How to Set Up Guest WiFi Network Accounts
This is an example of using ZyWALL/USG to configure guest WiFi accounts to allow limited wireless access to the Internet using only HTTP, HTTPS, and DNS protocols. For the wireless network setup, please see the tutorial about How to Set Up WiFi with ZyXEL AP.
Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > Add A User to configure the User Name for the guest Wi-Fi user and set User Type to guest. Set a secure Password (4-31 characters) and enter it again for confirmation.
Set the Authentication Timeout Settings to Use Manual Settings, then enter the number of minutes this user has to renew the current session before being logged out.
CONFIGURATION > Object > User/Group > User > Add A User
2. In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create the guest Wi-Fi user access subnet. In this example, the AP is connected to the ZyWALL/USG LAN interface 192.168.2.0/24. Configure a Name to identify the Wi-Fi guest subnet. Set the Network to 192.168.2.0 and the Netmask to 255.255.255.0. Click OK.
CONFIGURATION > Object > Address > Add Address Rule
3. In the ZyWALL/USG, go to CONFIGURATION > Object > Service > Service Group > Add Service Group Rule to create the group of protocols allowed for the guest Wi-Fi user. Configure a Name to identify the Service Group. Add HTTP, HTTPS and DNS to the same member group and click OK.
CONFIGURATION > Object > Service > Service Group > Add Service Group Rule
Set Up the Web Authentication on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > Web Authentication Policy Summary > Auth. Policy Add to configure a policy that redirects HTTP traffic to the user login screen. Configure the Description (Optional) to identify the Auth. Policy. Then scroll down the Source Address list and choose the newly created wifi-guest. Set Authentication to required. Select Force User Authentication.
CONFIGURATION > Web Authentication > Web Authentication Policy Summary > Auth. Policy Add
2. In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > General Settings and select Enable Web Authentication.
CONFIGURATION > Web Authentication > General Settings
Set Up the Security Policy on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy > Add corresponding. Configure a Name to identify the Security Policy profile. Set From: LAN and To: any (Excluding ZyWALL). Set Service to the Service Group Rule (wifi_guest_access in this example). Set User to the Wi-Fi guest user (wifi_guest_access in this example). Select Log type to log alert in order to view the result later.
CONFIGURATION > Security Policy > Policy > Add corresponding
Test the Result
1. Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you will be redirected to the user login screen.
2. Type the Wi-Fi guest User Name and Password, then click Login.
3. The access session page will appear.
4. Go to the ZyWALL/USG Monitor > System Status > Login Users. You will see the current login user list, as shown below.
Monitor > System Status > Login Users
5. Attempt to access an FTP server (a prohibited service in this example). The attempt returns an error message.
6. Go to the ZyWALL/USG Monitor > Log. You will see a [notice] log message, as shown below. Access to FTP service port 21 is blocked in this example.
Monitor > Log
What Can Go Wrong?
1. If you see a [notice] log like the one shown below, the Wi-Fi guest traffic is being blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first policy that matches the traffic. If the Wi-Fi guest traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked. Change your policy settings or move the Wi-Fi guest policy to a higher priority.
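The first-match behaviour described above can be checked offline before reordering policies on the device. The following is an added example, not ZyXEL code or device output: it models an ordered policy list in Python, shows which policy decides a guest connection, and lists earlier policies that shadow the guest policy. The rule name block_lan_all, the 192.168.0.0/16 range, the client address 192.168.2.33 and the default deny are assumptions made for illustration.

```python
import ipaddress

# Simplified model: match on source subnet and service only (the device also matches
# on user, zone and destination). The default deny is an assumption of this sketch.
GUEST_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}  # HTTP, HTTPS, DNS

def rule(name, src, services, action):
    """Build one policy entry; services=None means 'any service'."""
    return {"name": name, "src": ipaddress.ip_network(src),
            "services": services, "action": action}

def first_match(policies, src_ip, proto, port, default="deny"):
    """Walk the list in priority order and return (rule name, action) of the first hit."""
    ip = ipaddress.ip_address(src_ip)
    for p in policies:
        if ip in p["src"] and (p["services"] is None or (proto, port) in p["services"]):
            return p["name"], p["action"]
    return "default", default

def shadowing_rules(policies, guest_name):
    """List (earlier rule, service) pairs that are decided before the guest policy is reached."""
    idx = next(i for i, p in enumerate(policies) if p["name"] == guest_name)
    guest = policies[idx]
    hits = []
    for earlier in policies[:idx]:
        if not earlier["src"].overlaps(guest["src"]):
            continue
        for svc in sorted(guest["services"]):
            if earlier["services"] is None or svc in earlier["services"]:
                hits.append((earlier["name"], svc))
    return hits

# Constructed policy lists, not exported from a device.
block_lan = rule("block_lan_all", "192.168.0.0/16", None, "deny")
guest = rule("wifi_guest_access", "192.168.2.0/24", GUEST_SERVICES, "allow")
BAD_ORDER = [block_lan, guest]    # guest policy sits below a broader deny
GOOD_ORDER = [guest, block_lan]   # guest policy moved to a higher priority

if __name__ == "__main__":
    for label, table in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(label, "HTTPS:", first_match(table, "192.168.2.33", "tcp", 443),
              "FTP:", first_match(table, "192.168.2.33", "tcp", 21))
        print(label, "shadowed:", shadowing_rules(table, guest["name"]))
```

An empty result from shadowing_rules means no earlier policy can decide the guest's HTTP, HTTPS or DNS traffic before the guest policy does.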