How can I manually configure WGS (Wireless Guest Services)?

03/26/2020 830 20916

DESCRIPTION:

Wireless Guest Services (WGS) allows you to create access accounts for temporary use that allow wireless clients to log into your network. Guest accounts are typically limited to a pre-determined life span. After their life span, by default, the accounts are removed.

RESOLUTION:

Configuring the WLAN Zone

1. Log into the SonicWall management GUI, navigate to Manage | Network | Zones; Click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
2. In the General tab, Uncheck Allow Interface Trust. Select any of the following settings to enable the SonicWall Security Services on the WLAN zone.
   
   
   1. 
   • Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
   • Enforce Client AV Enforcement Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
   • Enforce Client CF Service - Enforces Client Content Filtering on the Zone
   • Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
   • Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable App Control Service - Enforces Application Control on the Zone.
   • Under the Guest Services Tab you can choose from the following configuration options for Wireless Guest Services:
     
     
     • Check Enable Guest Services - enables guest services
     • Enable inter-guest communication - allows guests connecting to SonicPoints in this WLAN Zone to communicate directly with each other.
     • Bypass AV Check for Guests - allows guest traffic to bypass Anti-Virus protection.
     • Bypass Client CF Check for Guests - allows guest traffic to bypass Client Content Filter
     • Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur of the moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the DHCP services, and authenticate using any web-browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the firewall to support any IP addressing scheme for WGS users. For example, the WLAN interface is configured with its default address of 172.16.31.1, and one WGS client has a static IP Address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, and DAT enables network communication for both of these clients.
     • Enable External Guest Authentication - requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
       
       

        NOTE: View the SonicWall Lightweight Hotspot Messaging Tech Note for complete configuration of the Enable External Guest Authentication feature.

     • Enable Policy Page without authentication - redirects user to a custom policy page without authentication
     •  Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone.
     • Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
     • Post Authentication Page - directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the filed.
     • Bypass Guest Authentication - allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
     • Redirect SMTP traffic to - redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to. 
     • Deny Networks - blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
     • Pass Networks - automatically allows traffic through the WLAN zone from the networks you select.
     • Max Guests - specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
   • For this Example we just want to Enable Guest Services
   • Under the Wireless Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
3. Click OK.

Assigning an available Interface to the WLAN Zone 

A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWall SonicPoint secure access points.

1. Navigate to Manage | Network | Interfaces.
2. Click on the Configure icon in the Configure column for the Interface you want to modify. The Edit Interface window is displayed. You can configure X2 through X9, Opt, a VLAN sub-interface or a PortShield interface.
3. In the Zone list, select WLAN or a custom Wireless zone.
4. Enter the IP address (172.16.31.1) and subnet mask (255.255.255.0) of the Zone in the IP Address and Subnet Mask fields.
5. In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface. (you can accept the default value)
6. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
7. Uncheck all supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. (In this scenario, we are not allowing wireless clients to manage the SonicWall to ensure complete security).
8. Click OK.
   
   

Configuring SonicPoint Profiles (Wireless settings – enabling WPA-PSK encryption)

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID’s, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone.

1. Navigate to Manage | SonicPoints.| Base Settings
2. To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing. We will edit the SonicPointACe/ACi/N2 profile in this example.
3. In the General tab of the Edit Profile window, specify.

• Select Enable SonicPoint.
• Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned, it is given a name that consists of the name prefix and a unique number, for example: “SonicPoint 126008.”
• Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
• On the Radio 0 Basic Tab, Configure the radio settings for the 5Ghz radio:
  • Select Enable Radio (You can select a schedule on which the radio operates as well)
  • SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections. ( EXAMPLE: SonicLAB).
    

     TIP:  If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.

  • Authentication Type: Select WPA2–PSK
  • Cipher Type: Select AES
  • Passphrase: enter a Passphrase (Min 8 - Max 63 characters)
  • ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with MAC addresses in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with MAC addresses in the group. The deny list is enforced before the Allow list.
  • In the Radio 0 Advanced tab, configure the performance settings for the 802.11g radio. For most the advanced options, the default settings give optimum performance.
  • The settings in the Radio 1 Basic and Radio 1 Advanced tabs are similar to the settings in the Radio 0 Basic and Radio 0 Advanced tabs and the settings should match unless you want different settings for the 2.4Ghz network.

