Set up your Guest networks!

Zyxel_Judy Posts: 903  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer


Providing WiFi access to customers has become part of the basic needs in today’s business demands, being a must for cafes, restaurants, chain stores and essential in sectors such as education and hospitality. But the need is not solved by just providing a WiFi connectivity, administrators need to ensure that the networks are built upon secure layers that allow businesses to keep both, guest and internal networks isolated and secured.

This document will guide users to set up their guest and intranet network using the Nebula Control Center, pointing out the different methods that Nebula offers.

Tuning up your existing networks

NCC provides a convenient wizard that will optionally allow you to set both, the internal or employee WiFi network and the guest WiFi network within simplified settings. The options here are simplified and the WiFi networks can be further set up following the next steps:

SSID Advanced settings

Once you are up and running, your Wi-Fi authentication settings can be changed at any time, simply get into Configure > Access Points > SSID advanced settings, select the SSID that you wish to change and check the different Network access options available:

  • Security option: these methods define how the Wi-Fi users are associated to the network.
    • WPA2 Pre-shared key: a simple, easy way with passphrase security and AES encryption.
    • MAC authentication: ensures that only the pre-defined devices’ MAC address will be allowed to associate. It supports RADIUS and Nebula Cloud Authentication Servers (NCAS)
    • WPA2 Enterprise with 802.1x: with EAP authentication and AES encryption supporting RADIUS server and NCAS.

For guest WiFi in environments like chains stores, restaurants, etc., it’s suggested to set Open or WPA2-PSK (providing password easily) for ease of authentication. Hotels and schools might add an extra layer of association as MAC authentication. For internal networks, it’s recommended to set WPA2 Enterprise with 802.1x or WPA2-PSK with MAC authentication to guarantee security.

Captive portal

Web authentication page displayed to Wi-Fi users prior broader access to network resources.

  • Click-to-continue: users have to agree to terms or network message by clicking the “Agree” button.
  • Nebula Cloud Authentication: requiring user to enter username/ password or allowing them to self-register an account. A service provided by Nebula, which accounts can be managed on Site-wide > Cloud authentication.
  • Facebook social login: uses a Facebook APP that provides user’s Facebook account information (email, gender, locale and age rank).
  • My Radius server: requiring users to enter a username/ password that has been defined in the company’s Radius server.

It’s highly recommended to set a captive portal authentication for a guest network. Click-to-continue is the simplest way for both admins and users, and it’s recommended when there’s no need to control who’s getting access. Facebook social login is a good method to gather information from the WiFi users and use it for marketing purpose if desired.

In environments such as hotels, schools or even enterprises (internal networks), the Nebula cloud authentication or My Radius server are the ideal solutions as the users’ DB can be easily controlled by the network admin.

Once the users are connected and authenticated, you could check the authentication information used in Clients.

AP guest features

Nebula provides a set of features that help to build an isolated guest network:

  • Configure > Access Points > SSID advanced settings
    • Intra-BSS traffic blocking: prevent traffic between wireless clients connected to the same BSSID. Note that 2.4 Ghz and 5Ghz are defined as different BSSIDs.
    • L2 isolation: limits wireless clients to only communicate with devices which MAC addresses have been added to the L2 isolation list, therefore, listing the gateway’s MAC address is necessary to ensure connectivity to internet. Note that L2 isolation has a limitation, if the gateway’s MAC address is added, any VLAN interface also configured on the same port group of gateway will be reachable.
  • Configure > WiFi SSID settings
    • Guest network: an easier way to enable Guest Network on the SSID. The AP adds the gateway’s MAC address of its management VLAN automatically; if the SSID uses a VLAN configured in another gateway/server or port group, the MAC address must be added.

Captive portal more options and themes

Configure > Access Points > SSID advanced settings > Sign-in method

While setting up the captive portal, NCC provides more granular options that might be useful to tune your guest network.

  • Walled garden: configurable per SSID, it allows inputting URLs that users can access before captive portal authenticating.
  • Self-registration: only available with NCAS. It defines if users are allowed to create accounts through captive portal. If allowed, manual authorized require network admin to authorize the account created by the user; auto authorized allows users to authenticate as soon as they create the account. If not allowed, network admin needs to create the account manually in Configure > Cloud authentication.
  • Simultaneous login limit: This can restrict the login devices at a time. It could be one device or multiple devices. Click Model list to know about the number can set here.
  • Strict policy: use this option to decide if users are allowed to access HTTPS websites before captive portal authenticating, or block all access until users successfully authenticate.
  • Reauth time:  The agreement page will pop out again when the lease time is expired. We can choose the follow site-wide setting or assign a definite time for it.
  • NCAS disconnect behavior: When Nebula Cloud Authentication Server is unreachable, which mode would you want to implement. 

Configure > Access Points > Captive portal customization

Nebula also offers the option to customize the captive portal with different themes for businesses or hotels requiring greeting message, logo or link to external URL, where you can type in your desired marketing messages or terms and conditions to welcome your guests.

It is recommended to set self-registration with auto authorized in environments where admin control is hard or not needed, such as restaurants, cafes, chain stores, etc. Not allowing self-registration can be implemented in environments such as hotels, where accounts can be created while user checks-in. Block all access with strict policy option is overall recommended to force users to authenticate through captive portal, and to ensure that mobile phone’s Captive Network Assistant (CNA) will pop-up.

Lastly, captive portal might be a powerful tool to advertise or deliver a message to users; hence, choosing the right authentication method for your business is essential, along with the right customized design to engage users easily.