Configure an External Guest Authentication Hotspot
After you configure your external web server for external guest authentication, you can configure an External Guest Authentication hotspot on your Firebox. Before you begin, make sure you understand the external authentication process and correctly configure your external web server for guest authentication.
In Fireware v11.12 or higher, you can create a Walled Garden to specify IP addresses, IP ranges, networks, and domain names that guests can connect to without authentication credentials. For example, you can allow guests to connect to your company website without authentication.
For more information, see About Hotspot External Guest Authentication.
If your Firebox runs Fireware v11.11 and lower, you can enable only one hotspot on one interface on your Firebox. Multiple hotspots are only supported in versions higher than v11.11. The configuration settings in lower versions of Fireware appear different, but the configuration settings are the same as for a single hotspot in higher versions of Fireware.
- Select Authentication > Hotspot.
The Hotspots page appears with the Hotspots tab selected.
- Select the External Guest Authentication tab.
The External Guest Authentication Hotspot settings appear.
- Select the Enable External Guest Hotspot check box.
- In the Shared Secret and Confirm text boxes, type the shared secret.
This must be the same shared secret the external web server uses to create the checksum value it sends with the access decision.
- In the Authentication URL text box, type the URL of the authentication page on the external web server.
The Authentication URL must begin with https:// or http:// and must specify the IP address or domain name of the web server. A port number is not required, but you can choose to specify a custom port number.
For example, http://10.0.2.80:[port number]/auth.html or http://www.example.com/auth.html.
- In the Authentication Failure URL text box, type the URL of the authentication failure page on the external web server.
The Authentication Failure URL must begin with https:// or http:// and must specify the IP address or domain name of the web server. A port number is not required, but you can choose to specify a custom port number.
For example, http://10.0.2.80:[port number]/failure.html or http://www.example.com/failure.html.
- Click Add.
- From the Choose Type drop-down list, select Host IPv4, Network IPv4, Host Range IPv4, or FQDN. For example, select FQDN.
- In the text box, type an IPv4 address, IPv4 network, IPv4 range, or FQDN. For example, type example.com.
- Click OK.
- To add more items to the Walled Garden, click Add.
- To apply the External Guest Authentication settings to an interface, select the Hotspots tab.
- From the Interfaces list, select an interface.
- Click Select Hotspot.
- Select External Guest Authentication.
- Click Save.
- Select Setup > Authentication > Hotspot.
- Select the External Guest Authentication tab.
The External Guest Authentication settings appear.
- Select Enable External Guest Authentication.
- In the Shared Secret and Confirm text boxes, type the shared secret.
This must be the same shared secret the external web server uses to create the checksum value it sends with the access decision.
- In the Authentication URL text box, type the URL of the authentication page on the external web server.
The Authentication URL must begin with https:// or http:// and must specify the IP address or domain name of the web server. A port number is not required, but you can choose to specify a custom port number.
For example, http://10.0.2.80:[port number]/auth.html or http://www.example.com/auth.html.
- In the Authentication Failure URL text box, type the URL of the authentication failure page on the external web server.
The Authentication Failure URL must begin with https:// or http:// and must specify the IP address or domain name of the web server. A port number is not required, but you can choose to specify a custom port number.
For example, http://10.0.2.80:[port number]/failure.html or http://www.example.com/failure.html.
- From the Walled Garden area, click Add.
- From the Choose Type drop-down list, select Host IPv4, Network IPv4, Host Range IPv4, or FQDN. For example, select FQDN.
- In the text box, type an IPv4 address, IPv4 network, IPv4 range, or FQDN. For example, type example.com.
- Click OK.
- To add more items to the Walled Garden, click Add.
- To apply the External Guest Authentication settings to an interface, select the Hotspots tab.
- In the Interfaces list, click the Hotspot column for an interface.
A drop-down list appears in the Hotspot column for that interface.
- From the drop-down list, select the External Guest Authentication hotspot.
- Click OK.
When you enable external guest authentication, these policies are automatically created:
- Allow External Web Server — Allows TCP connections from users on the guest network to the external web server IP address and the port you use for hotspot external guest authentication.
- Allow Hotspot Session Mgmt — Allows connections from the external web server IP address to the Firebox.
- Allow Hotspot-Users — Allows connections from the hotspot to addresses external to the Firebox.
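A pre-deployment check for the values typed into the procedures above, as an added example that is not WatchGuard code: it applies the URL rules stated on this page, returns the web server host and port that the Allow External Web Server policy is described as covering, and maps each planned Walled Garden entry to one of the four Choose Type values. The function names, the "start-end" range notation, and the /24 width threshold are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

def check_url(url):
    """Apply the page's URL rules; return (host, port, warnings)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("URL must begin with https:// or http://")
    if not parts.hostname:
        raise ValueError("URL must specify an IP address or domain name")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    warnings = ["http:// carries the guest login page in cleartext"] if parts.scheme == "http" else []
    return parts.hostname, port, warnings

def classify(entry):
    """Return the Choose Type value that matches a Walled Garden entry."""
    entry = entry.strip()
    if "-" in entry and entry.replace("-", "").replace(".", "").isdigit():
        # "start-end" is this example's own notation for a range (assumption)
        lo, hi = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start above range end: {entry}")
        return "Host Range IPv4"
    if "/" in entry:
        ipaddress.IPv4Network(entry, strict=True)  # rejects host bits set
        return "Network IPv4"
    try:
        ipaddress.IPv4Address(entry)
        return "Host IPv4"
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and all(LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "FQDN"
    raise ValueError(f"not an IPv4 host, network, range, or FQDN: {entry!r}")

def review(entries, min_prefix=24):
    """Classify each entry; flag networks wider than min_prefix (assumed threshold)."""
    report = []
    for e in entries:
        kind = classify(e)
        wide = kind == "Network IPv4" and ipaddress.IPv4Network(e.strip()).prefixlen < min_prefix
        report.append((e, kind, "reachable without authentication: wide network" if wide else None))
    return report

if __name__ == "__main__":  # constructed sample plan using the page's example values
    print(check_url("http://www.example.com/auth.html"))
    print(review(["example.com", "10.0.2.80", "10.0.2.0/24", "10.0.0.0/8", "10.0.2.10-10.0.2.20"]))
```

Every Walled Garden entry is reachable before a guest authenticates, so the width warning is worth reviewing before the entry is added.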
See Also
Configure a Web Server for Hotspot External Guest Authentication