ExtremeIQ Cloud

About Guest Access

Guest Access helps automate the guest experience on your wireless networks, providing scalable, easy-to-use guest management for single-site deployments and global enterprise networks.

Guest Access provides enterprise-grade security. System management and guest registration are protected by standards-based web encryption, and Guest Access to the wireless network is protected by enterprise grade Wi-Fi security – using either PPSK (Private Pre-Shared Key) technology to deliver unique encryption keys to every user and every device, or WPA2 Enterprise with user name and password credentials. These systems use RadSec to secure authentication between Extreme Networks access points and the authentication service, eliminating unprotected RADIUS calls over the Internet.

Guest Access oversees and grants wireless Internet access to guests using a special guest SSID. Guest Access is configured inside the ExtremeCloud IQ network policy configuration workflow.

Guest Access Features

Guest Self-Registration: This feature allows guests to easily self-register and receive guest credentials (via email, on-screen, or an SMS text message) using a standalone kiosk, through employee sponsorship, or through a captive web portal. For more information about the credential notification templates, which you can customize, see Notification Templates and Notification Templates.
PPSK Self-Registration: This feature provides secure network access and management of employee personal devices. Employees connect to an open-registration wireless network, authenticate using their employee credentials, and receive a PPSK via a captive web portal. PPSKs can be cached in an on-device database (on the AP) or in the cloud. You can choose to grant PPSKs and tailor the experience (firewall, QoS, throughput rates) on a per-device basis. PPSK technology lets you revoke permission for a single user without affecting the entire network. PPSKs can be stored in the cloud, or on an Extreme AP, providing flexibility, scalability, and local survivability.
Guest Life Cycle Management: You can create multiple guest types, each with a different life cycle. You can also revoke access in real time.
Guest Credential Storage: Guest access login credentials can be stored in the cloud or locally on an Extreme Networks AP. When credentials are stored locally, user profiles are stored in the configuration and the user profile ID is mapped automatically. For credentials stored in the cloud (Service), both PPSK and RADIUS (802.1X) are supported, RadSec must be permitted between the device and ExtremeCloud IQ, and the Service cannot act as a RADIUS server for third party devices.

How Guest Access Works

Guests usually have one very basic requirement: easy access to a wireless network, typically for a limited amount of time. Examples of industries where Guest Access plays an important role include hospitality (hotels, airports, cafes), enterprise (corporations), education (K-12, universities and colleges), retail, (shopping malls, brick and mortar stores), and healthcare (nursing homes, residential care, hospitals, patients and patient visitors).

Typical options for Guest Access include:

An open WLAN (no authentication) with a UPA (use policy acceptance) window.
A secure WLAN that guests access using a Pre-Shared Key (PSK).
An open WLAN with authentication through a captive web portal.
Guest Access offers another option: PPSK (Private Pre-Shared Key) for direct access to a guest SSID, or access through a customizable captive web portal.

This table describes some strengths and weaknesses of these options:

Guest Access Workflows

Guest Access supports multiple workflows:

Administrator-Initiated: A network administrator can configure Users and User Groups. Each user (guest) is assigned to a specific User Group, which defines the type of credentials and where the credentials are stored (in the cloud, or on the device). for detailed configuration steps see "Scenario One: Configure Guest Access using HiveManager".
Employee-Initiated: Guests self-register using a captive web portal, and (optionally) their access can be approved by employees. The network admin creates an Employee Group to which employees are added and links the Employee Group to specific User Groups. Employees in this Employee Group are granted the role of Guest Manager and can create guest accounts for the linked User Groups. For this workflow, credentials are stored in the cloud (Service).
Guest Access with Self-Registration: In this workflow, the admin creates two SSIDs which are bound together: an open SSID and an SSID using secure PPSKs. Guests receive a notification identifying the open SSID where they log in and request credentials. The guest receives the login PPSK as a text message or through email and uses the PPSK to access the secure SSID. For detailed configuration steps, see "Scenario Two - Configure a Captive Web Portal for Guest Self-Registration".

Lobby admin-created Guest Access: An employee (lobby receptionist, for example) creates user accounts for guests.
API: Custom applications can be created using the APIs for visitor access.

Configure Guest Access Directly in HiveManager

Guest Access is an integral part of the ExtremeCloud IQ configuration workflow. The typical configuration steps are:

A network admin assigns a guest management role in admin_name > Global Settings > Accounts > Account Management. SeeAdmin Accounts.
Guest Management roles must be linked to Employee Groups.

An admin or guest manager creates a guest SSID in the network policy: Configure > Network Policy > Wireless Connectivity > SSID. See Standard Wireless Network Settings.

