This article explains how to create, configure, and manage a guest network, along with the optional guest portal and hotspot system.
- How to create a UniFi Guest Network
- How to configure Guest Control and Guest Portal
- UniFi Hotspot System
- How to limit Guest Bandwidth
- LAN-Wide client isolation
Guest Networks exist independently from the Guest Portal and/or Hotspot System, which are built-in tools for guest authentication, authorization & accounting. A user on a guest network will face different access restrictions from those faced by the trusted, "corporate" users on default UniFi networks. An administrator can create a guest network, but not enable the guest portal for authentication, or the hotspot, which is a guest management system for free or paid use of the network. On the other hand, to use a guest portal or hotspot system, a guest network must be enabled and configured. This article will explain how to configure all three.
Guest user traffic, by default, is subject to the following restrictions:
- Pre & post-authorization access restriction to RFC 1918 Private LAN IP ranges, as configured under the Guest Control Settings tab.
- Client Isolation: Unicast messages between guest clients on the same local network are blocked. By default, this means that guest traffic is only intended to pass upstream or downstream, such as for internet use.
- In order for the Guest Portal to function, the UniFi Network application must be running at all times. Guests are redirected to the application to reach the guest portal, and the redirection will not be successful if the application is not accessible. See our Related Article on SELFRUN for options.
- To block broadcast and multicast traffic between wireless clients on separate APs, use the "Block LAN to WLAN Multicast and Broadcast Data" option under the SSID settings. This will prevent ingress (from LAN) multicast and broadcast data from being transmitted out of the SSID (WLAN).
How to Create a UniFi Guest Network
- Open UniFi Network and go to Settings > WiFi.
- To create a new guest network, select Add New WiFi Network, otherwise edit an existing network.
- Provide a name. This is the WiFi (SSID) name users will see on their device's WiFi network list when attempting to connect.
- Select the method to be used to authenticate the guest network. A security key may be used, while also leveraging the Guest Portal, or you can leave it Open.
- To make this new network a Guest Network, check the box "Apply guest policies…"
- Make sure the checkbox for Enable this wireless network is checked. If at some point you wish to disable this network without deleting it, uncheck this box. Click Save.
At this point, the administrator has a working guest network, but more settings can be configured. The next section will explain how to set some guest control and create the guest portal, which is what the network's guest users will see when they attempt to access the network.
How to Configure Guest Control and Guest Portal
In the UniFi Network application, the Guest Control section is where administrators configure the custom guest portal and define which subnets guests should and should not be able to access before and after authorization.
To Configure Guest Control:
1. Open the UniFi Network application to Settings > Guest Control.
2. Under Access Control, you can restrict and give access to hostnames or subnets as follows:
- In Pre-Authorization Access: Enable pre- and post-authorization guests to access specific hostnames or subnets (external and internal).
- In Post-Authorization Restrictions: Enable post-authorization restrictions to prevent guests from accessing specific hostnames or subnets.
To Configure the Guest Portal:
3. In order to require guests to interact with the guest portal, check the box for Enable Guest Portal. Doing so will open additional options including the authentication method associated with the Guest Portal, Expiration Term, etc.
4. Under Portal Customization choose between AngularJS and Legacy JSP. AngularJS allows for adjustments and previewing the Portal Customization options. Legacy JSP provides a basic landing page for guests.
5. As explained in step 2, the Access Control settings will define subnets necessary for devices to be able to access before and after authorization. An example of a case in which Pre-Authorization Access can be useful is ensuring that devices can access the guest portal before being Authorized—to do this, simply define the subnet that contains the guest portal IP address. Similarly, if there is a subnet on the internal network you do not wish to allow your guests access to after connecting, you can use the Post-Authorization Restrictions to define these.
When troubleshooting cases where users report not being able to access the guest portal, the most common cause seen is not having the Access Control properly configured.
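A small model of the Access Control logic described above, as an added example (not Ubiquiti's code). It assumes that Pre-Authorization Access entries take precedence over Post-Authorization Restrictions, that unauthorized guests reach nothing else, and that entries are subnets rather than hostnames; all addresses and host names are constructed.

```python
import ipaddress

# Default guest restriction named on the page: the RFC 1918 private ranges.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def _matches(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def guest_can_reach(ip, authorized, pre_auth_access, post_auth_restrictions):
    # Assumed precedence: Pre-Authorization Access entries are allowed both
    # before and after authorization and win over restrictions.
    if _matches(ip, pre_auth_access):
        return True
    if not authorized:
        return False  # anything else waits until the guest is authorized
    return not _matches(ip, post_auth_restrictions)


def audit(portal_ip, pre_auth_access, post_auth_restrictions, internal_hosts):
    """Return findings for an unreachable portal or exposed internal hosts."""
    findings = []
    if not guest_can_reach(portal_ip, False, pre_auth_access, post_auth_restrictions):
        findings.append(f"portal {portal_ip} is not reachable before authorization")
    for name, ip in internal_hosts.items():
        if guest_can_reach(ip, True, pre_auth_access, post_auth_restrictions):
            findings.append(f"{name} ({ip}) is reachable by authorized guests")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    portal = "192.168.1.5"
    hosts = {"file server": "192.168.1.20"}
    for allow in ([], ["192.168.1.0/24"], ["192.168.1.5/32"]):
        print(allow, "->", audit(portal, allow, RFC1918, hosts) or "no findings")
```

Under this model, allowing the whole subnet makes the portal reachable but also exposes every other host in that subnet to guests, because the allow entry applies after authorization too; the single-address entry avoids that.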
UniFi Hotspot System
Intended as a separate guest management platform, the UniFi Hotspot System comes freely integrated into the UniFi Network software. UniFi Network admins and hotspot operators can access the Hotspot System via the GO TO HOTSPOT MANAGER link found at the right of the screen in the UniFi Network application's Settings > Guest Control > Hotspot section. Users will be redirected to another area of the application for hotspot management exclusively.
Built separately from the UniFi Network management system (device configuration/adoption sections), trusted employees can be granted limited-access Hotspot accounts to perform actions on Guest users, including:
- Print vouchers
- Manage guest authorization
- Review payments
- Check guest authentication, and more
To create a new voucher, within the Hotspot Management page go to the Vouchers section and click Create Vouchers. Admins can use the Vouchers page to customize, create, and revoke vouchers for Internet access.
https://<ip-or-hostname-of-network-application>:8443/manage/hotspot/account/login/. Remember to substitute <ip-or-hostname-of-network-application> with the IP address of the device hosting the UniFi Network application.
How to Limit Guest Bandwidth
Another useful feature in the UniFi Network application is the ability to limit bandwidth allocation to different user groups. This may be important to ensure guests do not limit the productivity and speed available to permanent users/critical applications. To limit guest bandwidth follow the steps below:
1. Go to Settings > User Groups.
2. Click on Create a New User Group.
3. Define the desired bandwidth limit.
Next, to associate this group to the Guest Network:
4. Go to Settings > Wireless Networks.
5. Click on the corresponding Guest Network and expand Advanced Options.
6. Click the drop-down box next to User Group and select the guest user group.
7. Click Save to apply the changes.
LAN-Wide Client Isolation
Once the guest network is set up on the WLAN (AP) side, it is necessary to make sure the LAN has sufficient isolation, while also allowing common services which may be required (printers, servers, etc.).
In addition to providing the desired client isolation, LAN-side controls on client isolation reduce or eliminate unnecessary broadcast/multicast data, which if left unchecked will have an adverse impact on installations with around 10 or more WLAN APs (see here for details).
The diagram below shows a generalized layout for network-wide (WLAN and LAN) client isolation, while still allowing network-wide core services.
Here's how to set this up as shown in the above example in UniFi Network:
- First, open the UniFi Network application that manages your network.
- Click the Devices tab on the left to see your devices.
- Click on the switch you want to enable port isolation on, and go to the Ports tab.
- Either individually select the ports you want to enable port isolation on, or click the box to select all.
- Click Edit Selected at the bottom.
- Go to Advanced.
- Expand Advanced Options.
- Under Isolation, select Enable port isolation.
- Click Apply to finalize changes.
For more advanced configurations related to your guest network see the Related Articles below.