Hotspots

On the Wireless Protection > Hotspots > Hotspots tab you can manage different hotspots.

Note – A hotspot has to be assigned to an existing interface, typically a WLAN interface. All hosts using this interface will automatically be restricted by the hotspot. Therefore, before you create a hotspot you would typically create a wireless network with client traffic Separate Zone, then create an interface for the respective WLAN interface hardware. For more information, see Wireless Protection > Wireless Networks.

To create a hotspot, proceed as follows:

  1. Click Add Hotspot.

    The Add Hotspot dialog box opens.

  2. Make the following settings:

    Name: Enter a descriptive name for this hotspot.

    Interfaces: Add the interfaces which are to be restricted by the hotspot. Please ensure that for the selected interfaces a firewall rule exists which allows the desired traffic. An interface can only be used by one hotspot.

    Caution – You should not select an uplink interface here because traffic to the Internet will be completely blocked afterwards. Additionally, we strongly advise against using interfaces used by servers which provide essential services like authentication. You may irreversibly lock yourself out of WebAdmin!

    Administrative Users: Add or select users for administrative settings. Administrative users are allowed to create vouchers or change the password of the day in the User Portal. By default nobody is allowed to make administrative settings.

    Redirect to HTTPS: If enabled, users will be redirected to HTTPS.

    • Hostname type: Select if you want to redirect to an IP address or to a custom hostname (DNS).
    • Hostname (only available with custom hostname): Select or add the hostname for the redirect.

    Hotspot type: Select the hotspot type for the selected interfaces.

    • Password of the day: A new password will be created automatically once a day. This password will be available in the User Portal on the Hotspots tab which is available to all users specified on the Global tab. Additionally it will be sent to the specified email addresses.
    • Voucher (not available with BasicGuard subscription): With this hotspot type, in the User Portal tokens with different limitations and properties can be generated, printed and given to customers. After entering the code, the customers can then directly access the Internet.

      Note – If only a normal Ethernet interface is configured for this hotspot, SSID and PSK will not be displayed. If you use a normal interface and a WLAN interface, they will be displayed.

    • Terms of use acceptance: Customers can access the Internet after accepting the Terms of Use.
    • Backend authentication: With this hotspot type, users can authenticate via any supported backend mechanism (see Definitions & Users > Authentication Services). With this type, the user credentials are stored to periodically check if the users are still authorized.

    Note – If you select Backend authentication a new entry field for OTP token appears on the login form if Hotspot is configured as an OTP facility.

    Note – Every hotspot type drops the packets if the conditions are not fulfilled. ICMP packets types 8 and 0 (Echo Request and Echo Reply) will not be dropped.

    Password creation time (only with Hotspot type Password of the day): The assigned time of the day at which the new password will be created. At this time the former password will immediately become invalid and current sessions will be cut off.

    Send password by email to (only with Hotspot type Password of the day): Add email addresses to which the password shall be sent.

    Voucher definitions (only with Hotspot type Voucher): Add or select the voucher definitions you want to use for the hotspot. How to add a voucher definition is explained on the Voucher Definitions page.

    Devices per voucher (only with Hotspot type Voucher): Enter the number of devices which are allowed to log in with one voucher during its lifetime. It is not recommended to use the unlimited entry.

    Hotspot users (only with Hotspot type Backend Authentication): Select the users or user groups or add the users that should be able to access the hotspot via backend authentication. Typically, this is a backend user group.

    Session expires (only with Hotspot type Terms of Use Acceptance or Backend Authentication): Select the time span after which the access will expire. After that, with the hotspot type Terms of Use Acceptance, the users have to accept the terms of use again to log in. With the hotspot type Backend Authentication, the users have to authenticate again.

    Synchronize password with PSK of wireless networks (only with Hotspot type Password of the day): Select this option to synchronize the newly generated/saved password with the wireless PSK for separate zone networks.

    Note – With the new PSK all APs that are configured with a separate zone wireless network that is also used as a hotspot interface will be reconfigured and restarted. This means all connections will be dropped.

    Users have to accept terms of use (not with Hotspot type Terms of Use Acceptance): Select this option if you want the hotspot users to accept your terms of use before accessing the Internet.

    • Terms of use: Add the text to be displayed as terms of use. Simple HTML markup and hyperlinks are allowed.

    Redirect to URL after login: If selected, after entering the password or the voucher data, the users will be redirected automatically to a particular URL, e.g., your hotel's website or a webpage stating your portal system policies.

    • URL: URL to which users are redirected.

    Note – When you select hotspot type Voucher the Redirect to URL after login does not automatically redirect to the configured URL. Users will be redirected to a statistics page which contains important information about the voucher, e.g. period of validity. Users will be able to continue to the configured URL when they click on the link: You will be redirected to [URL].

    Comment (optional): Add a description or other information.

  3. Optionally, make the following hotspot customization settings:

    By default, users will be presented with a login page with the Sophos logo. You can use a customized HTML file with your own images and stylesheets. Additionally, you can customize the voucher layout.

    Customization type: Select the customization type. The following types are available:

    • Basic: Use the default login page template. If required, change logo, title, and text.

      Logo: Upload a logo for the login page. Supported image file types are jpg, png and gif. A maximum image width of 300 px and height of 100 px is recommended (depending on the title length). Use the Restore Default button to select the default Sophos logo again.

      Scale logo to recommended size: If selected, a logo exceeding the recommended width or height will be scaled down and displayed in the recommended size. If not selected, the logo will be displayed in the original size.

      Title: Add a title for the login page. Simple HTML markup and hyperlinks are allowed.

      Custom text: Add an additional text for the login page. You can for example enter the SSID of the wireless network to be used. Simple HTML markup and hyperlinks are allowed.

    • Full: Select an individual login HTML page.

      Login page template: Select the HTML template you want to use for your individual login page. Clicking the Folder icon opens a window where you can select and upload the file. Use the Restore Default button to select the default Sophos HTML template again. In this template, you can use variables that can dynamically insert information for each hotspot. For example, you can add the company name and administrator information, the terms of use and the login form. See detailed information below, in Using Variables in Login Page Template. You can download the default HTML template on the Wireless Protection > Hotspots > Global tab.

      Images/Stylesheets: Add files that are referenced in your login page template, e.g., images, stylesheets, or JavaScript files. Clicking the Folder icon opens a window where you can select and upload the files.

    Voucher template (only with hotspot type Voucher): Clicking the Folder icon opens a window where you can select and upload the PDF file with the voucher layout. By default, a default template is used. You can restore the default by clicking the Restore Default button. The voucher PDF file must be PDF version 1.5 or lower. It may have any page size and format; both size and format will be adjusted during voucher creation in the User Portal, depending on the page size and number of vouchers per page specified there. You can download the default PDF template on the Wireless Protection > Hotspots > Global tab.

    The PDF file may contain the following variables that will be replaced with the respective values during voucher generation in the User Portal:

    • Wireless network name (SSID): <?ssid0?> (and <?ssid1?>, <?ssid2?> and so on, if the WLAN has more than one SSID)
    • Wireless network password: <?psk0?> (and <?psk1?>, <?psk2?> and so on, if the WLAN has more than one SSID)
    • Voucher code: <?code?>
    • Voucher validity time: <?validity?>
    • Voucher data limit: <?datalimit?>
    • Voucher time limit: <?timelimit?>
    • Comment: <?comment?>
    • QR code with the hotspot access data encoded: <?qrX?>. The upper left corner of the QR code will be placed on the lower left corner of the variable.

    Note – When using variables, the PDF file must include the entire character sets of the fonts used. When a variable is replaced by its value, and one of the substitute characters is not available, it will be displayed incorrectly. We recommend adding the string <?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?> (for English usage) to your PDF file, which will automatically be removed during voucher generation. If you use another language, you can include any other character set you want. Additionally, it is recommended to use a separate line for the variables as the layout could get corrupted if the substituted text is too long.

  4. Click Save.

    The hotspot will be created and appears on the Hotspots list.

Tip – You can open a preview of the login page after saving the hotspot. In the Hotspots list just click the button Preview Login Page of the respective hotspot.

To either edit or delete a hotspot, click the corresponding buttons.

Cross Reference – Find information about enabling backend authentication for hotspots in the Sophos Knowledge Base.

Using Variables in Login Page Template

The HTML template for the login page may contain various variables that can dynamically insert information for the hotspot login page. When Sophos UTM processes a template in order to display a login page, it replaces any template variables with the relevant value. Valid variables are:

Templates can contain if variables that make up sections like the ones shown below. Each section has an opening and a closing variable. The contents of an if section are only displayed under a specific condition.

If Section (opening and closing variable): Meaning

• <?if_loggedin?> <?if_loggedin_end?>: Section is displayed when the user has successfully logged in.
• <?if_notloggedin?> <?if_notloggedin_end?>: Section is displayed when the user has not yet logged in, e.g., because terms of use have to be accepted or because an error occurred.
• <?if_authtype_password?> <?if_authtype_password_end?>: Section is displayed when hotspot type is Password of the day.
• <?if_authtype_disclaimer?> <?if_authtype_disclaimer_end?>: Section is displayed when hotspot type is Terms of Use Acceptance.
• <?if_authtype_token?> <?if_authtype_token_end?>: Section is displayed when hotspot type is Voucher.
• <?if_authtype_backend?> <?if_authtype_backendtoken_end?>: Section is displayed when hotspot type is Backend Authentication.
• <?if_location?> <?if_location_end?>: Section is displayed when the user has been redirected.
• <?if_redirect_url?> <?if_redirect_url_end?>: Section is displayed when the checkbox Redirect to URL after login is enabled.
• <?if_not_redirect_url?> <?if_not_redirect_url_end?>: Section is displayed when the checkbox Redirect to URL after login is disabled.
• <?if_timelimit?> <?if_timelimit_end?>: Section is displayed when a validity period is set for a voucher.
• <?if_trafficlimit?> <?if_trafficlimit_end?>: Section is displayed when a data volume is set for a voucher.
• <?if_timequota?> <?if_timequota_end?>: Section is displayed when a time quota is set for a voucher.
• <?if_maclimit?> <?if_maclimit_end?>: Section is displayed when a Devices per voucher value is specified.
• <?if_terms?> <?if_terms_end?>: Section is displayed when Terms of Use are defined and enabled.
• <?if_error?> <?if_error_end?>: Section is displayed when an error occurred while trying to log in.
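
A misspelled or unclosed if section is easy to miss in a custom login page template, so it helps to check the file before uploading it. The following is an added example, not part of the Sophos documentation or product: the function lint_template, the SAMPLE template and the rule that if sections must be properly nested are assumptions made for illustration, and the section names are taken from the list on this page.

```python
import re

# If-section names from the table on this page; each closes with "<name>_end".
NAMES = ("loggedin notloggedin authtype_password authtype_disclaimer "
         "authtype_token location redirect_url not_redirect_url timelimit "
         "trafficlimit timequota maclimit terms error").split()
SECTIONS = {f"if_{n}": f"if_{n}_end" for n in NAMES}
# This pair is copied as printed on the page; confirm it against the default
# template downloadable from the Global tab before relying on it.
SECTIONS["if_authtype_backend"] = "if_authtype_backendtoken_end"
CLOSERS = set(SECTIONS.values())
TOKEN = re.compile(r"<\?(\w+)\?>")


def lint_template(html):
    """Return (line, message) problems in the if sections of a template.

    Assumption: sections must be properly nested and must not overlap.
    """
    problems, stack = [], []  # stack: (opener, line) of sections still open
    for m in TOKEN.finditer(html):
        name, line = m.group(1), html.count("\n", 0, m.start()) + 1
        if name in SECTIONS:
            stack.append((name, line))
        elif name in CLOSERS:
            if name not in [SECTIONS[op] for op, _ in stack]:
                problems.append((line, f"<?{name}?> has no open section to close"))
                continue
            while SECTIONS[stack[-1][0]] != name:  # inner sections left open
                op, ln = stack.pop()
                problems.append((ln, f"<?{op}?> is still open at <?{name}?> (line {line})"))
            stack.pop()
        elif name.startswith("if_"):
            problems.append((line, f"<?{name}?> is not an if section listed on the page"))
    return problems + [(ln, f"<?{op}?> is never closed") for op, ln in stack]


# Constructed sample template (not the Sophos default template).
SAMPLE = """<html><body>
<?if_notloggedin?>
  <?if_error?><p>Login failed.</p>
  <?login_form?>
<?if_notloggedin_end?>
<?if_loggedin?><p>You are online.</p><?if_loggedin_end?>
<?if_authtype_voucher?>...<?if_authtype_voucher_end?>
</body></html>"""

if __name__ == "__main__":
    for line, msg in lint_template(SAMPLE):
        print(f"line {line}: {msg}")
```

On the constructed sample it reports the unclosed <?if_error?> on line 3 and the two <?if_authtype_voucher…?> variables on line 7, which are not in the list above (the Voucher type uses <?if_authtype_token?>).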

User-Specific Login Form

If you want to create your own login form instead of using the pre-defined <?login_form?> variable, consider the following:

Cross Reference – Find information about customizing the login page for Sophos UTM hotspots in the Sophos Knowledge Base.