Login
- Released At: 05-07-2024
- Page Views:
- Downloads:
- Table of Contents
- Related Documents
-
|
|
|
H3C IMC EIA |
|
Guest Authentication Configuration Examples |
|
|
|
|
Software version: EIA 7.3 (E0623)
Document version: 5W110-20230627
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Example: Configuring guest authentication using IMC EIA
Configuring guest settings on IMC EIA
Configuring the portal authentication page on IMC EIA
Configuring guest settings on IMC EIA
Configuring the BYOD authentication page on IMC EIA
QR code-based guest registration through portal and BYOD authentication
QR code-based guest registration through the guest manager self-service center
QR code-based guest registration through guest preregistration
Introduction
The following information provides an example of configuring QR code authentication to authenticate guests and illustrating the procedure that guests access wireless networks and pass QR code authentication. Scanning a QR code replaces the operations of guest preregistration, guest approval by guest manager, and username and password manual input. QR code authentication makes wireless network access more convenient for smart endpoint users.
Feature usage guide
Application scenarios
This example is applicable to scenarios where QR code authentication is used to authenticate guests on IMC EIA.
Prerequisites
The access device must support portal.
Example: Configuring guest authentication using IMC EIA
Network configuration
As shown in Figure 1, a company uses guest authentication to authenticate guests when the guests access the network. The switch acts as the access device.
Figure 1 Network diagram (portal)
Figure 2 Network diagram (BYOD)
Software versions used
This configuration example was created and verified on the following software versions:
· The version of the EIA server is EIA (E0623).
· The version of the access device is H3C WX5510EV7.
Procedures (portal)
To configure guest authentication, perform the following tasks:
· Configuring guest settings on IMC EIA
· Configuring the portal authentication page on IMC EIA
· Configuring the access device
Configuring the EIA server
Adding an access device
For the EIA server and the access device to cooperate with each other, add the access device to the EIA server.
To add the access device to the EIA server:
1. On the top navigation bar, click User.
2. From the left navigation pane, select User Access Policy > Access Device Management > Access Device, as shown in Figure 3.
Figure 3 Access device configuration page
3. On the page that opens, click Add.
Figure 4 Adding an access device
4. Use one of the following methods to add the access device:
¡ In the device list, click Select and select the access device from the IMC Platform.
¡ In the device list, click Add Manually and manually configure the access device.
Make sure the IP address of the access device meets the following requirements:
¡ If the nas-ip command is used in the RADIUS scheme on the access device, the IP address of the access device on the EIA server must be the IP address specified in the nas-ip command.
¡ If the nas-ip command is not used, the IP address of the access device on the EIA server must be one of the following IP addresses on the access device:
- The IP address of the interface connected to the EIA server.
- The IP address of the VLAN interface in the VLAN to which the interface connected to the EIA server belongs.
If you select the device from the IMC Platform, you cannot change the IP address of the device. If the IP address used by the device on the IMC Platform does not meet the above requirements, you can manually add the device.
In this example, the manual method is used. In the device list, click Add Manually. In the dialog box that opens, enter the IP address of the access device, and then click OK.
Figure 5 Manually adding the access device
5. Configure the following parameters:
¡ Authentication Port: Specify a port number for EIA to listen for RADIUS authentication packets. The authentication port must be the same as that specified in the RADIUS scheme on the access device. By default, the authentication port is 1812 on the EIA server and the access device.
¡ Accounting Port: Specify a port for EIA to listen for RADIUS accounting packets. The accounting port must be the same as that specified in the RADIUS scheme on the access device. By default, the accounting port is 1813 on the EIA server and the access device.
|
|
IMPORTANT: In the current software version, you must also use the EIA server as the accounting server if it has been used as the authentication server. |
¡ Shared Key/Confirm Shared Key: Specify a shared key and confirm it. The access device and the EIA server use the shared key to validate each other. The shared key must be the same as that configured in the RADIUS scheme on the access device. If you select Plaintext in the Displays Key in field on the User > User Access Policy > Service Parameters > System Settings > System Parameters page, enter the shared key in the Shared Key field. You do not need to confirm the shared key in this case. In this example, the shared key is movie.
¡ Use the default values for other parameters.
Figure 6 Configuring access device parameters
6. Click OK. The access device is displayed in the access device list.
Figure 7 Viewing the access device
Adding an access policy
Configure an access policy that does not have any access control settings.
