HSG6 - VLAN Steering over captive portal login
In this scenario, we showcase how captive portal features can be used to dynamically steer users to their respective VLANs based on their user profile. Traditionally, to assign authorized users to different networks, you need to run multiple SSIDs mapped to multiple VLANs, with multiple portals for the different user profiles. Users then have to pick the right SSID and sign in to their respective network. This is confusing for users and makes the Wi-Fi configuration hard to maintain.
Our dynamic VLAN assignment (VLAN steering) over captive portal authentication significantly simplifies the wireless configuration and improves network security. You only need to provision a single SSID in the wireless settings, and manage all users, VLANs and captive portal settings on HSG. HSG works with the AP to dynamically steer each user to their respective VLAN upon successful authentication.
Pre-requisites
The AP/WLC must support MAC-based authentication and dynamic VLAN assignment, and must point to HSG as its RADIUS server for authentication/accounting. Most enterprise APs already support this as a standard feature, e.g. Cisco, Ruckus, Aruba, Ubiquiti, etc.
Common use cases
Hotels, where you want to provide a Personal Area Network (PAN) for each hotel guest.
Enterprises or institutions, where you want to do Network Access Control (NAC) for visitors and staff.
Large hotspot venues (e.g. airports, stadiums, dormitories), where you want to optimize the user experience: enable the captive portal only on the quarantine VLAN, and upon successful authentication HSG steers users to a pass-through VLAN with minimum processing overhead.
Demo scenario
In this demo scenario, we simulate the three cases above:
Any new device associated to the SSID is assigned to a quarantine/default VLAN (VLAN100) and prompted with the captive portal login.
Visitors register with an SMS OTP and are automatically assigned to VLAN101 (Visitor VLAN).
Members, after logging in with their member account, are assigned to VLAN102 (Member VLAN).
Hotel guests, after logging in with their PMS account (room number and last name), are assigned to their room-specific VLAN (PAN).
NOTE: You can optionally apply traffic shaping/QoS per VLAN to offer tiered access control (network and per-user speed).
Deployment preparation
Connect HSG eth0 (WAN) to the Internet (ISP ONT or modem). NOTE: if you are using 10G ports for LAN and WAN, the port numbering is different; please consult the vendor.
Connect HSG eth1 (LAN) to the LAN switch.
Connect HSG eth2 to the management PC (configure the PC for DHCP, then open the mbox GUI at http://10.10.10.1 and log in with mboxadmin/Letthem0ut7&). Change this default password before the box goes into production, since it is published in this documentation.
HSG eth3 is reserved for the private LAN; it is pre-configured to issue DHCP addresses.
Connect the AP to the LAN PoE switch.
Configure the AP to broadcast the desired SSID, using the default VLAN1 as the management VLAN for the AP/WLC.
The AP gets its management IP from HSG, from network 192.168.8.0/22.
Configure the AP/WLC to point to HSG as the RADIUS server for MAC-based authentication (refer to the respective vendor documentation).
Add all VLANs on the switch (VLAN100, VLAN101, VLAN102, VLAN201, VLAN202), configure all switch ports in trunk mode, and permit all VLANs on each port.
3-Step deployment from sample config
NOTE: please upgrade your box to firmware version 20191223-1600 or above (follow this guide to upgrade the firmware).
Follow this video guide to deploy HSG by restoring from the sample config.
Follow this video guide to customize the landing page and login options and to create scheduled reports.
Sample config default settings
The eth0 (WAN) port is pre-configured to get a DHCP IP from the ISP ONT/modem (or upstream router). If you need to change the interface IP/route, please follow this guide.
The syslog server (user access logging) is enabled to collect DNS access logs and firewall logs, keeping data for the last 3 days.
User access records are kept for the last 90 days.
User info (username and profile data) is kept indefinitely.
Monthly auto backup is configured, keeping the last 3 backup files (see details on backup & restore).