Understanding Guest Access
Read about and configure Guest Access in this topic.
This document describes the features and capabilities of the Guest Access visitor management system that is part of ExtremeCloud IQ.
Guest Access helps automate the guest experience on your wireless networks, providing scalable, easy-to-use guest management for single-site deployments and global enterprise networks.
Guest Access provides enterprise-grade security. System management and guest registration are protected by standards-based web encryption, and guest access to the wireless network is protected by enterprise-grade Wi-Fi security, using either Extreme Networks PPSK (Private Pre-Shared Key) technology to deliver unique encryption keys to every user and every device, or WPA2 Enterprise with user name and password credentials. These systems use RadSec to secure authentication between Extreme Networks access points and the authentication service, eliminating unprotected RADIUS calls over the Internet.
Guest Access oversees and grants wireless Internet access to guests through a special guest SSID. Guest Access is configured inside the ExtremeCloud IQ network policy configuration workflow.
For configuration instructions and descriptions of common scenarios, see the "Extreme Guest Access Configuration Guide".
Guest Access Features
The following features are supported for Guest Access in this release:
- Guest Self-Registration: This feature allows guests to easily self-register and receive guest credentials (via email, on-screen, or SMS text message) using a standalone kiosk, through employee sponsorship, or through a captive web portal. For more information about the email and SMS templates, which you can customize, see "Notification Templates".
- PPSK Self-Registration: This feature provides secure network access and management of employee personal devices. Employees connect to an open-registration wireless network, authenticate using their employee credentials, and receive a PPSK via a captive web portal. PPSKs can be cached in an on-device database (on the AP) or in the cloud. You can choose to grant PPSKs and tailor the experience (firewall, QoS, throughput rates) on a per-device basis. PPSK technology lets you revoke permission for a single user without affecting the entire network. PPSKs can be stored in the cloud, or on an Extreme Networks AP, providing flexibility, scalability, and local survivability.
- Guest Life Cycle Management: You can create multiple guest types, each with a different life cycle. You can also revoke access in real time.
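The per-user revocation and life-cycle behaviour described in the PPSK and Guest Life Cycle Management items, as an added example that is not Extreme Networks code. It assumes the standard WPA2-Personal key derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt); the `PpskStore` class, SSID, user names, and lifetimes are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SSID = "Guest-WiFi"  # constructed SSID for this example


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


@dataclass
class PpskStore:
    """Hypothetical per-user key store; not the ExtremeCloud IQ implementation."""
    ssid: str
    entries: dict = field(default_factory=dict)  # user -> (pmk, expires_at)

    def issue(self, user: str, lifetime_s: int, now: float) -> str:
        passphrase = secrets.token_urlsafe(12)  # unique key per user or device
        self.entries[user] = (derive_pmk(passphrase, self.ssid), now + lifetime_s)
        return passphrase

    def revoke(self, user: str) -> None:
        self.entries.pop(user, None)  # removes one key; all others stay valid

    def authenticate(self, passphrase: str, now: float):
        """Return the user whose unexpired key matches, else None.

        Simplification: a real AP never sees the passphrase; it tests
        candidate PMKs against the MIC in the 4-way handshake.
        """
        candidate = derive_pmk(passphrase, self.ssid)
        for user, (pmk, expires_at) in self.entries.items():
            if now < expires_at and hmac.compare_digest(pmk, candidate):
                return user
        return None


def demo() -> dict:
    store = PpskStore(SSID)
    t0 = 1_000_000.0  # constructed clock value
    alice = store.issue("alice", lifetime_s=3600, now=t0)
    bob = store.issue("bob", lifetime_s=86400, now=t0)
    store.revoke("alice")  # real-time revocation of a single guest
    return {
        "alice_after_revoke": store.authenticate(alice, t0 + 10),
        "bob_after_revoke": store.authenticate(bob, t0 + 10),
        "bob_after_expiry": store.authenticate(bob, t0 + 86401),
    }
```

With a single shared PSK, removing one guest would mean changing the key for every device on the SSID; here only the revoked or expired entry stops working.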
How Guest Access Works
Guests usually have one very basic requirement: easy access to a wireless network, typically for a limited amount of time. Examples of industries where Guest Access plays an important role include hospitality (hotels, airports, cafes), enterprise (corporations), education (K-12, universities and colleges), retail (shopping malls, brick and mortar stores), and healthcare (nursing homes, residential care, hospitals, patients and patient visitors).
Typical options for Guest Access include:
- An open WLAN (no authentication) with a use policy acceptance (UPA) page
- A secure WLAN that guests access using a Pre-Shared Key (PSK)
- An open WLAN with authentication through a captive web portal
- Extreme Networks Guest Access offers another option: PPSK (Private Pre-Shared Key) for direct access to a guest SSID, or access through a customizable captive web portal.
Configure Guest Access in ExtremeCloud IQ
Guest Access is an integral part of the ExtremeCloud IQ configuration workflow. The typical configuration steps and where they are performed in the GUI are described here:
- A network admin assigns a guest management role in admin_name > Global Settings > Accounts > Account Management. See "Add an Admin Account".
- An admin or guest manager creates a guest SSID in the network policy: Configure > Network Policy > Wireless Connectivity > SSID. See "Standard Wireless Network Settings".
- The guest SSID must contain a user group designated for guests. You can create User Groups in two places: Configure > Network Policy > Wireless Connectivity > SSID > User Groups, or as common objects in Configure > Users > User Management > User Groups. See "Add User Groups" and "User Groups".
This illustration shows the User Group section in the SSID configuration workflow:
This illustration shows the User Groups page under Configure > Users:
- Create guest user accounts in Configure > Network Policy > Wireless Connectivity > SSID > User Groups > Users column in User Group table > Add, or as common objects in Configure > Users > User Management > Users. See "User Accounts" and "Users".
- Create employee groups for employee guest sponsorship at Configure > Users > User Management > Employee Groups. See "Credential Distribution Groups".
- Guest authentication, accounting, and SMS logs can be viewed at admin_name > Global Settings > Logs. See "Accounting Logs", "Authentication Logs", and "SMS Logs".
Who Grants Guest Access
You can control administrative permission for Guest Access by assigning separate roles to people who will grant access, which allows you to customize permission and better control management access. There are five roles: administrator, operator, help desk, guest management, and observer. The administrator role has full access to all of the features within Guest Access, and is the only role that can create the other roles. For Guest Access, you can assign the role of Guest Manager to employees or users who can then create user accounts for guests, contractors, VIPs, and other visitors. Guest managers can view the guest management user interface, but cannot see the Dashboard, Monitor, Maps, Configure, or Tools tabs. For more information, see "Add an Admin Account".
Guest Access through a Captive Web Portal
ExtremeCloud IQ supports three types of captive web portals: Authentication, Self-registration, and Use Policy Acceptance. You can customize the look and feel of your captive web portal using colors, logos, and images.
Reference Apps for Guest Access
This release also includes one of a series of reference applications that can be used for Guest Access: the Kiosk App for iOS is an iPad or iPad mini app that is intended as a self-service option for visitors. It is available through the Apple App Store, and also as source code from the Extreme Networks Developer Portal (https://developer.aerohive.com).
Future releases will continue to introduce new apps as they are developed, including the Lobby Receptionist App that allows lobby personnel to register visitors and also supports automatic password refresh for entire locations, such as campuses and nursing homes.
Getting Started with Guest Access
To help you get started using Guest Access, see the "Extreme Guest Access Configuration Guide". This guide describes the configuration steps for two of the most commonly used Guest Access scenarios for this release:
- Scenario 1: Configure Guest Access in ExtremeCloud IQ. In this scenario, the admin or guest manager creates the guest SSID, user group, and users, and distributes login credentials directly from inside the ExtremeCloud IQ GUI.
- Scenario 2: Configure a captive web portal for guest self-registration. In this scenario, the admin or guest manager creates a guest SSID with a captive web portal where users can then self-register.
Scenarios will be added to the configuration guide on an ongoing basis as more features are introduced.
Copyright © Extreme Networks, Inc. 6480 Via Del Oro, San Jose CA, 95119 USA