GuestAir Integration Guide

WatchGuard Fireware OS integrates with GuestAir® to turn your Wi-Fi hotspot into a secure and highly-customizable captive portal. This integration enables additional authentication methods to capture guest information. In this case, when a client tries to get access to a web page, the Firebox redirects the request to the GuestAir authentication system.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

Set Up a GuestAir Zone

  1. Log in to the GuestAir admin UI.

  1. Select Zones and click New.
  2. In the Title text box, type the name of your zone.

  1. Select the Connectivity tab.
  2. Type a Shared Secret and a Post Authentication URL.
  3. Specify a Management IP Override address only if the Firebox is behind another firewall or NAT device that will NAT its IP address before its packets reach GuestAir.

  1. Select the Auth Settings tab.
  2. From the Auth Method drop-down list, select the authentication method to use.

  1. On the Customize Pages tab you can create a hotspot template for the Zone. Click Click here to create or modify template to create a Zone Landing Page.

  1. Click the Load New Template icon from the menu bar to load a new template.
  2. From the File Browser list, double-click one of the pre-loaded templates available to you to select and load it.

  1. Click (Apply Changes).
  2. Save the changes to the Zone page.
  3. Click Save and close. The Zone is created. In this example, you can see that the ID is set to 280.

Set Up Firebox External Guest Authentication

  1. Connect to your Firebox with WatchGuard System Manager and open Policy Manager.

    You can also use Fireware Web UI to complete this procedure.

  2. Select Setup > Authentication > Hotspot.
  3. Click Enable hotspot on an interface and select the interface you want to use from the drop-down list. In this example, we use Optional-2.
  4. From the Hotspot Type drop-down list, select External Guest Authentication.
  5. Type and confirm a Shared Secret. This must be same shared secret you used on the GuestAir Zone Connectivity tab.
  6. In the Authentication URL text box, type the URL of the authentication page on the external GuestAir web server.
  7. In the Authentication Failure URL text box, type the URL of the authentication failure page on the external GuestAir web server. In the screenshot below, x.x.x.x represents the GuestAir server the user has access to, for example: in Germany.

  1. Save the configuration to your Firebox.

Test Hotspot External Guest Authentication

To make sure that external guest authentication is working through GuestAir, open a web browser and connect to any web page. The GuestAir authentication page appears in the hotspot user’s browser. Users do not see this authentication page unless a template has been loaded as described in steps 6-8 of the previous section.