Differences

This shows you the differences between two versions of the page.

technical:ppsk-user-reg [2024/07/09 11:33] systemtechnical:ppsk-user-reg [2024/07/09 19:46] (current) system
Line 6: Line 6:
 ----- -----
 ====== User registration in a PPSK environment ====== ====== User registration in a PPSK environment ======
-  * RADIUSdesk enables the fast onboarding of new users in a PPSK network. +  * RADIUSdesk enables the fast onboarding of new users in a PPSK enabled network. 
-  * This page discusses the different options you can select to optimise your setup+  * The onboarding process consists of the following steps 
-<panel type="info" title="Overview video of on-boarding process"> +       - The user connects to an SSID that has PPSK enabled with the shared key **used for onboarding**. 
-{{ :videos:ppsk_registration.mp4 |On-boarding Overview }} +       - The user is shown a landing page on the captive portal where they can register and select their own PPSK
-</panel>+       The user disconnects and reconnects with their own PPSK to gain full Internet access
 +  * This page describes the most important points you need to consider in order to achieve a functioning setup.
  
 ----- -----
-===== Network setup ===== +===== Planning the VLANs ===== 
-  * For user registration we make use of a captive portal with a landing page that allows for user registration+  * With the PPSK solution in RADIUSdesk, you must specify the VLANs that you want to use. 
-  * We use predefined preshared key that when used will dynamically move the user onto the network with the captive portal+  * They are connected to realm
-  * You can decide what role this captive portal must fill. +  * On the screenshot below you can see that we have specified VLAN 5 and also VLAN 100-110
-      * You can use the captive portal in the traditional way that allows users to connect through it to gain Internet access with an option to sign-up. The signup dialog can include an option for the user to specify their own Private Preshared Key (PPSK)+  We will use VLAN 5 for the Captive Portal network
-      Alternatively you can use the captive portal simply as a place where the user can sign-up. During this registration process they can then specify their Private Preshared Key (PPSK) which they will give them full Internet access when they use their own Preshared Key +<panel type="primary"> 
- +{{:technical:ppsk:vlans.png?nolink|}}
- +
-<panel type="info" title="Private PSK - Small deployments"> +
-{{ :technical:ppsk:ppsk_small.png }}+
 </panel> </panel>
  
 ----- -----
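Review bot: The new "Planning the VLANs" bullets name VLAN 5 and VLAN 100-110 but explain only VLAN 5, so a reader cannot tell what the 100-110 range is for until the **Next Available** option much further down. Add a bullet here saying what that range is used for. This region also removes the ppsk_small.png diagram and the description of the two roles the captive portal can fill; if that material is still valid, link to where it now lives rather than dropping it silently.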
 +===== The onboarding user =====
 +  * We create an onboarding user with a PPSK that is easy to remember.
 +  * This is given to users who want to register to connect to the WiFi network.
 +  * The onboarding user is also assigned the VLAN that we use for the Captive Portal network (VLAN 5).
 +<panel type="primary">
 +{{:technical:ppsk:onboarding_user.png?nolink|}}
 +</panel>
 + 
  
-===== Large installations (MDU - apartment blocks, flats, hotels, etc.) ===== +----- 
-  * In large installations, you can potentially have hundreds of access points, all centrally managed with MESHdesk and APdesk. +===== The Captive Portal ===== 
-  * In these installations, you need to work with other components to get an integrated solution+  * We need to change the default captive portal created by the RADIUSdesk wizard
-  * Typically you will have +  * We will connect it to VLAN 5
-    * A common SSID configured for private PSK security on all access points. +  * To have VLAN 5 as a selectable optionwe need to add it to the AP profile or mesh network
-    * External / centralised onboarding captive portal. +<panel type="primary"> 
-    * Multiple VLAN enabled switches. +{{:technical:ppsk:ap_desk_vlan.png?nolink|}}
-    * A firewall hosting multiple networks, each connected to a different VLAN. +
-  * This includes multi-dwelling units (MDU)schools, hotels and conference facilities as well as WiFi networks with IOT devices+
-<panel type="info" title="Private PSK - Large deployments"> +
-{{ :technical:ppsk:privatepsk_large.png }}+
 </panel> </panel>
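Review bot: In "The onboarding user" the key is described as easy to remember and is handed to anyone who wants to register, yet neither that section nor "The Captive Portal" says what a client on VLAN 5 can reach before it has registered. Add a bullet stating what the VLAN 5 network exposes and repeating that full Internet access requires reconnecting with the user's own PPSK, as the step list in the intro already says, so that readers do not treat the onboarding key as a general-access key.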
  
 <alert type="success" icon="glyphicon glyphicon-bullhorn"> <alert type="success" icon="glyphicon glyphicon-bullhorn">
-  * You may have noticed that the access points in the picture are the Aruba AP105. +  * The VLANs that we define here are separate from the VLANs that are connected to the realm (RADIUS side)  
-  * RADIUSdesk provides a solution for networks and does not sell hardware. +  * The VLANs we define here can be used internally in a mesh network or access point without the need for a VLAN-enabled switch
-  * The Aruba AP105 as well as many other older and current hardware is supported by OpenWrt and can therefore be used in your deployment+  * If you have a larger setup where the VLANs and their NAT/DHCP networks are provided by another vendor, you only need VLAN 5 for the Captive Portal
-  * No vendor lock-in :-)+
 </alert> </alert>
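Review bot: The first alert bullet says the VLANs defined here are separate from the VLANs connected to the realm, but VLAN 5 appears on both sides: it is specified on the realm and assigned to the onboarding user, and it is also added to the AP profile or mesh network for the captive portal. Say explicitly that the two lists are configured independently, and state whether the captive portal VLAN number has to be the same in both places; as written, "separate" can be read as meaning the numbers are unrelated.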
  
 +  * The captive portal also connects to the SSID for which PPSK with RADIUS encryption is enabled.
 +  * This is only a formality. The actual network to which a client is assigned is determined by RADIUS.
 +<panel type="primary">
 +{{:technical:ppsk:ppsk_captive1.png?nolink|}}
 +</panel> 
  
 +------
 +===== Enable user registration =====
 +  * User registration is enabled under the settings of the login page used by the captive portal.
 +  * We have an option called **Require Private PSK (PPSK)** which also needs to be enabled.
 +  * Then there are three options for VLAN assignment during registration.
 +     - **No VLAN** - No VLAN will be assigned to the newly created user.
 +     - **Preselect** - Select one of the VLANs which are associated with the realm which you specified the new user should belong to. This is useful if you want to perform some checks after registration before assigning the final VLAN.
 +     - **Next Available** - The system selects the next available VLAN from the pool of VLANs of the realm to which the new user is to belong. If the pool is exhausted, the registration fails with a corresponding message.
 +<panel type="primary">
 +{{:technical:ppsk:user_registration.png?nolink|}}
 +</panel>
  
 +-----
 +===== The landing page =====
 +  * There are two options for the landing page.
 +    - You can use the default Captive Portal login page which you have enabled user registration and checked **Require Private PSK (PPSK)**.
 +    - You can use the simplified Registration Only page (you still need to enable user registration)
 +  * The URL for the default Captive Portal login page is as follows: https://cloud.radiusdesk.com/cake4/rd_cake/dynamic-details/chilli-browser-detect/ (Replace the FQDN with the FQDN of your RADIUSdesk server)
 +  * The URL for the simplified register only page is as follows: https://cloud.radiusdesk.com/login/ppsk_register/index.html (Replace the FQDN with the FQDN of your RADIUSdesk server)
 +  * For the simplified registration only page you must also append the ID of the login page, e.g. **?dynamic_id=37**.
 +  * To determine the ID of the login page simply click on the **Preview** button in the Login Page applet. 
 +  * This opens a preview of the standard login page with the dynamic_id in the query string.
 +  * You can then use this value and update the settings of the captive portal.
 +  * See screenshot below:
 +<panel type="primary">
 +{{:technical:ppsk:simple_register.png?nolink|}}
 +</panel>
 +
 +-----
 +====== Highlights ======
 +  * The following video summarises all the points we have covered on this page:
 +<panel type="info" title="Highlight video of on-boarding process">
 +{{ :videos:ppsk_registration.mp4 |On-boarding Overview }}
 +</panel>
  
  
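Review bot: In "Enable user registration", the **No VLAN** option says no VLAN is assigned but not which network such a user ends up on when reconnecting with their own PPSK; document the resulting behaviour. For **Next Available**, the text says registration fails once the pool is exhausted, so it should also say whether a VLAN ever returns to the pool, since that decides how many registrations the example range can serve. In "The landing page", both URLs hardcode cloud.radiusdesk.com and rely on a parenthetical to tell the reader to replace it; a placeholder hostname in the URL itself is harder to copy by mistake. Style: the "Highlights" heading uses six = signs, the same level as the page title, while the other sections use five, and the rule before "Enable user registration" has six dashes where the others have five.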
  • technical/ppsk-user-reg.1720517629.txt.gz
  • Last modified: 2024/07/09 11:33
  • by system