Pulse Policy Secure. Guest Access Solution Configuration Guide. Product Release 5.2. Document Revision 1.0 Published:

Transcription

1 Pulse Policy Secure Guest Access Solution Configuration Guide Product Release 5.2 Document Revision 1.0 Published: by Pulse Secure, LLC. All rights reserved

2 Guest Access Solution Configuration Guide Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA by Pulse Secure, LLC. All rights reserved Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Pulse Policy Secure Enterprise Guest Access Solution Configuration Guide The information in this document is current as of the date on the title page. END USER LICENSE AGREEMENT The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA by Pulse Secure, LLC. All rights reserved 2

3 Table of Contents Table of Contents About the Documentation Documentation and Release Notes Supported Platforms Documentation Conventions Requesting Technical Support Self-Help Online Tools and Resources Opening a Case with PSGSC PART 1 Overview CHAPTER 1 Guest Access CHAPTER 2 Deployment Guest Access Solution with WLC Captive Portal with Juniper EX/SRX Firewall with GUAM Managed Users PART 2 Configuration CHAPTER 3 Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Default Configuration Settings on Pulse Policy Secure Sign-In-Policies User Realms User Roles Location Groups Authentication Protocol Set Authentication Server Configuring RADIUS Client on Pulse Policy Secure Configuring SMTP and SMS gateway settings on Pulse Policy Secure SMTP Settings for Guest User Accounts SMS Gateway Settings for Guest User Accounts Configuring Guest Access Settings on Pulse Policy Secure Enabling Onboarding Feature Localization CHAPTER 4 Guest User Account Management Framework Using Task Guidance Configuring the Guest User Access Before You Begin Configuring the Local Authentication Server Configuring a Role for Guest User Account Managers Configuring a Role for Guest Users Configuring a Guest Realm Configuring Role Mapping Rules Configuring a Sign-In Policy for Guests Configuring Resource Access Policies for Guests Configuring a Guest User Account Manager Account Customizing Guest Self Registration Pages by Sample Files by Pulse Secure, LLC. All rights reserved 3

4 Guest Access Solution Configuration Guide Downloading the Sample Template Files Modifying the Sample Template Files Uploading Your Customized Files Using the Customized Pages Verifying the Customization Customizing Guest Login Page through Admin UI Modifying the settings in Pulse Policy Secure Admin UI Verifying the Customization Part 3 Configuring WLC CHAPTER 5 Configuring Cisco 2500 WLC Configuring Cisco WLC for Pulse Policy Secure GUAM and Guest Self-Registration Configuration required on Cisco WLC for Local AP mode Configuration Required on Cisco WLC in Remote AP mode CHAPTER 6 Configuring Cisco 3850 WLC Configuring Cisco WLC using Web GUI Configuring Cisco WLC using CLI CHAPTER 7 Configuring Aruba WLC Configuring Aruba WLC for Pulse Policy Secure Guest Self-Registration Configuration required on Aruba WLC for Campus Only mode External Captive Portal Configuration RFC 3576 server configuration WLAN Configuration for Remote Networking mode on Aruba WLC Configuring Aruba WLC in campus only mode using CLI Configuring Aruba WLC in Remote Networking mode using CLI Configuring Aruba Instant Access Point PART 4 Administration CHAPTER 8 Guest User Account Managers Creating Guest User Accounts Appendix Guest User Creating Login Credentials Scenario I Scenario II Glossary by Pulse Secure, LLC. All rights reserved

5 Table of Figures List of Figures Figure 1: Self-Registration work flow by a guest user Figure 2: Guest Access in WLC Environment Figure 3: Captive Portal with Juniper EX/SRX Firewall Figure 4: Sign-in-Polices Figure 5: Default Sign-in-Policy Figure 6: User Realms Figure 7: User Realms - Role Mapping Figure 8: Role Mapping Rule Figure 9: User Authentication Realms - General Figure 10: User Authentication Realms - Authentication Policy Figure 11: Browser settings Figure 12: Certificate Details Figure 13: Password Settings Figure 14: Host Checker Settings Figure 15: Limit Options Figure 16: RADIUS Request Policies Figure 17: Default Guest Admin Role Figure 18: Roles Figure 19: Roles - General - Overview Figure 20: Location Groups Figure 21: Default Location Group Figure 22: Authentication Protocols Figure 23: Default Authentication Protocol Set Figure 24: Authentication Servers Figure 25: Authentication Server Settings Figure 26: Authentication Server - Users Figure 27: Creating and configuring new RADIUS client-aruba WLC Figure 28: Creating and configuring new RADIUS client-cisco WLC Figure 29: Creating and Configuring RADIUS Return Attributes Policy for Aruba WLC Figure 30: Creating and Configuring RADIUS Return Attributes Policy for Cisco WLC Figure 31: SMTP settings Figure 32: Guest Access SMS Gateway Settings, Clickatell 2SMS as SMS Gateway Type Figure 33: Guest Access Configuration Figure 34: Sign-In Policies Figure 35: Enabling On-Boarding link Figure 36: Onboarding link displayed in guest environment on Pulse Policy Secure Login Page Figure 37: Guest Login Page Figure 38: Guest Access Configurations section - Update the marked fields in a localized language Figure 39: Updating the Guest User Info Field in a Localized language Figure 40: Guest Login Page in a Localized Language Figure 41: Task Guidance Figure 42: Guest User Auth Server Figure 43: GUAM User Role Configuration Figure 44: Guest User Role Configuration Figure 45: Guest Access User Realm Figure 46: Example Role Mapping Rules Figure 47: Sign-in Policy Figure 48: Resource Access Policy Allow All Figure 49: Resource Access Policy Deny Figure 50: GUAM User Account Figure 51: Custom Sign-in Page by Pulse Secure, LLC. All rights reserved 5

6 Guest Access Solution Configuration Guide Figure 52: Admin Console Sign-in Page Figure 53: GuestSelfRegistration.thtml Figure 54: Default Guest Self Registration Page Figure 55: Custom Guest Self Registration Page - field removed Figure 56: Customized Guest Self Registration Page - Mobile Number field modified as Contact Number.. 66 Figure 57: Sign-in Page Figure 58: Custom Template Uploaded Successfully Figure 59: Sign-in Policy Page Figure 60: Sign-in Policy Page Showing Customized Pages Figure 61: Customized Guest Self Registration Page Figure 62: Default Sign-In Page Figure 63: Modified Default Sign-In Page Figure 64: Sign-in Policy Figure 65: The default Guest Self Registration Login Page Figure 66: Customized Login Page Figure 67: Network Topology between Pulse Policy Secure and Cisco WLC Figure 68: Authentication server settings Figure 69: Accounting server settings Figure 70: Creating an IPv4 ACL Figure 71: Creating a WLAN Figure 72: WLAN - General settings Figure 73: WLAN Layer 2 settings Figure 74: WLAN Layer 3 settings Figure 75: WLAN AAA Server settings Figure 76: WLAN Advanced settings Figure 77: Mapping WLAN with the Local AP Figure 78: Authentication server settings Figure 79: Accounting server settings Figure 80: FlexConnect ACL list Figure 81: Creating a WLAN Figure 82: WLAN - General settings Figure 83: WLAN Layer 2 settings Figure 84: WLAN Layer 3 settings Figure 85: WLAN AAA Server settings Figure 86 WLAN Advanced settings Figure 87: Mapping WLAN Flexl AP Figure 88: Adding ACLs in FlexConnect Group Figure 89: CISCO Wireless Controller home page Figure 90: Security section Figure 91: Radius Servers Figure 92: Creating a Radius Server Figure 93: Radius Server Groups Figure 94: Creating a Radius Server Group Figure 95: Authentication list Figure 96: Creating a new Authentication list Figure 97: Accounting list Figure 98: Creating an Accounting list Figure 99: Authorization list Figure 100: Creating an Authorization list Figure 101: Webauth Parameter Map Figure 102: Creating a Webauth Parameter Map Figure 103: Default Webauth Parameter Map Figure 104: Access Control List by Pulse Secure, LLC. All rights reserved

7 Table of Figures Figure 105: Creating an Access Control List Figure 106: Creating a Sequence Number Figure 107: Connecting with Pulse Policy server IP address Figure 108: WLANs Figure 109: Creating a WLAN Figure 110: Newly created WLAN Figure 111: WLAN - General screen Figure 112: WLAN - Security - Layer Figure 113: WLAN - Security - Layer Figure 114: WLAN - Security - AAA Server Figure 115: WLAN - Advanced settings Figure 116: Network Topology between Pulse Policy Secure and Aruba WLC Figure 117: WLAN Configuration Figure 118: WLAN Configuration Specifying a Group Figure 119: WLAN Configuration Wirless LANs configuration Figure 120: Specifying a WLAN Figure 121: Forwarding Mode configuration Figure 122: Radio and VLAN configuration Figure 123: Internal Guest configuration Figure 124: Authentication and Encryption Figure 125: Captive Portal options Figure 126: Authentication Server configuration Figure 127: Specifying Roles and Policies Figure 128: Configuring Role Assignment Figure 129: WLAN configuration complete message Figure 130: WLAN configuration complete message with details Figure 131: Controller configured Figure 132: RADIUS Accounting Server Group Figure 133: L3 Authentication configuration Figure 134: RFC 3576 Server Configuration Figure 135: RFC Server - Key Details Figure 136: RFC Server - Adding a server Figure 137: Remote Networking configuration Figure 138: Group configuration Figure 139: RAP DHCP Settings Figure 140: RAP DNS Query Routing Figure 141: Configuring Wireless LANs Figure 142: Aruba Instant Home Page Figure 143: Creating a New WLAN Figure 144: VLAN Settings Figure 145: Security Settings Figure 146: Security Settings - Creating a New Server Figure 147: Security Settings Figure 148: Access Settings Figure 149: Access Settings - Creating a Role Figure 150: Access Settings - Creating a Rule Figure 151: Access Settings - Creating an Access Rule Figure 152: GUAM Page after Log In Figure 153: Guest User Create One User Page Figure 154: Guest User Create Many Users Page Figure 155: Multiple Users Created Popup Message Figure 156: Multiple users created - Displayed on the guest admin page Figure 157: Guest User Edit User Page by Pulse Secure, LLC. All rights reserved 7

8 Guest Access Solution Configuration Guide Figure 158: Guest User Edit User Successful popup with , SMS, and Print options Figure 159: Guest User Print Details Page Figure 160: Pulse Policy Secure Login page for guests Figure 161: Guest - Personal Details Figure 162: Guest s Username and Password created Figure 163: Guest using the credentials in Sign In page Figure 164: Pulse Policy Secure Login page for guests Figure 165: Guest - Personal Details Figure 166: Guest s Username and Password created Figure 167: Pulse Policy Secure Login page by Pulse Secure, LLC. All rights reserved

9 Table of Tables List of Tables Table 1: Notice Icons Table 2: Text and Syntax Conventions Table 3: Guest Access SMS Gateway Settings Table 4: Local Authentication Server Guest Access Configurations Table 5: Configuring a Role for GUAM User Table 6: Role Settings for Guest Users Table 7: Variables Table 8: Guidelines for Configuring a Customized Collection Table 9: Admin User Page - Field Descrioptions Table 10: Create One User Page Field Descriptions Table 11: Create Many Users Page - Field Descriptions by Pulse Secure, LLC. All rights reserved 9

10 Guest Access Solution Configuration Guide About the Documentation Documentation and Release Notes Supported Platforms Documentation Conventions Requesting Technical Support Documentation and Release Notes To obtain the latest version of all Pulse Secure technical documentation, see the product documentation page at Supported Platforms For the features described in this document, the following platforms are supported: MAG Series Documentation Conventions Table 1 defines notice icons used in this guide. Table 1: Notice Icons Icons Meaning Description Informational note Indicates important features or instructions Caution Indicates a situation that might result in loss of data or hardware damage Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser Tip Indicates useful information Best practice Alerts you to a recommended use or implementation by Pulse Secure, LLC. All rights reserved