The guest SSID must contain a user group designated for guests. You can create User Groups in two places: Configure > Network Policy > Wireless Connectivity > SSID > User Groups, or as common objects in Configure > Users > User Management > User Groups. See Add User Groups and User Groups.

This illustration shows the User Group section in the SSID configuration workflow:

This illustration shows the User Groups window under Configure > Users:

Create guest user accounts in Configure > Network Policy > Wireless Connectivity > SSID > User Groups > Users column in User Group table > Add, or as common objects in Configure > Users > User Management > Users. See User Accounts and Users.

Create employee groups for employee guest sponsorship at Config > Users > User Management > Employee Groups. See Credential Distribution Groups and Credential Distribution Groups.

Guest authentication, accounting and SMS logs can be viewed by navigating to admin_name > Global Settings > Logs. See Accounting Logs, Authentication Logs. and SMS Logs.

This image shows the Accounting Logs window.

This image shows the Authentication Logs window.

This image shows the SMS Logs window.

How Guest Access is Granted

Administrative permission for Guest Access is controlled by Role Based Access Control, which allows you to customize permission and better control management access. There are five roles: administrator, operator, help desk, guest management, and observer. The administrator role has full access to all of the features within Guest Access, and is the only role that can create other roles. For Guest Access, you can assign the role of guest manager to employees or users who can then create user accounts for guests, contractors, VIPs, and other visitors. Guest managers can view the guest management user interface, but cannot see the Onboard, Dashboard, Manage, Configure, and tabs. See Admin Accounts for more information on role-based access control.

Guest Access through a Captive Web Portal

ExtremeCloud IQ supports three types of captive web portals: Authentication, Self-registration, and Use Policy Acceptance. You can customize the look and feel of your captive web portal using colors, logos, and images, and multiple languages.

Reference Apps for Guest Access

This release also introduces the first of a series of reference applications that can be used for Guest Access: the Kiosk App for iOS is an iPad or iPad mini app that is intended as a self-service option for visitors. It is available through the Apple App Store, and also as source code from the Extreme Networks Developer Portal (https://developer.aerohive.com).

Future releases will continue to introduce new apps as they are developed, including the Lobby Receptionist App that allows lobby personnel to register visitors and also supports automatic password refresh for entire locations, such as campuses and nursing homes.

Configuring Guest Access Common Scenarios

This guide describes the configuration steps for common Guest Access scenarios:

Scenario 1: Configure Guest AccessinExtremeCloud IQ. In this scenario, the admin creates a guest SSID, user group with users, and distributes PPSK login credentials automatically directly from the ExtremeCloud IQ workflow.
Scenario 2: Configure a captive web portal where guests can self-register. In this scenario, the admin creates a guest SSID with a captive web portal, where users can then self-register.

These scenarios assume that the network admin is doing the configuration steps. However, the admin might want to appoint someone else to act as guest manager, (any employee, for example, such as the lobby receptionist) by adding a guest management role. The guest manager can create. revoke, and view guest user accounts and PPSKs for the user groups they can access as defined in the employee group to which they belong. The steps for adding a guest manager are shown below.

Adding a Guest Management Account

To assign the Guest Management role, navigate to admin_name > Global Settings > Accounts > Account Management. Select , and at the top of the Add New User window, select Create a new user account. You must also create an Employee Group and connect it to guest management accounts.

In the Enter Account Details section, enter the following information.

Email Address: Enter a valid email address for the person to whom you are assigning this role. The email address can contain from 3 to 128 characters and must contain only valid email characters and punctuation. The person acting as the guest manager receives an email with their user name and instructions on how to set up their password.
Name: Enter the name of the person in this role. The name can contain up to 128 characters, including spaces.

In the Preferences section, select a period of time after which any sessions for this user will expire (Idle Session Timeout). The default is 30 minutes, and the range is from 5 to 240 minutes (4 hours).

Step 1, Choose Role: Select Guest Management. Since you cannot assign a location to a Guest Management Role, Step 2 does not apply.
Select Save & Close.
Create an Employee User Group. Navigate to Configure > Users > User Management > Employee Groups. Select and enter the following information:

Group Name: Enter a name for this employee group.

Admin Account: Select Guest Management Role User from the drop-down list.

Guest Management User: Enter the valid email addresses of the guest managers that you want to associate with this employee group.

Enable User Groups: Select the check boxes for all of the guest user groups for which members of this employee group can create guest accounts.

Select Save.