To add an access policy:
1. On the top navigation pane, click User.
2. From the left navigation pane, select User Access Policy > Access Policy.
Figure 8 Access policy management page
3. Click Add. Because no access control is required, you only need to enter an access policy name and use the default values for other parameters.
Figure 9 Adding an access policy
|
|
NOTE: To deploy an authorization attribute, you must make sure the device supports that authorization attribute. To configure authentication binding information, you must make sure the device can upload the corresponding authentication binding information to the EIA server in RADIUS attributes. In this example, no authorization attributes are deployed and no authentication binding information is configured. |
4. Click OK. The access policy is displayed in the access policy list.
Figure 10 Viewing the access policy
Adding an access service
An access service contains a collection of policies for user authentication and authorization. In this example, no access control is required. You only need to add a simple access service that does not contain access control settings.
To add an access service:
1. On the top navigation pane, click User.
2. From the left navigation pane, select User Access Policy > Access Service.
Figure 11 Access service management page
3. Click Add. On the page that opens, configure the service name, service suffix, and default access policy, and use the default values for other parameters.
Figure 12 Adding an access service
4. Configure the following parameters:
¡ Service Name: Enter a service name. Make sure the name is unique on the EIA server.
¡ Service Suffix: Enter a service suffix, which identifies the name of the domain to be used for user authentication. Table 1 shows the relationship among the service suffix, the username used in authentication, the authentication domain on the device, and the username format configured in the RADIUS scheme in use.
Table 1 Service suffix selection
|
Username used in authentication |
Authentication domain on the access device |
Username format configured in the RADIUS scheme on the access device |
Service suffix on EIA |
|
X@Y |
Y |
user-name-format with-domain |
Y |
|
user-name-format without-domain |
No suffix |
||
|
X |
Default domain on the device |
user-name-format with-domain |
Default domain |
|
user-name-format without-domain |
No suffix |
¡ Service Group: Select a service group for permission access control. The service group contains accessible services. Only administrators and operators with permissions to access this service group can configure it and the services assigned to it.
¡ Default Access Policy: Select the access policy.
¡ Default Security Policy: Name of the security policy applied to users in access scenarios that are not included in the service. The security policy is used to check and monitor user endpoints for security issues and to automatically defend the network. This field is displayed only when the EAD component is installed.
¡ Default Internet Access Policy: Name of the Internet access configuration applied to users in access scenarios that are not included in the service.
¡ Default Max. Number of Bound Endpoints: Maximum number of endpoints to be bound to the same user account in access scenarios that are not included in the service. When endpoints bound to an account reach the maximum value, no more endpoints can access the network by using the account. This field is displayed only when the EIP component is installed.
¡ Default Max. Number of Online Endpoints: Maximum number of online endpoints using the same user account in access scenarios that are not included in the service. When online endpoints of an account reach the maximum value, no more endpoints can access the network by using the account.
¡ Daily Max. Online Duration: Total duration in a day that an account can access the network by using the service. When the limit is reached, the account is forced offline and is unable to access the network in the day. This parameter is an integer in the range of 0 to 1440 minutes. A value of 0 means not limited.
¡ Use the default values for other parameters.
5. Click OK. The access service is displayed in the access service list.
Figure 13 Viewing the access service
Adding an access user account
1. On the top navigation pane, click User.
2. From the left navigation pane, select Access User > All Access Users.
Figure 14 All Access Users page
3. Click Add.
Figure 15 Adding an access user account
Figure 16 Selecting the access service
4. Configure the following parameters:
¡ User Name and Identity Number: Enter the user name and identity number.
¡ Account Name: Enter an account name to uniquely identify the access user. The access user uses the account name to apply for and use services. The account name cannot be the same as that of any existing access user, and it cannot contain special characters #+/?%&=*'@\"[]()<>` or the tab key. In addition, its length cannot exceed 200 characters.
¡ Password/Confirm Password: Enter a password and confirm it.
¡ Use the default values for other parameters.
5. Click OK. The access user account is displayed in the access user account list.
Figure 17 Viewing the access user account
Configuring guest settings on IMC EIA
Configuring all access user accounts used by the reception personnel as guest managers
On the guest manager self-service center, a guest manager or super guest manager can approve a guest only if the guest has selected that guest manager or super guest manager during preregistration. However, all guest managers and super guest managers can approve any guests by scanning the approval QR codes of the guests.