11 Table 2 defines the text and syntax conventions used in this guide. About the Documentation Table 2: Text and Syntax Conventions Convention Description Examples Bold text like this Fixed-width text like this Represents text that you type Represents output that appears on the terminal screen To enter configuration mode, type the configure command: user@host> configure user@host> show chassis alarms No alarms currently active Italic text like this Introduces or emphasizes important new terms. Identifies guide names. A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide Identifies RFC and Internet draft titles RFC 1997, BGP Communities Attribute Italic text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Configure the machine s domain name: [edit] root@# set system domain-name domain-name Text like this Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) [ ] (square brackets) Indicates a comment specified on the same line as the configuration statement to which it applies. Encloses a variable for which you can substitute one or more values. rsvp { # Required for dynamic MPLS only community name members [community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf 2015 by Pulse Secure, LLC. All rights reserved 11

12 Guest Access Solution Configuration Guide Requesting Technical Support Technical product support is available through the Pulse Secure Global Support Center (PSGSC). If you have a support contract, then file a ticket with PSGSC. Product warranties For product warranty information, visit Self-Help Online Tools and Resources For quick and easy problem resolution, Pulse Secure, LLC has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with PSGSC You can open a case with PSGSC on the Web or by telephone. Use the Case Management tool in the CSC at Call toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see: by Pulse Secure, LLC. All rights reserved

13 PART 1 Overview Guest Access Deployment 2015 by Pulse Secure, LLC. All rights reserved 13

14 Guest Access Solution Configuration Guide by Pulse Secure, LLC. All rights reserved

15 CHAPTER 1 Guest Access Pulse Policy Secure is a complete guest access management solution and simplifies an organization's ability to provide secure, differentiated guest user access to their networks. The Guest Access feature enables a guest/contractor to access a special Self Registration URL and create their own guest account for internet access. This is an optional feature along with Guest User Account Manager (GUAM) based guest creation within the WLC based Guest Access deployment mode. Figure 1: Self-Registration work flow by a guest user 2015 by Pulse Secure, LLC. All rights reserved 15

16 Guest Access Solution Configuration Guide by Pulse Secure, LLC. All rights reserved

17 CHAPTER 2 Deployment Guest Access Solution with WLC In current scenarios, guest access solution for wireless network can be deployed with leading Wireless LAN controllers. In this deployment, customer can deploy wireless network with WLCs and wireless network for guests. Guest authentication can be done with external authentication server. Pulse Policy Secure Server can be positioned as external authentication server. Assumption for this deployment is customer has already deployed wireless network for guest using WLC and would like to have centralized authentication server. When wireless network is built with multiple vendors WLCs then it further becomes useful to have centralized authentication server. Figure 2: Guest Access in WLC Environment 2015 by Pulse Secure, LLC. All rights reserved 17

18 Guest Access Solution Configuration Guide Captive Portal with Juniper EX/SRX Firewall with GUAM Managed Users When a Pulse Policy Secure and an EX Series switch/srx firewall is deployed, users might not know that they must first sign into Pulse Policy Secure for authentication before they can access a protected resource behind the EX Series switch/srx firewall. To facilitate sign-in, you can configure a redirect policy on the EX Series switch/srx firewall to automatically redirect HTTP traffic destined for protected resources to Pulse Policy Secure. This feature is called captive portal. When the sign-in page for the Pulse Policy Secure is displayed, the user signs in, and access is granted to the protected resource. These user accounts can be created by Guest User Account Manager. Figure 3: Captive Portal with Juniper EX/SRX Firewall by Pulse Secure, LLC. All rights reserved

19 PART 2 Configuration Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Guest User Account Management Framework 2015 by Pulse Secure, LLC. All rights reserved 19

20 Guest Access Solution Configuration Guide by Pulse Secure, LLC. All rights reserved

21 CHAPTER 3 Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Default Configuration Settings on Pulse Policy Secure Configuring RADIUS Client on Pulse Policy Secure Configuring SMTP and SMS gateway settings on Pulse Policy Secure Configuring Guest Access Settings on Pulse Policy Secure This section describes the configuration that is required on Pulse Policy Secure to communicate with a Wireless LAN Controller (WLC) for Guest user management. Pulse Policy Secure server acts as RADIUS server that allows to centralize the authentication and accounting for the users. A Cisco or Aruba WLC needs to be added as RADIUS client on Pulse Policy Secure server. Guest user Self-Registration options need to be configured in the authentication server used for managing guest accounts (by default, this is Guest authentication) and in sign-in policy settings. Default Configuration Settings on Pulse Policy Secure Pulse Policy Secure has some default configuration settings for convenience of the Admin users. NOTE: The default configuration settings are available when you upgrade to Pulse Policy Secure 5.2, or when you install Pulse Policy Secure 5.2 version. The default settings are: Sign-in Policies User Realms User Roles Location Groups Authentication Protocol Sets Authentication Server Sign-In-Policies The */guestadmin/ and */guest/ are the default Sign-in-Polices in Pulse Policy Secure. A Sign-in Policy is mapped with a default Authentication Realm. To view the Sign-in-Polices: 1. On the Pulse Policy Secure main page select Authentication > Signing In > Sign-in Policies. The Sign-in Policies screen appears by Pulse Secure, LLC. All rights reserved 21

22 Guest Access Solution Configuration Guide Figure 4: Sign-in-Polices Figure 5: Default Sign-in-Policy 2. Click on a Sign-in Policy to view the settings. 3. You can make necessary changes or add realms in a Sign-in Policy and click Save Changes to save the settings. User Realms The Guest Admin and Guest are the default user realms in Pulse Policy Secure. A user realm is mapped with a default Role. NOTE: For a Guest Admin realm, Admin has to create the role mapping rule for the user name who has rights for creating Guest accounts. To view a user realm: 1. On the Pulse Policy Secure main page select Users > User Realms. The User Authentication Realms screen appears by Pulse Secure, LLC. All rights reserved

23 CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Figure 6: User Realms 2. Click on a User Authentication Realm to view the settings. Figure 7: User Realms - Role Mapping The Role Mapping screen of the Realm appears. Figure 8: Role Mapping Rule 3. Click an existing Rule of the Role to view the settings. 4. You can make necessary changes and click Save Changes to save the settings by Pulse Secure, LLC. All rights reserved 23

24 Guest Access Solution Configuration Guide 5. Click New Rule in the Role Mapping screen to add a new Rule to the Role and click Save Changes to save the Rule. 6. Click the General tab to view the settings. The General screen appears. Figure 9: User Authentication Realms - General 7. You can make necessary changes and click Save Changes to save the settings. 8. Click the Authentication Policy tab. The Source IP screen appears. Figure 10: User Authentication Realms - Authentication Policy 9. You can make necessary changes and click Save Changes to save the settings. 10. Click the Browser tab. The Browser settings are displayed by Pulse Secure, LLC. All rights reserved

25 Figure 11: Browser settings CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment 11. You can make necessary changes and click Save Changes to save the settings. 12. Click Certificate. The certificate details of the Realm are displayed. Figure 12: Certificate Details 13. You can make necessary changes and click Save Changes to save the settings. 14. Click Password to view the password related settings. Password related setting options are displayed. Figure 13: Password Settings 2015 by Pulse Secure, LLC. All rights reserved 25

26 Guest Access Solution Configuration Guide 15. You can make necessary changes and click Save Changes to save the settings. 16. Click Host Checker. The Host Checker setting options are displayed. Figure 14: Host Checker Settings 17. You can make necessary changes and click Save Changes to save the settings. 18. Click Limits to set limits for a User Realm. The Limit options are displayed. Figure 15: Limit Options 19. You can make necessary changes and click Save Changes to save the settings. 20. Click RADIUS Request Policies. If any RADIUS Request Policy is available it is displayed by Pulse Secure, LLC. All rights reserved

27 Figure 16: RADIUS Request Policies CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment 21. You can make necessary changes and click Save Changes to save the settings 2015 by Pulse Secure, LLC. All rights reserved 27

28 Guest Access Solution Configuration Guide User Roles The Guest Admin and Guest are the default user roles in Pulse Policy Secure. A user realm is mapped with a default Role. Figure 17: Default Guest Admin Role To view a User Role: 1. On the Pulse Policy Secure main page select Users > User Roles. The Roles screen appears. Figure 18: Roles 2. Click on a default User Role to view the settings. The General > Overview screen appears by Pulse Secure, LLC. All rights reserved

29 Figure 19: Roles - General - Overview CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment 3. You can make necessary changes and click Save Changes to save the settings. You can go to other tabs of the User Role, to view the default settings and make necessary changes. Location Groups The Guest is the default Location Group configured in Pulse Policy Secure. A Location Group is mapped with a default Sign-in Policy and a default Realm. To view a Location Group: 1. On the Pulse Policy Secure main page select UAC > Network Access > Location Group. The Location Group screen appears. Figure 20: Location Groups 2. Click the Location Group to view the settings by Pulse Secure, LLC. All rights reserved 29

30 Guest Access Solution Configuration Guide Figure 21: Default Location Group 3. You can make necessary changes and click Save Changes to save the settings. Authentication Protocol Set The Guest is the default Authentication Protocol Set configured in Pulse Policy Secure. To view the Authentication Protocol: 1. On the Pulse Policy Secure main page select Authentication > Signing In > Authentication Protocol Sets. The Authentication Protocol screen appears. Figure 22: Authentication Protocols 2. Click the Authentication Protocol to view the settings by Pulse Secure, LLC. All rights reserved

31 Figure 23: Default Authentication Protocol Set CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment 3. You can make necessary changes and click Save Changes to save the settings. Authentication Server The Guest Authentication is the default Authentication Server configured in Pulse Policy Secure. To view the Authentication Server: 1. On the Pulse Policy Secure main page select Authentication > Auth. Servers. The Authentication Servers screen appears. Figure 24: Authentication Servers 2. Click the default Authentication Server to view the settings. The options under the Settings tab appears by Pulse Secure, LLC. All rights reserved 31

32 Guest Access Solution Configuration Guide Figure 25: Authentication Server Settings 3. You can make necessary changes and click Save Changes to save the settings. 4. Click the Users tab to view the guest users list by Pulse Secure, LLC. All rights reserved

33 Figure 26: Authentication Server - Users CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment This page displays all the users that are created by guest self-registration option and through the GUAM. 5. Click the Admin Users page to view the settings by Pulse Secure, LLC. All rights reserved 33

34 Guest Access Solution Configuration Guide Configuring RADIUS Client on Pulse Policy Secure The Radius Framework on Pulse Policy Secure is configured with the default settings. You have to configure only the Radius client and a RADIUS Return Attributes Policy. To configure RADIUS Client on Pulse Policy Secure: 1. Select UAC > Network Access > RADIUS Client > New RADIUS Client to create a new RADIUS client. The New RADIUS Client screen appears. Figure 27: Creating and configuring new RADIUS client-aruba WLC by Pulse Secure, LLC. All rights reserved

35 Figure 28: Creating and configuring new RADIUS client-cisco WLC CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment 2. Configure a WLC and name accordingly as per your network preferences: Configure the Aruba WLC as RADIUS client and map with the default Location Group. Configure the Cisco WLC as RADIUS client and map with the default Location Group. 3. Click Save Changes to save the settings. 4. Select UAC > Network Access > RADIUS Attributes > Return Attributes > New Policy to create a new RADIUS Return Attribute policy. The New Policy screen appears by Pulse Secure, LLC. All rights reserved 35

36 Guest Access Solution Configuration Guide Figure 29: Creating and Configuring RADIUS Return Attributes Policy for Aruba WLC by Pulse Secure, LLC. All rights reserved

37 CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Figure 30: Creating and Configuring RADIUS Return Attributes Policy for Cisco WLC 5. Map with the default location group. Configure other return attributes and session-timeout attributes as required. 6. Click Save Changes to save the Return Attribute Policy. Configuring SMTP and SMS gateway settings on Pulse Policy Secure The SMTP and SMS configuration settings must be configured to enable guest users to create user accounts on their own. SMTP Settings for Guest User Accounts 1. On Pulse Policy Secure main page select System > Configuration > Guest Access > SMTP Settings. The SMTP Settings screen appears by Pulse Secure, LLC. All rights reserved 37

