Creating time-based access policies
You may have users who you would like to limit to a specific window of time; for example, you might have guest WiFi but want to limit each user to 60 minutes of internet time per day. This article is devoted to achieving that end!
Start by installing Captive Portal on your Default Policy. Set it to capture all traffic; this way, any device that tries to connect to the internet will receive a Captive Portal page and have to click 'Continue'. (This generates a Captive Portal authentication event, which is the basis for this process.)
The next few steps will require some creativity with Policies and NG Firewall's tagging function. Here's what you'll do:
1. Create a Policy Manager policy for 'No Internet Access' (or whatever you'd like to call it). In that policy, you can create a Firewall app rule to block with no conditions; any traffic passed through that policy won't be able to connect to anything.
2. You'll also install Bandwidth Control and create two rules:
   - 'Give Host a Quota', expiring at the end of the day, with a quota bytes setting of 1
   - 'Set Priority' to 'severely limited' (ideally set to 0.1% in QoS settings)
3. Create a Trigger in Config > Events > Triggers to add a tag to a device once it's completed a Captive Portal login. The tag can be anything you like; in this example, we're using internet-access. That's what you'll use to move the device into the 'internet access' policy. Make sure the tag lifetime is set to 3600 seconds.
4. Create a second Trigger to add a tag for the 24-hour lockout. Set the lifetime to 86400 seconds.
5. Create a Policy Manager rule to move devices into an open internet access policy if they have the tag you created in step #3.
6. Create a Policy Manager rule to move devices into the 'no internet access' policy if they have the tag you created in step #4.
7. Make sure your rules are in the correct order. The rule to give access needs to be ordered above the rule to lock the device out.
You're all set! Now, anyone who connects to your network will be presented with a Captive Portal page. Once they click 'Continue' on that page, their session begins and their device receives two tags: internet-access and lockout. While the device has the internet-access tag, it is moved into the Default Policy; once that tag expires (after the 60-minute/3600-second lifetime), the device no longer meets Policy Manager Rule #1, so NG Firewall moves on to the next rule. The device will still have the lockout tag, so it is moved into the No Internet Access policy (where it stays until the tag expires).
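To see why the rule order matters, the following added example (not NG Firewall's own code and not part of the original article) models first-match rule evaluation against the two expiring tags. The policy labels, function names and the exact expiry boundary are assumptions made for illustration; the tag names and lifetimes are the ones used above.

```python
from dataclasses import dataclass

# Tag lifetimes in seconds, as configured in the two Triggers above.
TAG_LIFETIMES = {"internet-access": 3600, "lockout": 86400}

@dataclass(frozen=True)
class Rule:
    tag: str     # tag the device must currently hold
    policy: str  # policy the device is moved into on a match (label is illustrative)

# Order recommended by the article: the access rule sits above the lockout rule.
CORRECT_ORDER = [
    Rule("internet-access", "Internet Access"),
    Rule("lockout", "No Internet Access"),
]
# The misconfiguration the article warns about.
REVERSED_ORDER = list(reversed(CORRECT_ORDER))

DEFAULT = "Default Policy (Captive Portal)"

def active_tags(seconds_since_login):
    """Tags still alive, assuming both Triggers fired at login and a tag
    disappears once its full lifetime has elapsed (boundary is an assumption)."""
    return {tag for tag, ttl in TAG_LIFETIMES.items() if 0 <= seconds_since_login < ttl}

def select_policy(rules, tags):
    """First matching rule wins; a device with no matching tag stays in the default."""
    for rule in rules:
        if rule.tag in tags:
            return rule.policy
    return DEFAULT

def timeline(rules, checkpoints=(0, 1800, 3599, 3600, 43200, 86399, 86400)):
    """Policy a device lands in at each checkpoint (seconds after portal login)."""
    return {t: select_policy(rules, active_tags(t)) for t in checkpoints}

if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("reversed order", REVERSED_ORDER)):
        print(name)
        for t, policy in timeline(rules).items():
            print(f"  t={t:>5}s -> {policy}")
```

With the rules reversed, the lockout tag matches first and the device is blocked from the moment it logs in, so no guest ever gets the 60 minutes.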