Configure a Hotspot
To give Internet access to your guests or customers, you can enable a hotspot on any trusted, optional, or custom Firebox interface. You can configure a hotspot for connections to wireless or wired interfaces on your Firebox, and you can enable different hotspots for different interfaces.
To use your hotspot, a guest user must open a browser while connected to the network that has the hotspot enabled. When the user tries to browse to the Internet, the custom hotspot page appears in the browser. To use the hotspot, the user must accept the specified terms and conditions.
You can also configure the hotspot to require user authentication. When you enable this option, guests must authenticate before they can connect to the Internet. You can also create a Walled Garden which is a list of IP addresses, IP ranges, networks, and domain names your guests can connect to before they authenticate. For example, you can allow guests to connect to you company website before they authenticate.
If your hotspot requires authentication, you must create a Guest Administrator user account. The Guest Administrator logs in to the WatchGuard Guest Administrator Portal to create and manage temporary hotspot user accounts and print hotspot credentials for guests.
To configure the hotspot settings from Fireware Web UI, select Authentication > Hotspot.
The Hotspots page appears with the Hotspots tab selected.
To configure hotspot settings from Policy Manager, select Setup > Authentication > Hotspot.
The Hotspot Configuration dialog box appears with the Hotspots tab selected.
The Hotspots configuration has three tabs:
- Hotspots — Configure hotspots, assign hotspots to interfaces, create an Authentication list, and manage Guest Administrator accounts
- External Guest Authentication — Configure a hotspot that authenticates guests to an external web server, and create a Walled Garden
- Settings — Configure settings that apply to all hotspots
Configure Hotspots
On the Hotspots tab, you can add, edit, or remove a hotspot. You can also assign a hotspot to an interface and manage Guest Administrator accounts. You can add more than one hotspot, and specify different authentication requirements and hotspot page settings for each hotspot. You must add a hotspot before you can enable it for an interface. If a hotspot requires authentication, you must also add at least one Guest Administrator account to create and manage user accounts.
Add a Hotspot
- In the Hotspots section, click Add.
- In the Hotspot Name text box, type a name for the hotspot.
- Configure the hotspot settings, including any Walled Garden settings as described in Configure Hotspot Settings.
- In the Hotspots section, click Add.
The Hotspot Settings dialog box appears.
- In the Hotspot Name text, box, type a name for the hotspot.
- Configure the hotspot settings, including any Walled Garden settings as described in Configure Hotspot Settings.
Edit a Hotspot
If you change hotspot authentication settings, all existing guest user accounts for that hotspot are removed.
- In the Hotspots list, select the hotspot.
- Click Edit.
- Configure the hotspot settings, including any Walled Garden settings as described in Configure Hotspot Settings.
- In the Hotspots list, select the hotspot.
- Click Edit.
- Configure the hotspot settings, including any Walled Garden settings as described in Configure Hotspot Settings.
Remove a Hotspot
If you remove a hotspot:, all existing guest user accounts for that hotspot are removed, and any interfaces that used the hotspot no longer have a hotspot enabled.
- From the Hotspots list, select the hotspot.
- Click Remove.
- From the Hotspots list, select the hotspot.
- Click Remove.
Enable a Hotspot for an Interface
After you add a hotspot, you can enable it for one or more interfaces. When you enable a hotspot for an interface, the hotspot is enabled for all connections (both wired and wireless) to that interface.
To enable a hotspot for connections to a WatchGuard AP device, the interface you enable the hotspot on depends on the SSID configuration. If the AP device SSID uses VLAN tagging, enable the hotspot for the VLAN interface that corresponds to the VLAN ID in the SSID. If the AP device SSID does not use VLAN tagging, enable the hotspot for the Firebox interfaces that all AP devices that use this SSID connect to.
- On the Hotspots page, from the Interfaces list, select one or more interfaces.
- From the Select Hotspot drop-down list, select the hotspot to enable for the selected interfaces.
- Click Save.
- In the Hotspot Configuration dialog box, click the Hotspot column for an interface.
A drop-down list appears in the Hotspot column for that interface. - From the drop-down list, select the hotspot to enable for the interface.
- Click OK.
When you enable hotspots for one or more interfaces, the Allow Hotspot-Users policy is automatically created in the Firebox configuration file. This policy allows outbound connections from all interfaces that have a hotspot enabled.
