NXC5500/2500
Version 4.20
Edition 2, 02/2015

Application Note
Captive Portal with QR Code

Copyright 2015 ZyXEL Communications Corporation

Captive Portal with QR Code

What is Captive Portal with QR code?

The captive portal is a login page that is displayed when you launch a web browser to access the Internet; it intercepts network traffic until you log in with a privileged account. For example, some companies place a captive portal in front of staff and visitors before they can reach the Internet through a web browser. To manage network traffic and security, users need a privileged account to pass the captive portal and use the network. In general, new employees receive a privileged account after they report for duty, but visitors need to ask an employee or administrator for one.

Suppose your company holds a business conference for dozens of customers. How could your company provide instant wireless access for customers without creating numerous accounts or changing the network configuration? A captive portal with QR code addresses this problem. There is no need for IT to generate an account for every customer. Instead, IT can print a QR code and post it at the entrance of the meeting room or somewhere customers can easily see it. After customers scan the QR code with a mobile device, they are logged in to the captive portal page automatically without keying in account information.

In addition, if your company requires stricter IT security policies, e.g. granting guest wireless access requires employee authentication beforehand, there is another way to use the QR code. A company security guard or employee who is registered to authenticate guest wireless access has the privilege to scan the QR code from the captive portal login page on the customer's device.

The captive portal with QR code is a new feature that offers clients a convenient, fast way to access the Internet in some scenarios.

The NXC provides two authentication mechanisms with QR code for different scenarios.

Scenario 1: Authenticator-assisted

Guest receives a QR code that is authenticated by an authenticator

A guest visits the ZyXEL Company and connects to the Guest SSID, which shows the login page with a QR code. The guest does not have a user name and password, so he finds an employee who has the privilege to authenticate the guest's device and asks him to scan the QR code. After the employee scans the QR code and gets the authentication message, the guest can use Wi-Fi to access the Internet.

Scenario 2: Self-serviced

Guest directly scans QR code to pass the authentication

A guest visits the ZyXEL Company and, when he sits down, sees a QR code posted on the table. The note on the QR code reads "Welcome to ZyXEL". After the guest connects to the SSID and scans the QR code, he gets the authentication message. Then he can use the Wi-Fi service.

The Configuration of Captive Portal with QR code

Employees are members of VLAN 10 and access the Internet by passing authentication with enterprise security (802.1X). Guests are members of VLAN0 and access the Internet after an employee authenticates the guest's QR code.

Scenario 1: Authenticator-assisted

Step 1: Go to Interface > VLAN > Add. Create two VLANs, VLAN0 and VLAN10, each acting as a DHCP server. VLAN0 is for guests and VLAN10 is for employees.

Step 2: Go to Zone > Edit. Set VLAN0 and VLAN10 to be LAN, so that members of VLAN10 can access members of VLAN1. The employee in VLAN10 can then authenticate the guest in VLAN0.

Step 3: Create user information for guests and employees to log in to the captive portal. Go to User/Group > User > Add.
* The User Type of the guest must be guest or user.
The authenticator (employee) can be configured in two ways: on the NXC or on an external RADIUS server.

Guest information: (Regardless of whether the authenticator information is located on the NXC or on an external authentication server, e.g. a RADIUS or Active Directory server, the guest account must be pre-configured on the NXC.)

Authenticator (Employee) information on the NXC
Set a group for employee accounts. Go to User/Group > User > Group > Add.

Authenticator (Employee) information on the external authentication (RADIUS) server
Add the information of the external authentication server. Go to AAA Server > Radius > Add.
(Note: Please confirm that an authenticator account already exists on the external authentication server.)

Step 4: Go to Auth. Method > Add.
If the authenticator information is on the NXC, select local authentication for the employee's enterprise security.
If the authenticator information is on the external authentication server, add an authentication method and select the external authentication server for the employee's enterprise security.

Step 5: Add an IP address range on VLAN0 for guests that need to log in to the captive portal, and add the interface subnet of employees on VLAN10. Go to Address > Address > Add.
The IP address range for guests that need to log in to the captive portal:
The interface subnet of employees on VLAN10:

Step 6: To prevent guests in VLAN0 from accessing VLAN10, go to Firewall > Add. Add a firewall rule that denies guest access to members of VLAN10.

Step 7: Go to Captive Portal > Captive Portal > Authentication Policy Summary. Scroll down the captive portal page, select default for Authentication Method, and then add an authentication policy.

Step 8: Select the IP address range for guests that will be forced to authenticate through the captive portal.

Step 9: Bring up the Captive Portal page, then enable the captive portal feature and authentication with the QR code. Select Authenticator-assisted and then apply the configuration.

Guest Account: Select the guest user ID.
QR Portal Address: Select the VLAN group of the authenticator. The authenticator must be able to access the members of the VLAN of the QR Portal Address for guests; otherwise, the authenticator will be unable to authenticate guests.
Authenticator: Able to authenticate guests.

Employees are the authenticators, who can authenticate the guest to access the Internet. Hence, QR Portal Address must be set to VLAN10, the VLAN of the employees, and Authenticator must be set to a group of employees who have the privilege to authenticate.

The account information of the authenticator is on the NXC.
The account information of the authenticator is on the external authentication server.

Step 10: After AP deployment is ready, add the AP profiles for the guest and employee Wi-Fi service. Before setting the SSID, set up an enterprise security profile for employees. Go to AP Profile > SSID > Security List > Add.
If the authenticator information is on the NXC, select default for Auth. Method, which is local authentication for employees.
If the authenticator information is on the external authentication server, select the auth. method that is directed to the authentication server for employees.

Step 11: Go to AP Profile > SSID > Add. Create two SSIDs, one for guests and one for employees.
Set the forwarding mode to Local bridge when the AP's traffic goes through the NXC directly.
Set the forwarding mode to Tunnel mode when the AP's traffic might not go through the NXC directly. Tunnel mode forces all traffic into the NXC, which leads it to the captive portal.
The SSID for guests is named QR_guest with VLAN ID 1.
The SSID for employees is named QR_employee with VLAN ID 10 and enterprise security.

Step 12: Create a radio configuration for the AP. Go to AP Profile > Radio > Add.

Step 13: Go to AP Management > Mgmt. AP List. Select the SSID to provide Wi-Fi service for guests.

Step 14: The guest uses a mobile device to connect to the SSID and opens a web page. The captive portal page with the QR code is shown.

Step 15: Find an employee who is able to authenticate guests and have him scan the guest's QR code. After the QR code is scanned from the guest's device, the employee's mobile device shows the result of the authentication.

Step 16: Go to Login Users. You can see that the guest has obtained an IP address, as well as who authenticated the guest.

Scenario 2: Self-serviced

For steps 1-8, refer to steps 1-8 of Scenario 1.

Step 9: Go to Captive Portal. Enable the captive portal feature and authentication with QR code. Select Self-serviced. You can enter a message in Note Message and press Print Out; the QR code is then shown in the window.

QR Portal Address: Select the VLAN group of the guest.
* Please note that the IP address you select must be reachable by the guest.
Note Message: Write any information to be printed with the QR code.

Step 10: Publish the QR code. The guest can then use a mobile device to scan the QR code and pass the authentication.

Step 11: Go to AP Management > Mgmt. AP List. Select the SSID to provide Wi-Fi service for guests.

Step 12: Scan the QR code; the mobile device shows the result of the authentication.

Step 13: Go to Login Users. You can see who obtained an IP address through QR code authentication.
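
The two scenarios place different reachability requirements on the same rule set: Step 6 denies guests access to VLAN10, Authenticator-assisted mode needs the employee to reach the QR Portal Address, and Self-serviced mode needs the guest to reach it. The following is an added example, not part of the original application note and not ZyXEL code; it checks those requirements offline against a simplified first-match rule model (an assumption, not the NXC's rule engine), using constructed addresses because the note's actual values are not in the text.

```python
import ipaddress as ip

def first_match(rules, src, dst, default="allow"):
    """Action of the first rule whose source and destination networks contain the flow."""
    for rule_src, rule_dst, action in rules:
        if src in ip.ip_network(rule_src) and dst in ip.ip_network(rule_dst):
            return action
    return default

def audit(mode, rules, guest_range, employee_net, qr_portal_addr):
    """Return findings where the rule set breaks a requirement stated in the note."""
    lo, hi = (int(ip.ip_address(a)) for a in guest_range)
    guests = [ip.ip_address(n) for n in range(lo, hi + 1)]
    emp = ip.ip_network(employee_net)
    emp_probes = [emp[1], emp[-2]]  # first and last usable host, used as samples
    portal = ip.ip_address(qr_portal_addr)
    findings = []
    # Step 6: no guest address may reach a member of VLAN10.
    if any(first_match(rules, g, e) != "deny" for g in guests for e in emp_probes):
        findings.append("step 6: guest range can reach the employee subnet")
    if mode == "authenticator-assisted":
        # The employee scans the guest's QR code and must reach the QR Portal Address.
        if any(first_match(rules, e, portal) != "allow" for e in emp_probes):
            findings.append("authenticator cannot reach the QR Portal Address")
    elif mode == "self-serviced":
        # The guest scans the printed QR code, so guests must reach the address.
        if any(first_match(rules, g, portal) != "allow" for g in guests):
            findings.append("guests cannot reach the QR Portal Address")
    else:
        raise ValueError(f"unknown QR mode: {mode}")
    return findings

# Constructed sample values (assumptions, not taken from the application note).
GUEST_RANGE = ("192.168.1.33", "192.168.1.100")           # captive portal range on VLAN0
EMPLOYEE_NET = "192.168.10.0/24"                          # VLAN10 interface subnet
RULES = [("192.168.1.0/24", "192.168.10.0/24", "deny")]   # the Step 6 deny rule

if __name__ == "__main__":
    for mode, portal in [("authenticator-assisted", "192.168.10.1"),
                         ("self-serviced", "192.168.10.1"),   # wrong VLAN for this mode
                         ("self-serviced", "192.168.1.1")]:
        print(mode, portal, audit(mode, RULES, GUEST_RANGE, EMPLOYEE_NET, portal) or "ok")
```

The second case shows why Self-serviced mode selects the guest VLAN for QR Portal Address: an address on VLAN10 is cut off from guests by the Step 6 rule.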

The Flowchart of Authentication of Captive Portal with QR code

Scenario 1: Authenticator-assisted

The process of scenario 1:
1. The guest connects to the SSID with captive portal authentication.
2. The NXC receives the connection request from the guest and leads it to the captive portal page with the QR code.
3. The employee (authenticator) uses a mobile device with an IP address that has authentication ability to scan the QR code from the guest's device.
4. The NXC receives the authentication request.
5. After the NXC checks the authentication request, it sends the authentication response to the employee's mobile device.

Scenario 2: Self-serviced

The process of scenario 2:
1. The employee (authenticator) produces the QR code for guests.
2. The guest connects to the SSID with captive portal authentication.
3. The guest scans the QR code published by the authenticator.
4. The NXC receives the authentication request from the guest.
5. After the NXC checks the authentication request, it sends the authentication response to the guest's mobile device.