38 Guest Access Solution Configuration Guide Figure 31: SMTP settings 2. Enter the necessary details and click Save Changes. SMS Gateway Settings for Guest User Accounts Short Message Service (SMS) is delivered through an SMS gateway service that supports HTTP, HTTPS, and SMTP (Simple Mail Transport Protocol) delivery. You need to subscribe to an external service to be able to deliver guest details using SMS. The SMS gateway sends SMS in formatted text message using HTTP/HTTPS interface (SMS message) and can also allow message to be sent as an SMS. An example of an SMS gateway is clickatell.com. You should have a valid account with this third party. To create an account with Clickatell: 1. Go to and choose the appropriate API sub-product (connection method) you wish to use. 2. Click on the registration hyperlink. 3. Select the Account type you would like to use (Local or International). 4. Enter your personal information to complete the registration form. 5. Accept the Terms & Conditions. 6. Click Continue - An containing your login details such as account login name, password, and clientid will be sent to the address you have provided. 7. Activate your account When user has logged in, and user will be on the Clickatell Central landing page and HTTP API will be added to the account and client API ID will be issued to the account. A single account may have multiple API IDs associated with it. To enable the SMS gateway settings using Pulse Policy Secure: 1. On Pulse Policy Secure main page select System > Configuration > Guest Access > SMS Gateway Settings. The SMS Gateway Settings screen appears by Pulse Secure, LLC. All rights reserved

39 CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Figure 32: Guest Access SMS Gateway Settings, Clickatell 2SMS as SMS Gateway Type 2. Select the Enable SMS Gateway Settings check box. 3. Complete the configuration settings as described in the following Table. 4. Click Save Changes. 5. Click Send Test SMS. Table 3: Guest Access SMS Gateway Settings Settings Guidelines SMS Gateway Settings Select the gateway type: SMS Gateway Type Clickatell Select this option to send SMS as a text message. Clickatell 2SMS Select this option to use format as an SMS using SMTP. API product ID Specify the API product ID that you received from Clickatell during account creation. SMS Gateway Login Name Specify the SMS gateway login name. SMS Gateway Login password Specify the SMS gateway login password. (Optional) Select the following fields: Text Message (SMS) Format Guest Account Start Time Guest Account End Time 2015 by Pulse Secure, LLC. All rights reserved 39

40 Guest Access Solution Configuration Guide Settings Guidelines Guest Account Sign-in URL Wireless SSID The following options apply if you select Clickatell as gateway type. SMS Gateway URL Specify the SMS Gateway URL. (Default) or HTTPS Select this option to use a secure connection. If you don't select this option user will be notified about clear text transmission of guest user credentials. Use Proxy Server Select this option to access the internet or SMS gateway URL using a proxy server. Address Specify the address of the proxy server and its port. Username Specify the username of the proxy server. Password Specify the password of the proxy server. Send Test SMS Mobile Number Select the country name and then specify a valid phone number of the guest user. The phone number should not include country code or any special character such as +,*, and so on. The Pulse Policy Secure sends a test SMS with the login credentials to this mobile number through SMS. Source Mobile Number Specify the sender ID configured in Clickatell Account by Pulse Secure, LLC. All rights reserved

41 CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Configuring Guest Access Settings on Pulse Policy Secure 1. On Pulse Policy Secure main page select Authentication > Auth. Servers > System Local > Settings. Under Guest Access Configurations: Select the check box Enable Guest User Account Managers to administer Guest Accounts Under the Guest Self-Registration select Send guest user credentials via o SMS o o Click the SMS/ settings link and do the necessary settings. Figure 33: Guest Access Configuration Show credentials on screen after guest completes registration Maximum Account Validity Period for Self Registered Guest by default 24 hours is the default time period. You can change this as per the requirement. 2. On Pulse Policy Secure main page select Authentication >Signing In >Sign-In Policies by Pulse Secure, LLC. All rights reserved 41

42 Guest Access Solution Configuration Guide Figure 34: Sign-In Policies 3. Select the sign-in policy that is created earlier. Under Configure Guest settings select the check boxes: Use this signin policy for Guest and Guest admin to use specific pages Show Guest Self Registration link on the guest login page The Register as Guest link appears on the guest login page by Pulse Secure, LLC. All rights reserved

43 Enabling Onboarding Feature CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment Enterprise onboarding feature provides automated onboarding of BYOD clients on premises (WLAN & LAN). Pulse Policy Secure enables personal devices to be automatically configured for corporate access. To enable this feature: 1. To enable this option in the Pulse Policy secure main page select Authentication > Signing In > Sign-in Policies. The Sign-in Polices tab displays the available sign-in policies. 2. Under the User URLs section select the default sign-in policy. The Sign-in Policy configuration screen appears. Figure 35: Enabling On-Boarding link 3. Select the Show On-Boarding link on guest login page check box. A drop-down list appears next to it. 4. Select a required URL. 5. Click Save Changes to save the settings by Pulse Secure, LLC. All rights reserved 43

44 Guest Access Solution Configuration Guide When this settings is done the Employees can onboard their device here link appears in an enterprise guest environment as shown in the following figure. Figure 36: Onboarding link displayed in guest environment on Pulse Policy Secure Login Page Localization In a localized guest user environment when a user tries to register as a guest all the fields are displayed in that particular localized language, except the Company Name and Host or Sponsor fields which are displayed in English language. NOTE: Here French language is used as an example. Figure 37: Guest Login Page To localize these two fields, an Admin user must enter the translated field names of Company Name and Host or Sponsor fields in the Guest Access Configurations section in Pulse Policy Secure. To make these changes: 1. In the Pulse Policy secure main page select Authentication > Auth.Servers. The Authentication Servers screen appears. 2. Select a default Authentication Server to make the changes by Pulse Secure, LLC. All rights reserved

45 CHAPTER 3: Configuration Settings on Pulse Policy Secure for Wireless LAN Controller Deployment The Settings tab of the Auth Server displays the settings. Figure 38: Guest Access Configurations section - Update the marked fields in a localized language 3. In the Guest Access Configurations section, enter the translated field names of Company Name and Host or Sponsor fields in the Guest User Info Fields box. Figure 39: Updating the Guest User Info Field in a Localized language 2015 by Pulse Secure, LLC. All rights reserved 45

46 Guest Access Solution Configuration Guide 4. Click Save Changes to save the settings. 5. In the enterprise guest environment when a guest tries to register, the Company Name and Host or Sponsor fields are displayed in the respective language. Figure 40: Guest Login Page in a Localized Language by Pulse Secure, LLC. All rights reserved

47 CHAPTER 4 Guest User Account Management Framework Using Task Guidance Configuring the Guest User Account Management Framework Customizing the Guest User Account Manager Pages Using Task Guidance The following figure shows the Task Guidance menu for enterprise guest access (EGA). You can use Task Guidance to navigate through the tasks required to configure EGA. NOTE: The Task Guidance is applicable only for Juniper SRX devices. To display Task Guidance: 1. Select the Guidance link at the top of the Web console. 2. Click System Setup to display guidance for setting the date and time, upgrading software, and installing licenses. 3. Click Guest Users to display guidance for configuring the local authentication server, user roles, user realms, sign-in policies, and resource access policies for guest users. Figure 41: Task Guidance 2015 by Pulse Secure, LLC. All rights reserved 47

48 Guest Access Solution Configuration Guide Configuring the Guest User Access This topic describes the elements of the Pulse Policy Secure guest access management feature. It includes the following information: Before You Begin Configuring the Local Authentication Server Configuring a Role for Guest User Account Managers Configuring a Role for Guest Users Configuring a Guest Realm Configuring Role Mapping Rules Configuring a Sign-In Policy for Guests Configuring Resource Access Policies for Guests Configuring a Guest User Account Manager Account Before You Begin This configuration example assumes the following tasks have been completed: Installed the MAG Series hardware. Upgraded the Access Control Service software to the latest version. Enabled Guest Access mode. Configured basic host and network settings. Keep in mind the following best practices: o Configure NTP. Synchronization to standard network clock is not only a requirement for meaningful logging but is also necessary for security features that examine time-based validity, such as SSL certificate security. Select System > Status to display the system status page; then click the Edit link next to System Date and Time to display the configuration page for NTP. o o o o Configure a hostname. Hostname is used to construct the HTTP redirect URL for the captive portal page presented to guest users. If hostname is not specified, the URL is based on the SSL certificate distinguished name (DN) in the SSL certificate associated with the external port. If none, the URL uses the IP address of the external port. We recommend specifying a hostname to create a more user friendly captive portal URL. Select System > Network > Overview to display the configuration page for hostname. Configure DNS. Guest users depend on the DNS servers you specify when they initially attempt to connect to the network. In addition, the captive portal HTTP redirect presents a hostname in the URL only if DNS can resolve the hostname. Select System > Network > Overview to display the configuration page for DNS. Configure SSL certificate security. Use SSL certificate security so that the guest users do not have to examine certificate warnings when they are redirected to the captive portal to sign in. Select System > Configuration > Certificates > Device Certificates to display the device certificate configuration page. You can use this page to import an SSL certificate that has been signed by a well-known certificate authority, such as VeriSign, Entrust, and the like. Use this page to associate the certificate with the external port by Pulse Secure, LLC. All rights reserved

49 CHAPTER 4: Guest User Account Management Framework Configuring the Local Authentication Server Select System > Authentication > Auth. Server and create a new local authentication server for guest users. The following figure shows a local authentication server configuration. Table 5 describes the guest access configuration. Figure 42: Guest User Auth Server 2015 by Pulse Secure, LLC. All rights reserved 49

50 Guest Access Solution Configuration Guide Table 4: Local Authentication Server Guest Access Configurations Settings Guidelines Enable Guest User Account Managers Select this option to allow guest user account managers (GUAM) to create guest user accounts on the local authentication server. Guest User Name Prefix Specify the prefix to be used in auto generated guest usernames. We recommend you retain the default guest_ so that you can rely on the naming convention in your role mapping rules. Guest User Info Fields Instructions for Guest User Account Manager Maximum Account Validity Period (Optional) Add line items to represent fields that you want to appear on the configuration page for creating guest user accounts. For example, you can create fields for Company Name, Host Person, Meal Preference, and so on. (Optional) Add instructions to the GUAM that appear on the GUAM sign-in page. You can use the following HTML tags to format the text: <b>, <br>, <font>, <noscript>, and <a href>. See Figure 153 and Figure 154 to see examples of how this text is displayed on the GUAM sign-in page. Specify the number of hours the account is valid. The default is 24 hours. Configuring a Role for Guest User Account Managers Select Users > User Roles and create a user roles for the GUAM user. The following figure shows the user role for the GUAM user. Table 5 describes the key settings for the GUAM user role. Figure 43: GUAM User Role Configuration by Pulse Secure, LLC. All rights reserved

51 CHAPTER 4: Guest User Account Management Framework Table 5: Configuring a Role for GUAM User Settings Guidelines Enable Guest User Management Rights Select this option, which is the key option to distinguish GUAM users from other users. When a user matching the GUAM role logs in, the user sees the Guest User Access Manager page.. Session Options Enable Session Options. In addition, click the Edit link to display the Session Options configuration page. Select the Allow VPN through Firewall option to allow guest users to use VPN technology to connect to their own corporate networks. If you do not enable this option, creating a VPN connection would result in disconnection because the VPN tunnel would prevent heartbeat traffic used by the Access Control Service in monitoring user sessions. NOTE: You must select the Allow VPN Through Firewall option only for Juniper SRX integration. It is not required for a WLC integration. If a heartbeat is not detected between a guest user and the MAG Series Gateway, the user receives notification of the failure. After a heartbeat failure has occurred, a retry occurs after 30 seconds. Subsequent failures result in a retry at 1.5 times the prior interval up to a maximum value of the initial heartbeat interval by Pulse Secure, LLC. All rights reserved 51

52 Guest Access Solution Configuration Guide Settings Guidelines Click the Agent tab to display the agent configuration page. Ensure that the Install Agent for this role options is not selected. Agent Click the Agentless tab to display the agentless access configuration page. Ensure that the Install agent for this role options is not selected. Agentless by Pulse Secure, LLC. All rights reserved

53 CHAPTER 4: Guest User Account Management Framework Configuring a Role for Guest Users Select Users > User Roles and create a user roles for the guest user. The following figure shows the user role for the guest users. Table 6 describes the key settings for the guest user role. The user role configuration for guest users is similar to the role configuration for the GUAM user with one key difference: do not give the guest user role guest user account management rights. Figure 44: Guest User Role Configuration Table 6: Role Settings for Guest Users Settings Guidelines Enable Guest User Management Rights This option is specifically for the GUAM user. Do not enable this option for the guest user role. When a guest user without guest user management rights logs in, the guest user page does not include controls for adding guest users, which is what you want for guest users. The following page is displayed after a guest logs into the guest realm Session Enable Session Options. In addition, click the Edit link to display the Session Options configuration page. Select the Allow 2015 by Pulse Secure, LLC. All rights reserved 53

