With the new version of the Sponsoring Portal from CloudGuard, different scenarios for allocating network access rights to guests and to company-owned and private devices can be implemented securely and conveniently.
A special highlight of the new version is the possibility to link the Sponsoring Portal to several external LDAP directories. In this way, different authorization profiles can be assigned quickly and easily via group membership in the central Identity and Access Management (IAM) system.
One solution for different requirements
An internal employee is visited by an external person who needs access to the Internet.
Therefore, the employee logs on to the Sponsoring Portal and creates a corresponding user account. The generated access data can be conveniently printed out and handed over to the guest. The guest connects his mobile device to the Guest WLAN and logs in with the access data on the landing page. Access is via an unencrypted SSID.
Increasingly, employees bring their private devices to work and want to connect them to the WLAN. Since these devices are not managed by the company, they cannot be connected to the corporate WLAN.
My Devices (BYOD)
Thanks to the Sponsoring Portal, every authorized employee can manage his personal devices himself. A two-stage method is used for network access. On the first access to the Sponsoring Portal, personal credentials (username/password) are generated for each employee.
Afterwards, the employee connects to the encrypted SSID and logs on with the previously generated credentials. In the second stage of the access process, the MAC address of the device plays an important role. Each device that connects to the WLAN in the manner described above must also be enabled on the Sponsoring Portal and will be recognized by its MAC address on the next access. In addition, lost devices with valid credentials can be quickly blocked in the portal, and the number of devices per employee can be restricted. If the employee has registered on the Sponsoring Portal via an external directory, his personal devices are blocked immediately or deleted after a definable time when he leaves the company.
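The two-stage decision described above can be modelled as follows. This is an added example, not code from the Sponsoring Portal; the class, function and field names, the device limit of 3 and the choice to deny access as soon as the directory account is gone are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

def normalize_mac(raw):
    """Canonicalise a MAC so aa:bb:.., AA-BB-.. and aabb.ccdd.eeff compare equal."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

@dataclass
class Employee:                      # hypothetical portal record
    username: str
    in_directory: bool = True        # False once the external directory account is gone
    max_devices: int = 3             # assumed per-employee device limit
    devices: dict = field(default_factory=dict)  # normalized MAC -> blocked flag

def register_device(emp, raw_mac):
    """Enable a device in the portal; refuse once the device limit is reached."""
    mac = normalize_mac(raw_mac)
    if mac not in emp.devices and len(emp.devices) >= emp.max_devices:
        return False
    emp.devices.setdefault(mac, False)
    return True

def block_device(emp, raw_mac):
    """Mark a registered (for example lost) device as blocked."""
    mac = normalize_mac(raw_mac)
    if mac in emp.devices:
        emp.devices[mac] = True

def authorize(emp, credentials_ok, raw_mac):
    """Stage 1: personal credentials. Stage 2: MAC enabled and not blocked.
    The MAC is reported by the client, so it is checked in addition to the
    credentials, never instead of them."""
    if not credentials_ok:
        return False, "stage 1: bad credentials"
    if not emp.in_directory:
        return False, "employee left the company"
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return False, "stage 2: malformed MAC"
    if mac not in emp.devices:
        return False, "stage 2: device not enabled in portal"
    if emp.devices[mac]:
        return False, "stage 2: device blocked"
    return True, "access granted"

if __name__ == "__main__":
    alice = Employee("alice")                      # constructed sample data
    register_device(alice, "AA-BB-CC-00-11-22")
    print(authorize(alice, True, "aabb.cc00.1122"))
```

Normalizing the MAC before every comparison matters because the same device can be reported in different notations by the portal form and by the WLAN infrastructure.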
Safe Guest Access (Secure WiFi PEAP)
An authorized employee can set up encrypted Internet access for both his guest and WPA2-enabled devices. This procedure does not require the registration of the device's MAC address in the Sponsoring Portal. Just like "simple" Guest Access, it is a personal authentication. Thanks to PEAP (Protected Extensible Authentication Protocol), a secure connection is established.
To connect the devices to the encrypted SSID, the credentials previously created in the portal must be entered. This type of access offers special protection for the identification data and enables automatic assignment to different VLANs depending on group membership.
Nowadays, more and more consumer electronic devices such as televisions, screens or projectors need to be connected to the company WLAN. Modern devices are generally WLAN-capable, but often do not support the 802.1X standard and therefore have no access to the WLAN. In the age of the "Internet of Things" (IoT), this increasingly affects a wide variety of devices such as medical devices, fitness machines, sensors, etc.
The employee registers the device with its MAC address in the Sponsoring Portal. When the device connects to the open SSID, it is authenticated by its MAC address (MAC Authentication Bypass, MAB).