Alibaba Cloud SASE (Secure Access Service Edge) provides a guest network access solution to manage internet access for visitors. After a guest connects an endpoint to the dedicated guest wireless network, an authentication page (also known as a portal page) appears in their browser. Guests authenticate using an SMS verification code. Once authenticated, they can access the internet.
Prerequisites
You have configured a dedicated wireless network for guests.
The configuration process may vary depending on the brand and model of your wireless controller (AC). For specific instructions, consult the official product documentation or user manual on your AC vendor's website.
Authentication settings
In SASE, guest wireless network management consists of two main components: Authentication Portal Settings and Custom Settings on Authentication Page.
Portal authentication configuration
In this section, you can configure settings such as the Application Method, Guest Whitelist, and Validity Period.
Log on to the Alibaba Cloud SASE console.
In the left-side navigation pane, choose Network Access Control > Guest Network.
In the upper-right corner of the page, click Authentication Configuration.
On the Authentication Portal Settings tab, configure the parameters as described in the following table.
| Parameter | Description |
| --- | --- |
| Application Method | Two modes are supported: Self-service Application and Assisted Application. Self-service Application: Guests authenticate by using an SMS verification code to access the network. This mode is suitable for open scenarios. Assisted Application: An employee scans a QR code to help the guest connect to the network. This mode is suitable for scenarios that require a higher level of security. |
| Guest Whitelist | Add guest phone numbers to the whitelist. If no guest whitelist is configured: All guests can authenticate with an SMS verification code. If a guest whitelist is configured: Only phone numbers on the whitelist can authenticate with an SMS verification code. After successful authentication, guests can access network resources. |
| Validity Period | Set the duration for which an authentication is valid. The default is 1 day. After the period expires, the guest must re-authenticate. Note: For example, if you set the authentication validity period to 1 day, the authentication expires 24 hours after the guest logs in. |
Click Submit.
Authentication page customization
This feature lets you customize the portal page for both desktop and mobile endpoints, including the company logo, company name, and background image.
Click the Custom Settings on Authentication Page tab and customize the portal page for Desktop Client and Mobile Client devices as described below.
| Parameter | Description |
| --- | --- |
| Logo | Upload your company logo. The image must be a PNG file that is 16 pixels high and no larger than 300 KB. There is no width restriction. |
| Company Name | Set the company name that appears below the logo. |
| Logon Prompt | Set the login prompt text. |
| Background Image | Upload a background image for the portal page. |
| Redirect URL After Authentication | The URL where users are sent after they successfully authenticate. |
After completing the configuration, click Submit.
View guest network access records
You can view guest network access records from the last seven days. To deny internet access to a guest, you can use actions such as Blacklist Management and Forceful Logout.
In the left-side navigation pane, choose Network Access Control > Guest Network.
To block a guest, find the target account name and in the Operation column, click Forceful Logout or Add to Blacklist.
Forceful Logout: The account is immediately disconnected and must re-authenticate to connect to the guest network.
Add to Blacklist: In the dialog box, enter a reason, and then click OK. The account is blocked from connecting to the guest network until it is removed from the blacklist.
Blacklist management
To prevent a guest from accessing the internet through portal authentication, you can add them to the blacklist.
Click Blacklist Management. On the Blacklist Management page, click Create Blacklist.
In the Create Blacklist panel, enter the Account Name and Device MAC Address of the guest you want to block, and then click Confirm.
To unblock a guest, click Remove from Blacklist and then click OK. The account can then authenticate and access the internet again.
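The following added example (not Alibaba Cloud code) models how the Guest Whitelist, Validity Period, Forceful Logout and blacklist settings described above combine into an access decision, which is useful for writing test cases against the portal. The class, field and function names are hypothetical. It assumes that the account name is the guest's phone number, that a match on either account name or MAC address blocks the guest, and that the blacklist is checked before the whitelist.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class GuestPolicy:
    # Hypothetical field names modelling the console settings described above.
    whitelist: set = field(default_factory=set)           # empty = not configured
    blacklist_accounts: set = field(default_factory=set)  # blocked account names
    blacklist_macs: set = field(default_factory=set)      # blocked device MACs
    validity: timedelta = timedelta(days=1)               # page default: 1 day

def may_authenticate(policy, account, mac):
    """Return (allowed, reason) for an SMS verification attempt."""
    blocked_macs = {m.lower() for m in policy.blacklist_macs}
    # Assumption: a match on either account name or MAC blocks the guest.
    if account in policy.blacklist_accounts or mac.lower() in blocked_macs:
        return False, "blacklisted"
    # An unconfigured (empty) whitelist admits every phone number.
    if policy.whitelist and account not in policy.whitelist:
        return False, "not on whitelist"
    return True, "ok"

def session_valid(policy, login_time, now, forced_logout=False):
    """A session ends on Forceful Logout or once the validity period elapses."""
    if forced_logout:
        return False
    return now < login_time + policy.validity

if __name__ == "__main__":
    # Constructed sample values, not real guests or devices.
    open_policy = GuestPolicy()
    strict = GuestPolicy(whitelist={"13800000001"},
                         blacklist_macs={"AA:BB:CC:00:00:02"})
    login = datetime(2024, 1, 1, 9, 0)
    print(may_authenticate(open_policy, "13800000009", "aa:bb:cc:00:00:09"))
    print(may_authenticate(strict, "13800000009", "aa:bb:cc:00:00:09"))
    print(may_authenticate(strict, "13800000001", "aa:bb:cc:00:00:02"))
    print(session_valid(strict, login, login + timedelta(hours=23, minutes=59)))
    print(session_valid(strict, login, login + timedelta(hours=24)))
```

The first call shows the case to watch in open deployments: with no whitelist configured, any phone number that can receive the SMS code is admitted.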
Log audit
SASE provides log auditing for guest network access records.
Go to the Access Logs > Guest Authentication Logs tab to view guest authentication records.