This article explains the importance and advantages of a guest network, and how to create, configure and manage one.
NOTES & REQUIREMENTS:
In order for the Guest Portal to function, the UniFi Controller itself must be running at all times. Guests are redirected to the Controller to reach the guest portal, and the redirection will not be successful if the controller is not accessible.
Table of Contents
- Why a Guest Network?
- How to Create a Guest Network in UniFi Controller
- How to Configure Guest Control
- How to Use the Hotspot System
- How to Limit Guest Bandwidth
- How to Manage Guest Networks
- LAN-wide Client Isolation
- Related Articles
In many networks, public access has become a necessary and valuable feature. From hotels to airports to coffee shops, guest networks are fulfilling these needs while minimizing security risks and ensuring quality wireless for permanent users. UniFi empowers administrators with the tools to do everything from monetizing guest WiFi to advanced guest management. This article will explain how to configure a guest network and offer some best practices for managing these networks with UniFi.
Why a Guest Network?
Almost every wireless network will need to provide access to both permanent and temporary users. In order to ensure the security and success of the permanent local wireless network, it has become increasingly necessary to separate temporary users into their own network. This offers obvious benefits like not having to remember your network WPA key or having to find a creative way to say no to your neighbor, but also ensures that internal operations and resources are protected from guests who could otherwise exploit your network.
Guest networks offer a number of other advantages:
- Additional options for authorization like social logins
- Ability to present terms and conditions for network access
- Monetization capabilities
- Ability to limit bandwidth to guests
- Client isolation at AP level: use Port Isolation for network isolation
- Shorter terms of access to wireless
- And much more…
To help you capitalize on the benefits of this feature, the remainder of this article will explain how to set up a Guest Network and how to configure related settings.
How to Create a Guest Network in UniFi Controller
- Open up your UniFi Controller and go to Settings > Wireless Networks.
- To create a new guest network, select Create New Wireless Network; otherwise, edit an existing network.
- Provide a name. This is what users will see when attempting to connect to your Wi-Fi network.
- Select the method to be used to authenticate the guest network. A security key may be used, while also leveraging the Guest Portal, or you can leave it Open.
- To make this new network a Guest Network, check the box "Apply guest policies…"
- Make sure the checkbox for Enable this wireless network is checked. If at some point you wish to disable this network without deleting it, clear this same checkbox. Click Save.
Next, this article will explain what makes up the Guest Policy associated with this setting, and how to configure these features.
How to Configure Guest Control
In the UniFi Controller, the Guest Control section is where administrators configure the custom Guest Portal and define which subnets guests should and should not be able to access before and after authorization.
To configure Guest Control:
1. Open the UniFi Controller to Settings > Guest Control.
2. Under Access Control, you can restrict and give access to hostnames or subnets as follows:
- In Pre-Authorization Access: Enable pre- and post-authorization guests to access specific hostnames or subnets (external and internal).
- In Post-Authorization Restrictions: Enable post-authorization restrictions to prevent guests from accessing specific hostnames or subnets.
3. If you want to require guests to interact with the portal, check the box for Enable Guest Portal. Doing so will open additional options, including the authentication method associated with the Guest Portal, Expiration Term, etc.
ATTENTION: In order for the Guest Portal to function you will need to buy or generate an SSL certificate for the UniFi Controller.
4. Under Portal Customization choose between AngularJS and Legacy JSP. AngularJS allows you to tweak and preview Portal Customization options. Legacy JSP provides you with our classic, simple landing page for guests.
User Tip: Customize your portal as little or as much as you want. For the background image, jpg format is recommended. An image of about 920px wide and 640px high is recommended. For the logo image, PNG format and 400px width and height is recommended.
5. As explained in step 2, the Access Control settings allow you to define the subnets that devices can access before and after authorization. Pre-Authorization Access is useful, for example, to ensure that devices can reach the Guest Portal before being authorized. To do this, simply define the subnet that contains the Guest Portal IP address. Similarly, if there is a subnet on the internal network that you do not want guests to reach after connecting, define it under Post-Authorization Restrictions.
When the Portal is not accessible, improperly configured Access Control is often the cause.
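The following added example (not part of the original article and not UniFi code) audits a planned Access Control configuration before it is entered in the Controller: it checks that the Guest Portal address is reachable before authorization and that every internal subnet is covered by a restriction. The addresses, the function names and the simplified evaluation model (pre-authorization entries stay reachable for all guests; only IP subnets are handled, not hostnames) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample plan; none of these values come from the article.
PORTAL_IP = "192.168.1.10"                    # assumed Controller / Guest Portal address
PRE_AUTH_ACCESS = ["192.168.1.10/32"]         # Pre-Authorization Access entries
POST_AUTH_RESTRICTIONS = ["192.168.0.0/16", "10.0.0.0/8"]
INTERNAL_SUBNETS = ["192.168.1.0/24", "10.20.0.0/16", "172.16.5.0/24"]


def _nets(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _contains(outer, inner):
    return outer.version == inner.version and inner.subnet_of(outer)


def guest_can_reach(dest, authorized, pre_auth, post_auth):
    """Assumed model: pre-auth entries are open to every guest; before
    authorization nothing else is; afterwards only restrictions block."""
    ip = ipaddress.ip_address(dest)
    if any(ip in n for n in _nets(pre_auth)):
        return True
    if not authorized:
        return False
    return not any(ip in n for n in _nets(post_auth))


def audit(portal_ip, pre_auth, post_auth, internal):
    """Return a list of findings for a planned Access Control configuration."""
    findings = []
    if not guest_can_reach(portal_ip, False, pre_auth, post_auth):
        findings.append(f"portal {portal_ip} is not in Pre-Authorization Access")
    for net in _nets(internal):
        if not any(_contains(r, net) for r in _nets(post_auth)):
            findings.append(f"{net} is not covered by Post-Authorization Restrictions")
        for allow in _nets(pre_auth):
            # A pre-auth entry wider than one host opens internal addresses to all guests.
            if allow.num_addresses > 1 and allow.overlaps(net):
                findings.append(f"pre-auth entry {allow} exposes part of {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(PORTAL_IP, PRE_AUTH_ACCESS, POST_AUTH_RESTRICTIONS, INTERNAL_SUBNETS):
        print("FINDING:", finding)
```

With the constructed plan above, the audit reports that 172.16.5.0/24 is left reachable by authorized guests, the kind of gap that is easy to miss when restrictions are entered by hand.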
How to Use the Hotspot System
Intended as a separate guest management platform, the UniFi Hotspot System comes freely integrated into the UniFi Controller software. UniFi Controller admins and hotspot operators can access the Hotspot System via the GO TO HOTSPOT MANAGER link in Settings > Guest Control > Hotspot section. Users will be redirected to another area of the UniFi Controller for hotspot management exclusively.
Because the Hotspot System is built separately from the UniFi Controller management system (device configuration/adoption sections), trusted employees can be granted limited-access Hotspot accounts to perform actions on Guest users, including:
- Print vouchers
- Manage guest authorization
- Review payments
- Check guest authentication, and more
Figure: Preview of UniFi Hotspot System where Operators can quickly create, customize & revoke vouchers for Internet access.
NOTE: To go straight to the Hotspot Manager page open a new tab or window in a browser and type: https://<ip_or_hostname_of_controller>:8443/manage/hotspot/account/login/
How to Limit Guest Bandwidth
Another useful feature in the UniFi Controller is the ability to limit bandwidth allocation to different user groups. This may be important to ensure guests do not limit the productivity and speed available to permanent users/critical applications. To limit guest bandwidth follow the steps below:
1. Go to Settings > User Groups.
2. Click on Create a New User Group.
3. Define the desired bandwidth limit.
Next, to associate this group to the Guest Network:
4. Go to Settings > Wireless Networks.
5. Click on the corresponding Guest Network and expand Advanced Options.
6. Click the drop-down box next to User Group and select the guest user group.
7. Click Save to apply the changes.
How to Manage Guest Networks
Once the Guest Network has been set up, it’s a good idea to test and evaluate function and performance to ensure guests won’t encounter difficulty and demand unnecessary assistance in connecting to WiFi. As you continue to operate your guest network, make sure that your guest network isn’t bogging down your private network. Evaluate security and ensure that the guest network poses a minimal security risk. If changes are needed, these settings can be reconfigured and applied at any time.
LAN-Wide Client Isolation
Once you have your guest network set up on the WLAN (AP) side, it is necessary to make sure the LAN has sufficient isolation, while also allowing common services which may be required (printers, servers, etc.).
In addition to providing the desired client isolation, LAN-side controls on client isolation reduce or eliminate unnecessary broadcast/multicast data, which if left unchecked will have an adverse impact on installations with around 10 or more WLAN APs.
The diagram below shows a generalized layout for network-wide (WLAN and LAN) client isolation, while still allowing network-wide core services.
Here's how to set this up as shown in the above example in the UniFi controller:
- First, open the UniFi Controller that manages your network.
- Click the Devices tab on the left to see your devices.
- Click on the switch you want to enable port isolation on, and go to the Ports tab.
- Either individually select the ports you want to enable port isolation on, or click the box to select all.
- Click Edit Selected at the bottom.
- Go to Advanced.
- Expand Advanced Options.
- Under Isolation, select Enable port isolation.
- Click Apply to finalize changes.
For more advanced configurations related to your guest network see the Related Articles below.