Guest Network

A Guest Network is configured to provide access to non-enterprise users who require access to the Internet.

To create a Guest Network, follow these steps:

  1. Tap Active Networks tile on the Instant On mobile app home screen.
  2. Tap Add () and select the Wireless tab. This tab appears only when your site has both wired and wireless networks.
  3. Select Guest, under Usage to indicate that the network is for guest users.
  4. Enter a name for the guest network.
  5. Under Security, select one of the following security levels:
    • None—if you want the user to access this network without the requirement of entering a username or password.
    • Wi-Fi Enhanced Open—Wi-Fi Enhanced Open (OWE) is the open security type derived from WPA3. It runs concurrently with an equivalent legacy Open SSID. For more information, see Wi-Fi Enhanced Open (OWE).
    • WPA2 Personal—This option allows you to secure the network using a shared password (PSK) encryption. Enter a password of your choice in the Network password field.
    • WPA2 + WPA3 Personal—This is the default setting when creating a new guest network. This option allows you to secure the network using a shared password (PSK) encryption. Enter a password of your choice in the Network password field.
    • The Network password settings will be grayed out when only the 6 GHz radio spectrum is selected for the wireless network. For more information, see Radio.

  6. To configure a guest portal in addition to the security levels, enable the Guest portal toggle switch () and follow the instructions provided in Enabling Guest Portal.

To change the guest network status manually, follow these steps:

  1. Tap Networks () tile on the Instant On home page and select a guest network from the list. The Guest Details page is displayed.
  2. Slide the Inactive toggle switch () to the right set the network to Active ().
  3. Tap DONE. The network is marked as Active, and all network settings are made visible.

Wi-Fi Enhanced Open (OWE)

Wifi-Enhanced Open (OWE) is the open security type derived from WPA3. It runs concurrently with an equivalent legacy Open SSID. Essentially, 2 similar SSIDs are broadcast and OWE capable clients will connect to the OWE version of the SSID, while non-OWE clients will connect to the legacy version of the SSID. Enhanced open provides improved data encryption in open Wi-Fi networks and protects data from sniffing.

The option to configure OWE is available only when Open is chosen as a security choice for a Wireless Network.

To configure OWE on the Guest network, follow these steps:

  1. Ensure that the Security type for the Guest network is set to Open.
  2. Move the Wi-Fi Enhanced Open toggle switch to enabled ()
  3. Tap Done.

More Options

The More options drop-down in the Instant On mobile app allows you to configure following settings for clients on guest networks:

Enabling Guest Portal

Guest portal can be accessed using the Instant On mobile app. It is available to newly connected users in a Wi-Fi network, before they are granted broader access to network resources. Guest portals are commonly used to present a landing or login page which may require the guest to accept your terms and policies before connecting to the Internet. You can also use the Guest portal to add details about your business and advertise special deals. Instant On offers you the ability to customize Guest Portal with your business logo, pictures, legal terms and other details. To configure Guest portal service on the Instant On mobile app, follow these steps:

  1. Click Active Networks from the Instant On home page.
  2. Select an active Guest Network connection.
  3. Under Security, enable the Guest portal toggle switch ().
  4. Tap the () Customize guest portal link to modify the captive portal or splash page. The Guest Portal page is displayed.
  5. Tap the drop-down arrow at the top-right hand corner of the screen and select either Internal, External settings.
  6. Tap Ok.
  7. Based on your selection, enter values in the required fields. For more information, see:
  1. The changes are automatically saved.

Configuring Internal Captive Portal

You can configure an internal captive portal splash page when adding or editing a guest network created for your Instant On site. Following are the internal captive portal configuration parameters:

Table 1: Internal Captive Portal Configuration

Parameter Description

Background

Tap the box to view the color palette and choose a color for the background of the internal captive portal page.

Welcome Message

Design the welcome message by updating the following fields:

  • Text—Enter the text for the welcome message. Example: Welcome to Guest Network.
  • Font size—Drag the slider to set the size of the font.
  • Font color—Tap the box to view the color palette and choose a color for the font.
  • Font family—Choose a font type from the drop-down list.

Logo / Image

Tap the image icon to browse and upload an image from your device.

NOTE: Ensure that you upload the image only in the png, jpg, gif, or bmp formats.

Terms and Conditions

Design the terms and conditions section by updating the following fields:

Title text—Enter the title text. Example: Please read the Terms and Conditions before using the Guest Network.

Font size—Drag the slider to set the size of the font.

Font color—Tap the box to view the color palette and choose a color for the font.

Font family—Choose a font type from the drop-down list.

Terms content—Enter or paste your terms and conditions in the text box.