54 Guest Access Solution Configuration Guide Settings Options Guidelines VPN through Firewall option to allow guest users to use VPN technology to connect to their own corporate networks. If you do not enable this option, creating a VPN connection would result in disconnection because the VPN tunnel would prevent heartbeat traffic used by the Access Control Service in monitoring user sessions NOTE: You must select the Allow VPN through Firewall option only for Juniper SRX integration. It is not required for a WLC integration If a heartbeat is not detected between a guest user and the MAG Series Gateway, the user receives notification of the failure. After a heartbeat failure has occurred, a retry occurs after 30 seconds. Subsequent failures result in a retry at 1.5 times the prior interval up to a maximum value of the initial heartbeat interval. Agent Click the Agent tab to display the agent configuration page. Ensure that the Install Agent for this role options is not selected by Pulse Secure, LLC. All rights reserved

55 CHAPTER 4: Guest User Account Management Framework Settings Guidelines Agentless Click the Agentless tab to display the agentless access configuration page. Ensure that the Install agent for this role options is not selected by Pulse Secure, LLC. All rights reserved 55

56 Guest Access Solution Configuration Guide NOTE: Some role and realm restrictions are not available in Guest Access mode. For example, certificate restrictions. Use Task Guidance to help you determine which options are available. Configuring a Guest Realm Select Users > User Realms and create an authentication realm for guest access. The following figure shows the configuration for the user realm in this example. Figure 45: Guest Access User Realm Configuring Role Mapping Rules From the user realm configuration page, click the Role Mapping tab and create role mapping rules. The following figure shows the role mapping rules configuration for this example. Users matching the string and wildcard guest* (the default guest user prefix convention for the local authentication server) map to the Gu est role. The user named guam (not yet created in this example) maps to the GUAM role by Pulse Secure, LLC. All rights reserved

57 Figure 46: Example Role Mapping Rules Configuring a Sign-In Policy for Guests Select Authentication > Signing-In > Sign-In Policies to display the sign-in policies configuration page. Create a sign-in policy specifically for the guest user administrator and guest users. The following figure shows the policy used in this example. Note that it uses a user-defined URL named */guam/. The */ represents the Access Control Service host and the directory guam/ specifies a new, user-defined directory for managing guest access. The realm selected is the guest realm created previously. This example uses the default sign-in page by Pulse Secure, LLC. All rights reserved 57

58 Guest Access Solution Configuration Guide Figure 47: Sign-in Policy Configuring Resource Access Policies for Guests Select Pulse Policy Secure > Infranet Enforcer > Resource Access to display the resource access policies configuration page. In a Layer 2 bridge deployment, the resource access policy is like a firewall rule that determines what traffic is allowed through the MAG Series gateway once the guest user has authenticated. The following figure shows a policy that allows all traffic by users with the guest role by Pulse Secure, LLC. All rights reserved

59 CHAPTER 4: Guest User Account Management Framework Figure 48: Resource Access Policy Allow All 2015 by Pulse Secure, LLC. All rights reserved 59

60 Guest Access Solution Configuration Guide The following figure shows a more complex policy that you would configure to implement EGA features in a standard Pulse Policy Secure solution that has deployed Infranet Enforcers in front of corporate resources. Figure 49: Resource Access Policy Deny by Pulse Secure, LLC. All rights reserved

61 CHAPTER 4: Guest User Account Management Framework Configuring a Guest User Account Manager Account As noted previously, the limited administrator capabilities for the guest user account manager (GUAM) are derived from the role configuration. The user account can belong to an external authentication server as long as the rest of the access management framework is configured to map that user to the GUAM role. You might find it simpler to use the local authentication server to create GUAM user accounts. Select System > Authentication > Auth. Server to locate the local authentication server you have configured for guest access; then click the Users tab to display the user management pages. You can use these pages to create user accounts. The following figure shows the configuration for a GUAM user account in this example. The username guam matches the role mapping rule for the GUAM role. Figure 50: GUAM User Account Related Documentation Creating Guest User Accounts Using Task Guidance 2015 by Pulse Secure, LLC. All rights reserved 61

62 Guest Access Solution Configuration Guide Customizing Guest Self Registration Pages by Sample Files The guest Self Registration pages can be customized by modifying the sample.zip file. It includes the following information: Downloading the Sample Template Files Modifying the Sample Template Files Uploading Your Customized Files Using the Customized Pages Verifying the Customization NOTE: Customizing GUAM using sample template files is no more supported from the Pulse Policy Secure 5.2 release. Downloading the Sample Template Files The sample template zip file includes the following files which are added for the Pulse Policy Secure 5.2 release: GuestLoginPage.thtml GuestLogout.thtml GuestSelfRegistration.thtml GuestForgotPassword.thtml GuestSigninNotifPreAuth.thtml guest.css To download the sample template files: 1. On the Pulse Policy Secure main page select Authentication > Signing In > Sign in pages. The Signing In screen appears. Figure 51: Custom Sign-in Page 2. Click Upload Custom Pages. The Upload Custom Sign-In Pages screen appears. This page hosts the sample.zip files which can be used to customize the guest sign in pages by Pulse Secure, LLC. All rights reserved

63 Figure 52: Admin Console Sign-in Page CHAPTER 4: Guest User Account Management Framework 3. Click the Sample link in the Sample Template Files pane. 4. Download the latest sample.zip file. Modifying the Sample Template Files You can edit the HTML to modify the look and feel of your page. You can add, modify, or delete JavaScript functions and variables to customize the functionality presented on your page. This section provides examples of common customizations for Guest Self Registration pages. For a reference on the files, functions, and variables found in the templates included in the sample.zip file, see the Custom Sign-In Pages Developer Reference. Figure 53 shows the contents of the GuestSelfRegistration.thtml file. The JavaScript functions and variables used for the standard user interface controls that appear in the predefined pages are highlighted in bold. The following table describes some of the common variables used in the template and their meaning. Table 7: Variables Variable Definition I18N_FULL_NAME Field for entering the full name of guest user. I18N_USERNAME_ADMIN_ Field for entering the id of guest user. I18N_USER_ADMIN_MOBILE_NUMBER Field for entering mobile number of guest user. I18N_USER_ADMIN_REGISTER Register button in the Guest Self Registration page. Click the button after entering the user details. I18N_CANCEL Cancel button. Cancels the registration process and takes the user back to the Sign In page of Guest User. I18N_USERNAME_COLON Username: field. It displays the username in the confirmation box. I18N_PASSWORD_COLON Password: field. It displays the password in the confirmation box I18N_USER_ADMIN_CREATING_ACCOUNT Displays the message An account has been created for you in the confirmation box. Figure 53: GuestSelfRegistration.thtml <div id= "fndiv" class="form-group required"> <label for="fullname" class="col-sm-2 control-label"><% I18N_FULL_NAME %></label> <div id="fndiv2" class="col-sm-5"> <input type="text" class="form-control" id="fullname" name="fullname" placeholder="<% I18N_FULL_NAME %>" autofocus validate> </div> </div> 2015 by Pulse Secure, LLC. All rights reserved 63

64 Guest Access Solution Configuration Guide <div id= " div" class="form-group <%IF required == 1%> required <%END%>"> <label for=" " class="col-sm-2 control-label"><% I18N_USER_ADMIN_ %></label> <div id=" div2" class="col-sm-5"> <input type=" " class="form-control" id=" " name=" " placeholder="<% I18N_USER_ADMIN_ %>" validate> </div> </div> <div id= "mndiv" class="form-group <%IF smsrequired == 1%> required <%END%>"> <label for="mobilenumber" class="col-sm-2 control-label"><% I18N_USER_ADMIN_MOBILE_NUMBER %></label> <div id="mndiv1" class="col-sm-2"> <select id="cmbcountrycode" class="form-control" name="cmbcountrycode" <%disabled%>> <% FOREACH country = countrycode %> <option id="<% country.id %>" value="<% country.id %>" <%IF countryselected == country.id%> selected <%END%>> <% country.name %> </option> <%END%> </select> </div> <div id="mndiv2" class="col-sm-3"> <input type="tel" class="form-control" id="mobilenumber" name="mobilenumber" placeholder="<% I18N_USER_ADMIN_MOBILE_NUMBER %>" validate> </div> </div> Removing Fields You can remove fields from the user interface form by deleting the HTML and JavaScript that define them from the sample file. For example, to delete the option box, delete the following HTML and variables: Example <<div id= " div" class="form-group <%IF required == 1%> required <%END%>"> <label for=" " class="col-sm-2 control-label"><% I18N_USER_ADMIN_ %></label> <div id=" div2" class="col-sm-5"> <input type=" " class="form-control" id=" " name=" " placeholder="<% I18N_USER_ADMIN_ %>" validate> </div> </div> NOTE: Never delete or modify the following required variables: Guest_Includes signinagainurl LoginPageErrorMessage Specifies the error message. The device generates the error message in case of an error otherwise it will be empty preauthsntext In this example, * indicates the required fields. The following figure shows the Guest Self Registration Page before customization by Pulse Secure, LLC. All rights reserved

65 Figure 54: Default Guest Self Registration Page CHAPTER 4: Guest User Account Management Framework NOTE: You can add a field in the html to display messages The following figure shows the result of the customization NOTE: After making a modification in sample.zip file, you must upload the file to see the effect of the customization. To know about the process of uploading see Uploading Your Customized Files Figure 55: Custom Guest Self Registration Page - field removed Editing Fields You can edit fields in the user interface form by editing the HTML and JavaScript that define them from the sample file. For example, to edit the Mobile Number option box as Contact Number, edit the following HTML and variables: Script Before Editing <div id= "mndiv" class="form-group <%IF smsrequired == 1%> required <%END%>"> <label for="mobilenumber" class="col-sm-2 control-label"> <% I18N_USER_ADMIN_MOBILE_NUMBER %>Contact Number</label> <div id="mndiv1" class="col-sm-2"> <select id="cmbcountrycode" class="form-control" name="cmbcountrycode" <%disabled%>> <% FOREACH country = countrycode %> <option id="<% country.id %>" value="<% country.id %>" <%IF countryselected == country.id%> selected <%END%>> <% country.name %> </option> 2015 by Pulse Secure, LLC. All rights reserved 65

66 Guest Access Solution Configuration Guide <%END%> </select> </div> <div id="mndiv2" class="col-sm-3"> <input type="tel" class="form-control" id="mobilenumber" name="mobilenumber" placeholder="<% I18N_USER_ADMIN_MOBILE_NUMBER %>" validate> </div> </div> Script After Editing <div id= "mndiv" class="form-group <%IF smsrequired == 1%> required <%END%>"> <label for="mobilenumber" class="col-sm-2 control-label"> Contact Number</label> <div id="mndiv1" class="col-sm-2"> <select id="cmbcountrycode" class="form-control" name="cmbcountrycode" <%disabled%>> <% FOREACH country = countrycode %> <option id="<% country.id %>" value="<% country.id %>" <%IF countryselected == country.id%> selected <%END%>> <% country.name %> </option> <%END%> </select> </div> <div id="mndiv2" class="col-sm-3"> <input type="tel" class="form-control" id="mobilenumber" name="mobilenumber" placeholder="contact Number" validate> </div> </div> Figure 56: Customized Guest Self Registration Page - Mobile Number field modified as Contact Number Uploading Your Customized Files After you have edited the sample template files, save the files with the same name and add them to the sample.zip file by replacing the previous files. To upload the files to the system: 1. On the Pulse Policy Secure main page select Authentication > Signing In > Sign in pages. 2. Click Upload Custom Pages. The Upload Custom Sign-In Pages screen appears by Pulse Secure, LLC. All rights reserved