Manage Guest Administrator User Accounts
If you add a hotspot that requires authentication, you must add at least one Guest Administrator. A Guest Administrator is a user account on your Firebox that has privileges to connect to the Guest Administration Portal on the Firebox and manage the list of guest user accounts that can connect to your hotspots.
You can manage Guest Administrator user accounts directly from the Hotspots tab. Or, you can manage Guest Administrator user accounts from the Users and Roles list on the Firebox. The instructions in this topic describe how to manage Guest Administrator user accounts from the Hotspots configuration. For information about how to manage Guest Administrator user accounts from the Users and Roles list that includes all administrative user accounts, go to Manage Users and Roles on Your Firebox.
Add a Guest Administrator Account
- In the Guest Administrators section of the Hotspots tab, click Add.
The Add Guest Administrator dialog box appears.
- In the User Name text box, type the user name for the Guest Administrator user account.
- From the Authentication Server drop-down list, select the authentication server for this user account.
- From the Role drop-down list, select Guest Administrator.
- (Firebox-DB only) In the Passphrase and Confirm Passphrase text boxes, type the passphrase for this Guest Administrator user account.
- Click OK.
The user account appears in the Wireless Guest Administrators list and Users and Roles list.
- Click Manage Guest Administrator Accounts.
The Login dialog box appears.
- In the Administrator User Name and Administrator Passphrase text boxes, type the credentials for a user account with Device Administrator privileges.
- From the Authentication Server drop-down list, select the correct authentication server for the user account you specified.
- Click OK.
The Manage Users and Roles dialog box appears. Only Guest Administrator user accounts appear in the list of users and roles. - Click Add.
The Add User dialog box appears. - In the User Name text box, type the user name for the user account.
- From the Authentication Server drop-down list, select the authentication server for this user account.
- From the Role drop-down list, select Guest Administrator.
- (Firebox-DB only) In the Passphrase and Confirm Passphrase text boxes, type the passphrase for this user account.
- Click OK.
The user account appears in the Manage Users and Roles list.
Edit a Guest Administrator User Account
When you edit a Guest Administrator user account, you can disable the user account, or change the passphrase only for users defined in the Firebox-DB authentication server. You cannot change the user name or the authentication server. To change the user name or the authentication server specified for a user account, you must remove the user from the Guest Administrators list in Fireware Web UI or from the Manage Users and Roles list in Policy Manager, and then add the user account again with the correct settings.
- From the Guest Administrators list, select a Guest Administrator user account.
- Click Edit.
The Edit Guest Administrator dialog box appears. - To disable the user account, from the Role drop-down list, select Disabled.
- To change the passphrase, in the Passphrase and Confirm Passphrase text boxes, type the new passphrase for this Guest Administrator user account.
- Click OK.
- Click Save.
- From the Manage Users and Roles list, select a Guest Administrator user account.
- Click Edit.
The Edit Guest Administrator dialog box appears. - To disable the user account, from the Role drop-down list, select Disabled.
- To change the passphrase, in the Passphrase and Confirm Passphrase text boxes, type the new passphrase for this Guest Administrator user account.
- Click OK.
Remove a Guest Administrator User Account
- From the Guest Administrators list, select a Guest Administrator user account.
- Click Remove.
A confirmation message appears. - Click OK.
The Guest Administrator user account is deleted from the Guest Administrators list and the Users and Roles list. - Click Save.
- From the Manage Users and Roles list, select a Guest Administrator user account.
- Click Remove.
A confirmation message appears. - Click Yes.
The Guest Administrator user account is deleted from the Manage Users and Roles list.
Enable External Guest Authentication
On the External Guest Authentication tab, you can configure one External Guest Authentication hotspot, which uses an external web server for hotspot user authentication.
When a user connects to the External Guest Authentication hotspot, the Firebox redirects the user to a page on an external web server. The external web server can perform user authentication, or collect information from hotspot users. After the hotspot user attempts to authenticate, the external web server sends the Firebox a result that indicates whether to allow the user to use the hotspot.
For more information, go to Configure an External Guest Authentication Hotspot.
Configure Hotspot Global Settings
On the Settings tab, you can configure settings that apply to all hotspots. These include settings for the maximum number of accounts a Guest Administrator can add, and user session timeout settings.
For more information, go to Configure Hotspot Global Settings