how to configure walled gardens
How to configure Walled Gardens. What is a Walled Garden? A Walled Garden is an enclosed environment that controls the end user’s access to certain websites and services. The Walled Garden directs the end users navigation path within particular areas to allow and/or prevent access to certain materials. Typically it used to restrict access to the internet.
A Walled Garden approach is different from a regular restriction setup. If you were restricting users access traditionally at a more primal level, you would simply prevent them from getting out to the internet completely. However this approach isn’t particularly user friendly. Utilising a Walled Garden, you can restrict access using a predefined subset of domains and/or IP addresses so that they are allowed access to the outside world, but only those places that are permitted, those within the “garden”. There are also added user friendly features, like you can force your users to authenticate against a portal before they are allowed access to the outside world so they are aware they are in that garden, and you can also present the users with a customised denial page rather than just a generic unable to load type error message.
ISPs like to use Walled Gardens to fence in users for a number of reasons. Shielding children from pornography for example, or collaborating vendors aiming to direct consumer’s internet navigation to each others’ websites thus keeping them from accessing the websites of competitors. However in this document we will be looking at Walled Gardens on a smaller scale, for use in private network environments such as a company’s intranet or a school network.
Essentially we will be restricting wireless LAN traffic users to a predetermined set of addresses. It is theoretically possible to do it with wired connections also but this is much less common.
Configuring Walled Gardens
After logging into the main Meraki portal for the network, navigate to Wireless and then Access Control. Select the SSID that you wish to restrict from the SSID menu and then scroll about halfway down the page to Walled Garden.
Set the option to Walled garden is enabled and an additional form will be displayed. Within this form, simply enter the addresses you wish to allow access to. When you have saved your changes, any users logging into that particular SSID will be contained within that list of domains and addresses.
You can also enforce a splash page login too, by applying the setting Block all access until sign-on is complete and configuring the splash page options in the section above.
Cisco Wireless LAN Controller
As you might expect, the Cisco method of configuring and managing a Walled Garden is a little trickier and there are a few different ways of doing it. This will require that you know the IP ranges of whatever sites you wish to allow access to. This information shouldn’t be too difficult to find, most mainstream websites publish their IP ranges for these purposes, and of course any internal intranet addresses should be known to you or your sys admins.
You will also need to have VLANs configured for your various SSIDs, so that, for instance, a Guest Wifi SSID is in one VLAN, the Staff Wifi SSID is another VLAN, etc. VLANs are configured under Controller and then Interfaces, with each VLAN being a virtual interface obviously.
It is probably a good idea that you name the VLANs with appropriate tags so you can identify them easily later. You then link the VLANs to the SSIDs under the WLANs menu at the top.
To configure the list of destinations you wish to allow to, select Security at the top and Access Control Lists on the left hand side. Create a new access list by hitting New in the top right and then selecting Add New Rule to start adding the rules.
Each rule should be a permit rule, have a source of anywhere, so 0.0.0.0 / 0.0.0.0, and the destination as the network and subnet of the website(s) you want to permit. The source port should be Any and the destination port should be HTTP and/or HTTPS. Leave the rest as default. There is no need to define a Deny All line as this is inferred when you apply the Permit command to the interface.
Now all that is left to do is apply the access lists to the VLANs. Navigate to Controller and then Interfaces and edit the interface (VLAN) that you want to apply the access list to. In the Edit menu, right at the bottom, there is an Access Control List menu. Simply select the name of your ACL from this list and hit Apply.
As with the Meraki, you can configure a customer splash page and URL redirection by navigating to Security and then Web Auth.
First of all you need to define a custom address object group that we will apply to administer the Walled Garden. Navigate to Network and then Address Objects. Scroll down below the Address Groups portion to the Address Objects section.
Click Add and then you will get the following dialogue box:
You will need to create individual address objects for each network you wish to permit. After you have created all of your permit objects, you need to group them into an address object group, so scroll to the top of that screen under Address Object Groups and click Add Group.
Here you will group all of the permit objects you have just defined into one handy group by moving them from the left menu to the right. Remember to give the group a logical name like Wireless Permit or something similar.
After configuring the two necessary address objects, it is time to apply these in the necessary area to restrict/allow them. Navigate to Network and then Zones, and then right at the bottom of the zones list you will see WLAN. Click the pencil icon on the right hand side and you will open the wireless zone settings.
Tick the Enable Guest Services box and the rest of the options will be unlocked. Simply apply the Wireless Allow object group in the Pass Networks drop down menu. By leaving the Deny Networks box empty, you are effectively applying a Deny All else rule.
You can also apply further Walled Garden tweaks by using the Customer Authentication Page and the Post Authentication Page. Unfortunately there doesn’t appear to be a custom deny page available for just the wireless Walled Garden users.