67 Figure 57: Sign-in Page CHAPTER 4: Guest User Account Management Framework 3. Click Browse and select the sample.zip file containing the custom templates and assets 4. Click Upload Custom Pages to upload the modified sample.zip file. The following table describes the guidelines for completing the configuration. Table 8: Guidelines for Configuring a Customized Collection Settings Guidelines Sign-In Pages. Name Specify the name for the sign-in page Page Type Specify the page type. Access is selected by default. Template File Select the template file in zipped format that contains the custom templates and assets Upload Skip validation checks during upload Select this option to skip the validation checks for the template file. Upload Custom Pages Select this option to upload the custom pages. The following figure shows that the template file is uploaded successfully. Figure 58: Custom Template Uploaded Successfully 2015 by Pulse Secure, LLC. All rights reserved 67

68 Guest Access Solution Configuration Guide Using the Customized Pages After you have uploaded the customized files, you must associate them with your Guest Self Registration sign-in page. To use the customized pages: 1. On the Pulse Policy Secure main page select Authentication > Signing-In > Sign-In Policies to display the sign-in policies configuration page. 2. Select the custom sign-in page from the Sign-in page drop-down list. Figure 59: Sign-in Policy Page 3. Click Save Changes by Pulse Secure, LLC. All rights reserved

69 CHAPTER 4: Guest User Account Management Framework In the following figure the Sign-In Policies page shows the customized Sign-In Page. Figure 60: Sign-in Policy Page Showing Customized Pages Verifying the Customization Sign in to the Guest Self Registration sign-in page as a guest user account manager and verify that the customizations you have made were applied. The following figure shows the customized Guest Self Registration page, without the ID field, and the Mobile Number field changed as Contact Number. Figure 61: Customized Guest Self Registration Page Related Documentation Creating Guest User Accounts Custom Sign-In Pages Developer Reference, Release 8.0/ by Pulse Secure, LLC. All rights reserved 69

70 Guest Access Solution Configuration Guide Customizing Guest Login Page through Admin UI Customizing through the Admin UI of Guest Self Registration is limited to the Login page. Modifying the settings in Pulse Policy Secure Admin UI To customize the Login page: 1. On the Pulse Policy Secure main page select Authentication > Signing-In > Sign-In Pages to display the Sign-in Pages tab. Select and open the Sign-In Page, which you are using. Figure 62: Default Sign-In Page 2. Make changes as per your requirement. In this example the following fields (marked in the above screen shot) are modified as shown in the following figure. Submit button Changed the field name as Submit Username Changed the filed name as Login ID Current appearance Changed the logo by Pulse Secure, LLC. All rights reserved

71 CHAPTER 4: Guest User Account Management Framework Figure 63: Modified Default Sign-In Page 3. Click Save Changes to save the settings. 4. Select Authentication > Signing-In > Sign-In Policies and open the Sign-in Policy which you are using. Figure 64: Sign-in Policy 5. From the Sign-in page drop-down list, select the Sign-In Page which you have modified. 6. Click Save Changes to save the settings by Pulse Secure, LLC. All rights reserved 71

72 Guest Access Solution Configuration Guide Verifying the Customization To verify the changes you have made in the Pulse Policy Secure Admin UI, access the guest URL which is mapped with the Admin UI. Figure 65: The default Guest Self Registration Login Page The following screen shot is the login page after making modification in the Admin UI. Figure 66: Customized Login Page by Pulse Secure, LLC. All rights reserved

73 Part 3 Configuring WLC Configuring Cisco 2500 WLC Configuring Cisco 3850 WLC Configuring Aruba WLC 2015 by Pulse Secure, LLC. All rights reserved 73

74 Guest Access Solution Configuration Guide by Pulse Secure, LLC. All rights reserved

75 CHAPTER 5 Configuring Cisco 2500 WLC Configuring Cisco WLC for Pulse Policy Secure GUAM and Guest Self-Registration Configuration required on Cisco WLC for Local AP mode Configuration Required on Cisco WLC in Remote AP mode Configuring Cisco WLC for Pulse Policy Secure GUAM and Guest Self-Registration This section explains the steps to configure Cisco 2500 WLC for deploying Pulse Policy Secure GUAM and Guest Self-Registration feature. Figure 67: Network Topology between Pulse Policy Secure and Cisco WLC Configuration required on Cisco WLC for Local AP mode Configuring RADIUS server 1. Login to Cisco WLC. Select Security > AAA > RADIUS. Configure Pulse Policy Secure server as authentication and accounting servers. Support for RFC Enable this option to trigger RADIUS disconnect when required by Pulse Secure, LLC. All rights reserved 75

76 Guest Access Solution Configuration Guide Figure 68: Authentication server settings Figure 69: Accounting server settings Using CLI Before creating the radius server, you need to allot an index number to it which is not currently in use. To find out the index numbers which are currently in use in WLC, use the following command show radius summary Go through the authentication servers and accounting servers section in the displayed output. Use an unused index number for adding radius authentication or accounting server. config radius auth add <RADIUS auth server ID> <RADIUS server IP> 1812 ascii <password> config radius auth disable < RADIUS auth server ID > config radius auth rfc3576 enable < RADIUS auth server ID > config radius auth enable < RADIUS auth server ID > config radius acct add <RADIUS acct server ID > <RADIUS server IP> 1813 ascii <password> Configuring ACLs 1. On the CISCO WLC main screen go to Security > Access Control Lists. Create an IPv4 ACL list to allow DNS, DHCP and Pulse Policy Secure (Traffic) by Pulse Secure, LLC. All rights reserved

77 CHAPTER 5: Configuring Cisco 2500 WLC Figure 70: Creating an IPv4 ACL Using CLI To see all of the ACLs that are configured on the controller enter the following command: show acl summary To create an ACL with name test config acl create test To create a rule in the test ACL config acl rule add test 1 # Creating Rule No 1 config acl rule protocol test 1 17 # 17 is UDP protocol config acl rule source port range test # 68 is DHCP client port number config acl rule action test 1 permit # Allow access config acl rule add test 2 # Creating Rule No 2 config acl rule protocol test 2 17 config acl rule source port range test # 67 is DHCP server port number config acl rule action test 2 permit config acl rule add test 3 # Creating Rule No 3 config acl rule protocol test 3 17 config acl rule source port range test # Port 53 for DNS config acl rule action test 3 permit config acl rule add test 4 # Creating Rule No 4 config acl rule protocol test 4 17 config acl rule destination port range test config acl rule action test 4 permit config acl rule add test 5 # Creating Rule No 5 config acl rule source address test config acl rule action test 5 permit config acl rule add test 6 # Creating Rule No 6 config acl rule destination address test config acl rule action test 6 permit 2015 by Pulse Secure, LLC. All rights reserved 77

78 Guest Access Solution Configuration Guide Configuring WLAN Figure 71: Creating a WLAN 1. On the CISCO WLC main screen select WLANs tab and create a new WLAN. 2. Select to General tab and enable Status checkbox Figure 72: WLAN - General settings 3. Select Security > Layer 2 in WLANs tab. Select None from the Layer 2 Security dropdown list. Figure 73: WLAN Layer 2 settings 4. Select Security > Layer3 in WLANs tab by Pulse Secure, LLC. All rights reserved

79 CHAPTER 5: Configuring Cisco 2500 WLC From the Layer 3 security drop-down list select 'Web Policy'. For Preauthentication ACL, associate the ACL that is created earlier for IPv4. Over-ride Global Config - Select the Enable check box. From the Web auth type drop-down list select External (Re-direct to external server) URL Enter the Pulse Policy secure (Guest sign-in URL) for redirection URL. Figure 74: WLAN Layer 3 settings 5. Select Security > AAA Servers tab. Configure RADIUS server for authentication and accounting. Figure 75: WLAN AAA Server settings 6. Select the Interim Update check box by Pulse Secure, LLC. All rights reserved 79

80 Guest Access Solution Configuration Guide NOTE: Instead of management port, if some other Interface/Interface Group (G) is selected during WLAN creation then Radius Server Overwrite interface option must be enabled. 7. Select Advanced tab and enable Allow AAA Override checkbox. Figure 76: WLAN Advanced settings Using CLI Before creating a new WLAN verify the existing WLANs on the WLC using the following command and use an unused index id for the new WLAN show wlan summary To create a new WLAN config wlan create <WLAN_ID> <Profile name> <SSID> Ex:- config wlan create 10 Test Test # Test is the WLAN name and SSID config wlan interface <WLAN_ID> <interface-name> Ex:- config wlan interface 10 management # assigning the WLAN to management port config wlan security wpa disable <WLAN_ID> config wlan security web-auth enable <WLAN_ID> config wlan custom-web global disable <WLAN_ID> config wlan custom-web ext-webauth-url <ext-webauth-url> <WLAN_ID> config wlan custom-web webauth-type external <WLAN_ID> by Pulse Secure, LLC. All rights reserved

81 CHAPTER 5: Configuring Cisco 2500 WLC config wlan security web-auth acl <WLAN_ID> <ACL_name> config wlan radius_server auth add <WLAN_ID> <Radius_auth_server_ID> config wlan radius_server acct add <WLAN_ID> <Radius_acct_server_ID> config wlan radius_server overwrite-interface enable <WLAN_ID> ( This command is required only if instead of management, some other interface is configured for WLAN. Please check steps 2 and 5) config wlan radius_server acct interim-update enable <WLAN_ID> config wlan radius_server acct interim-update <Interval> <WLAN_ID> config wlan aaa-override enable <WLAN_ID> config wlan enable <WLAN_ID> Configuring AP Group 1. On the CISCO WLC main screen go to WLANs > Advanced > AP Groups screen and map WLAN to the Local AP (Campus Only mode) group. Figure 77: Mapping WLAN with the Local AP Using the CLI config wlan apgroup interface-mapping add <APgroup Name> <WLAN ID> <interfacename> NOTE: default-group which comes by default is not editable.so the above command cannot be used with it. Save the config using the following command: save config 2015 by Pulse Secure, LLC. All rights reserved 81

82 Guest Access Solution Configuration Guide Configuration Required on Cisco WLC in Remote AP mode Configuring RADIUS server 1. Login to Cisco WLC. Go to Security > AAA > RADIUS. Configure Pulse Policy Secure server as authentication and accounting server. Support for RFC Enable this option to trigger RADIUS disconnect when required. NOTE: Support for RFC3576 for RADIUS disconnect does not work properly with Cisco 2500, 5500, 7500, and 8500 series. Figure 78: Authentication server settings Figure 79: Accounting server settings Using the CLI Before creating the radius server, you need to allot an index number to it which is not currently in use. To find out the index numbers which are currently in use in WLC, use the following command show radius summary Go through the authentication servers and accounting servers section in the displayed output. Use an unused index number for adding radius authentication or accounting server by Pulse Secure, LLC. All rights reserved

83 CHAPTER 5: Configuring Cisco 2500 WLC config radius auth add <RADIUS auth server ID> <RADIUS server IP> 1812 ascii <password> config radius auth disable < RADIUS auth server ID > config radius auth rfc3576 enable < RADIUS auth server ID > config radius auth enable < RADIUS auth server ID > config radius acct add <RADIUS acct server ID > <RADIUS server IP> 1813 ascii <password> Configuring FlexConnect ACLs Figure 80: FlexConnect ACL list 1. Select Security > Access Control Lists > FlexConnect ACLS. Create a FlexConnect ACL list to allow DNS, DHCP and Pulse Policy Secure (Traffic). Using the CLI To see all of the ACLs that are configured on the controller enter the following command: show flexconnect acl summary To create a new ACL config flexconnect acl create <ACL name> To create rules in the newly created ACL config flexconnect acl rule add <ACL name> <Rule number1> config flexconnect acl rule protocol <ACL name> <Rule number1> 17 # 17 is UDP config flexconnect acl rule source port range <ACL name> <Rule number1> # 68 is DHCP client port number config flexconnect acl rule action <ACL name> <Rule number1> permit # Allow access config flexconnect acl rule add <ACL Name> <Rule number2> config flexconnect acl rule protocol <ACL name> <Rule number2> 17 config flexconnect acl rule source port range <ACL name> <Rule number2> # 67 is DHCP server port number config flexconnect acl rule action <ACL name> <Rule number2> permit config flexconnect acl rule add <ACL name> <Rule number3> config flexconnect acl rule protocol <ACL name> <Rule number3> 6 config flexconnect acl rule source port range <ACL name> <Rule number3> # Port 53 for DNS config flexconnect acl rule action <ACL name> <Rule number3> permit config flexconnect acl rule add <ACL name> <Rule number4> 2015 by Pulse Secure, LLC. All rights reserved 83

