A VNS' non-authenticated role controls the access of stations until the station completes authentication. The role can be as restrictive or open as necessary. If the station is expected to authenticate, then the role may need to grant it access to resources required to complete the authentication. For example if the station is expected to perform captive portal authentication then the non-authenticated role must allow the station to:
The administrator may grant unauthenticated stations access to other resources, but the recommended default action of a non-authenticated role is to drop all traffic that does not match a rule.
Defining non-authenticated roles allows administrators to identify destinations that a mobile user is allowed to access without incurring an authentication redirection. Typically, the recommended default rule is Deny All. However, administrators should define a rule set that permits users to access essential services:
Any HTTP streams requested by the client for denied targets is redirected to the specified location.
The non-authenticated role should allow access to the Captive Portal page IP address, as well as to any URLs for the header and footer of the Captive Portal page. This filter should also allow network access to the IP address of the DNS server and to the network address—the gateway of the Topology. The gateway is used as the IP for an internal Captive Portal page. An external Captive Portal provides a specific IP definition of a server outside the wireless network.
Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach websites other than those specifically allowed in the non-authenticated filter is redirected to the allowed destinations. Most HTTP traffic outside of that defined in the non-authenticated filter is redirected.
Note
Although non-authenticated role definitions are used to assist in the redirection of HTTP traffic for restricted or denied destinations, the non-authenticated filter is not restricted to HTTP operations. The filter definition is general. Any traffic, other than HTTP, that the filter does not explicitly allow is discarded by the controller.The non-authenticated filter is applied to sessions until they successfully complete authentication. The authentication procedure results in an adjustment to the user's applicable Policy Rule for the access role.
Typically, default filter ID access is less restrictive than a non-authenticated profile. It is the administrator‘s responsibility to define the correct set of access privileges.
Note
Administrators must ensure that the non-authenticated filter allows access to the corresponding authentication server: