Access Point Network Access Enforcement

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP330, AP332CR, AP430CR, AP432)

Network Access Enforcement provides an extra layer of security when a wireless client connects to the corporate wireless network.

When you enable Network Access Enforcement for an access point wireless network:

  • A wireless client must have a WatchGuard Endpoint Security product installed (Advanced EPDR, EPDR, EDR, EDR Core, or EPP) before the device can connect to the wireless network.
  • If the wireless client fails the network access enforcement validation, the client cannot connect to the wireless network.

This keeps unmanaged devices off your secure Wi-Fi networks, such as your corporate network. Your corporate networks are more secure because only endpoints unlikely to be compromised by malware can connect.

How It Works

When a wireless client tries to connect to an access point SSID with Network Access Enforcement enabled:

  1. A splash page appears to the wireless client while the access point validates WatchGuard Endpoint Security protection on the device.

The splash page uses the branding image settings configured in your WatchGuard Cloud account branding. You can customize the splash page logo and background image in the Custom Branding page.

Screen shot of the Network Access Enforcement validation splash page

The splash page might only appear briefly or not at all if the validation completes and succeeds quickly.

  2. The access point checks that the wireless client has a WatchGuard Endpoint Security product installed and that the wireless client is associated with the account specified in WatchGuard Cloud and in the WatchGuard Endpoint Security settings.
  3. If the validation succeeds, the wireless client is allowed to connect to the wireless network SSID and is redirected to your configured landing page URL.

If the validation fails, the wireless client is not allowed access to the wireless network except for sites defined in your Walled Garden list.

Screen shot of the Network Access Enforcement validation failure splash page

The default session timeout after validation is 24 hours. After this time, the access point must validate the wireless client again to allow the device to connect to the wireless network.

Before You Begin

To use Network Access Enforcement with a cloud-managed access point, make sure you meet these requirements:

  • Access points must have a valid WatchGuard Standard or USP Wi-Fi Management license.
  • Access points must run firmware v2.1 or higher.
  • Access points that use Network Access Enforcement must be managed in the same WatchGuard Cloud account.
  • The WatchGuard Cloud account must have a WatchGuard Endpoint Security license. For more information, go to About Endpoint Security Licenses.
  • Wireless clients must have WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, or EPP installed, running, and with real-time protection activated. For more information, go to About WatchGuard Endpoint Security.
  • Devices with WatchGuard Advanced EPDR, EPDR, EDR, or EPP installed must have Advanced Protection enabled in hardening or lock mode, or file antivirus enabled and running. Devices with WatchGuard EDR Core installed must have Advanced Protection enabled. These are the default security settings.
  • Wireless clients you want to enable network access enforcement for must run:
    • Windows 8.1 or higher
    • macOS Catalina 10.15 or higher

iOS, Android, and Linux devices are not supported.

  • Access points and wireless clients must be able to communicate on TCP port 33000.
  • You cannot use Network Access Enforcement at the same time as the Captive Portal, Dynamic VLANs, or Access Point VPN features on an access point SSID.
  • If you use Network Access Enforcement with WPA2 or WPA3 Enterprise authentication and a RADIUS server, make sure the RADIUS server does not use an IP address in the reserved ranges (172.16.0.0/12 or 10.0.0.0/8) that the Captive Portal feature uses to present the Network Access Enforcement splash page to the end user. For more information on how to change the reserved IP address range, go to Configure a Captive Portal.

Enable Network Access Enforcement on an Access Point

You must perform these steps to enable Network Access Enforcement on an Access Point:

Enable Network Access Enforcement in Endpoint Security

Before you enable Network Access Enforcement for a cloud-managed access point wireless network, you must first enable and configure network access enforcement in WatchGuard Endpoint Security.

The WatchGuard Endpoint Security configuration for Network Access Enforcement requires the Account UUID and Authentication Key of the WatchGuard Cloud account that manages your devices.

This information is available on the Administration > My Account page in WatchGuard Cloud. We recommend you record this information before you proceed with the Network Access Enforcement configuration in Endpoint Security.

Screen shot of the Network Access Enforcement UUID and Authentication Key for a WatchGuard Cloud account

To configure Network Access Enforcement, from WatchGuard Endpoint Security:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Network Services.

Screen shot of Network Services, Network Access Enforcement tab

  4. Select Network Access Enforcement.
  5. Enable the Enable Network Access Enforcement toggle.

Screen shot of Network Services, Network Access Enforcement enabled

  6. In the Account UUID and Authentication Key text boxes, type the UUID and authentication key for the WatchGuard Cloud account that manages your devices.

If an endpoint device has been stolen or compromised, you can generate a new authentication key for devices to re-authenticate with Network Access Enforcement. From the Administration > My Account page in WatchGuard Cloud, click the refresh icon next to Authentication Key to generate a new key. After you generate a new key, WatchGuard Cloud auto-deploys the refreshed key pair to the device. Make sure to update these values in the WatchGuard Endpoint Security Network Access Enforcement configuration.

This information is available on the Administration > My Account page in WatchGuard Cloud.

  7. Click Save Changes.

It might take several minutes for the Network Access Enforcement configuration to deploy to your devices.

For more information about network access enforcement and Endpoint Security, go to Configure Network Access Enforcement in WatchGuard Endpoint Security.

Enable Network Access Enforcement on an Access Point SSID

After you enable Network Access Enforcement in WatchGuard Endpoint Security, enable it for the access point SSID.

You can also configure Network Access Enforcement in an Access Point Site and apply the configuration to multiple access points. For more information, go to About Access Point Sites.

  1. Select Configure > Devices.
  2. Select the access point or access point site you want to configure.
  3. Select Device Configuration.

    The device configuration page opens.

Screen shot of the main Device Configuration page for access points in WatchGuard Cloud

  4. In the Wi-Fi Networks tile, click SSIDs.
  5. Select an existing SSID or add a new SSID.
  6. Select the Advanced tab.
  7. Enable Network Access Enforcement.

Screen shot of the Network Access Enforcement configuration in an SSID in WatchGuard Cloud

  8. Configure a Landing Page URL, the web page to which a wireless client is redirected after successful Network Access Enforcement validation. For example, you can enter the home page of your company's web site. The default landing page is the WatchGuard website.
  9. Configure your Walled Garden settings. A Walled Garden is a list of domains and IP addresses that wireless clients can connect to before Network Access Enforcement validation or if the validation fails. For example, you could add your company and support information site to your Walled Garden so users can access help before and after they attempt to connect. To add a Domain Name or Network IPv4 IP address, click Add Destination.

The Walled Garden list does not support wildcard domains. For example, you cannot specify a domain such as *.watchguard.com.

The Walled Garden already includes default internal domains for branding images from WatchGuard Cloud and fonts from fonts.googleapis.com and fonts.gstatic.com.

  10. Click Save.
  11. Deploy the configuration changes to your access point.
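The Walled Garden rules above (domain names or IPv4 addresses and networks only, no wildcard domains) and the RADIUS requirement from the Before You Begin section (no RADIUS server inside the reserved 172.16.0.0/12 or 10.0.0.0/8 Captive Portal ranges when using WPA2/WPA3 Enterprise) can be checked before you click Save. The following Python script is an added example, not WatchGuard code, and does not talk to WatchGuard Cloud; it validates a configuration dictionary whose keys (`walled_garden`, `auth`, `radius_server`) and sample values are assumptions constructed for this illustration.

```python
"""Pre-deployment checks for an SSID with Network Access Enforcement enabled.

Added example, not WatchGuard code. It encodes two rules from the documentation:
  * Walled Garden entries must be domain names or IPv4 addresses/networks, with
    no wildcard domains (for example, *.watchguard.com is rejected).
  * A RADIUS server used with WPA2/WPA3 Enterprise must not use an address in the
    ranges the Captive Portal feature reserves for the splash page.
"""
import ipaddress
import re

# Reserved by the Captive Portal feature to present the splash page (from the docs).
RESERVED_CAPTIVE_PORTAL_RANGES = (
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
)

# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(entry: str) -> bool:
    """True for a plain FQDN such as support.example.com; wildcards are rejected."""
    if "*" in entry or len(entry) > 253:
        return False
    labels = entry.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def is_valid_ipv4_destination(entry: str) -> bool:
    """True for an IPv4 address or CIDR network (the Walled Garden takes IPv4 only)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return net.version == 4


def check_walled_garden(entries):
    """Return (entry, reason) tuples for entries the Walled Garden would not accept."""
    problems = []
    for entry in entries:
        if "*" in entry:
            problems.append((entry, "wildcard domains are not supported"))
        elif not (is_valid_domain(entry) or is_valid_ipv4_destination(entry)):
            problems.append((entry, "not a domain name or IPv4 address/network"))
    return problems


def radius_conflicts_with_reserved_range(radius_ip: str) -> bool:
    """True if the RADIUS server address lies inside a reserved Captive Portal range."""
    addr = ipaddress.ip_address(radius_ip)
    return any(addr in net for net in RESERVED_CAPTIVE_PORTAL_RANGES)


def validate_nae_ssid(config: dict) -> list:
    """Run every check over a config dict (hypothetical schema) and return findings."""
    findings = []
    for entry, reason in check_walled_garden(config.get("walled_garden", [])):
        findings.append(f"walled garden entry '{entry}': {reason}")
    auth = config.get("auth", "")
    radius_ip = config.get("radius_server")
    # Only Enterprise modes involve a RADIUS server, so only they get the range check.
    if auth.endswith("enterprise") and radius_ip:
        if radius_conflicts_with_reserved_range(radius_ip):
            findings.append(
                f"RADIUS server {radius_ip} is inside a reserved Captive Portal range; "
                "move the server or change the reserved range"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample configuration with hypothetical values.
    sample = {
        "ssid": "corp-wifi",
        "auth": "wpa3-enterprise",
        "radius_server": "10.20.30.40",
        "walled_garden": ["support.example.com", "*.watchguard.com", "192.0.2.0/24", "bad_host"],
    }
    for line in validate_nae_ssid(sample):
        print(line)
```

Run the script as-is to see the three findings for the constructed sample; in practice you would feed it the values you intend to type into the SSID Advanced tab and fix anything it reports before deploying. The domain check is deliberately strict (RFC 1123 label syntax) so that typos surface here rather than as a silently unreachable Walled Garden entry.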

Related Topics

Video tutorial: Network Access Enforcement

Network Access Enforcement Overview

About WatchGuard Endpoint Security

Configure Network Access Enforcement in WatchGuard Endpoint Security