Home Knowledge Base SecureW2 Documentation Certificate-Based Wi-Fi Onboarding for Guest Access

Certificate-Based Wi-Fi Onboarding for Guest Access

1. Introduction

SecureW2 has introduced an innovative Guest Onboarding solution that leverages a certificate-based approach, replacing traditional password authentication methods.
This enhancement is critical for organizations seeking to secure guest Wi-Fi access, as it simplifies guest management for administrators while delivering a seamless onboarding experience. By utilizing digital certificates to authenticate guest identities, organizations can significantly mitigate the risk of unauthorized access, ensuring a secure and efficient network experience for users. This approach not only enhances trust but also enables more effective network management in today’s increasingly digital environment.

SecureW2 supports self registration of Guests via two identities:

  1. Mobile Number
  2. Google Identity

SecureW2 currently supports integration with Twilio to send OTPs via SMS for mobile number-based guest registrations.

For web-based registrations, Google OAuth can be integrated, allowing guests to register using their Google identities.

The following sequence diagrams illustrate the certificate issuance process and the network connection flow.

1.1 Certificate Issuance via Mobile Number registration and network connection

 

1.2 Certificate Issuance via Google Identity registration and network connection

2. Prerequisites

The following are the requirements for the admin to configure the Guest onboarding solution via certificate authentication:

  1. Admin needs to configure either of the following or both to identify the guest user and register:
    1. Account in Twilio to send OTP notifications via SMS to register the mobile number.
    2. Able to configure Google OAuth to enable guest registration after their Google Identity verification.
  2. Active subscription with SecureW2 Cloud Connector.

3. Creating a Notification Gateway

The Notification Gateway enables the network admin to send OTP notifications to guest users after authentication. Currently, we use the SMS service from Twilio to send OTPs.

To create a Notification Gateway, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to General > Organization.
  3. Select the Notification Gateway tab.
  4. Click Add Notification Gateway.

  5. In the Basic section, enter the name of the notification gateway in the Name field.
  6. In the Description field, enter a suitable description for the notification gateway.
  7. From the Provider drop-down list, select Twilio.
  8. Click Save.
  9. Click the Configuration tab.
    1. In the Account ID field, enter the Account SID obtained from the Twilio Console.
    2. In the Auth Token field, enter the Auth Token obtained from the Twilio Console.
    3. In the Messaging Service ID field, enter the Messaging Service SID obtained from the Twilio Console.
    4. In the Phone Number field, enter the guest user’s contact number to receive the OTP for authentication from the Twilio Console.
    5. Click the Validate Configuration button to check the validity of the phone number entered.
  10. Click Update.

4. Creating a Guest Core Provider

The Self Registration Core Provider allows network admins to issue certificates to the end user devices using their mobile number, Gmail account, or both methods.

To create a guest core provider, perform the following steps:

  1. Navigate to Integration Hub > Core Platforms.
  2. Click Add.

  3. In the Basic section, enter the name of the core provider in the Name field.
  4. In the Description field, enter a suitable description for the core provider.
  5. From the Type drop-down list, select Self Registration.

  6. Click Save. The page refreshes, and Configuration, and Notification Template tabs are displayed.
  7. Click the Configuration tab and select the required authentication methods.
    1. Mobile OTP: This method uses the configured SMS Notification Gateway to send OTP for identification during the enrollment process.
    2. Google OAuth2: This method uses the Google OAuth2 protocol to identify the user during the enrollment process. To configure Google OAuth2, create an OAuth2 app in the Google Account and add the corresponding Client ID and Client Secret to the JoinNow Management portal, which is obtained from the OAuth2 app. During the creation of the OAuth2 app in the Google Account, you need to add the “Authorized redirect URI” value obtained from the JoinNow Management portal.
  8. For Mobile OTP:
    1. Select the Mobile OTP checkbox to enable the Notification Gateway drop-down list.
    2. From the Notification Gateway drop-down list, select the notification gateway created earlier in the Creating a Notification Gateway section.
  9. For Google OAuth2:
    1. Select the Google OAuth2 checkbox to enable the Client Id and Client Secret fields.
    2. In the Client Id field, enter the Client ID obtained from the Google Console (refer to the Creating Authorization Credentials section, step 10).
    3. In the Client Secret field, enter the Client secret obtained from the Google Console (refer to the Creating Authorization Credentials section, step 10).
  10. Copy the Authorized redirect URI value on your computer.
  11. Click the Notification Template tab.
    1. Click Add Notification Template.