Connecting a SonicPoint Device to the SonicWall Appliance

1. Now go ahead and physically connect the SonicPoint LAN port to the WLAN Interface port on the SonicWall appliance.
   

    TIP:  If you had already connected the SonicPoint; unplug and plug-in the cable from the port, this will ensure that the SonicPoint provisioning profile is accurately synchronized.

2. Once it has synchronized it will show operational under Manage | SonicPoint | Base Settings

Configuring Guest Profiles (WGS Profiles)

You can create these accounts manually, as needed or generate them in batches. SonicOS includes profiles you can configure in advance to automate configuring guest accounts when you generate them

1.  Navigate to Manage | Users | Guest Services; Enable Show guest login status window with logout button. (A user login window on the users’s workstation is displayed whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window).
   
   
   
2. You can edit the Default profile or click Add below the Guest Profile list to display the Add Guest Profile window.
   
   
   • Profile Name: Enter the name of the profile.
   • User Name Prefix: Enter the first part of every user account name generated from this profile.
   • Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
   • Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
   • Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
   • Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
   • Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
   • Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
   • Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime
   • Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
   • Comment: Any text can be entered as a comment in the Comment field.
     
     
3. Click OK.
   
   

Configuring Guest Accounts (WGS Users)

You can add guest accounts individually or generate multiple guest accounts automatically. To Add an Account:

1.  Navigate to Manage | Users | Guest Accounts | click Add Guest(to create an Individual Account) or click Generate(to create Multiple Accounts) In theSettings tab of the Add Guest Account window, configure.
   
   
   • Profile: Select the Guest Profile from which to generate this account.
   • Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two or three digit number.
   • Comment: Enter a descriptive comment.
   • Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
   • Confirm Password: If you did not generate the password, re-enter.
2. In the Guest Services tab, configure.
   
   
   • Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
   • Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to access this account at once.
   • Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
   • Account Expires: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
   • Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
   • Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
3. Click OK.

Testing the Connection

• You should now see the SSID you created in Step 3 listed on your wireless client.
• When you connect it will prompt you for the passphrase created earlier as well.
• Once you have entered this it should be connected to the SonicPoint.
• When you launch a web browser and try to connect it will redirect you to a log in page
• Enter the credentials created earlier.
• You should now have access to the Internet.
• By default the WLAN does not have access the LAN. If you want the WLAN to be able to access LAN resources you will need to create access rules from WLAN to LAN.
  
  
  

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Configuring the WLAN Zone

1. Log into the SonicWall Management GUI, navigate to Network | Zones; Click Edit icon for the WLAN zone. The Edit Zone window is displayed.
2. In the General tab, Uncheck Allow Interface Trust. Select any of the following settings to enable the SonicWall Security Services on the WLAN Zone.
   
   
   1. 
   • Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
   • Enforce Client AV Enforcement Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
   • Enforce Client CF Service - Enforces Client Content Filtering on the Zone
   • Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
   • Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable App Control Service - Enforces Application Control on the Zone.
   • Under the Guest Services Tab you can choose from the following configuration options for Wireless Guest Services:
     
     
     • Check Enable Guest Services - enables guest services
     • Enable inter-guest communication - allows guests connecting to SonicPoints in this WLAN Zone to communicate directly with each other.
     • Bypass AV Check for Guests - allows guest traffic to bypass Anti-Virus protection.
     • Bypass Client CF Check for Guests - allows guest traffic to bypass Client Content Filter
     • Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur of the moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the DHCP services, and authenticate using any web-browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the firewall to support any IP addressing scheme for WGS users. For example, the WLAN interface is configured with its default address of 172.16.31.1, and one WGS client has a static IP Address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, and DAT enables network communication for both of these clients.
     • Enable External Guest Authentication - requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
       
       

        NOTE: View the SonicWall Lightweight Hotspot Messaging Tech Note for complete configuration of the Enable External Guest Authentication feature.

     • Enable Policy Page without authentication - redirects user to a custom policy page without authentication

     • Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

     • Post Authentication Page - directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the filed.
     • Bypass Guest Authentication - allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
     • Redirect SMTP traffic to - redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to. 
     • Deny Networks - blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
     • Pass Networks - automatically allows traffic through the WLAN zone from the networks you select.
     • Max Guests - specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
   • For this Example we just want to Enable Guest Services
   • Under the Wireless Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
     
     
3.  Click OK.

Assigning an available Interface to the WLAN Zone 

A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWall SonicPoint secure access points.

