Advanced Location-Based Registration and Web Access
Advanced location-based registration and web access allows you to configure different access features for end users based on the location of a connecting end-system, as determined by the location groups you have defined for your network. (For more information on setting up location groups, see the Add/Edit Location Group Window Help topic.)
For example, with location-based registration, a company can have guest registration configured for their conference rooms and authenticated registration configured in offices, with different portal designs for each access method.
Use the following steps to define a location-based access configuration. The configuration specifies the access method and portal used by the end user to register or log in, and the access levels assigned to the end user following registration or login. You must define a separate access configuration for each location.
- Click the NAC Manager toolbar button to open the NAC Configuration window.
- In the left-panel tree, select the Features icon. In the right panel, click the Enable Feature button and select Advanced Location-Based Access from the menu.
- The Advanced Location-Based Registration & Web Access Behavior window opens.
- Configure the Rule Conditions that must be met in order for an end user to qualify for this location-based access.
- In the Location drop-down box, select the desired location group from the list of existing groups. The location group defines the SSID, APs, switches, or ports that an end-system must connect to in order to meet the rule conditions. You can create a new location group or edit an existing group, if desired.
- In the Time drop-down box, select the desired Time group from the list of existing groups. The time group defines the time period during which an end-system must connect in order to meet the rule conditions. You can create a new time group or edit an existing group, if desired.
- The Portal Welcome and Login Pages are displayed when end users first attempt to connect to the network. In order to provide a custom experience for connecting end users, you can set all IP addresses for this location to see the welcome and login pages as configured in the portal specified for this location. Otherwise, end users see the login page as defined by the default portal configuration. This option is useful for service providers with multiple tenants that want to have unique login pages for each tenant location.
- In the Incoming IP Range drop-down box, select an end-system group that contains the IP subnets for this location. You can create a new group or edit an existing group, if desired. If you select None, the default login page displays to end users.
- Select the end-system zone assigned to any end user that matches the Rule Conditions. See How to Configure End-System Zones for more information about how to use and configure end-system zones in NAC Manager.
- In the Portal section, use the drop-down menu to select the portal configuration you want to use for this location. You can also create a new portal configuration or edit an existing configuration, if desired.
- Use the Enable Feature button to select the type of access you want to define for this location. Once you have enabled a feature, you can click on the feature link that appears below to open the Edit Portal Configuration window and edit the access feature parameters.
- Guest Registration - Guest registration forces any new end-system connecting on the network to provide the user's identity in the registration web page before being allowed access to the network. After successful registration, the end-system is permitted access until the registration expires or is administratively revoked.
- Guest Web Access - Guest Web Access provides a way for you to inform guests that they are connecting to your network and lets you display an Acceptable Use Policy (AUP). Guest web access provides a single session, and no permanent end user records are stored.
- Secure Guest Access - Secure Guest Access provides secure network access for wireless guests via 802.1X PEAP by sending a unique username, password, and access instructions for the secure SSID to guests via an email address or mobile phone (via SMS text).
- Authenticated Registration - Authenticated registration provides a way for existing corporate end users to access the network on end-systems that don't run 802.1X (such as Linux systems) by requiring them to authenticate to the network using the registration web page. After successful registration, the end-system is permitted access until the registration expires or is administratively revoked.
- Authenticated Web Access - Authenticated web access provides a way to inform end users that they are connecting to your network and lets you display an Acceptable Use Policy. End users are required to authenticate to the network using the Authenticated Web Access login page. However, end users are only granted one-time network access for a single session, and no permanent end user registration records are stored.
- Assisted Remediation - Assisted remediation is a process that informs end users when their end-systems have been quarantined due to network security policy non-compliance, and allows end users to safely remediate their non-compliant end-systems without assistance from IT operations.
- In the Access Rules section, define the access levels assigned to end users as they move through the registration or login process. As the end user registers or logs in through the portal, they transition through several rules. Each rule assigns the end user to an end-system group and NAC profile that specifies the access level for the end user while they are in that state. Use the drop-down menus to select the end-system group and NAC profile for each rule.
- Click OK. The NAC Configuration Features panel lists the new location.
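Because the Incoming IP Range decides which portal's welcome and login pages an end user sees, it is worth checking before rollout that no two locations' subnets overlap, especially in a multi-tenant deployment. The following Python check is an added example, not NAC Manager code: the location names, portal names and subnets are constructed, and treating an address that matches more than one location as ambiguous is an assumption, since this topic does not say how NAC Manager resolves an overlap.

```python
import ipaddress
from itertools import combinations

DEFAULT_PORTAL = "Default"  # stands for the default portal configuration

# Constructed sample data: location -> (portal, Incoming IP Range subnets).
# An empty list models selecting "None" in the Incoming IP Range drop-down.
LOCATIONS = {
    "Tenant-A": ("Portal-A", ["10.10.0.0/16"]),
    "Tenant-B": ("Portal-B", ["10.20.0.0/16", "192.168.50.0/24"]),
    "Tenant-C": ("Portal-C", ["10.20.4.0/22"]),  # falls inside Tenant-B's range
    "Lobby": ("Portal-Lobby", []),
}


def _parse(locations):
    """Convert subnet strings to ip_network objects (raises on bad input)."""
    return {
        name: (portal, [ipaddress.ip_network(s) for s in subnets])
        for name, (portal, subnets) in locations.items()
    }


def find_overlaps(locations):
    """Return (loc_a, loc_b, net_a, net_b) for every overlapping subnet pair."""
    hits = []
    for (a, (_, nets_a)), (b, (_, nets_b)) in combinations(
        sorted(_parse(locations).items()), 2
    ):
        for na in nets_a:
            for nb in nets_b:
                # overlaps() raises TypeError across IPv4/IPv6, so guard it
                if na.version == nb.version and na.overlaps(nb):
                    hits.append((a, b, str(na), str(nb)))
    return hits


def portal_for(ip, locations):
    """Return (portal, matching locations); portal is None when ambiguous."""
    addr = ipaddress.ip_address(ip)
    matches = sorted(
        name for name, (_, nets) in _parse(locations).items()
        if any(addr in net for net in nets)
    )
    if not matches:
        return DEFAULT_PORTAL, []  # no range matches: default login page
    if len(matches) > 1:
        return None, matches  # overlap: fix the end-system groups first
    return locations[matches[0]][0], matches
```
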
For information on related windows: