HSG6 - VLAN Steering over captive portal login

In this scenario, we showcase how captive portal features can be used to dynamically steer users to their respective VLANs based on user profile. Traditionally, assigning authorized users to different networks means running multiple SSIDs mapped to multiple VLANs, plus multiple portals for the different user profiles. Users then have to pick the right SSID and sign in to their respective network. This is confusing for users, and the Wi-Fi configuration is also very hard to maintain.

Our Dynamic VLAN assignment (VLAN steering) over captive portal authentication significantly simplifies wireless configuration and improves network security. You only need to provision a single SSID in the wireless settings and manage all users, VLANs and captive portal settings on HSG. HSG works with the AP to dynamically steer users to their respective VLAN upon successful authentication.

Pre-requisites

  • The AP/WLC must support MAC-based authentication and dynamic VLAN assignment, and point to HSG as the RADIUS server for authentication/accounting. Most enterprise APs already support this as a standard feature, e.g. Cisco, Ruckus, Aruba, Ubiquiti, etc.

Common use cases

  • Hotels, where you want to provide a Personal Area Network (PAN) for each hotel guest.
  • Enterprises or institutions, where you want to do Network Access Control (NAC) for visitors and staff.
  • Large hotspot venues (e.g. airports, stadiums, dormitories), where you want to optimize the user experience: enable the captive portal only on the quarantine VLAN, and upon successful authentication HSG steers users to a pass-through VLAN with minimal processing overhead.

Demo scenario

In this demo scenario, we simulate the three cases above:

  • Any new device that associates to the SSID is assigned to the quarantine/default VLAN (VLAN100) and prompted with a captive portal login.
  • Visitors register with an SMS OTP and are automatically assigned to VLAN101 (Visitor VLAN).
  • Members, after logging in with their member accounts, are assigned to VLAN102 (Member VLAN).
  • Hotel guests, after logging in with their PMS account (room number and last name), are assigned to their specific room VLAN (PAN).

NOTE: You can optionally further apply traffic-shaping/QoS for each VLAN to offer tiered access controls (network & user speed).
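The exchange behind the prerequisite and the demo scenario above, as an added example that is not HSG's or any AP vendor's code: a minimal Python model of MAC-based RADIUS authentication with dynamic VLAN assignment. The AP sends an Access-Request whose User-Name is the client MAC; the gateway looks up what the captive portal has learned about that device and answers with an Access-Accept carrying Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id=<VLAN id> (RFC 2868 attributes as used by RFC 3580), which is what enterprise APs act on. The VLAN100/101/102 plan is the page's; the DEVICE_STATE table, the room-to-VLAN rows, the MAC addresses and the shared secret are constructed for the example. It goes slightly beyond the page's description by also showing the AP side: checking the Response Authenticator and extracting the VLAN id from the reply.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865; RFC 2868 tunnel attributes, RFC 3580 usage)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
TAG = 1  # RFC 2868 tag octet that groups the three tunnel attributes

# VLAN plan from the demo scenario; the room-to-VLAN rows are constructed for the example.
QUARANTINE_VLAN, VISITOR_VLAN, MEMBER_VLAN = 100, 101, 102
ROOM_VLANS = {"201": 201, "202": 202}

# Constructed table of what the captive portal learned about each device (hypothetical data).
DEVICE_STATE = {
    "aa-bb-cc-00-00-01": {"profile": "visitor"},               # SMS OTP completed
    "aa-bb-cc-00-00-02": {"profile": "member"},                # member login completed
    "aa-bb-cc-00-00-03": {"profile": "guest", "room": "202"},  # PMS login completed
}


def vlan_for(mac):
    """Map a device MAC to its VLAN; unknown or unauthenticated devices stay in quarantine."""
    state = DEVICE_STATE.get(mac.lower())
    if state is None:
        return QUARANTINE_VLAN
    if state["profile"] == "guest":
        return ROOM_VLANS.get(state.get("room"), QUARANTINE_VLAN)
    return {"visitor": VISITOR_VLAN, "member": MEMBER_VLAN}.get(state["profile"], QUARANTINE_VLAN)


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (including the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(value):
    """RFC 2868 tagged integer: one tag octet followed by three value octets."""
    return bytes([TAG]) + struct.pack("!I", value)[1:]


def vlan_attributes(vlan_id):
    """The three attributes an AP/WLC needs in order to place a client in a VLAN."""
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan_id).encode()))


def parse_attributes(data):
    """Split a RADIUS attribute area into {type: [value, ...]}, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs


def access_request(identifier, mac):
    """AP side: MAC-auth Access-Request carrying the client MAC as User-Name.
    (A real AP also sends User-Password; omitted here to keep the example short.)"""
    attrs = avp(USER_NAME, mac.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + os.urandom(16) + attrs  # 16 random octets = Request Authenticator


def handle_mac_auth(request, secret):
    """Gateway side: answer a MAC-auth request with an Access-Accept that steers the client
    to its VLAN. The Response Authenticator is computed as in RFC 2865 section 3."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    mac = parse_attributes(request[20:length])[USER_NAME][0].decode()
    attrs = vlan_attributes(vlan_for(mac))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_accept(response, request_auth, secret):
    """AP side: accept the reply only if its Response Authenticator matches the shared secret."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[0] == ACCESS_ACCEPT and expected == response[4:20]


def assigned_vlan(response):
    """AP side: pull the VLAN id out of an Access-Accept, or None if no VLAN was assigned."""
    attrs = parse_attributes(response[20:])
    tunnel_type = attrs.get(TUNNEL_TYPE, [b""])[0]
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if len(tunnel_type) != 4 or int.from_bytes(tunnel_type[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if group and group[0] <= 0x1F:  # strip the RFC 2868 tag octet if one is present
        group = group[1:]
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for mac in ("aa-bb-cc-00-00-01", "aa-bb-cc-00-00-03", "de-ad-be-ef-00-00"):
        req = access_request(7, mac)
        resp = handle_mac_auth(req, secret)
        print(mac, "-> VLAN", assigned_vlan(resp), "| reply authentic:", verify_accept(resp, req[4:20], secret))
```

Two points the model makes visible: a device the portal has not yet authenticated always receives VLAN100, so the quarantine assignment never depends on the AP's own defaults, and the reply is bound to the request only by an MD5 over the shared secret, which is why the AP-to-HSG RADIUS traffic belongs on the management VLAN (VLAN1 in the deployment steps below) rather than on any client VLAN.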

Deployment preparation

  • Connect HSG eth0 (WAN) to the Internet (ISP ONT or modem). NOTE: if you're using the 10G ports for LAN and WAN, the port numbering is different; please consult the vendor.
  • Connect HSG eth1 (LAN) to the LAN switch.
  • Connect HSG eth2 to the management PC (configure the PC for DHCP, then open the mbox GUI at http://10.10.10.1 and log in with mboxadmin/Letthem0ut7&).
  • HSG eth3 is reserved for a private LAN. It's pre-configured to issue DHCP addresses.
  • Connect the AP to the LAN PoE switch.
      • Configure the AP to broadcast the desired SSID, using the default VLAN1 as the management VLAN for the AP/WLC.
        • The AP gets its management IP from HSG in the 192.168.8.0/22 network.
        • Configure the AP/WLC to point to HSG as the RADIUS server for MAC-based authentication (refer to the respective vendor documentation).
      • Add all VLANs on the switch (VLAN100, VLAN101, VLAN102, VLAN201, VLAN202), configure all switch ports in trunk mode, and permit all VLANs on each port.

3-Step deployment from sample config

NOTE: please upgrade your box to firmware version 20191223-1600 or above (follow this guide to upgrade the firmware).

  1. Download the sample config.
  2. Follow this video guide to deploy HSG by restoring from the sample config.
  3. Follow this video guide to customize the landing page and login options and to create scheduled reports.

Sample config default settings

  • The eth0 (WAN) port is pre-configured to get a DHCP IP from the ISP ONT/modem (or upstream router). If you need to change the interface IP/route, please follow this guide.
  • The syslog server (user access logging) is enabled to collect DNS access logs and firewall logs, keeping data for the last 3 days.
  • User access records are kept for the last 90 days.
  • User info (username and profile data) is kept indefinitely.
  • Monthly auto backup is configured, keeping the last 3 backup files (see details on backup & restore).