    2. In the Basic tab, enter a name for the Language Template in the Name field.
    3. In the Display Description field, enter a description for the Language Template.
    4. In the Locale field, enter a language code. e.g., nl for Dutch.
    5. Click Save. The page refreshes and opens the Notification Template tab.
    6. Click the Notification Template tab.
      1. In the Message field, enter the customized message format with the OTP value that can be sent to users during the enrollment process. Ensure to retain “${otp}” and “${otpValidity}” variables in the message, as they convey the OTP value and its validity, respectively.
  12. Click Update.

5. Configuring Google OAuth2 in Google Console

The following are the high-level steps required to configure the Google Admin console for guest users who prefer using Google Authentication over Mobile OTP.

5.1 Creating a New Project

The Google Service Account must be created in the IAM & Admin console. Log in to the Google IAM & Admin console using the link here.

To create a new project in the Google service account, perform the following steps:

  1. Log in to the Google Service Account.
  2. Click the Select a Project drop-down list at the top of the page.
  3. Click NEW PROJECT.

  4. On the New Project page, enter a name for the project in the Project name field.
  5. From the Organization drop-down list, select the required organization for the project.
  6. From the Location drop-down list, select the parent organization.
  7. Click CREATE.

5.2 Creating an OAuth Consent

To create an OAuth Consent screen, follow these steps:

  1. Log into the APIs & Services console using the link here.
  2. On the left pane, click the OAuth consent screen.
  3. On the OAuth consent screen, select External to make the app available to all users outside the organization.
  4. Click CREATE.
  5. On the OAuth consent screen tab:
    1. In the App information section, for the App name field, enter the name of the application.
    2. From the User support email drop-down list, select the email address where users can contact you with questions about their consent. The App information is displayed on the consent screen to help end users identify and contact you.
    3. In the Developer contact information section, for the Email addresses field, enter the list of email addresses for Google to notify you about any changes to your project.
    4. Click SAVE AND CONTINUE.
  6. On the Scopes tab:
    1. Click the ADD OR REMOVE SCOPES button.
    2. On the Update selected scopes pop-up window, select the following values:
      • https://www.googleapis.com/auth/userinfo.email
      • https://www.googleapis.com/auth/userinfo.profile
      • Openid
    3. Click UPDATE.
    4. Click SAVE AND CONTINUE.
  7. On the Summary tab, review the app registration summary. To make changes, click EDIT. If the app registration details are correct, click the BACK TO DASHBOARD button.

5.3 Creating Authorization Credentials

To create credentials for your project, execute the following steps:

  1. Log into the APIs & Services console using the link here.
  2. On the left pane, click Credentials.
  3. Click the + CREATE CREDENTIALS menu and select OAuth client ID.

  4. On the Create OAuth client ID page, from the Application type drop-down list, select Web application.

  5. In the Name field, enter the OAuth2 client’s name. This name is only used for identifying the client in the console and will not be visible to end users.
  6. In the Authorized JavaScript origins section, click the ADD URI button.
  7. In the URIs 1 field, enter the base URL of the authentication portal.
  8. In the Authorized redirect URIs section, click the ADD URI button.
    1. In the URIs 1 field, enter the redirect URI obtained from the JoinNow Management Portal (refer to the Creating a Guest Identity Provider section, step 10).
  9. Click CREATE.
  10. The Client ID and Client secret values are generated in the OAuth client created pop-up window. Copy the Client ID and Client secret values to your computer.
  11. Click OK.

6. Creating a Network Profile

To configure the Network Profile for guest user authentication, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Device Onboarding > Getting Started.
  3. On the Quickstart Network Profile generator page:
    1. From the Generate Profile for drop-down list, select Guest User Authentication to create a wireless TLS profile. When Guest User Authentication is selected, the Profile Type and EAP Method fields are unavailable to the network admin because the guest user will perform only certificate-based authentication.
    2. In the SSID field, enter the name of the profile.
    3. From the Security Type drop-down list, select WPA2-Enterprise.
    4. From the Policy drop-down list, retain the DEFAULT.
    5. From the Wireless Vendor drop-down list, select your preferred Wireless vendor.
    6. From the RADIUS Vendor drop-down list, select your preferred RADIUS vendor.
    7. Click Create.

The Network Profile is created along with the following sections:

  • CA (Root and Intermediate) is created if it is not already available under the organization name.
  • A specific Certificate Template for Guests certificates
  • Policies (Authentication Policy, Policy Engine Workflow, Enrollment Policy, and Network Policy)

7. Certificate Authority

The Certificate Authority (both Root and Intermediate) is created as a part of the Getting Started process.

