Introduction This how-to explains how to configure a guest network with the Ubiquiti Unifi 4 platform with the built-in guest portal ...
Introduction
This how-to explains how to configure a guest network with the Ubiquiti Unifi 4 platform with the built-in guest portal option.
Note: In order for guest networks to function correctly, your Unifi controller has to be always on and accessible. I recommend setting it up to run as a service.
Steps (12 total)
See this how-to for detailed instructions on how to do this if you have not set up your equipment already
Using this method you don't need to be a networking expert to create segregated Guest access. It is as simple as checking a checkbox.
Login to your Unifi Controller and go to the Settings section. Then Check the box to Enable Guest Portal
You will now see a number of options. Let me explain each quickly.
Authentication. You have 4 choices here.
"No Authentication" - Creates an open network anyone can connect to
"Simple Password" - Creates a password protected network
"Hotspot" - Enables the built in Voucher system for generating and using one time access codes
"External Portal Server" - Enables Segregation but redirects to a 3rd party service of your choice for access control
"No Authentication" - Creates an open network anyone can connect to
"Simple Password" - Creates a password protected network
"Hotspot" - Enables the built in Voucher system for generating and using one time access codes
"External Portal Server" - Enables Segregation but redirects to a 3rd party service of your choice for access control
"Expiration" - is the time a client is allowed to remain on the network before being kicked off by the controller
"Landing Page" Redirect to the original url directs clients to the Unifi controller landing page when they join your network. Or you can specify a promotional page which will use a custom URL of your choosing
Portal Customization allows you to use custom Landing pages See the Ubiquiti Community for details on this
"Portal URL Hostname" allows you to create a friendly name to be used with your portal instead of using the Controller IP. This is useful if you plan to install your own Certificate and use HTTPS to avoid SSL warnings
I am going to use the "HotSpot" option in this example so I will choose HotSpot
This adds a subsection "HotSpot" in this section I am going to Enable Voucher-based authorization as I want to use one time use codes
Access Control allows you to specify what Guests should be able to access on your network. By default Unifi will allow access for DHCP and DNS to whatever device provides these services on your network.
Make sure you enter all Subnets you are using in Restricted Subnets. This is Key in ensuring guests will not be allowed to access resources you wish to keep private.
If there is something you wish to allow access on your Private network such as a printer you can specifically allow that device by creating and entry in the Allowed Subnets section using the format of 0.0.0.0/32 where 0.0.0.0 is the IP range and /32 the Mask
Save your Settings
Go to Wireless Networks and click the Create New Wireless Network button
Enter the SSID
Chose a security method. Open is normally used for a guest network. If you chose any other method you add one more layer that guest users must navigate through to access your network
Enable Guest Policy - This applies the Guest Policy we created above
Under Advanced options there is a "User Group" this allows you to create an apply "User Group Policies" to throttle bandwidth on your guest network if desired. I haven't created a policy and will leave this as default with no Throttling
Save your settings
You now have a working Guest network Congratulations!
However there is one more step. We need to generate the One Time Use codes to hand out to allow users to connect to our network
Go back to Guest Control and click on the "Go to Hotspot Manager" link
A new tab will open with the hotspot manager. This page allows you to manage your hotspot configuration and see basic usage info relating your guest traffic
We only care about 2 items in this section currently.
Vouchers and Operators
Vouchers and Operators
The Operator's login allows you to create an Operator account. An operator is a user who has the ability to log into the Hotspot Manager and create vouchers \ manage payments and take basic actions to manage the Guest network such as allow or block a guest. This is useful to give a Non IT person such as a Reception desk access to manage your guest network and authenticate guest users
The Create Vouchers item allows you to create batches of vouchers for guest authentication.
Let's Create a set of 10 One time use vouchers (each one with a unique code) with an 8 hour expiration.
Note the Time limit defines how long the client can gain network access once the code has been used. After 8 hours they will need a new code
At this point I would normally print the vouchers and leave them with a Receptionist to hand out as needed until they are all used up.
To print the vouchers simply press the Print Batch button and the entire batch (Valid vouchers only) will be printed to paper for distribution. As a Voucher is used it will be removed from this list.
You can reprint, revoke or create more vouchers at any time by coming back to this window
When a guest connects to your guest network and attempts to browse the internet they will be directed to a landing page. They will not be able to access the internet until they supply a valid voucher code. Once this is done they will be free to browse the internet. Congratulations. You have now configured your guest network
Conclusion
I only touched on one of many ways available (which is my personal favorite) for setting up a guest network with Unifi. I am sure you noticed there are other option including options that will allow you to charge for access.
For a full listing of all options please refer to the Unifi Controller Configuration Guide and the Ubiquiti Community.
For added security it is recomended that you also implement a VLAN configuration. This article does not talk about how to do this and only demonstrates a basic setup of a Guest Network with basic Segregation.
No comments
Post a Comment