To add a guest manager:
1. Use account admin or other administrator or operator account that has permissions to manage guest managers to log in to IMC.
2. On the top navigation pane, click User.
3. From the left navigation pane, select Guest > Guest Manager.
4. Click Add. On the page that opens, configure the following parameters:
¡ Guest Manager Type: Use the default option Guest Manager.
¡ Guest Maximum Validity Time: Set the value to 7 days.
5. Click Select in the Selected Access Users area. In the dialog box that opens, select the access user, and then click OK.
Figure 19 Selecting the access user
6. Click OK. The guest manager is displayed as shown in Figure 20.
Figure 20 Viewing the guest manager
Specifying the default guest manager
The default guest manager is used for auto-registration. It does not affect the QR code approval process. You can specify any guest manager as the default guest manager. This task is optional if the system already has the default guest manager.
In the guest manager list, click No in the Default Guest Manager column for a guest manager, as shown in Figure 21. The guest manager is specified as the default guest manager, as shown in Figure 22.
Figure 21 Specifying the default guest manager
Figure 22 Successfully specifying the default guest manager
Selecting guest services and specifying a guest service as the default guest service
1. From the left navigation pane, select Guest > Guest Service.
2. Click Add. On the page that opens, select the access service added in "Adding an access service," and then click OK.
Figure 24 Adding the access service as a guest service
3. In the guest service list, click No in the Default Guest Service column for the guest service, as shown in Figure 25. The guest service is specified as the default guest service.
Figure 25 Specifying the default guest service
Configuring a guest policy
1. From the left navigation pane, select Guest > Guest Policy. On the page that opens, click Add.
Figure 26 Adding the default access policy
2. Configure the following parameters:
¡ Policy Name: Enter a policy name.
¡ Guest Auto-Registration: Select Disable. If you select Enable, preregistered guests can be automatically registered without the approval of a guest manager. This option is not applicable to QR code-based approval scenarios.
¡ Display QR Code after Guest Preregistration: Select Yes.
3. Click OK.
Configuring the portal authentication page on IMC EIA
Configuring the portal server
1. On the top navigation pane, click User.
2. From the left navigation pane, select User Access Policy > Portal Service > Server.
Figure 27 Portal server configuration
3. In the Service Type List area, click Add.
Figure 28 Adding a service type
4. Configure the following parameters:
¡ Service Type ID: The device determines the authentication method according to the ID of the selected service type. Make sure the service type ID is the same as the service suffix of the added access service.
¡ Service Type: A service type ID is used by the device. Users might not understand what a service type ID means. You must enter a service type that is understandable to users for the service type ID. Service types will be displayed on the portal login page for users to select. This field can neither be null nor be identical with any existing service type. You can configure a maximum of 64 service types.
5. Click OK to return to the Server page. The service type is displayed in the service type list.
Figure 29 Viewing the service type
6. Click OK.
Configuring an IP address group
1. On the top navigation pane, click User.
2. From the left navigation pane, select User Access Policy > Portal Service > IP Group.
Figure 30 Configuring IP address groups
3. Click Add.
4. Enter an IP address group name. In this example, the name is 46.46.46.1. Enter the start and end IP addresses. All endpoints in the IP address range must be authenticated.
Figure 31 Adding an IP address group
5. Click OK to return to the IP Group page. The IP group is displayed in the IP group list.
Figure 32 Viewing the IP address group
Configuring device settings
1. On the top navigation pane, click User.
2. From the left navigation pane, select User Access Policy > Portal Service > Device.
Figure 33 Device configuration
3. Click Add.
4. Configure the following parameters:
¡ Device Name: Enter the device name. In this example, the device name is 46.46.46.1.
¡ IP Address: Enter the public IP address of the portal access device.
¡ Key/Confirm Key: Enter a key and confirm it. In this example, the key is movie. The key must be the same as that configured on the access device for the portal server.
¡ Access Method: Select Directly Connected from the Access Method list.
¡ Use the default values for other parameters.
Figure 34 Adding device information
5. Click OK. On the Device page, the device information is displayed in the device list.
Figure 35 Viewing the device information
6. In the portal device list, click the 
icon
for the portal device to open the port group configuration page.