If your organization already has both the Root and Intermediate CAs, they are not created during the Getting Started process. If you prefer to use a separate intermediate CA for guest TLS, you can create one and map it to issuing certificates.

To create a new intermediate CA, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Click Add Certificate Authority.

  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA.
  5. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  6. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  7. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  8. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  9. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  10. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on successful Enrollment check box to notify users after a successful enrollment.
    3. If the RFC has a valid email address, the guest user will receive the certificate issued or expired notification; otherwise, they will not receive the notification.
  11. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.
      1. Certificate Hold
      2. AA Compromise
      3. Privilege Withdrawn
      4. Unspecified
    3. If the guest user uses SecureW2 RADIUS, auto revocation will take place.
  12. Click Save.

8. Certificate Template Configuration

The Certificate Template is created as a part of the Getting Started process. To edit the Guest TLS certificate template, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section, and then click Edit on the DEFAULT GUEST CERTIFICATE TEMPLATE 1.

  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. In the Subject field, retain the default value CN=${/auth/upn:/device/identity} hardcoded in the certificate template.
    • /auth/upn – The guest user’s mobile number or email address is encoded in the CN of the Certificate template.
    • /device/identity – The device identity is encoded in the CN of the Certificate template.
    • If the /auth/upn and /device/identity attributes are used together, as specified in the default template, the value of the /auth/upn attribute is prioritized and encoded in the CN of the Certificate template. If the /auth/upn attribute is not available, then the value of /device/identity is used.
    • You can also choose to use either one, based on your requirements.
      1. CN=${/auth/upn} or
      2. CN=${/device/identity}
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section, for Other Name, RFC822, DNS, and URI fields, retain the default values provided in the certificate.
  9. Click Update.

9. Policy Management

The following policy components are created as part of the Getting Started process for Guest TLS.

  • Authentication Policy
  • Policy Workflow
  • Enrollment Policy
  • Network Policy

The Authentication Policy links the Core Provider to the network profile and is required to authenticate users with the specified Core Provider. The Policy Workflow can be assigned to a unique Enrollment Policy for certificate issuance and used to trigger a Network Policy.

The user can update the values according to their business requirements.

9.1 Authentication Policy

If you have already set up an authentication policy using Getting Started, you can edit it with the required values.

  1. Navigate to Policy Management > Authentication.
  2. On the Authentication page, click Edit on the Guest TLS authentication policy.
  3. Click the Conditions tab.
  4. In the Profile drop-down list, ensure that the network profile you created in the Creating a Network Profile section is selected.
  5. Click the Settings tab.
  6. From the Core Provider drop-down list, ensure that the core provider you created in the Creating a Guest Core Provider section is selected.
  7. Click Update.

9.2 Policy Workflow

To edit the Guest TLS Policy Engine Workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Edit on the DEFAULT GUEST ROLE POLICY 1.

  3. Click the Conditions tab.
  4. In the Core Provider drop-down list, ensure that the core provider you created in the Creating a Guest Core Provider section is selected.
  5. Click Update.

9.3 Enrollment Policy

To edit the Guest TLS Enrollment Policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Edit on the DEFAULT GUEST ENROLLMENT POLICY 1.

  3. Click the Conditions tab.
  4. In the Conditions section, from the Policy Workflow list, ensure that the policy workflow you created in the Policy Workflow section is selected.
  5. From the Device Role list, ensure that the DEFAULT DEVICE ROLE POLICY 1 is selected.
  6. Click the Settings tab.
  7. From the Use Certificate Authority drop-down list, ensure that the Intermediate CA you created in the Certificate Authority section is selected.
  8. From the Use Certificate Template drop-down list, ensure that the Certificate Template you created in the Certificate Template Configuration section is selected.
  9. Click Update.

9.4 Network Policy

To edit the Guest TLS Network Policy, perform the following steps:

  1. Navigate to Policy Management > Network.
  2. Click Edit on the DEFAULT NETWORK POLICY 1.

  3. Click the Conditions tab.
  4. From the Policy Workflow Equals drop-down list, ensure that the policy workflow you created in the Policy Workflow section is selected.
  5. From the Device Role Equals drop-down list, ensure that the DEFAULT DEVICE ROLE POLICY 1 is selected.
  6. Click Update.

10. Guest Authentication

In this section, you can configure and customize TLS authentication for guest onboarding. Admins can design the Guest Landing Page for Guest Onboarding via Self-Registration, with an option to customize the landing pages in different languages and user interfaces.

