Q: Why is my client able to access the internet through the BSC without logging in or authenticating?
1. Go to Status>Active Connections>All connections.
2. Look for the client's IP address and or mac address in the connections table.
3. Identify what role the client is in.
If the client is in the un-registered role
Before a client authenticates they are placed in the un-registered role. By default, the un-registered role only allows DNS in it's firewall policy. This is so clients can resolve the host name of their original destination and the login page. If the client is able to access the internet it is likely the un-registered role's firewall policy is allowing HTTP/HTTPS to ANY. Clients will be able to access anything that is allowed in the un-registered role before authenticating. At a minimum, DNS should be allowed.
1. Go to User Roles>Roles>Click to edit the un-registered role.
2. Scroll down to the policies section.
3. Make sure you are not allowing HTTP/HTTPS to ANY in the un-registered role's firewall policy. Clients will be able to access anything allowed before authenticating. At a minimum, DNS should be allowed.
If the client is in a role other than the un-registered role
If the client is in a role other than the un-registered role it is likely there is a default role configured on the managed interface that corresponds to the client. When a default role is configured, as soon as traffic is received from a client on that interface, the BSC automatically puts the user in that role.
1. Go to Network>Managed.
2. If you have more than 1 managed interface click to edit the appropriate one that corresponds to the client. If you only have 1 managed interface configured the properties of that interface will be displayed.
3. Click the interface tab if not already selected.
4. Scroll down to the default role.
5. Select un-registered. Clients will now be redirected to the login page.