How To Allow Secured Internet Access to Guest Users

Applicable Version: 10.02.0 Build 224 onwards


Applicable Models: Wi-Fi Models Only

Overview
Places like public hotspots and hotels have numerous Internet users that require temporary Internet
access just for a few days or hours. Maintaining such users becomes quite a hassle for
administrators. Furthermore, applying access restrictions upon these users is difficult. Cyberoam
allows the administrator to provide temporary access to Guest Users. This is mostly done via Wireless
Guest Access Points by deploying a Wireless LAN (WLAN). A good guest access system ensures
reliable and high-performance access to the Internet without the guest having to go through the
hassle of reconfiguring his/her PC to connect to the WLAN. A Guest Access Point must segregate
internal and guest traffic to provide ironclad security for the organization's LAN and servers. Since
guest access is provisioned on the same network infrastructure carrying internal traffic, this is a
significant challenge.

Scenario
Create a Wireless Access Point and allow controlled Internet access to Guest Users.

Configuration
Configuration is to be done from the Cyberoam Web Admin Console using a profile that has read-write
administrative rights over the relevant features. This configuration consists of two (2) parts:
1. Configure Access Point for Guest User
2. Configure Guest User Authentication

Configure Access Point for Guest User


Step 1: Create Guest Zone
Go to Network > Interface > Zone and click Add to create a new zone using parameters given
below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Name | GUEST | Name to identify the Zone. Duplicate names are not allowed. |
| Type | LAN | Select Zone Type: LAN or DMZ |
| Appliance Access: Admin Services | HTTP: Disabled; HTTPS: Disabled; TELNET: Disabled; SSH: Disabled | Enable Admin Services that should be allowed through this zone. |
| Appliance Access: Authentication Services | Windows/Linux Client: Enabled; Captive Portal: Enabled | Enable Authentication Services that should be allowed through Zone. |
| Appliance Access: Network Services | DNS: Enabled; Ping: Enabled | Enable Network Services that should be allowed through Zone. |
| Appliance Access: Other Services | Web Proxy: Enabled; SSLVPN: Enabled | Enable Other Services that should be allowed through Zone. |

Click OK to create the GUEST Zone.

Step 2: Create Access Point in Guest Zone


Go to Network > Wireless LAN > Access Point and click Add to create a new Wireless Access
Point using the parameters given below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Zone | Guest | Specify the Zone in which Access Point is to be created |
| IP Address | 172.16.16.1 | Specify IP Address |
| Netmask | /24 (255.255.255.0) | Specify Netmask |
| SSID | Guest-WiFi | Specify the Service Set Identifier (SSID) by which the WLAN is to be identified |
| Broadcast SSID | Enable | Enable if you want to broadcast the SSID, i.e., make the WLAN discoverable. |
| Security Mode | WPA-PSK | Select the Security Mode. |
| Encryption | TKIP | Select the Encryption Method |
| Pass Phrase | cyberoam | Enter the Pass Phrase |
| Group Key Update | Disable | Enable if you want to generate new security key after specified Timeout Interval. |
| Timeout Interval | 86400 (Default) | Specify the time interval after which the security key expires. |
| Maximum Clients | 255 | Specify maximum number of clients allowed to connect to the Access Point |

Click OK to create an Access Point. You are immediately asked to configure the DHCP Server linked
with this Access Point as shown below.

Step 3: DHCP Configuration


Click Configure DHCP Server >> to configure the DHCP Server linked to WLAN2 created in step 2.
Set parameters according to the table given below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Name | GUEST_DHCP | Name to identify the Server. |
| Interface | WLAN2 172.16.16.1 | Select internal interface |
| Lease Type | Dynamic | Select Lease Type. |
| Lease IP Range | 172.16.16.2 - 172.16.16.20 | Specify range of IP addresses that are to be leased. |
| Subnet Mask | /24 (255.255.255.0) | Specify Subnet Mask. |
| Domain Name | Guest | Specify domain name that the DHCP server will assign to the DHCP Clients. |
| Gateway | Use Interface IP as Gateway: Enabled | Specify IP address for default Gateway or click Use Interface IP as Gateway |
| Default Lease Time | 1440 | Specify Default Lease Time. |
| Max Lease Time | 2880 | Specify Maximum Lease Time |
| Conflict Detection | Enabled | Enable Conflict detection to check the IP before leasing, i.e. if enabled the already leased IP will not be leased again. |
| DNS Server | Use Appliance's DNS Settings: Enabled | Click Use Appliance's DNS settings to use appliance DNS server or specify IP address of Primary and Secondary DNS servers. |

Click OK to save DHCP Server settings.
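
A desk check of the Access Point and DHCP values from Steps 2 and 3, as an added example that is not part of the original guide and does not talk to the appliance. The names `review`, `AP`, `DHCP` and `MIN_PSK_LEN` are hypothetical, and the 12-character passphrase threshold is an assumed local policy.

```python
import ipaddress

# Values copied from the Access Point and DHCP tables on this page.
AP = {"ip": "172.16.16.1", "prefix": 24, "encryption": "TKIP",
      "passphrase": "cyberoam", "max_clients": 255}
DHCP = {"start": "172.16.16.2", "end": "172.16.16.20", "prefix": 24}
MIN_PSK_LEN = 12  # assumed local policy; WPA itself only requires 8


def review(ap, dhcp):
    """Return a list of findings for the guest WLAN and its DHCP scope."""
    findings = []
    net = ipaddress.ip_network(f"{ap['ip']}/{ap['prefix']}", strict=False)
    gw = ipaddress.ip_address(ap["ip"])
    start = ipaddress.ip_address(dhcp["start"])
    end = ipaddress.ip_address(dhcp["end"])

    # Addressing: the lease range must be ordered, inside the AP subnet,
    # and must not hand out the gateway (interface) address.
    if start > end or start not in net or end not in net:
        findings.append(f"lease range is not a valid range inside {net}")
    elif start <= gw <= end:
        findings.append("lease range includes the gateway address")
    if dhcp["prefix"] != ap["prefix"]:
        findings.append("DHCP subnet mask differs from the interface netmask")

    # Capacity: once the pool is leased out, further clients can associate
    # with the AP but receive no address.
    pool = int(end) - int(start) + 1
    if 0 < pool < ap["max_clients"]:
        findings.append(
            f"pool has {pool} leases but the AP admits {ap['max_clients']} clients")

    # Wireless: TKIP is deprecated in IEEE 802.11; a WPA passphrase is 8 to
    # 63 characters, and a short single-class one is cheap to guess offline.
    if ap["encryption"].upper() == "TKIP":
        findings.append("TKIP is deprecated; use AES (CCMP) where available")
    psk = ap["passphrase"]
    if not 8 <= len(psk) <= 63:
        findings.append("passphrase is outside the 8-63 character range")
    elif len(psk) < MIN_PSK_LEN or psk.isalpha() or psk.isdigit():
        findings.append("passphrase is short or single-class; treat as guessable")
    return findings


if __name__ == "__main__":
    for finding in review(AP, DHCP):
        print("-", finding)
```

With the values as given in the tables, the check reports the lease pool size against Maximum Clients, the TKIP setting and the passphrase.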

Step 5: Update Firewall Rule to Secure WLAN Traffic


On creation of the GUEST Zone (as shown in step 1), Cyberoam automatically creates default rules
allowing traffic from GUEST to WAN as shown below.

Update the default rule #Guest_WAN_AnyTraffic to Drop all traffic that hits it. This is required if you
want to drop all unauthenticated traffic. Any Guest User trying to access the Internet is then forced to
authenticate, enabling controlled Internet access.

The above steps configure Internet Access Point for Guest Users.

Configure Guest User Authentication


Once the Internet Access Point is configured and all unauthenticated traffic is dropped to enforce user
authentication, the administrator needs to configure the Guest User Authentication settings.

Step 1: Create and Assign Policies to Guest Group


Create a Guest Group to implement various policies upon the guest users included in that group. This
ensures controlled Internet access by guest users. To create a group, go to Identity > Groups >
Groups and click Add to create a new group with parameters given below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Group Name | Guest_Group | Name to identify group. |
| Group Type | Normal | Select Group Type |
| Policies: Web Filter | General Corporate Policy | Select Web Filter policy from list. |
| Policies: Application Filter | Allow All | Select Application Filter policy from list. |
| Policies: Surfing Quota | Unlimited Internet Access | Select Surfing Quota policy from list. |
| Policies: Access Time | Allowed only during Work Hours | Select Access Time policy from list. |
| Policies: Data Transfer | Daily 10 MB | Select Data Transfer policy from list. |
| Policies: QoS | None | Select QoS policy from list. |
| Policies: SSLVPN | No Policy Applied | Select SSL VPN policy from list. |
| Spam Digest | Enabled | Configure Spam Digest. |
| MAC Binding | Disabled | Enable/disable MAC Binding. By binding User to MAC address, you are mapping user with a group of MAC addresses. |
| L2TP | Disabled | Enable if group users can get access through L2TP connection |
| PPTP | Disabled | Enable if group users can get access through PPTP connection |
| Login Restriction | Any Node | Select the appropriate option to specify the login restriction for the user group |

Click OK to create the group.

Step 2: Configure Guest User Settings


Go to Identity > Guest Users > General Settings and set parameters according to table given
below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Username Prefix | GUEST | Provide prefix to be used for Auto-Generation of username for guest users. |
| Group | Guest_Group | Select the group to which all guest users are assigned. |
| Password Length | | Specify the length of the auto-generated password for Guest Users. |
| Password Complexity | Alphanumeric Password | Select a type of password from the available options to be used for complexity of an auto-generated password |
| Auto Purge on Expiry | Enabled | Check if you want users to be purged from Cyberoam once their credentials expire. |

Click Apply to save Guest User settings.

Step 3: Create Guest Users


Guest Users can be created in two (2) ways:
1. Manually (by the Administrator)
2. Automatically

Create Guest Users Manually
This is the more commonly used method to create Guest Users. To create users manually, go to
Identity > Guest Users > Guest Users and click Add Single to create a single user OR Add
Multiple to create multiple users simultaneously. Here, as an example, we have created a single
user.

Mention the name, Email Address and validity of the user.

Click Add to create the user. You can also click Add and Print to print the user credentials after
creating the user.

Create Guest Users Automatically


Cyberoam also allows automatic creation of Guest Users. The users can register through Captive
Portal and their credentials are sent to them via SMS. To know how to configure automatic Guest
User creation, refer to the article Guest User Creation using Captive Portal.

Document Version: 2.1 7 November, 2014
