the List view.

    3. Click the Config icon.

      The tabs to configure the APs are displayed.

    4. Click the WLANs tab.

      The WLANs details page is displayed.

    5. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
    6. Click the Access tab.
    7. Under Access rules, select Role Based.
    8. Click + Add Rule in Access Rules for Selected Roles.
    9. In the Add Rules window, specify the following parameters.

      Table 6: Access Rule Configuration Parameters

      Data Pane Item: Description

      Rule Type: Select Captive Portal from the drop-down list.

      Splash Page Type: Select a splash page type from the drop-down list.

      Internal: If Internal is selected in the Splash Page Type drop-down list, complete the following steps:

      • Top banner title—Enter a title for the banner. To preview the page with the new banner title, click Preview splash page.
      • Header fill color—Specify a background color for the header.
      • Welcome text—To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
      • Policy text—To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
      • Page fill color—To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
      • Redirect URL—To redirect users to another URL, specify a URL in Redirect URL.
      • Logo image—To upload a custom logo, click Choose File to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo.

      To preview the captive portal page, click Preview splash page.

      External: If External is selected in the Splash Page Type drop-down list, complete the following steps:

      • Captive Portal Profile—Select a profile from the drop-down list.

      To create a profile, click the + icon and enter the following information in the External Captive Portal window.

      • Name—Enter a name for the profile.
      • Authentication Type—From the drop-down list, select either RADIUS Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to be returned by the external server after a successful user authentication).
      • IP OR Hostname—Enter the IP address or the hostname of the external splash page server.
      • URL—Enter the URL for the external splash page server.
      • Port—Enter the port number for communicating with the external splash page server.
      • Captive Portal Failure—This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. From the drop-down list, select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.
      • Server offload—Turn on the toggle switch to offload the server.
      • Prevent Frame Overlay—Turn on the toggle switch to prevent frame overlay.
      • Use VC IP in Redirect URL—Turn on the toggle switch to use the virtual controller IP address as a redirect URL.
      • Auth TEXT—Indicates the authentication text returned by the external server after a successful user authentication.
      • Redirect URL—Specify a redirect URL to redirect the users to another URL.

      To edit a profile, click the edit icon and modify the parameters in the External Captive Portal window.

    10. Click OK. The enforce captive portal rule is created and listed as an access rule.
    11. Click Save Settings.

    The client can connect to this SSID after authenticating with user name and password. After the user logs in successfully, the captive portal role is assigned to the client.
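Because settings on a user role take the place of the SSID's captive portal settings, a review has to look at what actually applies to each role. The following added example (not Aruba code) resolves the effective settings according to the three conditions listed above and checks them against the limits and options in Table 6. The dictionary keys, role names, and sample values are hypothetical, and 16 KB is taken as 16 * 1024 bytes.

```python
# Limits stated in Table 6 for the internal splash page.
MAX_WELCOME_CHARS = 127
MAX_POLICY_CHARS = 255
MAX_LOGO_BYTES = 16 * 1024  # assumption: "16 KB" read as 16 * 1024 bytes

def effective_portal(ssid_cp, role_cp):
    """Role settings apply when configured; otherwise the SSID settings do."""
    return role_cp if role_cp is not None else ssid_cp

def audit_portal(cp):
    """Return findings for one captive portal settings dict (hypothetical keys)."""
    if cp is None:
        return ["no captive portal settings on SSID or role"]
    findings = []
    if cp["type"] == "internal":
        if len(cp.get("welcome_text", "")) > MAX_WELCOME_CHARS:
            findings.append("welcome text exceeds 127 characters")
        if len(cp.get("policy_text", "")) > MAX_POLICY_CHARS:
            findings.append("policy text exceeds 255 characters")
        if cp.get("logo_bytes", 0) > MAX_LOGO_BYTES:
            findings.append("logo image exceeds 16 KB")
    else:  # external captive portal profile
        if cp.get("captive_portal_failure") == "Allow Internet":
            findings.append("fail-open: Internet allowed when portal server is down")
        if not cp.get("prevent_frame_overlay", False):
            findings.append("Prevent Frame Overlay is off")
        if not 1 <= cp.get("port", 0) <= 65535:
            findings.append("port is outside 1-65535")
    return findings

def audit_ssid(ssid_cp, roles):
    """Audit the settings that actually apply to each role on the SSID."""
    return {name: audit_portal(effective_portal(ssid_cp, role_cp))
            for name, role_cp in roles.items()}

# Constructed sample: a strict SSID profile and two roles with their own settings.
SSID_CP = {"type": "external", "captive_portal_failure": "Deny Internet",
           "prevent_frame_overlay": True, "port": 443}
ROLES = {
    "guest": None,  # no role settings, so the SSID profile applies
    "contractor": {"type": "external", "captive_portal_failure": "Allow Internet",
                   "prevent_frame_overlay": True, "port": 443},
    "lobby": {"type": "internal", "welcome_text": "W" * 130,
              "policy_text": "Acceptable use applies.", "logo_bytes": 20000},
}

if __name__ == "__main__":
    for role, findings in audit_ssid(SSID_CP, ROLES).items():
        print(role, findings or "ok")
```

The contractor role is flagged even though the SSID profile denies Internet on portal failure, because the role's own profile is the one applied.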