1. Navigate to Network | Interfaces.
2. Click Configure icon in the Configure column for the Interface you want to modify. The Edit Interface window is displayed. You can configure X2 through X9, Opt, a VLAN sub-interface or a PortShield interface.
3. In the Zone list, select WLAN or a custom Wireless zone.
4. Enter the IP address (172.16.31.1) and subnet mask (255.255.255.0) of the Zone in the IP Address and Subnet Mask fields.
5. In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface. (you can accept the default value).
6. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
7. Uncheck all supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. (In this scenario, we are not allowing wireless clients to manage the SonicWall to ensure complete security).
8. Click OK.
   
   

 

Configuring SonicPoint Profiles (Wireless settings – enabling WPA-PSK encryption)

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID’s, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone.

1. Navigate to SonicPoint | SonicPoints.
2. To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing. We will edit the SonicPointACe/ACi/N2 profile in this example
3. In the General tab of the Edit Profile window, specify:

• Select Enable SonicPoint.
• Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned, it is given a name that consists of the name prefix and a unique number, for example: “SonicPoint 126008.”
• Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
• On the Radio 0 Basic Tab, Configure the radio settings for the 5Ghz radio:
  • Select Enable Radio (You can select a schedule on which the radio operates as well)
  • SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections. (For example: SonicLAB)
    
    

    TIP: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.

  • Authentication Type: Select WPA2–PSK
  • Cipher Type: Select AES
  • Passphrase: enter a Passphrase (Min 8 - Max 63 characters)
  • ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with MAC addresses in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with MAC addresses in the group. The deny list is enforced before the Allow list.
  • In the Radio 0 Advanced tab, configure the performance settings for the 802.11g radio. For most the advanced options, the default settings give optimum performance.
  • The settings in the Radio 1 Basic and Radio 1 Advanced tabs are similar to the settings in the Radio 0 Basic and Radio 0 Advanced tabs and the settings should match unless you want different settings for the 2.4Ghz network.

Connecting a SonicPoint Device to the SonicWall Appliance

1. Now go ahead and physically connect the SonicPoint LAN port to the WLAN Interface port on the SonicWall Appliance.
   

   TIP:  If you had already connected the SonicPoint; unplug and plug-in the cable from the port, this will ensure that the SonicPoint provisioning profile is accurately synchronized.

2. Once it has synchronized it will show operational under SonicPoint | SonicPoints.

Configuring Guest Profiles (WGS Profiles)

You can create these accounts manually, as needed or generate them in batches. SonicOS includes profiles you can configure in advance to automate configuring guest accounts when you generate them

1.  Navigate to Users | Guest Services; Enable Show guest login status window with logout button. (A user login window on the users’s workstation is displayed whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.)
   
   
   
2. You can edit the Default profile or click Add below the Guest Profile list to display the Add Guest Profile window.
   
   
   • Profile Name: Enter the name of the profile.
   • User Name Prefix: Enter the first part of every user account name generated from this profile.
   • Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
   • Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
   • Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
   • Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
   • Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
   • Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
   • Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime
   • Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
   • Comment: Any text can be entered as a comment in the Comment field.
     
     
3. Click OK.
   
   

Configuring Guest Accounts (WGS Users)

You can add guest accounts individually or generate multiple guest accounts automatically. To Add an Account:

1.  Navigate to Users | Guest Accounts | click Add Guest(to create an Individual Account) or click Generate(to create Multiple Accounts) In theSettings tab of the Add Guest Account window, configure.
   
   
   • Profile: Select the Guest Profile from which to generate this account.
   • Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two or three digit number.
   • Comment: Enter a descriptive comment.
   • Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
   • Confirm Password: If you did not generate the password, re-enter.
     
     
2. In the Guest Services tab, configure.
   
   
   • Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
   • Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to access this account at once.
   • Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
   • Account Expires: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
   • Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
   • Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
3. Click OK.
   
   
   

Testing the Connection

• You should now see the SSID you created in Step 3 listed on your wireless client.
• When you connect it will prompt you for the passphrase created earlier as well.
• Once you have entered this it should be connected to the SonicPoint.
• When you launch a web browser and try to connect it will redirect you to a log in page.
• Enter the credentials created earlier.
• You should now have access to the Internet.
• By default the WLAN does not have access the LAN. If you want the WLAN to be able to access LAN resources you will need to create access rules from WLAN to LAN.