Agree text—Enter a comment in the text box. For example: I agree to the terms and conditions.

Font color—Tap the box to view the color palette and choose a color for the font.

Font family—Choose a font type from the drop-down list.

Accept Button

Design the Accept Button by updating the following fields:

  • Text—Enter the text for the accept button. Example: I agree to the terms and conditions.
  • Redirect URL—Specify the custom URL to which users should be redirected after clicking the accept button.
  • Border radius—Drag the slider to set the border radius of the accept button.
  • Background color—Tap the box to view the color palette and choose a color for the background.
  • Font color—Tap the box to view the color palette and choose a color for the font.
  • Font family—Choose a font type from the drop-down list.

Configuring External Captive Portal

You can configure an external captive portal for your guest network by configuring RADIUS authentication and accounting parameters

Customizing Captive Portal

To customize the external captive portal, follow these steps:

  1. Select External from the Guest Portal page.

  2. The Custom external captive portal offers two types of user accessibility to the Internet through the guest portal under Guest user access. Choose one of the following options.

    • User authentication (default)—Users are required to enter their credentials in the guest portal page to access the Internet. The credentials entered by the user are sent to the RADIUS server for validation. This is the default setting for the custom external captive portal.
    • Guest portal acknowledgement—The guest portal must return a predefined string Aruba.InstantOn.Acknowledge to grant user access to the Internet. When selected, a predefined authentication text is returned by the external server after successful user authentication.
  3. Configure the following external captive portal configuration parameters:

    Table 2: External Captive Portal Configuration

    Parameter Description

    Server URL

    Enter the URL for the external captive portal server.

    Redirect URL

    Specify a redirect URL if you want to redirect the users to another URL.

    Allowed domains

    Slide the toggle switches to enabled () to allow access to social network domains. Enter a domain name in the New domain name and click to add additional domains. This allows unrestricted access to additional domains.

    Require RADIUS Message Authenticator

    Slide the toggle switch to enabled () for the AP to discreetly discard packets from the RADIUS servers that does not have the Message Authenticator.

    RADIUS Accounting

    Slide the toggle switch to enabled () to ensure the Instant On AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

    Primary RADIUS Server

    Configure a primary RADIUS server for authentication by updating the following fields:

    • Server IP address or domain name—Enter the IP address or fully qualified domain name of the external RADIUS server.
    • Shared secret—Enter a shared key for communicating with the external RADIUS server.

     

    Tap the More RADIUS parameters link to configure the following parameters:

    • Server timeout—Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The Instant On AP retries to send the request several times (as configured in the Retry count) before the user gets disconnected.
    • Retry count—Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group, and the default value is 3 requests.
    • Authentication port—Enter the authorization port number of the external RADIUS server within the range of 1–65,535. The default port number is 1812.
    • Accounting port—Enter the accounting port number within the range of 1–65,535. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.

     

    Configure the following settings under Network Access Attributes, if you wish to proxy all RADIUS requests from the Instant On AP to the client.

    • NAS identifier—Enter a string value for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
    • NAS IP address—Select one of the following options if your Instant On devices are configured in a private network mode. The options below determine how the RADIUS authentication takes place across all networks.

    Use device IP (default)—This is the default setting. The RADIUS requests and NAS IP address will originate from each device authenticating the clients.

    Use a single IP—The RADIUS and NAS IP address will originate from a single IP address representing the site. Enter the NAS IP address for the site.

    NOTE: This option is grayed out if the Instant On AP is configured as a primary Wi-Fi router on the network. In which case each AP in the network will send RADIUS requests to the server with a matching Source IP address and NAS IP address.

    Secondary RADIUS Server

    To configure a Secondary RADIUS Server, slide the toggle switch to the right ().

    NOTE: The configuration parameters for the Secondary RADIUS Server and the Primary RADIUS Server are the same.

    Network Access Attributes

    This option is available only if User authentication (default) is selected under Guest user access. Configure the following parameters under network access attributes:

    • NAS Identifier—Enter a string value for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
    • NAS IP Address—Tap on NAS IP Address and select one of the following options if your Instant On devices are configured in a private network mode. The options below determine how the RADIUS authentication takes place across all networks. This option is grayed out if the Instant On AP is configured as a primary Wi-Fi router on the network. In which case each AP in the network will send RADIUS requests to the server with a matching Source IP address and NAS IP address.
    1. Use device IP (default)—This is the default setting. The RADIUS requests and NAS IP address will originate from each device authenticating the clients.
    2. Use a single IP—The RADIUS and NAS IP address will originate from a single IP address representing the site. Enter the NAS IP address for the site.