84 Guest Access Solution Configuration Guide config flexconnect acl rule protocol <ACL name> <Rule number4> 6 config flexconnect acl rule destination port range <ACL name> <Rule number4> config flexconnect acl rule action <ACL name> <Rule number4> permit #port 53 for DNS config flexconnect acl rule add <ACL name> <Rule number5> config flexconnect acl rule source address <ACL name> <Rule number5> <PPS IP> <Subnetmask> config flexconnect acl rule action <ACL name> <Rule number5> permit config flexconnect acl rule add <ACL name> <Rule number6> config flexconnect acl rule destination address <ACL name> <Rule number6> <PPS IP> <Subnetmask> config flexconnect acl rule action <ACL name> <Rule number6> permit Configuring WLAN Figure 81: Creating a WLAN 1. Go to WLANs tab and create a new WLAN. 2. Navigate to General tab and enable Status checkbox. Figure 82: WLAN - General settings 3. Go to Security > Layer 2 in WLAN settings. From the Layer 2 Security drop-down list Select None by Pulse Secure, LLC. All rights reserved

85 CHAPTER 5: Configuring Cisco 2500 WLC Figure 83: WLAN Layer 2 settings 4. Go to Security > Layer3 in WLANs tab. From the Layer 3 security drop-down list select 'Web Policy'. For Preauthentication ACL, associate the FlexConnectACL that is created earlier. Over-ride Global Config - Select the Enable check box. From the Web auth type drop-down list select External (Re-direct to external server) URL Enter the Pulse Policy secure (Guest sign-in URL) for redirection URL. Figure 84: WLAN Layer 3 settings 5. Go to Security > AAA Servers in WLANs tab. Configure RADIUS server for authentication and accounting by Pulse Secure, LLC. All rights reserved 85

86 Guest Access Solution Configuration Guide Figure 85: WLAN AAA Server settings 6. Select the Interim Update check box. NOTE: Instead of management port, if some other Interface/Interface Group (G) is selected during WLAN creation then Radius Server Overwrite interface option must be enabled. 7. Select Advanced tab and enable Allow AAA Override checkbox by Pulse Secure, LLC. All rights reserved

87 CHAPTER 5: Configuring Cisco 2500 WLC Figure 86 WLAN Advanced settings Using the CLI Before creating a new WLAN verify the existing WLANs on the WLC using the following command and use an unused index id for the new WLAN show wlan summary To create a new WLAN: config wlan create <WLAN_ID> <Profile name> <SSID> eg: config wlan create 10 Test Test # Test is the WLAN name and SSID config wlan interface <WLAN_ID> <interface-name> eg: config wlan interface 10 management # assigning the WLAN to management port config wlan security wpa disable <WLAN_ID> config wlan security web-auth enable <WLAN_ID> config wlan custom-web global disable <WLAN_ID> config wlan custom-web ext-webauth-url <ext-webauth-url> <WLAN_ID> config wlan custom-web webauth-type external <WLAN_ID> config wlan security web-auth flexacl <WLAN_ID> <ACL_name> config wlan radius_server auth add <WLAN_ID> <Radius_auth_server_ID> config wlan radius_server acct add <WLAN_ID> <Radius_acct_server_ID> config wlan radius_server overwrite-interface enable <WLAN_ID> ( This command is required only if instead of management, some other interface is configured for WLAN. Please check steps 2 and 5) config wlan radius_server acct interim-update enable <WLAN_ID> config wlan radius_server acct interim-update <Interval> <WLAN_ID> config wlan aaa-override enable <WLAN_ID> config wlan enable <WLAN_ID> Configuring AP Group 1. On the CISCO WLC main screen go to WLANs > Advanced > AP Groups screen and map Figure 87: Mapping WLAN Flexl AP WLAN Flexl AP (Remote AP mode) group by Pulse Secure, LLC. All rights reserved 87

88 Guest Access Solution Configuration Guide Using the CLI config wlan apgroup interface-mapping add <APgroup Name> <WLAN ID> <interfacename> NOTE: default-group which comes by default is not editable.so the above command cannot be used with it. Save the config using the following command: save config Adding ACLs in FlexConnect Group To add ACLs in FlexConnect Group: 1. Select Wireless >FlexConnect Groups. Click on the required FlexConnect Group and select ACL Mapping > Policies. Add all the required FlexConnect ACLs to this group. This configuration is required when admin wants to push ACL name using RADIUS return attributes from Pulse Policy Secure. Figure 88: Adding ACLs in FlexConnect Group Using the CLI To see all of the flexconnect groups that are configured on the controller enter the following command: show flexconnect group summary To add policy ACLs in the flexconnect group use the following command: config flexconnect group <flex-group> policy acl add <flexconnect_acl> Save the config using the following command: save config by Pulse Secure, LLC. All rights reserved

89 CHAPTER 6 Configuring Cisco 3850 WLC Configuring Cisco WLC using Web GUI Configuring Cisco WLC using CLI Configuring Cisco WLC using Web GUI You can configure CISCO WLC 3850 by performing the steps as stated below: 1. Create a RADIUS server. 2. Create a Radius Server Group and map with the newly created RADIUS server 3. Create an Authentication list and map with the newly created Radius Server Group. 4. Create an Accounting list and map with the newly created Radius Server Group. 5. Create an Authorization list and map with the newly created Radius Server Group. 6. Create a Webauth Parameter Map 7. Create an Access List 8. Create a Sequence Number 9. Create a Wireless SSID To configure the CISCO WLC 3850: 1. Login to CISCO WLC. The CISCO Wireless Controller home page appears. Figure 89: CISCO Wireless Controller home page 2. From the Configuration drop-down list select Security. The options under the Security section are displayed by Pulse Secure, LLC. All rights reserved 89

90 Guest Access Solution Configuration Guide Figure 90: Security section Figure 91: Radius Servers 3. Select AAA > Radius > Servers to create a Radius server. The Radius Server screen appears. 4. Click New to create a Radius server by Pulse Secure, LLC. All rights reserved

91 CHAPTER 6: Configuring Cisco 3850 WLC Figure 92: Creating a Radius Server 5. Enter relevant details and click Apply at the right top corner of the page. A new RADIUS server is created. 6. Select AAA > Server Groups > Radius to create a Radius Server Group. The Radius Server Groups screen appears. Figure 93: Radius Server Groups 7. Click New The Radius Server Group > New screen appears by Pulse Secure, LLC. All rights reserved 91

92 Guest Access Solution Configuration Guide Figure 94: Creating a Radius Server Group 8. Enter a name in the Name field. From the Available Servers box select the server which you have created in step 5 and click the button to move it to the Assigned Servers box. 9. Click Apply to save the Radius Server Group. 10. Select AAA > Method List > Authentication to create an Authentication list. The Authentication screen appears. Figure 95: Authentication list 11. Click New. The Authentication > New screen appears. Figure 96: Creating a new Authentication list by Pulse Secure, LLC. All rights reserved

93 CHAPTER 6: Configuring Cisco 3850 WLC Figure 97: Accounting list 12. Enter the details in the fields as follows: In the Method List Name field enter webauth_radius For Type, select login For Group Type select group Select the wirelessradius server group that you have created earlier from the Available Server Groups box and click to move it to the Assigned Server Groups box. 13. Click Apply to save the Authentication. 14. Select AAA > Method List > Accounting to create an Accounting list. The Accounting screen appears. 15. Click New to create an Accounting list. Figure 98: Creating an Accounting list The Accounting > New screen appears. 16. Enter the details in the fields as follows: In the Method List Name field enter webauth_radius. For Type, select network. Select the wirelessradius server group that you have created earlier from the Available Server Groups box and click to move it to the Assigned Server Groups box. 17. Click Apply to save the Accounting list. 18. Select AAA > Method Lists > Authorization to create an Authorization list. The Authorization screen appears by Pulse Secure, LLC. All rights reserved 93

94 Guest Access Solution Configuration Guide Figure 99: Authorization list 19. Click New to create an Authorization list. The Authorization > New screen appears. Figure 100: Creating an Authorization list 20. Enter the details in the fields as follows: In the Method List Name field enter webauth_radius. For Type, select network. For Group Type select group. Select the wirelessradius server group that you have created earlier from the Available Server Groups box and click to move it to the Assigned Server Groups box. 21. Click Apply to save the Authorization list. 22. Select Web Auth > Webauth Parameter Map to create a Webauth Parameter Map. The Webauth Parameter Map screen appears by Pulse Secure, LLC. All rights reserved

95 CHAPTER 6: Configuring Cisco 3850 WLC Figure 101: Webauth Parameter Map 23. Click New to create a Webauth Parameter Map. The Webauth Parameter Map > New screen appears by Pulse Secure, LLC. All rights reserved 95

96 Guest Access Solution Configuration Guide Figure 102: Creating a Webauth Parameter Map 24. Enter the details in the fields as follows: In the Parameter map name field enter vt_web. In Maximum HTTP connections(1-200) enter 30. In Init-State Timeout ( in seconds) enter 120. In Fin-Wait Timeout ( in millisecond) enter 3000 In Redirect for login field enter - This is the Pulse Policy Secure URL to which a guest is redirected when tried to access a website. In Portal IPv4 address enter Click Apply to save the Webauth Parameter Map. NOTE: A default Webauth Parameter Map is created a shown in the following figure by Pulse Secure, LLC. All rights reserved

97 CHAPTER 6: Configuring Cisco 3850 WLC Figure 103: Default Webauth Parameter Map 26. Select ACL > Access Control List to create an Access Control List. The Access Control Lists screen appears by Pulse Secure, LLC. All rights reserved 97

98 Guest Access Solution Configuration Guide Figure 104: Access Control List 27. Click Add New. The New Access List screen appears. Figure 105: Creating an Access Control List 28. In the Name field enter REDIRECT-ACL and then click Apply at the right top corner. The New Sequence Number screen appears by Pulse Secure, LLC. All rights reserved

99 CHAPTER 6: Configuring Cisco 3850 WLC Figure 106: Creating a Sequence Number 29. Enter relevant details and click Apply. Allow traffic to the Pulse Policy server IP address Figure 107: Connecting with Pulse Policy server IP address Figure 108: WLANs 30. On the main menu select Configuration > Wireless to create a Wireless SSID. The WLANs screen appears. 31. Click New. The WLANs > Create New screen appears by Pulse Secure, LLC. All rights reserved 99

100 Guest Access Solution Configuration Guide Figure 109: Creating a WLAN 32. Click Apply. Figure 110: Newly created WLAN The WLAN is created and displayed in WLANs screen. 33. Click the WLAN to configure. Figure 111: WLAN - General screen The General tab options of the WLAN appears by Pulse Secure, LLC. All rights reserved

101 CHAPTER 6: Configuring Cisco 3850 WLC 34. Select the options as shown in the above figure and then click Apply to save the configurations. 35. Click the Security tab. The options under Security > Layer2 appears. Figure 112: WLAN - Security - Layer2 36. Select the options as shown in the above figure and then click Apply to save the configurations. 37. Click Layer3 The options under Layer3 appears. Figure 113: WLAN - Security - Layer3 38. Select the options: For Webauth Authentication List select webauth_radius which you have created earlier. For Preauthentication IPv4 ACL select REDIRECT-ACL which you have created earlier. 39. Click Apply to save the configurations. 40. Click AAA Server. The options under AAA Server appears by Pulse Secure, LLC. All rights reserved 101

102 Guest Access Solution Configuration Guide Figure 114: WLAN - Security - AAA Server 41. From the Accounting Method drop-down list select webauth_radius which you have created earlier. Click Apply to save the configurations. 42. Click Advanced. The options under Advanced appears. Figure 115: WLAN - Advanced settings 43. Select the check box Allow AAA Override, so that radius attribute sent from Pulse Policy Secure can be applied. Select other options as shown in the above figure and then click Apply to save the configurations by Pulse Secure, LLC. All rights reserved

