Guest Access in Wireless LAN


This article explores how guests can be given access to wireless networks, whether they can be authenticated, whether their access can be restricted to certain services in the network, and whether usage statistics and logs can be generated for them.

A wireless network, in the context of this article, consists of three components: a controller, access points, and laptops/clients with Wi-Fi adaptors. We assume that employees already have wireless access through such a system, and we restrict our discussion to guest access: people who require temporary network access for a short duration of time.

In the past, networks were kept open and anyone in the vicinity could access the internet etc. As you can guess, this is not a very good idea! So people started to enforce strict authentication through LDAP/AD etc. However, one issue remained: how to give certain people temporary guest access, restricted to certain services in the network, without creating a profile for them in the AD etc. Most existing wireless controllers can now solve this.

The controller lets you set up a separate SSID for guests (probably in a separate VLAN too). When guests come to your office, they see the Guest SSID when they scan for available networks. The controller also lets you set up a browser-based captive portal: in some controllers the captive portal is built in, while in others the controller interacts with an external server to bring it up. The guest gets a customized captive portal (like a web-page interface) showing your company logo, the terms of network usage, and user name and password fields that must be filled in to continue. The user name and password can be a common one or can be generated by the receptionist (who has their own mini-admin page for doing so). These passwords can be set up to be automatically deactivated at the end of the day, for example. One important reason why the passwords must be unique for every guest is that each guest's activity can then be logged and usage stats reported based on it.

Once the guest has entered the user name and password and joined the network, the controller ensures that the guest is restricted to the separate network and given access only to certain services like HTTP and HTTPS. That is what most guests require, and more services can be added if required. Guest access can also be restricted to certain hours, for example from 8 AM to 8 PM; most controllers let you do this. A few controllers also let the administrator limit the bandwidth available to guests, so that they do not choke the internet bandwidth being used by the employees.
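The policy described in the two paragraphs above can be modelled in a few lines. This is an added example, not code from the article or from any controller vendor; the class, method and reason names are hypothetical, and the allowed ports and the 8 AM to 8 PM window are the ones the article uses as examples.

```python
import secrets
from datetime import datetime, time

ALLOWED_PORTS = {80, 443}                   # HTTP and HTTPS only
ACCESS_WINDOW = (time(8, 0), time(20, 0))   # 8 AM to 8 PM

class GuestPortal:
    """Hypothetical model of a controller's guest policy (illustration only)."""

    def __init__(self):
        self.vouchers = {}   # username -> (password, expires_at)
        self.usage = {}      # username -> per-guest counters for reporting

    def issue(self, guest_name, now):
        """Receptionist action: a unique credential that dies at end of day."""
        username = f"guest-{secrets.token_hex(3)}"
        password = secrets.token_urlsafe(9)
        expires = datetime.combine(now.date(), time(23, 59, 59))
        self.vouchers[username] = (password, expires)
        self.usage[username] = {"guest": guest_name, "allowed": 0, "denied": 0}
        return username, password

    def authorize(self, username, password, dst_port, now):
        """Return (allowed, reason) and record the decision against the guest."""
        reason = self._check(username, password, dst_port, now)
        if username in self.usage:
            key = "allowed" if reason == "ok" else "denied"
            self.usage[username][key] += 1
        return reason == "ok", reason

    def _check(self, username, password, dst_port, now):
        voucher = self.vouchers.get(username)
        # Constant-time comparison so the check does not leak password prefixes.
        if voucher is None or not secrets.compare_digest(voucher[0], password):
            return "bad-credentials"
        if now > voucher[1]:
            return "voucher-expired"
        if not (ACCESS_WINDOW[0] <= now.time() < ACCESS_WINDOW[1]):
            return "outside-hours"
        if dst_port not in ALLOWED_PORTS:
            return "service-blocked"
        return "ok"
```

Because every decision is counted under the guest's own user name, the usage report only works when each guest has a unique credential; with a shared password all activity would collapse into one entry.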

In most of the guest access solutions provided by wireless controller vendors, there is no need to reconfigure the guest laptops or modify the LDAP/AD settings etc. However, guest access might be offered as an additional module requiring a separate server (or a software license upgrade), which has an additional cost.

excITingIP.com
