How to set Access Control to create guest SSID on Omada Controller/EAP

User Application Requirement
Updated 04-22-2019 08:22:16 AM
This Article Applies to: 

Suitable for Omada Controller/OC200/EAP

In some scenarios, customers may want to provide visitors with Wi-Fi access to the Internet, but for security reasons they do not want visitors to reach the local wired network or other wireless clients.

Omada Controller offers two ways to achieve this: the Access Control function or Guest Network. This article explains how to configure each of them on Omada Controller.

Method 1: How to configure Access Control to create guest SSID on Omada Controller?

Below is a sample topology. In this sample, a mobile phone connected to the Guest SSID can access the Internet but cannot access the wired devices.

1. Add an Access Control Rule at Wireless Control->Access Control->Add Access Control Rule, then click Apply. For example, if the wireless clients and wired clients belong to the same subnet (192.168.1.x), we can set Block Subnets to 192.168.1.0/24 and Block Exclude Subnets to 192.168.1.1 (Gateway) and 192.168.1.7 (IP address of Omada Controller). (If guest clients need to connect to some special devices, you can add the IP addresses of these devices to the Exclude Subnets list. Please note: you must not block the gateway, DHCP server, or DNS server, or clients will not be able to reach the Internet!)

2. Add a Guest SSID at Wireless Settings->Basic Wireless Setting

3. Edit this SSID, add the corresponding access control rule to it, and click Apply. (Note: Access Control does not take effect between wireless clients connected to the same SSID of the same AP.)

4. If you want to block communication between wireless clients connected to the same SSID of the same AP, enable the SSID Isolation function at Wireless Settings->Basic Wireless Setting->Edit SSID.

Notes:

1)    There are two Rule Modes: Allow and Block. Allow is a white list and Block is a black list.

2)    The IP addresses in the “Subnets” list follow the rule mode you choose, except for the IP addresses in the “Except Subnets” list. For example, if you configure a Block rule with subnets 192.168.1.0/24 and except subnets 192.168.1.2/32, clients connected to this SSID can access only 192.168.1.2 within the 192.168.1.x subnet. Clients can still access other subnets.
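The following added example (not TP-Link code and not the controller's implementation) models the rule semantics from Note 2 and checks a planned rule before it is applied, so that a required service left out of the exclude list is caught first. The function names, the treatment of Allow mode as deny-by-default, and the DHCP and DNS addresses are assumptions made for illustration.

```python
import ipaddress

def _in_any(ip, nets):
    # A bare address such as "192.168.1.1" is treated as a /32 network.
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def is_reachable(dst, mode, subnets, except_subnets):
    """Model of Note 2: the Subnets list follows the rule mode,
    except for addresses in the Except Subnets list."""
    ip = ipaddress.ip_address(dst)
    matched = _in_any(ip, subnets) and not _in_any(ip, except_subnets)
    if mode == "block":
        return not matched   # black list: only matched destinations are dropped
    if mode == "allow":
        return matched       # white list: only matched destinations pass (assumed)
    raise ValueError(f"unknown rule mode: {mode}")

def blocked_services(rule, services):
    """Names of required services (gateway, DHCP, DNS, ...) the rule cuts off."""
    return sorted(name for name, ip in services.items()
                  if not is_reachable(ip, **rule))

# Rule from step 1 of the article.
GUEST_RULE = {
    "mode": "block",
    "subnets": ["192.168.1.0/24"],
    "except_subnets": ["192.168.1.1", "192.168.1.7"],
}

# Constructed inventory: gateway and controller come from the article,
# the DHCP and DNS addresses are invented for this example.
SERVICES = {
    "gateway": "192.168.1.1",
    "controller": "192.168.1.7",
    "dhcp": "192.168.1.1",
    "dns": "192.168.1.53",   # local resolver missing from the exclude list
}

if __name__ == "__main__":
    print("blocked required services:", blocked_services(GUEST_RULE, SERVICES))
    for dst in ("192.168.1.20", "192.168.1.1", "10.0.0.5", "8.8.8.8"):
        state = "reachable" if is_reachable(dst, **GUEST_RULE) else "blocked"
        print(f"{dst:>14}  {state}")
```

The 10.0.0.5 result shows the point made in Note 2: a Block rule only covers the subnets listed in it, so any other internal subnet stays reachable from the guest SSID unless it is added to the rule.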

Method 2: How to configure Guest Network on Omada Controller?

We have added Guest Network in Omada Controller and EAP. With Guest Network enabled,

  1. All wireless devices connected to the SSID cannot communicate with each other;
  2. All wireless devices connected to the SSID will be blocked from reaching any private IP subnet (10.0.0.0 -- 10.255.255.255; 172.16.0.0 -- 172.31.255.255; 192.168.0.0 -- 192.168.255.255).

When configuring the Guest SSID, simply enable Guest Network; it will then block clients from reaching any private IP subnet.

Note:

1. Guest Network can only be used when the EAP is managed by Omada Controller 3.1.4 or a higher version.
2. Guest Network can only be used after you have upgraded your EAP to the corresponding firmware.