Figure 36 Portal port group list
7. Click Add. On the page that opens, configure the following parameters:
¡ Port Group Name: Enter a name for the port group. In this example, the name is portal.
¡ Authentication Type: Select CHAP.
¡ Default Authentication Page: Select PHONE - QR Code Registration and Authentication(PHONE).
¡ Use the default values for other parameters.
Figure 37 Portal port group configuration
8. Click OK.
Configuring the access device
The access device controls user access. A user can access the network only after it passes authentication.
In this example, Telnet to the access device from the CLI of a Windows system and configure the access device.
To configure the access device:
1. Enter system view.
<WX5510E-160> system-view
System View: return to User View with Ctrl+Z.
2. Configure RADIUS scheme allpermit:
# Create RADIUS scheme allpermit and enter its view.
[WX5510E-160] radius scheme allpermit
New Radius scheme
# Specify the EIA server as both the authentication server and accounting server, and configure the authentication port, accounting port, authentication shared key, and accounting shared key. The authentication port, accounting port, authentication shared key, and accounting shared key must be the same as those configured in "Adding an access device."
[WX5510E-160-radius-allpermit] primary authentication 172.19.202.241 1812
[WX5510E-160-radius-allpermit] primary accounting 172.19.202.241 1813
[WX5510E-160-radius-allpermit] key authentication simple movie
[WX5510E-160-radius-allpermit] key accounting simple movie
# Include the ISP domain name in the usernames sent to the EIA server.
[WX5510E-160-radius-allpermit] user-name-format with-domain
[WX5510E-160-radius-allpermit] quit
3. Configure ISP domain portal:
# Create ISP domain portal and enter its view. The name of the ISP domain must be the same as the service suffix configured in "Adding an access service."
[WX5510E-160] domain portal
# Apply RADIUS scheme allpermit to the ISP domain for portal user authentication, authorization, and accounting.
[WX5510E-160-isp-portal] authentication portal radius-scheme allpermit
[WX5510E-160-isp-portal] authorization portal radius-scheme allpermit
[WX5510E-160-isp-portal] accounting portal radius-scheme allpermit
[WX5510E-160-isp-portal] quit
4. Configure the portal authentication server:
# Set the server name to myportal.
[WX5510E-160] portal server myportal
New portal server added.
# Specify the IP address of the EIA server and configure a key. The key must be the same as that configured in "Configuring device settings."
[WX5510E-160-portal-server-myportal] ip 172.19.202.241 key simple movie
[WX5510E-160-portal-server-myportal] quit
5. Configure the URL of the portal Web server as http://172.19.202.241:8080/portal. The URL must be the same as the URL specified in the Portal Page area on the server. For more information, see "Configuring the portal server" and Figure 27.
[WX5510E-160] portal web-server myportal
New portal web-server added.
[WX5510E-160-portal-websvr-myportal] url http:// 172.19.202.241:8080/portal
[WX5510E-160-portal-websvr-myportal] quit
6. Configure the VLAN interface of VLAN 50 to which GigabitEthernet 1/0/16 belongs:
# Assign an IP address to the VLAN interface and configure DHCP server settings.
[WX5510E-160] interface Vlan-interface 50
[WX5510E-160-Vlan-interface50] ip address 46.46.46.1 255.255.255.0
[WX5510E-160-Vlan-interface50] dns server 1.2.1.12
[WX5510E-160-Vlan-interface50] dhcp select relay
[WX5510E-160-Vlan-interface50] dhcp relay server-address 172.19.202.250
# Enable direct portal authentication.
[WX5510E-160-Vlan-interface50] portal enable method direct
# Specify portal Web server myportal.
[WX5510E-160-Vlan-interface50] portal apply web-server myportal
# Configure the BAS-IP attribute carried in the portal packets sent to the portal authentication server. The BAS-IP must be the same as the IP address specified in "Configuring device settings."