103 CHAPTER 6: Configuring Cisco 3850 WLC Configuring Cisco WLC using CLI Configuring RADIUs server: radius server <RADIUS-Profile-Name> address ipv4 <RADIUS-Server-IP> auth-port <auth-port> acct-port <acct-port> key <RADIUS-Shared-Secret> Configuring server group: aaa group server radius <Server-group-name> server name <RADIUS-Server-name> Configuring AAA method lists: aaa authentication login <authentication-list-name> group <Server-group-name> aaa authorization network <authorization-list-name> group <Server-group-name> aaa accounting network <accounting-list-name> action-type start-stop group <Server-group-name> Configuring Webauth Parameter-map: parameter-map type webauth <Webauth-name> type webauth redirect for-login <PPS-guest-URL> redirect portal ipv4 <PPS-IP> Configuring IPv4 extended ACL: ip access-list extended <ACL-Name> permit ip any host <PPS-IP> permit ip host <PPS-IP> any permit udp any eq domain any deny ip any any Configuring WLAN profile: wlan <wlan-profile-name> <wlan-id> <ssid-name> aaa-override accounting-list <accountung-list-name> client vlan <vlan-id> ip access-group web <ipv4-acl> no security wpa security web-auth security web-auth authentication-list <authentication-list-name> security web-auth parameter-map <parameter-map name> no shutdown 2015 by Pulse Secure, LLC. All rights reserved 103

104 Guest Access Solution Configuration Guide by Pulse Secure, LLC. All rights reserved

105 CHAPTER 7 Configuring Aruba WLC Configuring Aruba WLC for Pulse Policy Secure Guest Self-Registration Configuration required on Aruba WLC for Campus Only mode External Captive Portal Configuration RFC 3576 server configuration WLAN Configuration for Remote Networking mode on Aruba WLC Configuring Aruba WLC in campus only mode using CLI Configuring Aruba WLC in Remote Networking mode using CLI Configuring Aruba WLC for Pulse Policy Secure Guest Self-Registration This sections explains the steps to configure Aruba WLC for deploying Pulse Policy Secure GUAM and Guest Self- Registration feature. Figure 116: Network Topology between Pulse Policy Secure and Aruba WLC Configuration required on Aruba WLC for Campus Only mode WLAN Configuration for Campus Only mode 1. Login to Aruba WLC. Select Configuration > Wizards > WLAN/LAN Wizard. The Welcome to the WLAN/LAN Configuration Wizard appears by Pulse Secure, LLC. All rights reserved 105

106 Guest Access Solution Configuration Guide Figure 117: WLAN Configuration 2. Select Campus Only option and click Begin. The Specify Group to Configure screen appears Figure 118: WLAN Configuration Specifying a Group 3. On Specify Group to Configure screen select an existing AP group or create a new AP group and click Next. The Ready to Configure Wireless LANs for Group screen appears by Pulse Secure, LLC. All rights reserved

107 CHAPTER 7: Configuring Aruba WLC Figure 119: WLAN Configuration Wirless LANs configuration Figure 120: Specifying a WLAN 4. Click Continue button. The Specify Wireless LAN (WLAN) for Group default screen appears 5. On Specify Wireless LAN (WLAN) for Group default screen, select a group from the AP Groups list. In the WLANS for list select an existing WLAN, or Click New to create a new WLAN 6. Click Next. The Specify Forwarding Mode for Guest_Aruba in Group default screen appears 2015 by Pulse Secure, LLC. All rights reserved 107

108 Guest Access Solution Configuration Guide Figure 121: Forwarding Mode configuration 7. On Specify Forwarding Mode for Guest_Aruba in Group default screen, under Forward Mode, select Tunnel option and click Next. The Specify Radio Type and VLAN for Guest_Aruba in Group default screen appears. Figure 122: Radio and VLAN configuration 8. On Specify Radio Type and VLAN for Guest_Aruba in Group default screen select: 9. Click Next. Radio Type - Select all from the drop-down list VLAN - Select required options from the drop-down list and click the arrow button to include in the VLAN box. The Specify whether WLAN is for Internal or Guest use for Guest_Aruba in Group default screen appears by Pulse Secure, LLC. All rights reserved

109 CHAPTER 7: Configuring Aruba WLC Figure 123: Internal Guest configuration 10. On, Specify whether WLAN is for Internal or Guest use for Guest_Aruba in Group default screen specify the purpose of the WLAN. Select Guest option for WLAN use and click Next. The Specify Authentication and Encryption for Guest_Aruba in Group default screen appears. Figure 124: Authentication and Encryption 11. On Specify Authentication and Encryption for Guest_Aruba in Group default screen move the slider to Captive portal with authentication via credentials option and click Next. The Specify Captive Portal Options for Guest_Aruba in Group default screen appears by Pulse Secure, LLC. All rights reserved 109

110 Guest Access Solution Configuration Guide Figure 125: Captive Portal options 12. On Specify Captive Portal Options for Guest_Aruba in Group default screen, click Next. The Specify Authentication Server for Guest_Aruba in Group default screen appears. Figure 126: Authentication Server configuration 13. On Specify Authentication Server for Guest_Aruba in Group default screen, specify Pulse Policy Secure server as the authentication server and click Next. The Specify Roles & Policies for Guest_Aruba in Group default screen appears by Pulse Secure, LLC. All rights reserved

111 CHAPTER 7: Configuring Aruba WLC Figure 127: Specifying Roles and Policies 14. On Specify Roles & Policies for Guest_Aruba in Group default screen, configure the roles and click Next. The Configure Role Assignment for Guest_Aruba in Group default screen appears by Pulse Secure, LLC. All rights reserved 111

112 Guest Access Solution Configuration Guide Figure 128: Configuring Role Assignment 15. On Configure Role Assignment for Guest_Aruba in Group default screen, click Next. The WLAN Configuration is Complete screen appears. Figure 129: WLAN configuration complete message 16. Click Finish to complete the configuration. The WLAN Configuration is Complete screen appears displaying the summary of the configuration by Pulse Secure, LLC. All rights reserved

113 CHAPTER 7: Configuring Aruba WLC Figure 130: WLAN configuration complete message with details 17. Click Finish. Figure 131: Controller configured The Controller Has Been Configured screen appears. 18. Click Finish. The system refreshes and takes you to the Configuration tab. 19. Select Security > Authentication > AAA Profiles and click on RADIUS Accounting Server Group. Select an appropriate server group for RADIUS Accounting Server Group by Pulse Secure, LLC. All rights reserved 113

114 Guest Access Solution Configuration Guide Figure 132: RADIUS Accounting Server Group by Pulse Secure, LLC. All rights reserved

115 CHAPTER 7: Configuring Aruba WLC External Captive Portal Configuration 1. In Aruba WLC select Configuration > Security > Authentication > L3 authentication. The L3 authentication screen appears. Figure 133: L3 Authentication configuration 2. Click Captive Portal Authentication Profile. The list expands. Select the corresponding profile of the above configured WLAN. Select the check box Add switch IP addressin the redirection URL. In the Login page box enter the Pulse Policy Secure guest access URL that is configured as part of Pulse Policy Secure configuration. 3. Click Apply to save the configuration. RFC 3576 server configuration Figure 134: RFC 3576 Server Configuration 1. In Aruba WLC go to Configuration > Security > Authentication > Servers tab. A list of configured servers is displayed. 2. Click the RFC 3576 Server and add Pulse Policy Secure as RFC 3576 server, for supporting disconnect messages by Pulse Secure, LLC. All rights reserved 115

116 Guest Access Solution Configuration Guide Figure 135: RFC Server - Key Details 3. Click on the RFC server that is newly created to provide the key. 4. Select Security > Authentication > AAA Profiles. Go to AAA profile and click on RFC 3576 Figure 136: RFC Server - Adding a server server. Add the server that is newly created in step by Pulse Secure, LLC. All rights reserved

117 CHAPTER 7: Configuring Aruba WLC WLAN Configuration for Remote Networking mode on Aruba WLC 1. Login to Aruba WLC. Select Configuration > Wizards >WLAN/LAN Wizard. The Welcome to the WLAN/LAN Configuration Wizard screen appears. Figure 137: Remote Networking configuration Figure 138: Group configuration 2. Select Remote Networking option and click Begin. The Specify Group to Configure screen appears. 3. On Specify Group to Configure screen, select an AP group and click Next. The Specify RAP DHCP settings for Group qa-remote screen appears by Pulse Secure, LLC. All rights reserved 117

118 Guest Access Solution Configuration Guide Figure 139: RAP DHCP Settings 4. On Specify RAP DHCP settings for Group qa-group screen, configure: DHCP pool start DHCP pool end DHCP pool netmask Default router DNS server VLAN ID DHCP Lease time Select the required option and set the limit. 5. Click Next. The Specify RAP DNS Query Routing for Groups qa-group appears. Figure 140: RAP DNS Query Routing 6. On the Specify RAP DNS Query Routing for Groups qa-group screen click Next by Pulse Secure, LLC. All rights reserved

119 CHAPTER 7: Configuring Aruba WLC Figure 141: Configuring Wireless LANs The Ready to Configure Wired LANs, and Wireless LANs for Group screen appears. 7. On Ready to Configure Wired LANs, and Wireless LANs for Group screen, click Wireless LANs Wizard link. 8. Follow the Steps 4-18 of Campus Only mode to complete Wireless WLAN configuration. 9. Follow External Captive Portal Configuration of Campus Only mode to configure Captive Portal for Remote Networking mode. 10. Follow RFC 3576 Configuration of Campus Only mode to configure Pulse Policy Secure as RFC 3576 server. Configuring Aruba WLC in campus only mode using CLI To configure Aruba WLC for Guest Access in campus only mode via command-line interface, access the CLI in config mode and issue the following commands. Configuring RADIUS server: aaa authentication-server radius <RADIUS-profile-name> host <PPS ip-address> key <password> Configuring Server Group: aaa server-group <server-group-name> auth-server <RADIUS-profile-name> Configuring AAA profile: aaa profile <AAA-profile-name> Configuring SSID profile: wlan ssid-profile <ssid-profie-name> essid <ssid-name> ssid-enable no hide-ssid opmode opensystem Configuring Captive portal: aaa authentication captive-portal <CP-profile-name> login-page <PPS-guest-URL> 2015 by Pulse Secure, LLC. All rights reserved 119

120 Guest Access Solution Configuration Guide switchip-in-redirection-url server-group <server-group-name> user-logon no guest_logon default-role guest Creating a User-role: user-role <Role-Name> captive-portal <CP-profile-name> access-list session logon-control access-list session captiveportal Attaching initial-role to AAA profile: aaa profile <AAA-profile-name> initial-role <role-name> Configuring Firewall policy rules for PPS: ip access-list session captiveportal host <PPS-IP> any any permit position 1 any host <PPS-IP> any permit position 2 Configuring Virtual-AP and associating SSID profile: wlan virtual-ap <vap-profile-name> forward-mode tunnel vlan <vlan-id> ssid-profile <ssid-profile-name> aaa-profile <AAA-profile-name> Configuring AP group and associating Virtual-AP profile: ap-group default # If it is other ap-group, give as required. virtual-ap <vap-profile-name> Configuring RFC-3576 server: aaa rfc-3576-server <PPS-IP> key <password> Attaching RFC-3576 server to AAA profile: aaa profile <aaa-profile-name> rfc-3576-server <PPS-IP> Attaching RADIUS accounting server group to AAA profile: aaa profile <aaa-profile-name> radius-accounting <server-group-name> Configuring Aruba WLC in Remote Networking mode using CLI To configure Aruba WLC for Guest Access in Remote Networking mode via command-line interface, access the CLI in config mode and issue the following commands. Configuring RADIUS server: aaa authentication-server radius <RADIUS-profile-name> host <PPS ip-address> key <password> Configuring Server Group: aaa server-group <server-group-name> auth-server <RADIUS-profile-name> Configuring AAA Profile: aaa profile <AAA-profile-name> by Pulse Secure, LLC. All rights reserved

