Case Study: Captive Portal with QR Code (authenticator-assisted)

Guest receives a QR code that is authenticated by an authenticator on the external RADIUS server

Introduction

The Captive Portal with QR Code is a new function on the NXC 2500 / 5500 controller with firmware version 4.20. This feature offers two convenient and fast methods to access the Internet. The first method is authenticator-assisted: employees are the authenticators, who can authenticate a guest to access the Internet. The second method is self-service, in which an employee (authenticator) produces the QR code and publishes it for guests. The guest can use a mobile device to scan the QR code to pass the authentication. The Captive Portal with QR Code can be used in settings such as private enterprises, hospitality, schools, seminars and meetings, where guests access the network for the duration of their visit.

Tasks

Configure the network interfaces of the WLAN controller NXC2500 / 5500.
Configure the WLAN controller NXC2500 / 5500 with an external RADIUS server.
Configure the Captive Portal with QR Code on the WLAN controller NXC2500 / 5500.
Scenario: Authenticator-assisted

A guest connects to the Guest SSID with captive portal authentication.
The NXC receives the connection request from the guest and redirects the guest to the captive portal page with the QR code.
The employee (authenticator) uses a mobile device, with an IP address that has authentication ability, to scan the QR code from the guest's device.
The NXC receives the authentication request.
After the NXC checks the authentication request, it sends the authentication response to the employee's mobile device.
The Configuration of Captive Portal with QR Code: Authenticator-assisted

Employees are the members of VLAN 10, which can access the Internet by passing the authentication with enterprise security (802.1X). Guests are the members of VLAN 20, which can access the Internet once an employee authenticates the guest's QR code.

Step 1: Go to Interface > VLAN > Add. Create three VLANs as the DHCP servers. VLAN 0 is the management VLAN, VLAN 10 is for employees, and VLAN 20 is for guest use.

Step 2: Set GE2 as the external interface to act as a DHCP client.
Take GE2 out of VLAN 0.

Step 3: Set a routing policy.

Step 4: Go to Zone > Edit. Set VLAN 10 and VLAN 20 to be in the WLAN zone, so that the members of VLAN 10 can access the members of VLAN 20. The employee in VLAN 10 can then authenticate guests in VLAN 20.

Step 5: Create user information for guests and employees to log in to the captive portal. Go to User/Group > User > Add.
* The User Type of the guest must be guest or user.
QR-Guest ZT001, ZT002, and employees are authenticators on the external RADIUS server.
Set a group for the authenticator (employee) accounts. Go to User/Group > User > Group > Add. Edit the group's member list.
Authenticator (Employee) information on the external authentication (RADIUS) server.

Step 6: Go to AAA server > RADIUS > Add > Edit. Under RADIUS Server, configure the RADIUS server and port number; 1812 is the default.
Confirm that there are authenticator accounts on the external authentication server.

Step 7: Go to Auth. Method > Add. Set the Auth Method to group Ext_RADIUS and local. If you enable QR code, the local Auth. Server must be in the Authentication Method. The guest account must be pre-configured on the NXC controller.

Step 8: Add an IP address range on VLAN 20 for guests that need to log in to the captive portal, and add the interface subnet of the employees on VLAN 10. Go to Address > Address > Add.
The IP address range for guests that need to log in to the captive portal:
The interface subnet of employees on VLAN 10:

Step 9: To prevent guests in VLAN 20 from accessing VLAN 10, go to Firewall > Add. Add a firewall rule to deny guest access to the members of VLAN 10.

Step 10: Go to Captive Portal > Captive Portal > Authentication Policy Summary. Select Auth_Ext_RADIUS for Authentication Method, and then add an authentication policy.

Step 11: Select the IP address range for guests that will be forced to be authenticated by the captive portal. Select the interface subnet for the employee VLAN interface.

Step 12: Enable the captive portal feature and authentication with the QR code. Select Authenticator-assisted and then apply the configuration.
Guest Account: Select the guest users.
QR Portal Address: Select the VLAN interface of the authenticator.
Authenticator: The group of authenticators that authenticate the guests.

Step 13: Configure AP Profile > SSID > Security List > Add. If the authenticator information is on the external authentication server, select the auth. method that is directed to the authentication server for employees.
Add one security profile with security set to none for guests.

Step 14: Go to AP Profile > SSID > Add. Create two SSIDs for guests and employees. The SSID for guest use is named Guest_QR with VLAN ID 20. The SSID for employee use is named Employee_1F with VLAN ID 10 and enterprise security.

Step 15: Create a radio configuration for the AP. Go to AP Profile > Radio > Add.

Step 16: Go to AP Management > AP Group. Select the Radio AP profile and SSID profile to provide Wi-Fi service for guests and employees.

Step 17: Guests can use a mobile device to connect to the SSID and open a webpage. The browser shows the captive portal page with the QR code.

Step 18: Find an employee who is able to authenticate guests by scanning the guest's QR code. After scanning the QR code from the guest's device, the employee's mobile device will show the result of the authentication.

Step 19: Go to Login Users. You can see that the guest has obtained the IP address, as well as who was authenticated by the authenticator. Then, the guest can access the Internet.
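
The segmentation that Steps 4, 8 and 9 are meant to produce can be checked offline before the SSIDs go live. The following is an added example, not part of the original case study or the NXC firmware: the addresses are constructed, the first-match rule order is an assumed evaluation model, and the names decide, range_findings and audit are hypothetical.

```python
import ipaddress as ip

# Constructed addressing; the page does not give the real values.
EMPLOYEE_NET = ip.ip_network("192.168.10.0/24")   # VLAN 10 interface subnet
GUEST_NET = ip.ip_network("192.168.20.0/24")      # VLAN 20 interface subnet
GUEST_RANGE = (ip.ip_address("192.168.20.33"), ip.ip_address("192.168.20.200"))
ANY_WLAN = ip.ip_network("192.168.0.0/16")        # both VLANs share one zone

# Ordered rules, first match wins (assumed evaluation model).
RULES = [
    ("deny-guest-to-employee", GUEST_NET, EMPLOYEE_NET, "deny"),
    ("wlan-intra-zone", ANY_WLAN, ANY_WLAN, "allow"),
]

def decide(rules, src, dst, default="deny"):
    """Return (action, rule name) for the first rule matching src -> dst."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action, name
    return default, "default"

def range_findings(rng, guest_net, employee_net):
    """Check the forced-authentication range against both VLAN subnets."""
    lo, hi = rng
    findings = []
    if not (lo in guest_net and hi in guest_net):
        findings.append("range leaves the guest subnet")
    if any(n.overlaps(employee_net) for n in ip.summarize_address_range(lo, hi)):
        findings.append("range overlaps the employee subnet")
    return findings

def audit(rules):
    """Findings for the segmentation the procedure is meant to produce."""
    findings = range_findings(GUEST_RANGE, GUEST_NET, EMPLOYEE_NET)
    for guest in GUEST_RANGE:                      # both ends of the range
        if decide(rules, guest, EMPLOYEE_NET[10])[0] != "deny":
            findings.append(f"guest {guest} can reach VLAN 10")
    if decide(rules, EMPLOYEE_NET[10], GUEST_RANGE[0])[0] != "allow":
        findings.append("authenticator cannot reach VLAN 20")
    return findings

if __name__ == "__main__":
    print(audit(RULES) or "policy matches the intended segmentation")
    print(audit(list(reversed(RULES))))            # allow rule placed first
```

With the allow rule placed ahead of the deny rule, the audit reports that guests can reach VLAN 10, which is the misordering to look for when reviewing the firewall list.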