[WX5510E-160-Vlan-interface50] portal bas-ip 46.46.46.1
# Specify ISP domain portal for portal authentication.
[WX5510E-160-Vlan-interface50] portal domain portal
[WX5510E-160-Vlan-interface50] quit
7. Configure a wireless service template:
# Create service template market and enter its view.
[WX5510E-160-wlan-st-market] wlan service-template market
# Specify an SSID and a VLAN for the service template.
[WX5510E-160-wlan-st-market] ssid ss_market_portal
[WX5510E-160-wlan-st-market] vlan 50
# Enable the service template.
[WX5510E-160-wlan-st-market] service-template enable
8. Configure a manual AP:
# Create manual AP inode1, specify its model and serial number, and configure the other AP settings.
[WX5510E-160] wlan ap inode1 model WA4320i-ACN
[WX5510E-160-wlan-ap-inodel] serial-id 210235A1GQC172001181
[WX5510E-160-wlan-ap-inodel] priority 5
[WX5510E-160-wlan-ap-inodel] statistics-interval 50
[WX5510E-160-wlan-ap-inodel] client idle-timeout 3600
[WX5510E-160-wlan-ap-inodel] nas-id 12334434
[WX5510E-160-wlan-ap-inodel] wlan nat-detect disable
[WX5510E-160-wlan-ap-inodel] vlan 1
[WX5510E-160-wlan-ap-inodel] client-proximity-sensor ap-udp-server 1.2.7.7 port 7777
[WX5510E-160-wlan-ap-inodel] interval 20
# Bind service template market to radio 1 and radio 2, configure the radio settings, and enable the radios.
[WX5510E-160-wlan-ap-inodel] radio 1
[WX5510E-160-wlan-ap-inodel-radio-1] max-power 15
[WX5510E-160-wlan-ap-inodel-radio-1] radio enable
[WX5510E-160-wlan-ap-inodel-radio-1] service-template market
[WX5510E-160-wlan-ap-inodel-radio-1] wips enable
[WX5510E-160-wlan-ap-inodel-radio-1] client-proximity-sensor enable
[WX5510E-160-wlan-ap-inodel-radio-1] spectrum-analysis enable
[WX5510E-160-wlan-ap-inodel-radio-1] quit
[WX5510E-160-wlan-ap-inodel] radio 2
[WX5510E-160-wlan-ap-inodel-radio-2] channel auto unlock
[WX5510E-160-wlan-ap-inodel-radio-2] max-power 15
[WX5510E-160-wlan-ap-inodel-radio-2] radio enable
[WX5510E-160-wlan-ap-inodel-radio-2] service-template market
[WX5510E-160-wlan-ap-inodel-radio-2] wips enable
[WX5510E-160-wlan-ap-inodel-radio-2] client-proximity-sensor enable
[WX5510E-160-wlan-ap-inodel-radio-2] spectrum-analysis enable
[WX5510E-160-wlan-ap-inodel-radio-2] quit
[WX5510E-160-wlan-ap-inodel] provision
[WX5510E-160-wlan-ap-inodel] gigabitethernet 1
[WX5510E-160-wlan-ap-inodel] gigabitethernet 2
Procedures (BYOD)
To configure guest authentication, perform the following tasks:
· Configuring guest settings on IMC EIA
· Configuring the BYOD authentication page on IMC EIA
· Configuring the access device
Configuring the EIA server
For more information, see "Configuring the EIA server."
The suffix of the BYOD access service is market, which is different from that of portal authentication.
Configuring guest settings on IMC EIA
For more information, see "Configuring guest settings on IMC EIA."
Configuring the BYOD authentication page on IMC EIA
1. On the top navigation pane, click User.
2. From the left navigation pane, select User Access Policy > Customize Terminal Pages > Page Push Policy.
Figure 38 Page Push Policy page
3. Click Add. On the page that opens, configure the following parameters:
¡ Policy Name: Enter a policy name. In this example, the policy name is mac.
¡ Authentication Method: Select the MAC option. Only one page push policy can use this option.
¡ Default Authentication Page: Select PHONE - QR Code Registration and Authentication(PHONE).
Figure 39 Adding a page push policy
4. Click OK.
Configuring the access device
The access device controls user access. A user can access the network only after it passes authentication.
In this example, Telnet to the access device from the CLI of a Windows system and configure the access device.
To configure the access device:
1. Enter system view.
<WX5510E-160> system-view
System View: return to User View with Ctrl+Z.
2. Configure RADIUS scheme market:
# Create RADIUS scheme market and enter its view.
[WX5510E-160] radius scheme market
New Radius scheme
# Specify the EIA server as both the authentication server and accounting server, and configure the authentication port, accounting port, authentication shared key, and accounting shared key. The authentication port, accounting port, authentication shared key, and accounting shared key must be the same as those configured in "Adding an access device."
