
Configuring External Authentication

External Guest Authentication allows the administrator to specify an external database for wireless guest authentication. This authentication requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.

To configure external authentication, perform the following steps:

Note: External Authentication is not supported in SonicOS Enhanced.

  1. Select a wireless SonicWALL appliance running SonicOS Standard.
  2. Expand the WGS tree and click External Authentication. The External Authentication page displays.




  3. Check the Enable External Guest Authentication checkbox to enable the external authentication feature and configure the tabs as follows:

Configuring General Settings

  1. Enter a Secure Communications Port and select a Client Redirect Protocol for client redirect. This port and protocol (HTTP or HTTPS) are used by the SonicWALL security appliance when performing the initial internal client redirect via the “Please wait while you are being redirected” page, prior to redirection to the LHM server.
  2. Select the Web Server Protocol (HTTP or HTTPS) running on your LHM server from the pull-down list.
  3. Enter the IP or resolvable FQDN of the LHM server in the Host field.
  4. Enter the TCP port of operations for the selected protocol on the LHM server in the Port field.
  5. Enter the duration of time, in seconds, before the LHM server is considered unavailable in the Connection Timeout field. On timeout, the client will be presented with the “Server Down” message configured on the “Web Content” tab.
  6. Select the Enable Message Authentication checkbox to use an HMAC digest and embedded query string in communication with the LHM server. This option is useful if you are concerned about message tampering when HTTP is used to communicate with the LHM server.
  7. When using Message Authentication, select the Authentication Method from the pull-down menu. You can select from MD5 or SHA1.
  8. When using Message Authentication, enter a Shared Secret. The shared secret for the hashed MAC, if used, also needs to be configured on the LHM server scripts.
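
The check an LHM server script performs when Message Authentication is enabled can be sketched as follows. This is an added example, not SonicWALL's LHM script code: the parameter name hmac, the sample query fields, the secret, and the choice to compute the digest over the rest of the query string exactly as received are all assumptions made for illustration.

```python
import hashlib
import hmac

# The two choices in the Authentication Method pull-down.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
MAC_PARAM = "hmac"                      # hypothetical parameter name
SECRET = b"example-shared-secret"       # constructed; must match the appliance
SAMPLE = "sessionId=0a1b2c3d&ip=192.0.2.10&mac=00:11:22:33:44:55"  # constructed


def sign(query, secret, method):
    """Hex HMAC of the query string under the shared secret."""
    return hmac.new(secret, query.encode(), DIGESTS[method]).hexdigest()


def verify(query, secret, method):
    """True only if the single embedded digest matches the rest of the query."""
    if method not in DIGESTS:
        return False
    prefix = MAC_PARAM + "="
    pairs = query.split("&")
    macs = [p for p in pairs if p.startswith(prefix)]
    if len(macs) != 1:                  # missing or duplicated digest
        return False
    signed = "&".join(p for p in pairs if not p.startswith(prefix))
    received = macs[0][len(prefix):].lower()
    expected = sign(signed, secret, method)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    good = SAMPLE + "&hmac=" + sign(SAMPLE, SECRET, "SHA1")
    tampered = good.replace("192.0.2.10", "192.0.2.99")
    print("untampered:", verify(good, SECRET, "SHA1"))
    print("tampered:  ", verify(tampered, SECRET, "SHA1"))
```

Message authentication detects changes to the query string but does not hide its contents; selecting HTTPS as the Web Server Protocol covers confidentiality.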

Configuring Settings for Auth Pages

To configure the session and idle timeout settings, perform the following steps:

Note: These pages may each be a unique page on the LHM server, or they may all be the same page with a separate event handler for each status message.

  1. Click the Auth Pages tab.




  2. Enter a Login Page. This is the first page to which the client is redirected (e.g. “lhm/accept/default.aspx”).
  3. Enter a Session Expiration Page. This is the page to which the client is redirected when the session expires (e.g. “lhm/accept/default.aspx?cc=2”). After a session expires, the user must create a new LHM session.
  4. Enter an Idle Timeout Page. This is the page to which the client is redirected when the idle timer is exceeded (e.g. “lhm/accept/default.aspx?cc=3”). After the idle timer is exceeded, the user can log in again with the same credentials as long as there is time left in the session.
  5. Enter a Max Session Page. This is the page to which the client is redirected when the maximum number of sessions has been reached (e.g. “lhm/accept/default.aspx?cc=4”).

Configuring Web Content Settings

To configure the Web content for external authentication:

  1. Click the Web Content tab.




  2. Select Use Default or select Customize and enter a Redirect Message in the text box. This is the message that will be presented to the client (usually for no more than one second) explaining that the session is being redirected to the LHM server. This interstitial page is used (rather than going directly to the LHM server) so that the SonicWALL security appliance can verify the availability of the LHM server.
  3. Select Use Default or select Customize and enter a Server Down Message in the text box. This is the message that will be presented to the client if the Redirector determines that the LHM server is unavailable.

Configuring Advanced Settings

To configure the advanced settings for external authentication:

  1. Click the Advanced tab.




  2. Check the Enable Auto-Session Logout checkbox and configure the two corresponding fields to set the time increment and the page to which the SonicWALL security appliance will POST when a session is logged out (either automatically or manually).
  3. Check the Enable Server Status Check checkbox and configure the two corresponding fields to set the time increment and the page to which the SonicWALL will POST to determine the availability of components on or behind (e.g. a back-end database) the LHM server.
  4. Check the Session Synchronization checkbox and configure the two corresponding fields to set the time increment and the page to which the SonicWALL will POST the entire Guest Services session table. This allows the LHM server to synchronize the state of Guest Users for the purposes of accounting, billing, or mere curiosity.
  5. When you are finished configuring External Authentication, click the Update button to apply your changes.