Scenario One: Configure Guest Access using HiveManager

In this scenario, the ExtremeCloud IQ admin, or manager, knows in advance which guests will be arriving and what their requirements are. For example, a school principal wants to allow only teachers and staff to connect to the guest network with their phones. In this case, the principal asks the admin or guest manager to create a user group for teachers and staff, and separate user accounts for each teacher and staff member. For a business that is having construction done on their premises, the contractors need limited access to the Internet, but not the employee network. In this case the admin or guest manager creates a user group for contractors and individual user accounts for each contractor. The login credentials for each guest are stored in the cloud, and are automatically sent as soon as the user account has been created and saved.

The steps the admin or guest manager takes to create the user group and user accounts are shown here:

Create a Guest SSID

In ExtremeCloud IQ, navigate to Configure > Network Policy. Create a new network policy for guest management, and then select Next. For complete instructions on how to create a new network policy, see the online Help.
You can also use an existing network policy. To create the guest SSID in an existing network policy, select the check box for the network policy and select Next.
In the Wireless Connectivity section, select to create a new SSID. Complete the fields on the New SSID window:

SSID Name: Enter a name for the guest SSID. The name can contain up to 32 characters without spaces.
SSID Broadcast Name: This is typically the same as the SSID Name. This field auto-populates with the SSID Name by default.
Broadcast SSID using: Select both 802.11 options.

In the SSID Usage section, enter the following information:

Authentication: Select Private Pre-Shared Key.
Key Management: Select WPA2-(WPA2 Personal)-PSK.
Encryption method: Select CCMP (AES).
Select the check box for Number of clients that can use each PPSK, and enter a number in the box. By default, this box is checked and the number is 1. Raising this number allows one guest to use a single PPSK for multiple devices.
Enable Captive Web Portal: Do not enable a captive web portal for this scenario.

For more information about how to create guest SSIDs, see Standard Wireless Network Settings.

Create a User Group

In the Authentications Settings section, select to create a new user group. Complete the fields in the New User Group window:

User Group Name: Enter a name for the user group. The name can contain up to 32 characters without spaces.
Password database location: Select Service. Login credentials (PPSKs) are stored in the cloud and distributed automatically via the chosen delivery method chosen for your user accounts.
Password type: Select PPSK.
Description: Enter a description for this user group (optional).

In the Password Settings section, enter the following information:

Generate Password Using: Select letters, numbers, or special characters or any combination of the three. Letters is selected by default, and if you do not check either of the other options, your password will contain only letters. If none of the check boxes are selected, the password will contain only letters.
Enforcement options: Select an enforcement option from the drop-down (optional): Some companies have password policies that require a mix of capital letters, number and special characters. The drop-down gives you the flexibility to enforce that policy during PPSK creation.
PPSK Generation Method: Select Password Only from the drop-down list. The User String option lets you attach a string of characters to the generated password. For example, if you enter Extreme - the generated passwords will then be Extreme123pe091r, Extreme1241po4, for example.

In the Expiration Settings section, enter the following information:

Require Authentication After: For this scenario, leave this setting at the default of 1800 seconds. This option allows you to enforce time-limited access. After authentication, Wi-Fi access is granted for the specified time, after which the user is re-authenticated. You can also use this feature to force clients to generate new encryption keys every so often to mitigate decryption attacks.
Using this feature might put an additional burden on the RADIUS server.
Account Expiration: Select Never Expire or Valid During Dates from the drop-down list. If you select Valid During Dates, you can then select start and end dates for the accounts assigned to this user group.
Deliver Settings: Select a notification delivery method for members of this user group. You can select Text Messages (SMS)or Email or both. A standard template is applied by default for either method and cannot be changed here.

Select Save. You are returned to the SSID window. Scroll down to the User Group table in the Authentication Settings section, where you will add users to this group (see the next section).

Note

For more information about configuring user groups, see Add User Groups.

Add Users to the User Group

Add Users. In the User Groups table, for a specific User Group, in the # of Users column, select Add to add user accounts to this group.

Create accounts in user group: This field automatically changes to show the name of the user group to which you are adding this user account.
Name: Enter a name for the user. The name can contain up to 32 characters without spaces.
Organization: Enter the name of the organization to which this user belongs.
Purpose of Visit: Enter the reason this user is visiting.
Email Address: Enter a valid email address for this user.
Phone Number: Enter a valid phone number for this user.
Password: Enter a password (PPSK) for this user. This password is automatically sent to the user via text or email, depending on the delivery method that is configured for the user group.
Confirm Password: Retype the password for confirmation (you can clear the Obscure secret box to see what you are typing). To have the password automatically generated, select Generate.
Description: Enter a description for this user (optional).

In the Deliver Password section, select the check box for the delivery method for this user group and enter either a valid phone number (for text messages) or a valid email address. If you configured both methods, you must enter a phone number and a valid email address here as well.
Important: Be careful to Save after you create each user, when you are done with the User Group, and again when you are finished with the SSID configuration. If you forget to save, your user group and user account information will be lost. Make sure everything that you have configured appears in the User Group table in the SSIDAuthentication Settings section. If the table is correct, and you are finished with the SSID, scroll to the bottom of the SSID window and select Save.