[WX5510E-160-radius-allpermit] primary authentication 172.19.202.241 1812
[WX5510E-160-radius-allpermit] primary accounting 172.19.202.241 1813
[WX5510E-160-radius-allpermit] key authentication simple movie
[WX5510E-160-radius-allpermit] key accounting simple movie
# Include the ISP domain name in the usernames sent to the EIA server.
[WX5510E-160-radius-allpermit] user-name-format with-domain
[WX5510E-160-radius-allpermit] quit
3. Configure ISP domain market:
# Create ISP domain market and enter its view. The name of the ISP domain must be the same as the service suffix configured in "Adding an access service."
[WX5510E-160] domain market
# Apply RADIUS scheme market to the ISP domain for portal user authentication, authorization, and accounting.
[WX5510E-160-isp-portal] authentication portal radius-scheme market
[WX5510E-160-isp-portal] authorization portal radius-scheme market
[WX5510E-160-isp-portal] accounting portal radius-scheme market
[WX5510E-160-isp-portal] quit
4. Configure a wireless service template:
# Create service template market3 and enter its view.
[WX5510E-160] wlan service-template market3
# Specify an SSID and a VLAN for the service template.
[WX5510E-160-wlan-st-market3] ssid ss_market_mac
[WX5510E-160-wlan-st-market3] vlan 97
# Set the authentication mode to MAC authentication, and specify ISP domain market for MAC authentication.
[WX5510E-160-wlan-st-market3] client-security authentication-mode mac
[WX5510E-160-wlan-st-market3] mac-authentication domain market
# Enable the service template.
[WX5510E-160-wlan-st-market3] service-template enable
5. Configure a manual AP:
# Create manual AP inode1, specify its model and serial number, and configure the other AP settings.
[WX5510E-160] wlan ap inode1 model WA4320i-ACN
[WX5510E-160-wlan-ap-inodel] serial-id 210235A1GQC172001181
[WX5510E-160-wlan-ap-inodel] priority 5
[WX5510E-160-wlan-ap-inodel] statistics-interval 50
[WX5510E-160-wlan-ap-inodel] client idle-timeout 3600
[WX5510E-160-wlan-ap-inodel] nas-id 12334434
[WX5510E-160-wlan-ap-inodel] wlan nat-detect disable
[WX5510E-160-wlan-ap-inodel] vlan 1
[WX5510E-160-wlan-ap-inodel] client-proximity-sensor ap-udp-server 1.2.7.7 port 7777 interval 20
# Bind service template market3 to radio 1 and radio 2, configure the radio settings, and enable the radios.
[WX5510E-160-wlan-ap-inodel] radio 1
[WX5510E-160-wlan-ap-inodel-radio-1] max-power 15
[WX5510E-160-wlan-ap-inodel-radio-1] radio enable
[WX5510E-160-wlan-ap-inodel-radio-1] service-template market3
[WX5510E-160-wlan-ap-inodel-radio-1] wips enable
[WX5510E-160-wlan-ap-inodel-radio-1] client-proximity-sensor enable
[WX5510E-160-wlan-ap-inodel-radio-1] spectrum-analysis enable
[WX5510E-160-wlan-ap-inodel-radio-1] radio 2
[WX5510E-160-wlan-ap-inodel-radio-2] channel auto unlock
[WX5510E-160-wlan-ap-inodel-radio-2] max-power 15
[WX5510E-160-wlan-ap-inodel-radio-2] radio enable
[WX5510E-160-wlan-ap-inodel-radio-2] service-template market3
[WX5510E-160-wlan-ap-inodel-radio-2] wips enable
[WX5510E-160-wlan-ap-inodel-radio-2] client-proximity-sensor enable
[WX5510E-160-wlan-ap-inodel-radio-2] spectrum-analysis enable
[WX5510E-160-wlan-ap-inodel] quit
[WX5510E-160-wlan-ap-inodel] provision
[WX5510E-160-wlan-ap-inodel] gigabitethernet 1
[WX5510E-160-wlan-ap-inodel] gigabitethernet 2
Verifying the configuration
This section contains the following guest authentication methods:
· QR code-based guest registration through portal and BYOD authentication
· QR code-based guest registration through the guest manager self-service center
· QR code-based guest registration through guest preregistration
QR code-based guest registration through portal and BYOD authentication
A guest connecting to a wireless network
On a smart endpoint, a guest connects to an SSID. If portal authentication is used, connect to SSID ss_market_portal. If BYOD authentication is used, connect to SSID ss_market_mac.