121 CHAPTER 7: Configuring Aruba WLC Configuring SSID Profile: wlan ssid-profile <ssid-profie-name> essid <ssid-name> ssid-enable no hide-ssid opmode opensystem Configuring Captive Portal: aaa authentication captive-portal <CP-profile-name> login-page <PPS-guest-URL> switchip-in-redirection-url server-group <server-group-name> user-logon no guest_logon default-role guest Creating a User-role: user-role <Role-Name> captive-portal <CP-profile-name> access-list session logon-control access-list session captiveportal Attaching initial-role to AAA profile: aaa profile <AAA-profile-name> initial-role <role-name> Configuring Firewall policy rules for PPS: ip access-list session captiveportal host <PPS-IP> any any permit position 1 any host <PPS-IP> any permit position 2 Configuring Virtual-AP and associating SSID profile: wlan virtual-ap <vap-profile-name> forward-mode tunnel vlan <vlan-id> ssid-profile <ssid-profile-name> aaa-profile <AAA-profile-name> Configuring DHCP server on Remote AP: ap system-profile <name> rap-dhcp-default-router <ipaddr> rap-dhcp-dns-server <ipaddr> rap-dhcp-lease <days> rap-dhcp-pool-start <ipaddr> rap-dhcp-pool-end <ipaddr> rap-dhacp-pool-netmask <netmask> rap-dhcp-server-vlan <vlan> Configuring AP group and associating Virtual-AP profile: ap-group default # If it is other ap-group, give as required. virtual-ap <vap-profile-name> ap-system-profile <name> Configuring RFC-3576 server: aaa rfc-3576-server <PPS-IP> key <password> Attaching RFC-3576 server to AAA profile: aaa profile <aaa-profile-name> 2015 by Pulse Secure, LLC. All rights reserved 121

122 Guest Access Solution Configuration Guide rfc-3576-server <PPS-IP> Attaching RADIUS accounting server group to AAA profile: aaa profile <aaa-profile-name> radius-accounting <server-group-name> Configuring Aruba Instant Access Point To configure Aruba Instant Access Point: 1. Login to the Aruba Instant Access portal. Figure 142: Aruba Instant Home Page The Aruba Instant page appears. 2. Click New to create a new SSID. The New WLAN window appears by Pulse Secure, LLC. All rights reserved

123 CHAPTER 7: Configuring Aruba WLC Figure 143: Creating a New WLAN 3. In the WLAN Settings tab: In the New (SSID) field enter a name for the SSID. In the Primary usage options select Guest. 4. Click Next. The VLAN tab options appears. Figure 144: VLAN Settings 5. Keep the DHCP setting as per your network design by Pulse Secure, LLC. All rights reserved 123

124 Guest Access Solution Configuration Guide Client IP assignment here Network Assigned is chosen. For Client VLAN assignment here Default. is chosen 6. Click Next. The Security tab options appears. Figure 145: Security Settings 7. In the Security Level section do the following: From the Security page type drop-down list select External. From the Captive portal profile drop-down list select New The New screen appears. Enter the details as shown in the above figure and then click OK. The newly created captive portal appears in the Captive portal profile drop-down list by Pulse Secure, LLC. All rights reserved

125 CHAPTER 7: Configuring Aruba WLC Figure 146: Security Settings - Creating a New Server 8. From the Auth server 1 drop-down list select New. The New Server screen appears. Create a server pointing to Pulse Policy Secure server. Enter the details as shown in the above figure and then click OK. The configured Security tab options appears as in the following figure by Pulse Secure, LLC. All rights reserved 125

126 Guest Access Solution Configuration Guide Figure 147: Security Settings 9. Click Next. The Access tab options appears by Pulse Secure, LLC. All rights reserved

127 CHAPTER 7: Configuring Aruba WLC Figure 148: Access Settings 10. In the Access Rules section: Move the slider to Role-based, Under the Roles section, click New to create a new role pre-logon. Figure 149: Access Settings - Creating a Role 2015 by Pulse Secure, LLC. All rights reserved 127

128 Guest Access Solution Configuration Guide 11. Under the Access Rules section click New to create an access rule for the role. The New Rule window appears. Figure 150: Access Settings - Creating a Rule 12. Select the options as shown in the above figure. From the Destination drop-down list select to a particular server. In the IP box enter the Pulse Policy Secure server s IP address. Click OK. The Access Rule appears in the Access Rules for list box. Figure 151: Access Settings - Creating an Access Rule 13. Select the Assign pre-authentication role check box and then select pre-logon from the drop-down list. 14. Click Finish to complete the settings by Pulse Secure, LLC. All rights reserved

129 PART 4 Administration Guest User Account Managers 2015 by Pulse Secure, LLC. All rights reserved 129

130 Guest Access Solution Configuration Guide by Pulse Secure, LLC. All rights reserved

131 CHAPTER 8 Guest User Account Managers Creating Guest User Accounts Creating Guest User Accounts When the guest user account manager (GUAM) logs in through the sign-in page for the guest realm, an interface is presented for creating accounts as shown in the following figure. Figure 152: GUAM Page after Log In Table 9: Admin User Page - Field Descrioptions Settings Guidelines Create One User Click to create one user Create Many Users Click to create multiple users Delete Helps to delete the selected users Delete All Helps to delete all the users on the page. Show / hide columns Select the option to hide or show specific columns. This icon helps to delete the record of the guest user. This icon helps to reset the password of the guest user. This icon helps to edit the details of the guest user. Search Helps you to search for guest/s with specific names. From this page, the GUAM user can add users one-at-a-time or in bulk by Pulse Secure, LLC. All rights reserved 131

132 Guest Access Solution Configuration Guide The following figure shows the page for adding a single guest user. Table 10 describes the user configuration. Figure 153: Guest User Create One User Page Table 10: Create One User Page Field Descriptions Settings Guidelines Username Specify an account username. If the local authentication server has been configured with a prefix for guest accounts, the username box is populated with the next username in the prefix-based sequence. We recommend you retain the guest_ prefix so that you can rely on the naming convention in your role mapping rules. Full Name Specify the name of the guest. Password A strong password is generated automatically, or you can specify a different password. After you have saved the configuration, the system displays the password characters as asterisks (*) instead of blanks or cleartext. NOTE: The password cannot be decrypted later unless the appropriate option is set when you create a local authentication server. Mobile Number Select the country name and then specify a valid phone number of the guest user. The Policy Secure sends the login credentials to this mobile number through SMS. Specify an address you can use to contact the guest if necessary. Start Time By default the Now option is displayed. You can specify a start time for the account activity period by clicking on the drop-down and selecting from the calendar menu. By default After 24 hours is displayed. You can specify an end of the account activity period. Click on the drop-down menu and select from the calendar menu. Once a user account has expired, it is deleted from the system. End Time The process that deletes the guest user account runs every ten minutes. There may be a delay of some minutes before the account is purged. Even if the time or date on the system is moved ahead past the expiration time, the account could still be valid until the purge process runs. One-time user accounts are not affected by the ten-minute delay: one-time accounts are deleted immediately after the user exits by Pulse Secure, LLC. All rights reserved

133 CHAPTER 8: Guest User Account Managers Settings Guidelines Company Name Enter the name of the company of the guest. Host or Sponsor Enter whether the guest is a Host or Sponsor. One-time use Select this option if you want the account deleted immediately after the guest user exits the browser or signs out. Enabled Select this option to enable the account Require user to change password at next sign in Select this option to prompt the user to change the configured password. NOTE: This option will not be supported in GUAM for WLC case. This option should not be enabled. Even if enabled, it will not have any effect. The following figure shows the page for adding many users. Table 11 describes the user configuration. Figure 154: Guest User Create Many Users Page The guest usernames and passwords are created by the system as you click in the Username text box by Pulse Secure, LLC. All rights reserved 133

134 Guest Access Solution Configuration Guide Table 11: Create Many Users Page - Field Descriptions Settings Guidelines Username Specify the prefix to be used for the multiple accounts you are creating. If the local authentication server has been configured with a guest prefix, it is populated here. When configuring the local authentication server, the default prefix is guest_. We recommend you retain the default guest_ so that you can rely on the naming convention in your role mapping rules. Full Name Enter the full name of the guest. Password A strong password is generated automatically, or you can specify a different password. After you have saved the configuration, the system displays the password characters as asterisks (*) instead of blanks or cleartext. NOTE: The password cannot be decrypted later unless the appropriate option is set when you create a local authentication server. Start Time By default the Now option is displayed. You can specify a start time for the account activity period by clicking on the drop-down and selecting from the calendar menu By default After 24 hours is displayed. You can specify an end of the account activity period. Click on the drop-down menu and select from the calendar menu. Once a user account has expired, it is deleted from the system. End Time The process that deletes the guest user account runs every ten minutes. There may be a delay of some minutes before the account is purged. Even if the time or date on the system is moved ahead past the expiration time, the account could still be valid until the purge process runs. One-time user accounts are not affected by the ten-minute delay: one-time accounts are deleted immediately after the user exits. Company Name Enter the name of the company of the guest. (Optional) Host or Sponsor Enter whether the guest is a Host or Sponsor. (Optional) One-time use Select this option if you want the account deleted immediately after the guest user exits the browser or signs out Enabled Select this option to enable the account. Require user to change password at next sign in Select this option to prompt the user to change the configured password NOTE: This option will not be supported in GUAM for WLC case. This option should not be enabled. Even if enabled, it will not have any effect. After the GUAM user clicks the Create button the following popup is displayed. Figure 155: Multiple Users Created Popup Message Select SMS and click OK to send the credentials to the guests mobiles. Click Print to generate a printout of the credentials by Pulse Secure, LLC. All rights reserved

135 CHAPTER 8: Guest User Account Managers Figure 156: Multiple users created - Displayed on the guest admin page From the GUAM page, the GUAM user can click Edit icon of a guest user account to modify the guest user account details. The following figure shows the Edit User window. Figure 157: Guest User Edit User Page 2015 by Pulse Secure, LLC. All rights reserved 135

136 Guest Access Solution Configuration Guide After clicking Save Changes the following popup appears. Figure 158: Guest User Edit User Successful popup with , SMS, and Print options From the GUAM page, the GUAM user can click Print to generate a printable record of the guest user account. The following figure shows the print details page. Figure 159: Guest User Print Details Page by Pulse Secure, LLC. All rights reserved

137 Appendix Guest User Creating Login Credentials Once Pulse Policy Secure is integrated with an existing WLC, and if a guest using the guest SSID tries to access a website, the guest is redirected to the Pulse Policy Secure login page. The guest user can create the login credentials. Using these credentials the guest user can access any of the websites permitted by the Admin user. Scenario I When a guest tries to create login credentials, the User ID and Password are displayed on the monitor. Settings required on Pulse Policy Secure: To enable this option in the Pulse Policy secure main page select Authservers > Guest Authentication > Settings In the Guest Access Configurations section select the check box: Show credentials on screen after guest completes registration A guest user tries to access a website. The guest user is redirected to the Pulse Policy Secure Login page. Figure 160: Pulse Policy Secure Login page for guests To create login credentials: 1. Click the Register as guest link. The following page appears by Pulse Secure, LLC. All rights reserved 137

138 Guest Access Solution Configuration Guide Figure 161: Guest - Personal Details 2. Enter a name in the Full Name field, and then click Register. A popup box appears, which displays the newly created username and password. Figure 162: Guest s Username and Password created 3. Click OK. The guest is redirected to the Pulse Policy Secure login page where the user credentials are populated in the Username and Password fields. Figure 163: Guest using the credentials in Sign In page 4. Click Sign In. The guest is redirected to the website which the guest tried to access earlier by Pulse Secure, LLC. All rights reserved

139 Scenario II When a guest tries to create login credentials, the guest receives the credentials through and SMS. Settings required on Pulse Policy Secure: To enable this option in the Pulse Policy secure main page select Authservers > Guest Authentication > Settings In the Guest Access Configurations section select the check boxes: Appendix Send guest user credentials via o SMS o A guest user tries to access a website. The guest user is redirected to the Pulse Policy Secure Login page. Figure 164: Pulse Policy Secure Login page for guests To create login credentials: 1. Click the Register as guest link. The following page appears. Figure 165: Guest - Personal Details 2. Enter details in all the mandatory fields: Full Name - Enter your full name Enter a valid address 2015 by Pulse Secure, LLC. All rights reserved 139

140 Guest Access Solution Configuration Guide Mobile Number Enter your mobile number to receive an SMS 3. Click Register. The pop message An account has been created for you is displayed. Figure 166: Guest s Username and Password created NOTE: The guest user credentials are sent to the and also an SMS is delivered to the mobile number entered by the guest. The ID entered in the text box is by default used to create Username of the guest. 4. Click OK. Figure 167: Pulse Policy Secure Login page The guest is redirected to the Pulse Policy Secure login page. 5. Check your or SMS and enter the details. 6. Click Sign In. The guest is redirected to the website which the guest tried to access earlier by Pulse Secure, LLC. All rights reserved