When you complete the configuration for a user account and select Save, the user automatically receives the PPSK and login information in either an email or text message (or both), depending on the configured delivery method.

For more information about creating guest user accounts, see User Accounts.

Scenario Two - Configure a Captive Web Portal for Guest Self-Registration

In this scenario, the network admin creates an open guest SSID, and a secure PPSK SSID with a captive web portal and a UPA (use policy agreement). Guests log in to the open SSID and are redirected to the secure SSID captive web portal where they agree to the terms of the UPA, or enter credentials, or both. Configure this scenario using the following steps:

Create a PPSK-Enabled Guest SSID

In ExtremeCloud IQ, navigate to Configure > Network Policy. Complete the fields on the New Network Policy window, and then select Next.
You can also use an existing network policy. To create the guest SSID in an existing network policy, select the check box for the network policy, and then select Next.
In the Wireless Connectivity section, select to create a new SSID. Complete the fields on the New SSID window:

SSID Name: Enter a name for the guest SSID. The name can contain up to 32 characters without spaces.
SSID Broadcast Name: This name is typically the same as the SSID Name. This field auto-populates with the SSID name by default.
Broadcast SSID using: Select both 802.11 options.

In the SSID Usage section, enter the following information:

SSID Authentication: Select Private Pre-Shared Key.
Enable Captive Web Portal: Turn this feature On.

Create a Self-Registration-Enabled User Group

In the SSID Authentications Settings section, select to create a new user group. Complete the fields in the New User Group window.

User Group Name: Enter a name for the user group. The name can contain up to 32 characters without spaces.
Password database location: Select Service.
Password type: Select PPSK.
Description: Enter a description for this user group (optional).
Enable CWP Register: Select the check box for the captive web portal option.

In the Password Settings section, enter the following information:

Generate Password Using: Select letters, numbers, or special characters or any combination of the three. Letters is selected by default, and if you do not check either of the other options, your password will contain only letters. If none of the check boxes are selected, the password will contain only letters.
Enforcement options: Select an enforcement option from the drop-down (optional): Some companies have password policies that require a mix of capital letters, number and special characters. The drop-down gives you the flexibility to enforce that policy during PPSK creation.
PSK Generation Method: Select Password Only from the drop-down list. The User String option lets you attach a string of characters to the generated password. For example, if you enter Test, the generated passwords will then be Test123pe091r, Test1241po4, and so on, for example.

In the Expiration Settings section, enter the following information:

Require Authentication After: This option allows you to enforce time-limited access. After authentication, Wi-Fi access is granted for the specified time, after which the user is re-authenticated. You can also use this feature to force clients to generate new encryption keys every so often to mitigate decryption attacks. 1800 seconds (30 minutes) is the default.
Using this feature might put an additional burden on the RADIUS server.
Account Expiration: Select Never Expire or Valid During Dates from the drop-down list. If you select Valid During Dates, you will be given the option to select start and end dates for the accounts assigned to this user group.
Deliver Settings: Select the notification delivery method that you want for users who will be members of this user group. You can select Text Messages (SMS)or Email or both. A standard template is applied by default for either method and cannot be changed here.

Select Save. Make sure you save both the new user group and the SSID.

For more information about configuring user groups, see Add User Groups.

Create an Open SSID

Return to the Wireless Connectivity section of the workflow, and select to create an open SSID. Complete the fields on the New SSID window:

SSID Name: Enter a name for the guest SSID. The name can contain up to 32 characters without spaces.
SSID Broadcast Name: This name is typically the same as the SSID Name. This field auto-populates with the SSID Name by default.
Broadcast SSID using: Select both 802.11 options.

In the SSID Usage section, enter the following information:

Authentication: Select Open.

In the select features for this captive web portal section, turn on Enable Self-Registration and Return Extreme Private PSK.

Default Captive Web Portal: Select to create a captive web portal. In the New Captive Web Portal window, enter the following information:

Name: Enter a name of to 32 characters without spaces.

In the PPSK Settings section, bind this SSID to the secure SSID you created earlier using the following settings:

Choose Access SSID (Private PSK): Select the name of the self-registration SSID you created earlier from the drop-down list.
Choose a PPSK Server: Select Cloud PPSK Registration Server from the drop-down list.

As a best practice, in the Advanced Settings section, select the check box to enable HTTPS for security. This encrypts the traffic between the client and the captive web portal.
Remember to select Save.
Deploy the network policy to the APs on which you will run Guest Access.