This feature is not available on WatchGuard XTM 21, 22, or 23 devices.
When you enable a hotspot for your wired or wireless guest network, you can select the External Guest Authentication hotspot type. With this hotspot type, the Firebox or XTM device sends new hotspot users to an external web server for authentication. External Guest Authentication is not related to other types of user authentication supported by your device.
Use this hotspot type if you want to automatically connect new hotspot users to an external web server that collects and verifies authentication credentials or other information for the hotspot user. Based on the information the user provides, the external web server sends an access decision to the Firebox or XTM device. The device then either allows or denies the user access to the hotspot.
This feature is described in terms of authentication, but it does not require the external web server to authenticate users. You can create an authentication page on your web server to ask hotspot users for any information that you want to use as criteria for access to your hotspot.
Before you configure the external web server and enable external guest authentication on the Firebox or XTM device, you must select the shared secret, authentication URL, and authentication failure URL to use. These settings affect the configuration of the external web server and the hotspot configuration on the device.
Shared Secret
The shared secret is used to generate and validate a checksum included with the access decision. The external web server uses the shared secret to calculate a checksum that it includes with the access decision it sends to the XTM device, and the XTM device uses the same shared secret to verify that checksum. The shared secret must be between 1 and 32 characters. Because the access decision travels through the hotspot client's browser, where the user can read and modify it, this checksum is the only thing that prevents a hotspot user from constructing an access decision that grants access; choose a long, random shared secret and treat it as a credential.
Authentication URL
The Authentication URL is the URL on the external web server of the web page where a hotspot user authenticates. In the XTM hotspot configuration, the Authentication URL must begin with https:// or http:// and must use the IP address of the web server, rather than a domain name. If you use http://, whatever the hotspot user types on the authentication page (including any credentials) crosses the guest network in clear text; use https:// wherever the web server supports it.
Authentication Failure URL
The Authentication Failure URL is the URL on the external web server of the web page the hotspot user sees if external guest authentication is not successful. In the XTM hotspot configuration, the Authentication Failure URL must begin with https:// or http:// and must use the IP address of the web server, rather than a domain name.
Because configuration of the web server requires web programming, we recommend that you configure the web server first. A link to a code example is included in the setup instructions for the web server. After you set up the web server, configure the Firebox or XTM device hotspot for External Guest Authentication.
For details about the configuration requirements and procedures, see:
After you have configured your web server and hotspot, you can test external guest authentication on your hotspot and review the log messages to identify any errors. For more information, see Troubleshoot Hotspot External Guest Authentication.
For an example of the script on the external web server, see the WatchGuard Knowledge Base at http://customers.watchguard.com/.
Communication between the Firebox or XTM device and the external authentication server occurs through the hotspot client browser: neither side opens a connection to the other, so everything they exchange is carried in URL parameters of redirects that the browser follows. The example URLs below show at a high level how external authentication operates. For more details and a description of all the parameters in each URL, see Configure a Web Server for Hotspot External Guest Authentication.
The URLs in this example are based on these configuration settings and assumptions:
When a user first tries to get access to a web site, the Firebox or XTM device receives an HTTP request from the hotspot client. The device checks the client's MAC address to see whether this client already has a current hotspot session. If there is already a hotspot session for this MAC address, the device allows or denies the traffic based on the firewall policy configuration. If this is a new MAC address, the device sends a redirect to the hotspot client browser, which takes the browser to the access request URL on the external web server. Because the session is keyed on the MAC address alone, any device that presents an authenticated client's MAC address shares that client's session.
Example access request URL:
The authentication page on the external web server appears in the hotspot user's browser. The hotspot user provides the information required to authenticate.
After the external web server has verified the hotspot user's information, it redirects the hotspot client browser to the access decision URL on the Firebox or XTM device. The browser, not the web server, delivers the decision to the device.
Example access decision URL:
In this URL:
The Firebox or XTM device reads the access decision (success=1 or success=0) and verifies the checksum. If success=1 and the checksum is valid, the device creates a hotspot session for the client's MAC address and redirects the client to the URL specified in the access decision URL. If success=0, if the checksum does not match, or if any other authentication error is detected, the device does not create a session and redirects the client to the Authentication Failure URL.
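The exchange described above, as an added example that is not part of the original page or of WatchGuard's own KB script. It models both sides in one Python file: a `HotspotDevice` class that stands in for the Firebox (redirect unknown MACs, verify the decision, track sessions) and an `external_server_decision` function that stands in for the web server. The parameter names (`mac`, `redirect`, `ts`, `success`, `sig`), the HMAC-SHA256 checksum, the device-side decision endpoint, the 300-second freshness window, and all addresses are assumptions chosen for illustration; the real parameter set and checksum algorithm are the ones in the WatchGuard documentation and KB example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration values (not from the original page).
SHARED_SECRET = "r4nd0m-secret-max-32-chars"               # 1 to 32 characters
AUTH_URL = "http://203.0.113.10/hotspot/login.php"         # must use an IP address
AUTH_FAIL_URL = "http://203.0.113.10/hotspot/denied.php"
DEVICE_DECISION_URL = "http://192.0.2.1/hotspot/decision"  # assumed endpoint on the device
MAX_DECISION_AGE = 300                                      # seconds; assumed replay window

# Parameters covered by the checksum. Assumed; the real parameter set and checksum
# algorithm are defined in the WatchGuard documentation and KB example script.
SIGNED_FIELDS = ("mac", "redirect", "ts", "success")


def checksum(secret: str, fields: dict) -> str:
    """HMAC-SHA256 over the signed fields in a fixed order (stand-in for the real checksum)."""
    canonical = "&".join(f"{name}={fields[name]}" for name in SIGNED_FIELDS)
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


class HotspotDevice:
    """Models the Firebox side: redirect unknown MACs, verify decisions, track sessions."""

    def __init__(self, secret, auth_url, fail_url):
        self.secret = secret
        self.auth_url = auth_url
        self.fail_url = fail_url
        self.sessions = {}  # MAC address -> time the session was created

    def handle_client_request(self, mac, requested_url, now=None):
        """Return ('allow', url) for a known MAC, else ('redirect', access request URL)."""
        now = time.time() if now is None else now
        if mac in self.sessions:
            return ("allow", requested_url)
        params = {"mac": mac, "redirect": requested_url, "ts": str(int(now))}
        return ("redirect", f"{self.auth_url}?{urlencode(params)}")

    def handle_access_decision(self, decision_url, now=None):
        """Verify the decision the browser carried back; return ('redirect', target)."""
        now = time.time() if now is None else now
        query = {k: v[0] for k, v in parse_qs(urlparse(decision_url).query).items()}
        if any(name not in query for name in SIGNED_FIELDS + ("sig",)):
            return ("redirect", self.fail_url)
        # The client can read and edit this URL, so the checksum is the only thing
        # stopping it from minting its own success=1; compare in constant time.
        if not hmac.compare_digest(checksum(self.secret, query), query["sig"]):
            return ("redirect", self.fail_url)
        try:
            if abs(now - int(query["ts"])) > MAX_DECISION_AGE:  # stale or replayed
                return ("redirect", self.fail_url)
        except ValueError:
            return ("redirect", self.fail_url)
        if query["success"] != "1":
            return ("redirect", self.fail_url)
        self.sessions[query["mac"]] = now
        return ("redirect", query["redirect"])


def external_server_decision(secret, device_url, access_request_url, credentials_ok):
    """Models the external web server: echo the request params, add success and checksum."""
    req = {k: v[0] for k, v in parse_qs(urlparse(access_request_url).query).items()}
    fields = {"mac": req["mac"], "redirect": req["redirect"], "ts": req["ts"],
              "success": "1" if credentials_ok else "0"}
    fields["sig"] = checksum(secret, fields)
    return f"{device_url}?{urlencode(fields)}"


def run_exchange(credentials_ok, tamper=False, now=1_700_000_000):
    """Full round trip for one constructed client; returns the final redirect target."""
    device = HotspotDevice(SHARED_SECRET, AUTH_URL, AUTH_FAIL_URL)
    action, url = device.handle_client_request("00:11:22:33:44:55", "http://www.google.com", now)
    assert action == "redirect" and url.startswith(AUTH_URL)
    decision = external_server_decision(SHARED_SECRET, DEVICE_DECISION_URL, url, credentials_ok)
    if tamper:  # a client flipping the server's denial into an approval
        decision = decision.replace("success=0", "success=1")
    return device.handle_access_decision(decision, now + 5)[1]


if __name__ == "__main__":
    print("valid:    ", run_exchange(True))
    print("denied:   ", run_exchange(False))
    print("tampered: ", run_exchange(False, tamper=True))
```

The tampered case is the one worth studying: the client rewrites `success=0` to `success=1` on its way back to the device, the checksum no longer matches, and the device sends the client to the failure URL instead of creating a session. The timestamp check is not part of what the page describes; it is included because a signed decision with no freshness information can be replayed for as long as the shared secret stays the same.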
In this example, authentication is successful, so the browser goes to the originally requested site, http://www.google.com.
If authentication fails or if access was denied, the browser goes to the authentication failure URL.
Example failure URL:
Enable a Hotspot