10.1 Creating a Language Template

The Language Template allows the admin to customize the text on the guest authentication landing page. The landing page of the default language template can be modified, or new foreign language templates, such as Dutch, French, Italian, etc., can be created.


To create a language template, perform the following steps:

  1. Navigate to Guest Authentication > Language Template.
  2. On the Language Template page, click Add Template.

  3. In the Basic tab, enter a name for the Language Template in the Name field.
  4. In the Display Description field, enter a description for the Language Template.
  5. In the Locale field, enter a language code. e.g., nl for Dutch.
  6. Click Save. The page refreshes and opens the Landing Page tab.
  7. Click the Landing Page tab.
  8. In the Page Heading field, enter a name for the heading of the landing page.
  9. In the Page Description field, enter a short description for the landing page.
  10. In the Self Registration Login Button field, enter the name to display on the button on the Guest Landing page.

  11. Click Update.

10.2 Configuring a Guest Registration Network Profile

Guest Registration allows only the Organization Admin role to map the Network Profile of the guest users, enabling them for certificate enrollment and onboarding to the network.

NOTE: Once the Network profile is mapped on the Guest Registration page, you cannot modify the Identity Provider and Network Profile on the Authentication Policies page, nor can you delete the Authentication policy.

  1. Navigate to Guest Authentication > Guest Registration.
  2. To provide TLS authentication for guests, select the Enable checkbox.
  3. To block TLS authentication for guests, clear the Enable checkbox.
  4. From the Network Profile drop-down list, select the guest network profile created in the Creating a Network Profile section.
  5. Click Update.

10.3 Configuring Guest Landing Page

Admins can customize the guest landing page, which is the first page viewed when the guest users attempt to onboard to the network. The configurations made on the Language Template and Self Registration pages are also published on the Landing Page.

  1. Navigate to Guest Authentication > Landing Page.
  2. In the Stylesheet section:
    1. To customize the Guest Landing page design, download the .css file from https://cloud.securew2.com/public/<Organization Code>/guest/css/main.css, edit the file, and then upload it by clicking the Choose file button. The maximum size for a .css file that can be uploaded in the stylesheet section is 100 KB. This URL is also available on the Landing Page.
    2. Click Upload.
    3. When the Reset button is clicked, the uploaded .css stylesheet is removed from the Stylesheet section, and the customized Guest Landing Page is restored to its default state.
  3. In the Profile Logo section:
    1. Click the Choose file button and select the logo for the landing page. The logo must be a bitmap image, 24-bit, with dimensions 383×97 and a resolution of 72 pixels per inch.
    2. Click Upload, and the uploaded image will be displayed as the Organization logo on the Guest Landing Page.
  4. Click Publish.

11. Onboarding Process for Guest Users - Sample Workflow

During device onboarding, the user is redirected to the Guest Landing Page. When the Register button is clicked, the user is directed to the User Onboarding page.

The following is a sample of the customized Guest Landing Page.

11.1 Windows

On the User Onboarding page, the corresponding OS is displayed based on the device’s OS. Below is the sample onboarding flow for the Windows OS platform.


Registration via Mobile OTP





Registration via Google Identity

The onboarding flow for Android and macOS is similar to that of the Windows platform.

11.2 Guest onboarding using iOS devices

Registration via Mobile OTP


Registration via Google Identity












11.3 Guest onboarding using Chromebook devices

Registration via Mobile OTP











Registration via Google Identity









12. Other Possible Use Cases

  1. What happens if an existing guest user attempts to onboard to the network with an already registered phone number or Google email?

The guest user will be allowed to re-enroll, during which the already configured certificate will be automatically revoked, and a new certificate will be issued.

13. Conclusion

The enrolled guest devices and their details can be tracked on the Devices page in the JoinNow Management Portal. To view the Guest device details, navigate to Data and Monitoring > Devices and disable the Managed toggle button.

The values in the Onboarded Devices field under the Subscriptions section display the number of devices with valid certificates that were onboarded via Guest with the TLS feature.

A new report type named “Total Enrolled Guest Devices” has been added to the Predefined Reports page to track enrolled guest devices. To view the Total Enrolled Guest Devices report, navigate to Data and Monitoring > Reports > Predefined Reports.

Wi-Fi Authentication events for guests are available on the RADIUS Events page. To access the RADIUS Events page, log in to the JoinNow Management Portal and navigate to Data and Monitoring > RADIUS Events.

More General Help Explainers