This article will explain the importance and advantages of a guest networks, as well as how to create, configure and manage them.
NOTES & REQUIREMENTS:
In order for the Guest Portal to function, the UniFi Controller itself must be running at all times. Guests are redirected to the Controller to reach the guest portal, and the redirection will not be successful if the controller is not accessible.
Table of Contents
- Why a Guest Network?
- How to Create a Guest Network in UniFi Controller
- How to Configure Guest Control
- How to Limit Guest Bandwidth
- How to Manage Guest Networks
- LAN-wide Client Isolation
- Related Articles
In many networks public access has become a necessary and valuable feature. From hotels, to airports, to coffee shops, guest networks are fulfilling these needs while minimizing security risks and ensuring quality wireless for permanent users. UniFi empowers administrators with the tools to do everything from monetizing guest WiFi to advanced guest management. This article will explain how to configure a guest network and offer some best practices for managing these networks with UniFi.
Why a Guest Network?
Almost every wireless network will need to provide access to both permanent and temporary users. In order to ensure the security and success of the permanent local wireless network, it has become increasingly necessary to separate temporary users in their own network. This offers obvious benefits like not having to remember your network WPA key or having to find a creative way to say no to your neighbor, but also ensures that internal operations and resources are protected from guests who could otherwise exploit your network.
Guest networks offer a number of other advantages:
- Additional options for authorization like social logins
- Ability to present terms and conditions for network access
- Monetization capabilities
- Ability to limit bandwidth to guests
- Client isolation at AP level: use Port Isolation for network isolation
- Shorter terms of access to wireless
- And much more…
To help you capitalize on the benefits of this feature, the remainder of this article will explain how to set up a Guest Network and how to configure related settings.
How to Create a Guest Network in UniFi Controller
1. Open up your UniFi Controller and go to Settings > Wireless Networks.
2. To create a new guest network, select Create New Wireless Network, otherwise edit an existing network.
3. Provide a name to designate this network as a guest network.
4. Select the method to be used to authenticate the guest network. A security key may be used, while also leveraging the Guest Portal.
5. To make this new network a Guest Network, check the box "Apply guest policies…"
Next, this article will explain what makes up the Guest Policy associated with this setting, and how to configure these features.
How to Configure Guest Control
In the UniFi Controller, the Guest Control section is where administrators configure the custom Guest Portal and define what subnets they should and should not be able to access before and after authorization.
To do this:
1. Open the UniFi Controller.
2. Go to Settings > Guest Control.
3. If you want to require guests to interact with the portal click Enable Guest Portal. Doing so will open additional options including the authentication method associated with the Guest Portal, Expiration Term, etc.
4. Under Portal Customization choose between AngularJS and Legacy JSP. AngularJS allows you to tweak and preview Portal Customization options. Legacy JSP provides you with our classic, simple landing page for guests.
5. Access Control allows you to define subnets necessary for devices to be able to access before and after authorization. An example of a case in which Pre-Authorization Access can be useful is ensuring that devices can access the Guest Portal before being Authorized—to do this, simply define the subnet that contains the Guest Portal IP address. Similarly, if there is a subnet on the internal network you do not wish to allow your guests access to after connecting, you can use the Post-Authorization Restrictions to define these.
In many cases where the Portal is not accessible, not having the Access Control properly configured is often the cause.
How to Limit Guest Bandwidth
Another useful feature in the UniFi Controller is the ability to limit bandwidth allocation to different user groups. This may be important to ensure guests do not limit the productivity and speed available to permanent users/critical applications. To limit guest bandwidth follow the steps below:
1. Go to Settings > User Groups
2. Create a new User Group.
3. Define the desired bandwidth limit.
Next, to add this group to the Guest Network:
4. Go to Settings > Wireless Networks.
5. Select the corresponding Guest Network and expand Advanced Options
6. Click the dropdown box next to User Group and select the guest user group.
7. Click Save to apply the changes.
How to Manage Guest Networks
Once the Guest Network has been set up, it’s a good idea to test and evaluate function and performance to ensure guests won’t encounter difficulty and demand unnecessary assistance in connecting to WiFi. As you continue to operate your guest network, make sure that your guest network isn’t bogging down your private network. Evaluate security and ensure that the guest network poses minimal security risk. If changes are needed, these settings can be reconfigured and applied at anytime.
LAN-wide Client Isolation
Once you have your guest network set up on the WLAN (AP) side—it is necessary to make sure the LAN has sufficient isolation, while also allowing common services which may be required (printers, servers, etc.).
In addition to providing the desired client isolation, LAN-side controls on client isolation reduce/eliminate unnecessary broadcast/multicast data, which if left unchecked will have an adverse impact on installation with around 10 or more WLAN APs (see here for details).
The diagram below shows a generalized layout for network-wide (WLAN and LAN) client isolation, while still allowing network-wide core services.
Here’s how to set this up as shown in the above example in the UniFi controller:
- First, open the UniFi Controller that manages your network.
- Click the Devices tab on the left to see your devices.
- Click on the switch you want to enable port isolation on, and go to the Ports tab.
- Either select the ports individually you want to enable port isolation on, or click box to select all.
- Click Edit Selected at the bottom.
- Go to Advanced.
- Expand Advanced Options.
- Under Isolation, select Enable port isolation.
- Click Apply to finalize changes.
For more advanced configurations related to your guest network see the Related Articles below.