This is an example of using a ZyWALL/USG to configure guest WiFi accounts to allow limited wireless access to the Internet using only HTTP, HTTPS, and DNS protocols.
SETUP/STEP BY STEP PROCEDURE:
Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG:
1. In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User. Click Add, enter a User Name for the guest Wi-Fi user, and set User Type to guest. Set a secure Password (4-31 characters) and enter it again for confirmation.
Set the Authentication Timeout Settings to Use Manual Settings, then enter the number of minutes this user has to renew the current session before being logged out. Then click OK.
2. In the ZyWALL/USG, go to CONFIGURATION > Object > Address/Geo IP. Click Add to create an Address Rule for the guest Wi-Fi user access subnet. In this example, the AP is connected to the ZyWALL/USG LAN interface 192.168.2.0/24. Configure a Name to identify the Wi-Fi guest subnet. Set the Network to 192.168.2.0 and the Netmask to 255.255.255.0. Click OK.
Note: The IP addresses used here are only examples; please use your own IP addresses.
3. In the ZyWALL/USG, go to CONFIGURATION > Object > Service > Service Group. Click Add to create a Service Group Rule containing the protocols allowed for the guest Wi-Fi user. Configure a Name to identify the Service Group. Add HTTP, HTTPS and DNS as members of the group and click OK.
Set Up the Web Authentication on the ZyWALL/USG:
- In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > Web Authentication Policy Summary. Click Add to configure a policy that redirects HTTP traffic to the user login screen. Configure the Description (optional) to identify the authentication policy. Then scroll down the Source Address list and choose the newly created wifi-guest. Set Authentication to required. Select Force User Authentication.
- In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > Global Settings and select Enable Web Authentication.
Set Up the Security Policy on the ZyWALL/USG:
- In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy. Click Add. Configure a Name to identify the Security Policy profile. Set From: LAN and To: any (Excluding ZyWALL). Set Service to the Service Group Rule (wifi_guest_access in this example). Set User to the Wi-Fi guest user (wifi_guest_access in this example). Set the Log type to log alert so that you can view the result later.
Test the Result:
- Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you are redirected to the user login screen.
- The access session page will appear.
- Go to the ZyWALL/USG Monitor > System Status > Login Users to see the current list of logged-in users.
- Attempt to access an FTP server (a prohibited service in this example); the attempt fails with an error message.
- Go to the ZyWALL/USG Monitor > Log to see the [notice] log message. Access to FTP service port 21 is blocked in this example.
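The manual test above can be repeated as a script run from a guest client after logging in through the web authentication page. This is an added example, not Zyxel code: it probes the three allowed services and FTP, then reports any deviation from the intended policy. The target hostnames and addresses are placeholders (assumptions), and DNS is probed over UDP only.

```python
import socket
import struct

# Expected result for an authenticated guest, per the service group in step 3:
# HTTP, HTTPS and DNS pass; FTP (the page's prohibited test case) is blocked.
EXPECTED = {("tcp", 80): True, ("tcp", 443): True, ("udp", 53): True, ("tcp", 21): False}

def dns_query(name):
    """Build a minimal DNS A-record query (RFC 1035) for the UDP probe."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def socket_probe(proto, host, port, timeout=3.0):
    """Return True if the service answers this client, False if blocked or silent."""
    try:
        if proto == "tcp":
            with socket.create_connection((host, port), timeout=timeout):
                return True
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(dns_query("example.com"), (host, port))
            return len(s.recv(512)) >= 12  # any reply carrying a full DNS header
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False

def audit(targets, probe=socket_probe):
    """Compare observed reachability with EXPECTED and return the deviations."""
    findings = []
    for (proto, port), allowed in EXPECTED.items():
        seen = probe(proto, targets[(proto, port)], port)
        if seen != allowed:
            kind = "over-permissive" if seen else "over-blocking"
            findings.append((proto, port, kind))
    return findings

if __name__ == "__main__":
    # Placeholder targets (assumptions): use servers you operate and know are up,
    # so that a failed FTP connection reflects the firewall and not a dead server.
    targets = {("tcp", 80): "web.example.net", ("tcp", 443): "web.example.net",
               ("udp", 53): "192.0.2.53", ("tcp", 21): "ftp.example.net"}
    for proto, port, kind in audit(targets):
        print(f"{proto}/{port}: {kind}")
```

An empty result means the guest policy behaves as configured; an over-permissive finding on tcp/21 should match the absence of the blocked-FTP entry in Monitor > Log.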