User's Manual

Deployment Guide 105
EXAMPLE 3: PROVIDING GUEST ACCESS
Guest Access with Captive Web Portal
A captive web portal provides registered users with network access while containing unregistered users. Aerohive
offers two approaches to applying a captive web portal, one using external DHCP and DNS servers on the network
and the other using internal DHCP and DNS servers on the HiveAP itself. In the first approach, both registered and
unregistered users must be in the same VLAN because the DHCP and DNS servers that they use initially before they
register will be the same ones that they continue using after they register. In the second approach, you can separate
the unregistered and registered users into two separate VLANs because the unregistered users access the internal
DHCP and DNS servers on the HiveAPs, whereas the registered users access the external DHCP and DNS servers,
which can be in a different VLAN from the internal servers on the HiveAP.
Captive Web Portal with External DHCP and DNS Servers
With this approach, when the client of a previously unregistered visitor first associates with the guest SSID, the
HiveAP assigns the "Unregistered-Guests" user profile to the visitor. It allows DHCP and DNS traffic to pass through so
that the client can receive its address and TCP/IP assignments and resolve domain names to IP addresses. It also
allows ICMP traffic for diagnostic purposes. However, the HiveAP intercepts all HTTP and HTTPS traffic from that
client—and drops all other types of traffic—thereby limiting its network access to just the HiveAP with which it
associated. No matter what website the visitor tries to reach, the HiveAP directs the visitor’s browser to a
registration page. After the visitor registers, the HiveAP stores the client's MAC address as a registered user, applies
the "Guests" user profile to the visitor, and stops keeping the client captive; that is, the HiveAP no longer intercepts
HTTP and HTTPS traffic from that MAC address, but allows the client to access external web servers. The entire
process is shown in Figure 9.
Figure 9 Captive Web Portal Exchanges Using External DHCP and DNS Servers
[Figure 9 is a message-sequence diagram with the columns Wireless Client, Wireless Access Point, DHCP Client, and DHCP Server. The two steps shown on this page are summarized below.]
Step 1: Association using SSID "guest" (Association Request, Association Response). The client forms an association with the HiveAP, but the visitor has not yet registered. The HiveAP allows DHCP, DNS, and ICMP traffic through. It redirects all HTTP and HTTPS traffic to its own web server and drops all other traffic.
Step 2: Address and TCP/IP assignments (DHCP Discover, DHCP Offer, DHCP Request, DHCP ACK). The HiveAP allows DHCP traffic to pass between the client of an unregistered user and a DHCP server so that the client can receive its IP address and TCP/IP assignments.
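The following is an added model of the per-client policy described above, written for this guide as an illustration; it is not HiveOS code. It assumes the registration state is keyed on the client MAC address (as the text states) and that DHCP, DNS, and ICMP are identified by protocol and well-known port; the client MAC and the step names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed model of the two user profiles: "Unregistered-Guests" is applied until
# the visitor registers, "Guests" afterwards. Actions: "allow" (forwarded),
# "redirect" (HTTP/HTTPS sent to the HiveAP's own registration page), "drop".
UNREGISTERED_PROFILE = "Unregistered-Guests"
REGISTERED_PROFILE = "Guests"

# Services the Unregistered-Guests profile lets through, as (protocol, destination port).
# ICMP carries no port, so it is handled by protocol alone in decide().
_UNREG_ALLOWED = {("udp", 67), ("udp", 68), ("udp", 53), ("tcp", 53)}
_UNREG_REDIRECTED = {("tcp", 80), ("tcp", 443)}


@dataclass
class CaptivePortal:
    registered_macs: Set[str] = field(default_factory=set)

    def profile_for(self, mac: str) -> str:
        return REGISTERED_PROFILE if mac.lower() in self.registered_macs else UNREGISTERED_PROFILE

    def register(self, mac: str) -> None:
        """Record the MAC address once the visitor completes the registration page."""
        self.registered_macs.add(mac.lower())

    def decide(self, mac: str, proto: str, dport: Optional[int] = None) -> str:
        """Return the action taken for one packet from client `mac`."""
        if self.profile_for(mac) == REGISTERED_PROFILE:
            return "allow"          # Guests profile: HTTP/HTTPS no longer intercepted
        if proto == "icmp":
            return "allow"          # ICMP permitted for diagnostics
        if (proto, dport) in _UNREG_ALLOWED:
            return "allow"          # DHCP and DNS so the client gets an address and resolves names
        if (proto, dport) in _UNREG_REDIRECTED:
            return "redirect"       # browser is sent to the registration page
        return "drop"               # every other type of traffic (e.g. SSH)


def walk_through() -> List[Tuple[str, str]]:
    """Replay the sequence from the text for one client; returns (step, action) pairs."""
    portal = CaptivePortal()
    mac = "00:11:22:33:44:55"       # constructed sample client
    trace = [
        ("dhcp discover", portal.decide(mac, "udp", 67)),
        ("dns query", portal.decide(mac, "udp", 53)),
        ("ping", portal.decide(mac, "icmp")),
        ("http to any site", portal.decide(mac, "tcp", 80)),
        ("ssh", portal.decide(mac, "tcp", 22)),
    ]
    portal.register(mac)            # visitor submits the registration form
    trace.append(("http after registering", portal.decide(mac, "tcp", 80)))
    trace.append(("ssh after registering", portal.decide(mac, "tcp", 22)))
    return trace
```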