NXC5500/2500

Version 4.20 Edition 2, 02/2015

Copyright © 2015 ZyXEL Communications Corporation

Application Note

Captive Portal with QR Code

ZyXEL – NXC Application Notes

Captive Portal with QR Code

What is Captive Portal with QR code?

A captive portal is a login page that is displayed when you launch a web browser to access the Internet; it intercepts network traffic until you enter a privileged account.

For example, some companies place a captive portal in front of staff and visitors before they can gain network access to the Internet via a web browser. To manage network traffic and security, users need a privileged account to pass the captive portal and use the network. In general, new employees receive a privileged account after they report for duty, but visitors need to ask an employee or administrator for one.

Suppose your company holds a business conference for dozens of customers. How could it provide instant wireless access for them without creating numerous accounts or changing the network configuration? A captive portal with QR code solves this problem. IT staff do not need to generate an account for every customer. Instead, they can print a QR code and post it at the entrance of the meeting room or anywhere customers can easily see it. After customers scan the QR code with a mobile device, they are logged in to the captive portal page automatically without keying in account information. In addition, if your company has stricter IT security policies, e.g. granting guest wireless access requires employee authentication beforehand, there is another way to use the QR code: a company security guard or employee who is registered to authenticate guest wireless access has the privilege to scan the QR code shown on the captive portal login page on the customer’s device.

The captive portal with QR code is a new feature that gives clients a convenient and fast way to access the Internet in some scenarios.

The NXC provides two authentication mechanisms with QR code for different scenarios.

Scenario 1: Authenticator - assisted

Guest receives a QR code that is authenticated by an authenticator

A guest visits the ZyXEL Company and connects to the Guest SSID, which shows the login page with a QR code. The guest does not have a user name and password, so he finds an employee who has the privilege to authenticate the guest’s device and asks him to scan the QR code. After the employee scans the QR code and gets the authentication message, the guest can use Wi-Fi to access the Internet.

Scenario 2: Self - serviced

Guest directly scans QR code to pass the authentication

A guest visits the ZyXEL Company and, when he sits down, sees a QR code posted on the table. The QR code carries the note “Welcome to ZyXEL”. After the guest connects to the SSID and scans the QR code, he gets the authentication message. Then he can enjoy the Wi-Fi service.

The Configuration of Captive Portal with QR code

Employees are members of VLAN 10 and access the Internet by passing enterprise security (802.1X) authentication. Guests are members of VLAN0 and access the Internet after an employee authenticates the guest’s QR code.

Scenario 1: Authenticator - assisted

Step 1: Go to Interface > VLAN > Add. Create two VLANs, VLAN0 and VLAN10, each acting as a DHCP server. VLAN0 is for guests and VLAN10 is for employees.

Step 2: Go to Zone > Edit. Set both VLAN0 and VLAN10 as LAN so that members of VLAN10 can access members of VLAN1. An employee in VLAN10 can then authenticate a guest in VLAN0.

Step 3: Create user information for guests and employees to log in to the captive portal. Go to User/Group > User > Add.

*The User Type of guest must be “guest” or “user”.

There are two kinds of configuration for authentication by the authenticator (employee): on the NXC and on an external RADIUS server.

• Guest information: (Regardless of whether the authenticator information is on the NXC or on an external authentication server, e.g. a RADIUS or Active Directory server, the guest account must be pre-configured on the NXC.)

• Authenticator (employee) information on the NXC

Set a group for employee accounts. Go to User/Group > User > Group > add.

• Authenticator (employee) information on the external authentication (RADIUS) server

Add the information of the external authentication server. Go to AAA Server > Radius > Add. (Note: Please confirm that an authenticator account exists on the external authentication server.)

Step 4: Go to Auth. Method > Add. If the authenticator information is on the NXC, select “local” authentication for the employees’ enterprise security.

If the authenticator information is on the external authentication server, add an authentication method and select the external authentication server for the employees’ enterprise security.

Step 5: Add an IP address range on VLAN0 for guests that need to log in to the captive portal, and add the interface subnet of the employees on VLAN10. Go to Address > Address > Add.

The IP address range for guests who need to log in to the captive portal:

The interface subnet of employees on the VLAN10:

Step 6: To prevent guests in VLAN0 from accessing VLAN10, go to Firewall > Add. Add a firewall rule that denies guest access to members of VLAN10.

Step 7: Go to Captive Portal > Captive Portal > Authentication Policy Summary. Scroll down the captive portal page, select “default” for Authentication Method, and then add an authentication policy.

Step 8: Select the IP address range for guests that will be forced to authenticate through the captive portal.

Step 9: Bring up the Captive Portal page, enable the captive portal feature and authentication with the QR code. Select “Authenticator - assisted” and then apply the configuration.

• Guest Account – Select the guest user ID.

• QR Portal Address – Select the VLAN group of “authenticator”.

  ◦ The authenticator must be able to access members of the VLAN selected as QR Portal Address for guests; otherwise, the authenticator will be unable to authenticate guests.

• Authenticator – Able to authenticate guests.

Employees are the authenticators who can authenticate guests to access the Internet. Hence, QR Portal Address must be set to VLAN10, the employees’ VLAN, and Authenticator must be set to a group of employees who have the privilege to authenticate.

• The account information of the authenticator is on the NXC.

• The account information of the authenticator is on the external authentication server.

Step 10: After the AP deployment is ready, add the AP profiles for the guest and employee Wi-Fi service. Before setting the SSID, set up an enterprise security profile for employees to use. Go to AP Profile > SSID > Security List > Add.

If the authenticator information is on the NXC, select “default” for Auth. Method, which is local authentication for employees.

If the authenticator information is on the external authentication server, select the auth. method that points to the authentication server for employees.

Step 11: Go to AP Profile > SSID > Add. Create two SSIDs, one for guests and one for employees.

• Set the forwarding mode to “Local bridge” when the AP’s traffic goes through the NXC directly.

• Set the forwarding mode to “Tunnel mode” when the AP’s traffic might not go through the NXC directly. Tunnel mode forces all traffic into the NXC and leads it to the captive portal.

The SSID for guests is named “QR_guest” with VLAN ID 1.

The SSID for employees is named “QR_employee” with VLAN ID 10 and enterprise security.

Step 12: Create a radio configuration for the AP. Go to AP Profile > Radio > Add.

Step 13: Go to AP Management > Mgmt. AP List. Select the SSID to provide Wi-Fi service for guests.

Step 14: The guest can use a mobile device to connect to the SSID and open a web page. It shows the captive portal page with the QR code.

Step 15: Find an employee who is able to authenticate guests and have him scan the guest’s QR code. After the QR code on the guest’s device is scanned, the employee’s mobile device shows the result of the authentication.

Step 16: Go to Login Users. You can see that the guest has obtained the IP address, as well as who authenticated the guest.
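
Steps 1, 5, 6 and 8 all depend on one guest address range: an address leased by the VLAN0 DHCP server but left outside the Step 5 range is not forced to the captive portal (Step 8) and, if the Step 6 deny rule uses that range as its source, is not blocked from VLAN10 either. The following Python check is an added example, not ZyXEL code or NXC output; all addresses are constructed, and first-match rule evaluation with traffic between the two VLANs allowed by default is an assumption.

```python
import ipaddress

def nets(first, last):
    """Expand an inclusive address range (Step 5 style object) into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def matches(ip, blocks):
    return any(ip in block for block in blocks)

def first_match(rules, src, dst):
    """Ordered evaluation, first matching rule wins (assumed firewall behaviour)."""
    for action, src_blocks, dst_blocks in rules:
        if matches(src, src_blocks) and matches(dst, dst_blocks):
            return action
    return "allow"  # assumption: both VLANs share a zone, so no rule means allowed

def audit(dhcp_pool, guest_object, employee_subnet, rules):
    """List leased guest addresses that escape the portal policy or the deny rule."""
    guest_blocks = nets(*guest_object)
    employee_host = next(ipaddress.ip_network(employee_subnet).hosts())
    leased = [ip for block in nets(*dhcp_pool) for ip in block]
    return {
        "skips_portal": [str(ip) for ip in leased if not matches(ip, guest_blocks)],
        "reaches_vlan10": [str(ip) for ip in leased
                           if first_match(rules, ip, employee_host) != "deny"],
    }

# Constructed sample values; the application note's own addresses are not on this page.
POOL = ("192.168.0.33", "192.168.0.72")          # hypothetical VLAN0 DHCP pool (Step 1)
GUEST_SHORT = ("192.168.0.33", "192.168.0.64")   # address object narrower than the pool
EMPLOYEES = "192.168.10.0/24"                    # hypothetical VLAN10 interface subnet

def deny_rule(guest_object):
    """Step 6 rule: deny the guest address object access to the employee subnet."""
    return [("deny", nets(*guest_object), [ipaddress.ip_network(EMPLOYEES)])]

if __name__ == "__main__":
    for label, obj in (("narrow object", GUEST_SHORT), ("object == pool", POOL)):
        print(label, audit(POOL, obj, EMPLOYEES, deny_rule(obj)))
```

With the narrow object, the eight addresses 192.168.0.65 to 192.168.0.72 appear in both lists; once the object matches the pool, both lists are empty.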

Scenario 2: Self – serviced

For steps 1-8, refer to steps 1-8 of Scenario 1.

Step 9: Go to Captive Portal. Enable the captive portal feature and authentication with QR code. Select “Self-serviced”. You can enter a message in Note Message and press “Print Out”; the QR code is then shown in the window.

• QR Portal Address – Select the VLAN group of “guest”.

  * Please note that the IP address you select must be reachable by guests.

• Note Message – Write any information to be printed with the QR code.

Step 10: Publish the QR code; guests can then scan it with a mobile device to pass the authentication.

Step 11: Go to AP Management > Mgmt. AP List. Select the SSID to provide Wi-Fi service for guests.

Step 12: Scan the QR code and the mobile device shows the result of the authentication.

Step 13: Go to Login Users. You can see who obtained the IP address by QR code authentication.

The Flowchart of Authentication of Captive Portal with QR code

Scenario 1: Authenticator - assisted

The process of scenario 1:
1. The guest connects to the SSID with captive portal authentication.
2. The NXC receives the connection request from the guest and leads it to the captive portal page with the QR code.
3. The employee (authenticator) uses a mobile device with an IP address that has authentication ability to scan the QR code from the guest’s device.
4. The NXC receives the authentication request.
5. After the NXC checks the authentication request, it sends the authentication response to the employee’s mobile device.

Scenario 2: Self – serviced

The process of scenario 2:
1. The employee (authenticator) produces the QR code for guests.
2. The guest connects to the SSID with captive portal authentication.
3. The guest scans the QR code published by the authenticator.
4. The NXC receives the authentication request from the guest.
5. After the NXC checks the authentication request, it sends the authentication response to the guest’s mobile device.