Generating a QR code for guest registration
On the smart endpoint of the guest, open a Web browser. If portal authentication is used, enter 2.2.2.2 in the address bar. If BYOD authentication is used, enter 172.19.202.241:8080/byod in the address bar. The QR code registration and authentication page opens. The system automatically finishes guest preregistration and displays a QR code, as shown in Figure 40 and Figure 41.
|
|
IMPORTANT: If the guest closes the browser after the QR code is generated and then re-opens the browser and accesses the network, a new guest is preregistered and a new QR code is generated. A large number of preregistered guests will be generated if the guest repeatedly closes and opens the browser and accesses the network. |
Figure 40 Portal QR code for guest registration
Figure 41 BYOD QR code for guest registration
Using a guest manager account to approve the guest
1. On a smart endpoint, a guest manager opens the browser and uses the embedded QR code scanning tool to scan the QR code and approve the guest.
|
|
IMPORTANT: Make sure the network connected to the guest manager can reach the internal network where the EIA server is deployed. Do not use the operator network of the smart endpoint. |
2. Use the smart endpoint of the guest manager to scan the QR code on the smart endpoint of the guest. The guest manager self-service center opens on the smart endpoint of the guest manager.
¡ If the guest manager has not logged in to the center, the login page opens as shown in Figure 42. On this page, enter the account and password of the guest manager. The approval page opens as shown in Figure 43.
¡ If the guest manager has logged in to the center, the approval page opens after the QR code is scanned, as shown in Figure 43.
Figure 42 Login page for the guest manager self-service center
3. Click Approve. The guest is registered as shown in Figure 44.
Figure 44 Registering the guest successfully
4. The guest comes online automatically or manually.
¡ If the guest manager approves the guest within 1 minute after the approval QR code is generated, the guest automatically passes authentication and comes online in 5 seconds after being approved.
¡ If the guest manager does not approve the guest within 1 minute after the approval QR code is generated, the smart endpoint of the guest will display a failure message. For the guest to come online, click the failure message link.
QR code-based guest registration through the guest manager self-service center
Using a guest manager to register a guest
1. On a smart endpoint, a guest manager enters the URL of the guest manager self-service center in the address bar of a Web browser to open the self-service center. In this example, the URL is http://172.19.202.241:8080/selfservice/mlogin.jsf.
Figure 45 Login page for the guest manager self-service center
2. Enter the account and password of the guest manager. The guest registration page opens, as shown in Figure 46.
Figure 46 Guest registration page
3. Click Guest Registration at the bottom of the guest registration page, and then click Mobile Registration. Enter a phone number, and then click Register. An authentication QR code is generated, as shown in Figure 47.
Figure 47 Authentication QR code
The guest connecting to a wireless network
On a smart endpoint, the guest connects to an SSID. If portal authentication is used, connect to SSID ss_market_portal. If BYOD authentication is used, connect to SSID ss_market_mac.
The guest scanning the QR code to complete authentication and come online
1. The guest opens a Web browser and opens the embedded QR code scanning tool of the Web browser.
2. Use the smart endpoint of the guest to scan the authentication QR code on the smart endpoint of the guest manager. The authentication success page opens.
QR code-based guest registration through guest preregistration
1. A guest accesses the user self-service center page at http://172.19.202.241:8080/selfservice/logon.jsf, as shown in Figure 48. On this page, click Preregister Guest. The guest preregistration page opens, as shown in Figure 49.
Figure 48 User self-service center
Figure 49 Guest preregistration page
2. Configure the parameters, and then click OK. A preregistered guest is generated with a QR code, as shown in Figure 50.
Figure 50 QR code for guest registration
3. The guest manager scans the QR code to approve the guest registration. The process is the same as that in "The guest scanning the QR code to complete authentication and come online." After the approval, the guest can click the QR code in Figure 50 to come online.
Viewing online users
On the User > Guest > All Guests page, view online guests.
