User's Guide 8.2
Contents
1. ...Installation will now try to contact the Nomadix license key server. In order to proceed, the NSE must be able to connect to the Internet. Do you want to configure the NSE's IP and DNS settings? [yes/no]: y

Configuring minimal WAN interface connectivity parameters. Configuration Mode [static] (static, dhcp, pppoe). (Figure 1: Initial minimal WAN port configuration.)

Select the desired configuration mode and use the following steps to configure the WAN port for either Static IP, DHCP client or PPPoE.

Step 1a: Static WAN IP Configuration. Accept static as the default configuration mode and enter the following mandatory settings, shown in Figure 2 (Initial WAN port settings):
- IP Address: your WAN IP address (the example screen shows 10.0.0.10)
- Subnet Mask: your subnet mask (255.255.255.0)
- Gateway IP: your gateway IP address (10.0.0.1)
- WAN 802.1Q tagging: Disabled
- VLAN ID: 1
- DNS Domain Name (nomadix.com in the example)
- DNS Server 1: your primary DNS IP; DNS Server 2 and DNS Server 3: 0.0.0.0 if unused

A WAN port summary page will then be displayed, as shown in Figure 3: Port Name WAN, Port Role wanIf, Configuration Mode static, IP Address (your IP address), Subnet Ma...
2. Information and Control Console (ICC), Subscriber Console: for each redirect button you define
- Target URL: where subscribers are sent when they click on the button.
- Image Name: the image file you want to use for the button. When assigning images for buttons, refer to Pixel Sizes on page 232.

If you assign or change button images or banner images, the Access Gateway must be rebooted for your changes to take effect. When you have completed assigning all your redirect buttons, click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. You can now assign the banners that you want to display to subscribers.

Assigning Banners
1. From the Subscriber Console Information and Control Console (ICC) Setup screen, click on the Configure Banners link. The Subscriber Console ICC Banners Setup screen appears. Each banner row has a Start Time, Name, Text, Target URL, Image Name and a duration value; the sample screen lists Banner 1 Amazon (http://www.amazon.com, Amazon.gif, 2), Banner 2 Jobs Online at JOE (http://www.jobsonline.com, Jobs.jpg, 4), Banner 3 YellowPages (http://www.yellowpages.com, Yellow.jpg, 6), Banner 4 Education.com (http://www.edu.com, Edu.jpg, 8), Banner 5 Pri...
3. DHCP pools. The DHCP screen lists the Public Pool, Private Pool, IP Upsell Pool and Default Pool, with Modify Pool, Remove Pool and Add a new pool actions, plus Additional DHCP Options (Add/Modify an option).

Option data may be entered as ASCII text or in hex format by prefixing it with 0x. For hex data expressing 32-bit, 16-bit or 8-bit integer values, an appropriate number of leading zeroes must be entered so the value fills its full width. The example screens show two existing additional options: Code 66 (tftpserver.xyzcompany.com, later modified to tftpserver1.ourcompany.com) and Code 24 (10005675); "2 additional options are defined for this pool."

Edit a DHCP Pool fields: DHCP Server IP (10.0.0.4 in the example), DHCP Server Netmask (255.255.255.0), DHCP Pool Start IP, DHCP Pool Stop IP, DHCP Lease Minutes (60), Router/DHCP Server IP. Note: please make sure pools do not overlap.

Setting the DNS Options: DNS allows subscribers to enter meaningful URLs into their browsers i...
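The Data-field rule above (ASCII as typed, or 0x-prefixed hex zero-padded to the integer's 8/16/32-bit width) is easy to get wrong by hand, so here is an added example, written for this page and not Nomadix code, that produces the exact string to enter for an option, parses it back the way the screen describes, and packs it into the code/length/data form DHCP puts on the wire. The widths for the integer options come from RFC 2132; only codes 24 and 66 appear on the page, the other codes in the table are my additions.

```python
"""DHCP option data as the NSE "Additional DHCP Options" screen expects it.

Added example, not Nomadix code. The screen accepts option data as ASCII
text or as 0x-prefixed hex, and integer values must be zero-padded to their
8/16/32-bit width. Widths below follow RFC 2132; only option codes 24 and 66
appear on the page, the rest are added here for illustration.
"""
import struct

# RFC 2132 integer-valued options and their fixed byte width.
INTEGER_OPTION_WIDTH = {
    23: 1,   # Default IP TTL
    24: 4,   # Path MTU Aging Timeout (seconds) - shown on the page
    26: 2,   # Interface MTU
    35: 4,   # ARP cache timeout
    51: 4,   # IP address lease time
    58: 4,   # Renewal (T1) time
    59: 4,   # Rebinding (T2) time
}


def format_option_data(code, value):
    """Return the string to type into the Data field for this option code."""
    if isinstance(value, bool):
        raise TypeError("pass an int, str or bytes")
    if isinstance(value, int):
        width = INTEGER_OPTION_WIDTH.get(code)
        if width is None:
            raise ValueError(f"option {code} is not an integer option; pass text or bytes")
        if not 0 <= value < (1 << (8 * width)):
            raise ValueError(f"{value} does not fit in {width} byte(s)")
        # Leading zeroes are produced by to_bytes(width), which is the padding rule.
        return "0x" + value.to_bytes(width, "big").hex().upper()
    if isinstance(value, bytes):
        return "0x" + value.hex().upper()
    if isinstance(value, str):
        if not value.isascii() or value.lower().startswith("0x"):
            raise ValueError("ASCII text only; text starting with 0x would be read as hex")
        return value
    raise TypeError(type(value))


def parse_option_data(text):
    """Interpret a Data field the way the screen describes: 0x-prefixed hex or ASCII."""
    if text[:2].lower() == "0x":
        hexdigits = text[2:]
        if not hexdigits or len(hexdigits) % 2:
            raise ValueError("hex data needs an even number of digits (pad with leading zeroes)")
        return bytes.fromhex(hexdigits)
    return text.encode("ascii")


def option_to_wire(code, text):
    """Pack code, length and data as they appear in a DHCP message (RFC 2132 TLV)."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1..254 (0 is pad, 255 is end)")
    data = parse_option_data(text)
    if len(data) > 255:
        raise ValueError("option data longer than 255 bytes")
    return struct.pack("!BB", code, len(data)) + data


if __name__ == "__main__":
    # Constructed values: the TFTP server name from the page and a 32-bit timeout.
    print(format_option_data(66, "tftpserver.xyzcompany.com"))
    print(format_option_data(24, 300))          # 0x0000012C, padded to four bytes
    print(option_to_wire(24, "0x0000012C").hex())
```

Note that option 66 (TFTP server name) steers where DHCP clients fetch boot or provisioning files from, so the pool that carries it should only be served to the devices that need it.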
4. The following diagram shows a sample RADIUS configuration file, meta file and an illustration of the FTP server setup. The meta file ftp://usgftp1/config242/CNFGLIST.TXT lists the configuration files to fetch: current.txt, dhcppools.txt, roomfile.dat, subnets.dat, uf_dns.txt, uf_ip.txt, nataddr.txt, mfilter.txt, mappings.txt, access.txt. The FTP directory listing for usgftp1/config242 shows CNFGLIST.TXT (149 bytes), CURRENT.TXT (17.4 KB), DHCPPOOLS.TXT (5.50 KB), SUBNETS.DAT (160 bytes), UF_DNS.TXT (43 bytes) and UF_IP.TXT (12 bytes).

The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto Configuration option and rebooting the device, for example using SNMP. Because these files are fetched over FTP, which carries credentials and content in cleartext, the FTP server should only be reachable from the gateway's management network and the fetched configuration should be checked after each reboot. See also Defining Automatic Configuration Settings (Auto Configuration).

Setting Up Bandwidth Management (Bandwidth Manag...
5. Enable or disable the Fail Over feature as required. If you enabled Fail Over, define the Sibling Status (Primary or Secondary), enter an IP address in the Sibling IP Address field, define the port in the Fail Over Port field and select the Secondary To Primary Fail Over Time. The time set here is how long the Secondary will wait while not receiving messages from the Primary before it takes over. Click on the check box for Reboot after changes are saved. If you are using RADIUS, it is recommended to add both Nomadix gateways to the RADIUS server. Click on the Submit button to save your changes, or click on the Reset button to reset all values to their previous state.

Viewing the History Log (History)
You can view a history log of the system's Access, Reboot and Uptime activities. The history log contains up to 500 entries; once it is full, each new log item removes the oldest entry in the list. The latest entry is always at the top of the list. Because older entries are overwritten, forward the system and AAA logs to a syslog server if you need a longer record for incident investigation. To view the history log, go to the Web Management Interface and click on System, then History. The Uptime and Access/Reboot History screen appears, showing the Uptime indicator (days, hours, minutes) and the Access and Reboot History table with the columns No., Timestamp, Login, IP and Message.
6. Cygwin Setup: the installer shows the packages being installed (for example cygwin-1.3.2-1.tar.gz and C:\cygwin\bin\strace.exe). There will be a pop-up dialog to inform you that the installation process is completed; click on the OK button.

Private Key Generation
Create a directory from the root and put 5 random files (a.dat, b.dat, c.dat, d.dat and e.dat; see note) into the C:\cygwin\bin directory, or the directory where you installed openssl.exe. These random files can be any file type, such as Word or Excel documents; rename them to the .dat names shown above. All files must follow the DOS naming format (maximum 8 characters).

Run the command prompt from Windows (Start, Run, type the program name and click OK), change to the C:\cygwin\bin directory and run the following command:

  openssl genrsa -rand file1:file2:file3:file4:file5 1024 > cakey.pem

With the five files above the screen shows: openssl genrsa -rand a.dat:b.dat:c.dat:d.dat:e.dat 1024, "313344 semi-random bytes loaded", "Generating RSA private key, 1024 bit long modulus", "e is 65537 (0x10001)". Note that a 1024-bit RSA key is below today's accepted minimum of 2048 bits, and current OpenSSL releases seed from the operating system's random source, so the -rand file list is no longer needed; office documents are in any case a poor entropy source.

The following table provides an explanation of the command elements: openssl, the openssl command; genrsa, ...
7. The Subscriber Interface. (Figure: Subscriber Login and Subscriber Management, the Internal Web Server on flash for login pages, an External Web Server for login and portal pages, the Internal Web Management Interface, Authentication and Authorization against the Internal User Database and Authorization Table, the AAA Internal Accounting Log, and Billing Mirror Server(s).)

The Authentication module is responsible for ensuring that when subscribers log in to the system they are correctly identified. It can identify subscribers in many different ways, for example:
- based on their hardware MAC address
- by validating their user name and password
- by looking up subscribers in a local flash database
- by looking up subscribers in a remote database
The Authentication module can support user name and MAC address authentication simultaneously. A MAC address is trivially spoofed by any subscriber on the same segment, so MAC-based authentication identifies a device rather than a person and should not be the only control on paid or privileged access.

The initial login page can be presented in various ways, depending on the system's configuration. The Access Gateway supports any of the following methods and tools:
- internal and external Web pages
- an external portal page for redirection
- user name and MAC based logins, simultaneous or stand-alone
- user-selectable options and parameters, for example defining the time purchased
- interaction with a Property Management System (PMS) and Web interfaces enabling administrat...
8. The Access Gateway ensures that all traffic to the Internet is blocked until authentication has been completed, creating an additional level of security in the network. The Access Gateway also allows service providers to create their own "walled garden", enabling users to access only certain predetermined Web sites before they have been authenticated. Nomadix simultaneously supports the secure browser-based Universal Access Method (UAM), IEEE 802.1X, and Smart Clients from companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass. MAC-based authentication is also available.

Security: the patented iNAT (Intelligent Network Address Translation) feature creates an intelligent mapping of IP addresses and their associated VPN tunnels, described by Nomadix as the most reliable multi-session VPN passthrough tested against diverse VPN termination servers from companies such as Cisco, Checkpoint, Nortel and Microsoft. iNAT allows multiple tunnels to be established to the same VPN server, creating a seamless connection for all users on the network. The Access Gateway provides fine-grained management of Denial of Service (DoS) attacks through its Session Rate Limiting (SRL) feature and MAC filtering, for improved network reliability.

5-Step Service Branding: a network enabled with the Nomadix Access Gateway offers a 5-step service branding methodology for service providers and their partners, comprising 1. Initial Flas...
9. Using the 8.2 NSE you can select specific fields to display and can sort the Current Subscribers table on any field; click any table header to sort on that field. Display options: Port, Room, User Name, Bandwidth, Throughput, AAA State, Expiration, Idle, MBytes, Total, Proxy, NAT IP, Interface.

Deleting Subscriber Profiles by MAC Address (Delete by MAC)
This procedure shows you how to delete a subscriber profile from the Access Gateway's database of authorized subscribers based on the profile's MAC address. To see a current listing of the subscriber database sorted by MAC address, go to Listing Subscriber Profiles by MAC Address (List by MAC) on page 216.
1. From the Web Management Interface, click on Subscriber Administration, then Delete by MAC. The Delete a Subscriber Profile by MAC screen appears, with an Enter MAC Address field and Delete and Reset buttons.
2. In the Enter MAC Address field, enter the MAC address of the profile you want to delete.
3. Click on the Delete button to delete this subscriber profile, or click on the Reset button if you want to reset the MAC Address field to all zeros.

Deleting Subscriber Profiles by User Name (Delete by User)
This procedure shows you how to delete a subscriber profile from the Access Gateway's database of authorized subscribers based on the profile's user name. To see a current listing...
10. AAA Services screen (example values from the page): Credit Card Server URL https://secure.authorize.net/gateway/transact...; Enable / Enable write-only options; External Web Server Secret Key (the example shows bigbrowndog); External login page URL (http://usg.nomadix.com/usg/newuserlogin.as...); Parameter Signing Method: None, HASH CRC32 or HMAC MD5; Parameters: PORT, ESIP, ...; Set Shared Secret; Reboot after changes are saved: Yes.

Warning: changing URLs on this page may result in removal of the hostname portion of the URL from the Passthrough Addresses. Verification of the Passthrough Addresses configuration is recommended. This warning pertains to (1) Portal Page URL, (2) Portal XML POST URL, (3) Credit Card Server URL and (4) External login page URL. Submit / Reset.

2. Enable or disable AAA Services. If you enable AAA Services, go to Step 3; otherwise this feature is disabled and you can exit the procedure.
3. Select a Logout IP address from the drop-down list. The list contains IP addresses that can be used as the logout IP address; the default is 1.1.1.1.
4. Enable or disable the XML Interface as required. XML is used by the Access Gateway's subscriber management module for port location and user administration. Enabling the XML interface allows the Access Gateway to accept and process XML commands from an external source, so restrict which sources may reach it. XML commands are sent over th...
11. Remote logging acknowledgement (RMTLOG_ACK) format:

  <USG COMMAND="RMTLOG_ACK">
    <ACK_VALUE>RESULT_VALUE</ACK_VALUE>
    <IP_ADDR>Server IP</IP_ADDR>
    <ERROR_CODE>ERROR_CODE</ERROR_CODE>
  </USG>

Example of a positive acknowledgement:

  <USG COMMAND="RMTLOG_ACK">
    <ACK_VALUE>OK</ACK_VALUE>
    <IP_ADDR>11.22.33.44</IP_ADDR>
    <ERROR_CODE>1</ERROR_CODE>
  </USG>

Example of a negative acknowledgement:

  <USG COMMAND="RMTLOG_ACK">
    <ACK_VALUE>ERROR</ACK_VALUE>
    <IP_ADDR>11.22.33.44</IP_ADDR>
    <ERROR_CODE>5</ERROR_CODE>
  </USG>

Format for each field: RESULT_VALUE is OK or ERROR; IP is in standard dotted-quad format (123.123.123.123); ERROR_CODE is 1 for OK or any other number for an error. Please contact Nomadix Technical Support for the complete XML DTD; refer to Contact Information on page 353. For more information about Billing Records Mirroring, see also Billing Records Mirroring on page 10 and Establishing Billing Records Mirroring (Bill Record Mirroring) on page 98.

Troubleshooting
This chapter provides information to help you resolve common hardware and software problems. It also contains a list of known error messages associated with the Management Interface: General Hints and Tips, Management Interface Error Messages, Common Problems. General H...
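The acknowledgement above arrives from a remote server, so the receiving side should treat it as untrusted input and check that the three fields agree with the stated format before acting on it. This is an added example written for this page, not Nomadix code: it parses the RMTLOG_ACK element, validates each field, and refuses replies where ACK_VALUE and ERROR_CODE contradict each other. The attribute spelling COMMAND="RMTLOG_ACK" is assumed from the extracted text (the quotes were stripped), and the size bound is my choice.

```python
"""Parse and validate the RMTLOG_ACK reply shown above.

Added example, not Nomadix code. Only the fields on the page are used; the
NSE's full DTD is not available here, so anything else in the reply is
ignored rather than interpreted.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MAX_ACK_BYTES = 4096  # assumption: acks are a few lines, so cap what reaches the parser


class AckError(ValueError):
    """Raised for any reply that does not match the documented format."""


@dataclass(frozen=True)
class RemoteLogAck:
    ok: bool
    server_ip: str
    error_code: int


def parse_rmtlog_ack(document):
    """Return a RemoteLogAck for a well-formed reply, or raise AckError."""
    if len(document) > MAX_ACK_BYTES:
        raise AckError("reply too large")
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        raise AckError(f"malformed XML: {exc}") from None
    if root.tag != "USG" or root.get("COMMAND") != "RMTLOG_ACK":
        raise AckError("not a RMTLOG_ACK reply")

    fields = {}
    for name in ("ACK_VALUE", "IP_ADDR", "ERROR_CODE"):
        element = root.find(name)
        if element is None or element.text is None:
            raise AckError(f"missing {name}")
        fields[name] = element.text.strip()

    ack = fields["ACK_VALUE"]
    if ack not in ("OK", "ERROR"):  # RESULT_VALUE is OK or ERROR
        raise AckError(f"unexpected ACK_VALUE {ack!r}")
    try:
        server_ip = str(ipaddress.IPv4Address(fields["IP_ADDR"]))  # dotted quad only
    except ipaddress.AddressValueError:
        raise AckError("IP_ADDR is not a dotted-quad IPv4 address") from None
    try:
        code = int(fields["ERROR_CODE"], 10)
    except ValueError:
        raise AckError("ERROR_CODE is not an integer") from None
    # The page states: 1 means OK, any other number is an error. Reject a
    # reply whose two fields disagree instead of trusting either one.
    if (ack == "OK") != (code == 1):
        raise AckError(f"ACK_VALUE {ack} disagrees with ERROR_CODE {code}")
    return RemoteLogAck(ok=(ack == "OK"), server_ip=server_ip, error_code=code)


# Constructed samples, transcribed from the examples on the page.
POSITIVE_ACK = """<USG COMMAND="RMTLOG_ACK">
<ACK_VALUE>OK</ACK_VALUE>
<IP_ADDR>11.22.33.44</IP_ADDR>
<ERROR_CODE>1</ERROR_CODE>
</USG>"""

NEGATIVE_ACK = """<USG COMMAND="RMTLOG_ACK">
<ACK_VALUE>ERROR</ACK_VALUE>
<IP_ADDR>11.22.33.44</IP_ADDR>
<ERROR_CODE>5</ERROR_CODE>
</USG>"""

# Constructed invalid sample: says OK but carries an error code.
INCONSISTENT_ACK = """<USG COMMAND="RMTLOG_ACK">
<ACK_VALUE>OK</ACK_VALUE>
<IP_ADDR>11.22.33.44</IP_ADDR>
<ERROR_CODE>5</ERROR_CODE>
</USG>"""

if __name__ == "__main__":
    print(parse_rmtlog_ack(POSITIVE_ACK))
    print(parse_rmtlog_ack(NEGATIVE_ACK))
```

The stdlib parser is used for brevity; when the sender is not fully trusted, keep the size cap and prefer a parser configured to reject DTDs and entity expansion.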
12. ...on page 148 for more information.
13. Enable SMTP Redirection to allow the specified user to have their SMTP traffic redirected by the global SMTP redirect configuration. Click on the Add button to add this device to the database, or click on the Reset button if you want to reset all the values to their previous state.

Adding a Group Type Profile
Several changes have been made to improve the NSE's handling of group account administration:
- Group accounts can now be configured with a maximum user value, which limits the number of subscribers that can be logged in through the account at any given time.
- Group accounts can now be added via XML using the GROUP_ADD command.
- The overall layout and behavior of the WMI Subscriber Profile page has been modified to better reflect the configuration status of different account types and to better support the Group Account changes.
The method of identifying an account as a group has been modified. Instead of simply selecting a checkbox on the Subscriber page, group accounts now constitute a separate account type alongside Subscriber and Device. The Group Account checkbox has been removed from the bottom of the page and replaced with a Group Account button in the profile selection at the top. A Maximum Users per Group field has been added to allow setting the group user limit.
1. From the Web Management...
13. Network settings screen (example values): Default Gateway 172.17.255.254; Gateway ARP Refresh Interval (secs) 200; Enable additional NAT IP addresses: Yes; NAT IP Address; Current NAT IP Addresses 172.17.0.111, 172.17.0.112, 172.17.0.113; Reboot after changes are saved: Yes.

2. Enter your location information in the following fields: Company Name; Site Name; Address Line 1 and Line 2; City, State, Zip and Country; E-mail Address; ISO Country Code; Phone Country Code; Calling Area Code.
3. Select the area type that most resembles your location from the drop-down list.
4. Enter a Network SSID Zone.
5. To enable 802.1Q WAN-side tagging, check the box labeled Enable WAN 802.1Q tagging and, if necessary, enter the tag number.

Warning: changing these settings could result in loss of connectivity. You must reboot the system if you make changes to any of the following IP settings, and you may lose your connection if you change the IP settings incorrectly, for example by using invalid IP addresses. If you misconfigure the Access Gateway and network connectivity is lost, you can still access the Access Gateway from the Command Line Interface (CLI) via a direct serial connection; in this case refer to Powering Up the System on page 30 and Logging In on page 76. All IP addresses must be established, otherwise the Access Gateway will not be visible on the network.
6. Make a selection for Network Configur...
14. WAN port DHCP client configuration summary (Figure 5): Port Role wanIf; Configuration Mode dhcp; IP Address (your IP address); Subnet Mask (your subnet mask); Gateway IP (your gateway IP address); WAN 802.1Q tagging Disabled; VLAN ID 1; DNS Domain Name (your domain name); DNS Server 1 (your primary DNS IP address); DNS Server 2 and DNS Server 3 0.0.0.0; Additional NAT IP addresses Disabled.

Ethernet port WAN interface configuration menu:
  show all                  Show all WAN interface configurations
  show interface <name>     Show a single WAN interface configuration
  modify interface <name>   Modify a single WAN interface configuration
  Type b to go back, <esc> to abort, ? for help.

If everything is correct in the summary, type b (back) to return to the previous menu and proceed to step 2 to enter location information. Otherwise select an option from the Ethernet port configuration menu to display or make changes to the WAN port settings. When finished with the settings, type b (back) to return to the previous menu and go to step 2.

Step 1c: PPPoE Dynamic IP Client Configuration. Enter p (pppoe) when prompted. Enter the following mandatory settings for a PPPoE connection with dynamic PPP IP configuration, shown in Figure 6. Configuring minimal WAN interface connectivity parameters: Port Role [wanIf] (outOfService, subscriberIf, wanIf); Confi...
15. (Submit / Reset.) System Menu: Adding an ARP Table Entry (ARP Add)
ARP (Address Resolution Protocol) is used to dynamically bind a high-level IP address to a low-level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting. This procedure shows you how to add an ARP table entry. Note: NSE 8.2 consolidates ARP operations to a single screen; see Adding and Deleting ARP Table Entries (8.2).

1. From the Web Management Interface, click on System, then ARP Add. The Add ARP Table Entries screen appears. It lists the current entries (Internet Address, Physical Address, Flags, Use, Interface; the example row is 67.130.149.190, 00:06:28:7a:8e:72, 0x8405, 0, Network) and provides Enter IP Address and Enter MAC Address fields, a Type selector (Static, Persistent) and an Interface selector (Network, Subscriber 1, Subscriber 2).
2. Enter the IP Address of the entry you are adding.
3. Enter the MAC Address of the entry you are adding.
4. Define whether this entry is
   - Static: will only last until the next reboot.
   - Persistent: will be written to the current.txt file and loaded on each boot of the NSE.
5. Define the interface that the device for this ARP entry is connected to:
   - Network: WAN interface
   - Subscriber 1: LAN 1 interface
   - Subscriber 2: LAN 2 interface
6. Click on the Add button to add you...
16. ...a registered trademark of the Wi-Fi Alliance) are certified as interoperable with each other, even if they are from different manufacturers. A user with a Wi-Fi Certified product can use any brand of access point with any other brand of client hardware that is also certified. Typically, however, any Wi-Fi product using the same radio frequency (for example 2.4 GHz for 802.11b or 802.11g, or 5 GHz for 802.11a) will work with any other product, even if that product is not Wi-Fi Certified.

WLAN (Wireless Local Area Network): also referred to as LAWN. A type of local area network that uses high-frequency radio waves rather than wires to communicate between nodes. See also Node.

WMI (Web Management Interface): the browser-based system administrator's interface for all Nomadix gateways.

WPA (Wi-Fi Protected Access): a Wi-Fi standard that was designed to improve upon the security features of WEP. The technology is designed to work with existing Wi-Fi products that have been enabled with WEP, as a software upgrade to existing hardware, and includes two improvements over WEP: improved data encryption through the Temporal Key Integrity Protocol (TKIP), which derives per-packet keys using a mixing function and adds a message integrity check so that tampered frames are detected; and user authentication, which is generally missing in WEP, through the Extensible Authentication Protocol (EAP). WEP regulates acc...
17. ...or you can enable the Access Gateway to act as its own DHCP server. In both cases DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers. The Access Gateway's adaptive configuration technology also provides Dynamic Address Translation (DAT) functionality. DAT is automatically configured to facilitate plug-and-play access for subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access regardless of their computer's network settings.

1. Enter c (configuration) at the Access Gateway Menu. The Configuration menu appears.
2. Enter dh (dhcp).

By default the Access Gateway is configured to act as its own DHCP server and the relay feature is disabled. Please verify that your DHCP server supports DHCP relay packets before enabling the relay; not all devices containing DHCP servers (for example routers) support DHCP Relay functionality. When assigning a DHCP Relay Agent IP address for the DHCP Relay, ensure that the IP address you use does not conflict with devices on the network side of the Access Gateway. Although you cannot enable the DHCP relay and the DHCP service at the same time, it is possible to disable both functions from the Command Line Interface; in this case a warning message informs you that no DHCP services are available to subscribers.
18. ...statistics, you can clearly see if the subscriber made a successful connection. To view the list of Current Subscriber Connections, go to the Web Management Interface, click on Subscriber Administration, then click on Current. The Current Subscribers screen appears, showing the usage statistics for all subscribers currently connected to the system.

The screen shows the Subscriber Idle Timeout (1200 in the example; it does not apply to RADIUS subscribers; Factory default) and a table with the columns MAC, IP, Port, AAA State, Expiration, Idle Timeout, Bytes Sent, Bytes Received, Total, Proxy and NAT IP. In the sample, subscribers on 10.0.0.11 to 10.0.0.14 (ports 1 to 3) are in the Valid state with Proxy OFF, NAT IPs in 172.17.0.112 to 172.17.0.113, and Expiration either Unlimited or a remaining RADIUS session time.

In the State field, Valid denotes that the subscriber has been authenticated; Pending indicates that the subscriber is still waiting for authentication. To view individual subscribers, click on the linked MAC address.
19. DHCP settings (example): DHCP Server IP 10.0.0.4; DHCP Server Subnet Mask 255.255.255.0; DHCP Pool Start IP Address 10.0.0.12; DHCP Pool End IP Address 10.0.0.72; DHCP Lease Minutes 1440.

An example of a basic network including an AG is shown in Figure 10: Client, Switch, AG, Router, Service (Figure 10: Example of a network setup).

The Management Interfaces (CLI and Web)
The Access Gateway supports various methods for managing the system remotely. These include an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. Telnet and SNMPv2c carry credentials and community strings in cleartext, so limit them to a trusted management network. However, until the unit is installed and running, system management is performed from the Access Gateway's embedded CLI via a direct serial cable connection. The CLI can also be accessed remotely. Until the unit is installed on the customer's network and a remote connection is established, the CLI is the administrator's window to the system; this is where you establish all the Access Gateway start-up configuration parameters, depending on the customer's network architecture. The Access Gateway Menu is your starting point. From here you access all the system administration items from the five primary menus available: Configuration, Network Info, Port Location, Subscribers, System.

Although the basic functional elements are the same, the CLI and the WMI have some minor...
20. DAT session table. Each row shows a session ID, the subscriber's source IP:port and MAC, the translated NAT IP:port, the destination IP:port, the protocol and the state (with idle time where applicable). Sample rows from the page:
  131072009  10.0.0.12:1307  00:15:c5:a6:53:32  <->  172.17.0.12:5008  ->  74.125.224.239:80   TCP  ESTABLISHED
  131072010  10.0.0.11:138   70:5a:b6:a0:d8:04  <->  172.17.0.12:5009  ->  10.0.0.255:138      UDP  MAPPED idle 60
  131072011  10.0.0.12:1308  00:15:c5:a6:53:32  <->  172.17.0.12:5010  ->  199.7.59.190:80     TCP  CLOSED idle
  131072012..131072018  10.0.0.11:1988-1994  70:5a:b6:a0:d8:04  <->  172.17.0.12:5011-5017  ->  216.250.183.108:80  TCP  ESTABLISHED (one CLOSED)

Click on the Delete all sessions button to clear all current subscriber sessions. Warning: deleting DAT sessions will cause all misconfigured subscribers to lose their Internet connection for a short period of time.

Displaying the Host Table (Hosts)
You can displ...
21. ...a 2 Mbps DSL ISP circuit to be shared equally amongst all subscribers on the Guest HSIA Network.

Load Balancing With Users Connected to a Preferred ISP Link
In this scenario the hotel has purchased two ISP links for guest HSIA. One is a high-quality, high-cost business-grade ISP circuit and the other is a low-cost, lower-grade domestic service provided by the local cable TV operator. The hotel has a number of bill plan options, including free-to-use and pay-to-use premium plans. Under normal circumstances the hotel wants guests who have selected a free plan to use the low-cost link and guests who have selected a premium service to use the higher-cost business-grade ISP connection. If either link fails, guests should fail over to the other link until the preferred link is restored. (Figure: Hotel Admin Network; ISP 1, 100 Mbps Ethernet, high-quality business-grade ISP for Premium Users; lower-quality ISP for Free-to-Use users; Guest HSIA Network with Premium Users and FTU Users.)

Online Help (WebHelp)
The Access Gateway incorporates an online Help system called WebHelp, which is accessible through the Web Management Interface when a remote Internet connection is established following a successful installation. WebHelp can be viewed on any platform, for example Windows, Macintosh or UNIX-based plat...
22. 4. (8.2) If required, select Group Bandwidth Policies. Bandwidth Management must be enabled before you can enable and specify Group Bandwidth Policies. Note: in the 8.2 NSE the Bandwidth Management page only globally enables and disables Bandwidth Management and Group Bandwidth Policies; bandwidth settings themselves are set for each WAN interface in Ethernet Ports / WAN.
5. If you made any changes to the settings on this screen, you must click the check box for Reboot after changes are saved; the Access Gateway must be rebooted.
6. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.

Group Bandwidth Limit Policy
The Group Bandwidth Limit Policy allows you to assign a common bandwidth rate-limiting policy to a group of subscriber devices. All devices within the group share the total bandwidth allocated to the policy. The Group Bandwidth Limit Policy feature defines the following vendor-specific attributes (VSAs):

  Nomadix VSA  Name                Role                                                          Value
  19           GROUP_BW_POLICY_ID  Defines the ID for the group policy                           Integer between 1 and 16777215 inclusive
  20           GROUP_BW_MAX_UP     Defines the total upstream bandwidth allowed for the group,   Integer value; 0 is interpreted as unlimited
                                   in kilobits per second
  21           GROUP_BW_MAX_DOWN   Defines the total downstream bandwidt...
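The VSAs in the table travel inside a RADIUS Vendor-Specific attribute (type 26), and a gateway that trusts their values without bounds-checking the lengths and ranges is parsing attacker-influenced bytes. The following is an added example, written for this page and not Nomadix code, that encodes the three group-policy sub-attributes in the RFC 2865 VSA layout and decodes a RADIUS attribute blob back, validating every length field and the ranges from the table. The Nomadix vendor ID (3309) and the 32-bit big-endian integer encoding of each value are assumptions.

```python
"""Encode and decode the Nomadix Group Bandwidth Limit Policy VSAs.

Added example, not Nomadix code. Framing follows RFC 2865 section 5.26:
attribute 26 = type, length, 4-byte Vendor-Id, then vendor sub-attributes
each with their own type, length and value. The sub-attribute numbers and
ranges come from the table above; the vendor ID 3309 and the 4-byte
big-endian integer encoding are assumptions.
"""
import struct

NOMADIX_VENDOR_ID = 3309          # assumption: IANA enterprise number for Nomadix
VENDOR_SPECIFIC = 26
GROUP_BW_POLICY_ID, GROUP_BW_MAX_UP, GROUP_BW_MAX_DOWN = 19, 20, 21
NAMES = {19: "GROUP_BW_POLICY_ID", 20: "GROUP_BW_MAX_UP", 21: "GROUP_BW_MAX_DOWN"}
MAX_POLICY_ID = 16777215          # from the table
U32_MAX = 0xFFFFFFFF


def validate_group_policy(policy_id, max_up_kbps, max_down_kbps):
    """Apply the ranges stated in the table; 0 kbps means unlimited."""
    if not 1 <= policy_id <= MAX_POLICY_ID:
        raise ValueError("GROUP_BW_POLICY_ID must be 1..16777215")
    for value in (max_up_kbps, max_down_kbps):
        if not 0 <= value <= U32_MAX:
            raise ValueError("bandwidth must be a non-negative 32-bit integer (0 = unlimited)")


def encode_group_policy_vsa(policy_id, max_up_kbps, max_down_kbps):
    """Return one attribute-26 TLV carrying all three Nomadix sub-attributes."""
    validate_group_policy(policy_id, max_up_kbps, max_down_kbps)
    body = b""
    for vtype, value in ((GROUP_BW_POLICY_ID, policy_id),
                         (GROUP_BW_MAX_UP, max_up_kbps),
                         (GROUP_BW_MAX_DOWN, max_down_kbps)):
        body += struct.pack("!BBI", vtype, 6, value)   # vendor type, vendor length, value
    payload = struct.pack("!I", NOMADIX_VENDOR_ID) + body
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def decode_vsas(attrs):
    """Walk a RADIUS attribute blob; return {name: value} for the group-policy VSAs.

    Every length comes from the wire, so it is checked against the remaining
    bytes before slicing; a malformed attribute raises instead of being skipped.
    """
    found = {}
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC:
            if alen < 7:
                raise ValueError("VSA too short to hold a Vendor-Id and a sub-attribute")
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == NOMADIX_VENDOR_ID:
                j, end = i + 6, i + alen
                while j < end:
                    if end - j < 2:
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("bad vendor sub-attribute length")
                    if vtype in NAMES:
                        if vlen != 6:
                            raise ValueError(f"{NAMES[vtype]} must be a 4-byte integer")
                        found[NAMES[vtype]] = struct.unpack("!I", attrs[j + 2:j + 6])[0]
                    j += vlen
        i += alen
    if "GROUP_BW_POLICY_ID" in found:
        validate_group_policy(found["GROUP_BW_POLICY_ID"],
                              found.get("GROUP_BW_MAX_UP", 0),
                              found.get("GROUP_BW_MAX_DOWN", 0))
    return found


if __name__ == "__main__":
    # Constructed sample: policy 7, 2048 kbps up shared by the group, unlimited down.
    blob = encode_group_policy_vsa(7, 2048, 0)
    print(blob.hex())
    print(decode_vsas(blob))
```

A policy ID of 0 or an over-long sub-attribute is rejected at decode time, which is the check you want before a RADIUS reply is allowed to select a shared rate limit for other subscribers' traffic.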
23. Configuration > dns. NOTE: if DHCP Client or PPPoE Client is enabled, the Primary and Secondary DNS Server may not be configured, since the DHCP/PPPoE server may provide those items. Furthermore, if DHCP Client is configured, the Domain may not be configured.

  Enter domain: nomadix.com
  Enter host name (no spaces): usg
  Enter primary DNS: 4.2.2.2
  Enter secondary DNS: 0.0.0.0
  Enter tertiary DNS: 0.0.0.0
  Enter DNS Redirection Port: 1029
  Enter Proxy DNS Port: 1028
  The system must be rebooted to function properly.

The DNS options have been established. DNS will now convert subscriber browser URLs into the correct IP addresses automatically.

Archiving Your Configuration Settings
Once you have installed your Access Gateway and established the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, your archived settings can be restored at any time. Refer to the following procedures: Exporting Configuration Settings to the Archive File (Export) on page 256; Importing Configuration Settings from the Archive File (Import) on page 261.

Installing the Nomadix Private MIB
The Nomadix Private Management Information Base (MIB) is supplied on the Accessories CD-ROM delivered with your Access Gateway. After importing the nomadix.mib file from the CD-ROM you will...
24. Defining Subscriber Error Messages (Subscriber Errors)
This procedure allows you to define how error messages are displayed to subscribers. There are two pages of error messages available.
1. From the Web Management Interface, click on Subscriber Interface, then Subscriber Errors 1 of 2. The Subscriber Page Error Message Definitions (1 of 2) screen appears. Each row shows the default text beside an editable field containing the current text; the defaults on the first page are:
- "AG 5500 blocked subscriber access" (current text: "NSE blocked subscriber access")
- "Access to this document requires a password"
- "An error has occurred"
- "This field must contain a number between these two values"
- "No Billing options are available"
- "Internet Service is not available right now. Try again later."
- "The maximum number of concurrent users for this account has been reached"
- "The username field should not contain any space. Please try again."
- "The password fields you have entered do not match. Please try again."
- "The password field you have entered is not corre..."
25. Location: portal1.myhotel.com/details?OS&UI&MA&RN&PORT&SIP&TS&NONCE&SIGN&SIGNED&METHOD
GET /details?OS&UI&MA&RN&PORT&SIP&TS&NONCE&SIGN&SIGNED&METHOD HTTP/1.1
Host: portal1.myhotel.com
<-- HTTP/1.1 200 OK

The figure above illustrates destination HTTP redirection, assuming a DNS query string for www.example.com, a magic IP address of 1.1.1.1 and a portal page URL of portal.myhotel.com. Given this configuration, the following would apply:

A DNS query for www.example.com is intercepted by the NSE, which responds with the magic IP address. Then the subscriber's browser sends an HTTP request to the magic IP and sets the Host header to www.example.com. The NSE will process the HTTP request and will analyze the Host header to find the redirection URL that corresponds to www.example.com, which is portal.myhotel.com in this example. The NSE will then craft an HTTP redirection response that contains the portal page URL followed by a query string. The string will include various redirection parameters, time-stamped and signed if signing is enabled for that entry (which it is not in this example). The subscriber will follow the redirection string and will land on the portal page URL. The portal will verify and analyze the query string and then will return the relevant inform
26. PMS

PERFORMANCE: User Support: up to 2000 users concurrently. Throughput: up to 100 Mbits/s (as defined by RFC1242, Section 3.17).
PHYSICAL: 1U rack space in a 19" rack; 16.85" L x 10.04" W x 1.73" H (428mm L x 255mm W x 44mm H). Weight: 6.61 lbs (3.00 Kg).
OPERATING VOLTAGE: 100-240 VAC, 50/60Hz, Auto-Sensing.
POWER CONSUMPTION: 64 watts.

[Quick Reference Guide, page 311]

AG5500 Specifications

ENVIRONMENTAL: Operating temperature 5°C to 40°C. Storage temperature 0°C to 70°C. Operating humidity 20 to 90% RH, non-condensing. Storage humidity 5 to 95% RH. Altitude: up to 15,000 ft.
COMPLIANCE: FCC Class A, Part 15; CE Mark; CENELEC EN 55022:1998 + A1:2000 + A2:2003 Class A; CENELEC EN 61000-3-2:2000; CENELEC EN 61000-3-3:1995 + A1:2001; UL Std 1950; CSA22.2 No. 950.
INTERFACES: 3 x 10/100 Mbps Ethernet (RJ-45); 1 x DB9 serial for serial management and PMS interface.
LED INDICATORS: ACT, LINK and 10/100 for each Ethernet port; Power.
NETWORK MANAGEMENT: Multi-Level Administration Controls; Integrated VPN Client (IPSec) for secure connection to an NOC; Access Control Lists; Web Administration UI; CLI via Telnet and Serial Port; SNMPv2c; Secure XML API; Auto-Configuration and Upgrades; Syslog; AAA log.

[Quick Reference Guide, page 312]

AG5500 Specifications

NETWORKING: IEEE 802.3/3u; IEEE 802.1d; DHCP Server; DHCP
27. Quick Reference Guide: Contains product reference information, organized by topic and functionality. It also contains a full listing of all product configuration elements, sorted alphabetically and by menu.

Chapter 6, Troubleshooting: Provides information to help you resolve common hardware and software problems. It also contains a list of error messages associated with the management interface.

Appendix A, Technical Support: Informs you how to obtain technical support. Refer to Troubleshooting before contacting Nomadix, Inc. directly.

Glossary of Terms: Provides an explanation of terms directly related to Nomadix product technology. Glossary entries are organized alphabetically.

Index: The index is a valuable information search tool. Use the index to locate specific topics and categories contained in this User Guide.

[Introduction, page 2]

Welcome to the Access Gateway

The Access Gateway is a freestanding, fully featured network appliance that enables public access service providers to offer broadband Internet connectivity to their customers. The Access Gateway handles transparent connectivity, advanced security, policy-based traffic shaping and service placement, supporting thousands of users simultaneously in a broadband environment. The Access Gateway also offers a unique set of security and connectivity features for deploying metro wireless (802.11) networks, including Mesh and WiMAX technologies. Access Gat
28. Up to four additional NAT IP Addresses can be added. To remove additional addresses, enter the address in the field and left-click Remove. To enable usage of these addresses, check the Enable additional NAT IP addresses checkbox. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved to reboot the system after saving your changes. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.

Managing the Log Options (Logging)

System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authorization, Authentication and Accounting) functions. You can enable either of these options. Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number, assigned between 0 and 7. When managing multiple properties, the properties are identified in the log files by their IP addresses.

[System Administration, page 128]

1. From the Web Management Interface, click on Configuration, then Logging. The Log Settings screen appears.

Log Settings
WARNING: Saving Log files to disk impacts system performance. Saving files locally should only be used for troubleshooting.
System Log: [x] Enable System Log; Number: 2
29. a list of ranges of numeric values (211-300, 301-899), or a comma-separated list of individual numeric values and ranges (211, 212, 213-899).

Description: Allows entry of a description for the zone. This must be a string between 0 and 128 characters in length and cannot contain characters that are not alphanumeric, dash, underscore or space. In each of these fields, any leading or trailing spaces will be removed by the NSE when the page is submitted.

[System Administration, page 178]

Relogin within Zone: This selection provides the option to require relogin after migration between ports that are within a given zone. The default is Disabled.

Existing Zones: Zones that have already been defined are listed here and can be edited or deleted. Note: The description field is not displayed in the list view.

Defining IPSec Tunnel Settings

There are many different ways to configure, manage and monitor the performance and up-time of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish network management objectives. And within those objectives is the requirement to provide the highest level of security possible. While several network protocols have evolved that offer some level of security and data encryption, the preferred method for attaining maximum security across all network devices is to establish an IPSec tunnel between the NOC (Network Operations Center) and the edge device
30. between a security gateway and a host (network to host). Can be used in the transport layer or used to create a secure tunnel.

Load Balancing: Ensures that demands placed on high speed Internet access (HSIA) are balanced based on the capability of each WAN (ISP) connection.
Location: Sets up your location and IP addresses for the network, subscriber subnet mask and default gateway.
Logging: Enables logging options for the system and AAA functions.
MAC Authentication: Enables MAC authentication, retry frequency, MAC address format, MAC address hex alpha case and RADIUS service profile.
Passthrough Addresses: Establishes IP pass-through addresses (up to 300).
PMS: Enables one of the listed PMS options or allows you to disable the PMS feature.
Port Location: Establishes the Access Concentrator settings.
RADIUS Client: This procedure sets up the RADIUS client.
RADIUS Proxy: Establishes RADIUS proxies, where different realms can be set up to directly channel RADIUS messages to the various RADIUS servers.
RADIUS Routing: Sets up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies (up to 50).
Realm Based Routing: Realm Based Routing provides advanced NAI (Network Access Identifier) routing capabilities, enabling multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their ch
31. Tracking log format:
> Day Month Date Time Year NSE_Site_Name S Source_IP:Port D Destination_IP:Port X NSE_Translated_IP:Port proxy_type Subscriber_MAC Billing Type UserName (first 12 char)
> THU JUN 23 11:43:58 2007 testlab S 192.168.2.4:3444 D 66.163.175.128:80 X 67.130.149.4:5004 non-proxy 00:90:27:78:81:00 RADIUS IPASS OU0000

Syslogs are viewable under the System > Syslog menu. A total of 500 syslogs are stored locally. Do not configure the Server IP as the Network-side IP of the gateway.

[System Administration, page 131]

Syslog History

001 THU JUN 03 12:15:39 2010 AG 5500 v7.0.030 67.130.149.163 <134> INFO CFS: file flash/AuthFile.dat synchronized from cache
002 THU JUN 03 12:15:27 2010 AG 5500 v7.0.030 67.130.149.163 <134> INFO CLISRD: Starting PMS on the serial port
003 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 67.130.149.163 <134> INFO CTRL: GetAliveNotifyInFlash: Error opening flash/usginfo.dat
004 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 67.130.149.163 <134> INFO CLITND: CLI Telnet Daemon socketFd is 21, location of variable i is 0xb9e6b8
005 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 67.130.149.163 <134> INFO CLISRD: 0206 Setting COM1 to 9600 baud
006 THU JUN 03 12:15:18
32. up to 50. For additional RADIUS information, see also:
- Setting up Quality of Service (QoS) on page 148
- Defining the RADIUS Proxy Settings (RADIUS Proxy) on page 154

[System Administration, page 158]

- RADIUS Attributes on page 294

From the Web Management Interface, click on Configuration, then Realm Based Routing. The Realm Based Routing Settings screen appears.

Add Realm Routing Policy Entry
Active: [ ]
Wildcard match / Specific Realm: Realm name
Prefix match only: Match characters preceding
Suffix match only: Match characters following (i.e. NAI realm)
Match either: Try prefix first, then try suffix if no prefix match
RADIUS Service Profile: select one
[ ] Strip off routing information when sending to RADIUS server
Tunnel Profile: [ ] Tunnel Parameters for profile-triggered or RADIUS-triggered tunnels
[ ] Strip off routing information when sending to tunnel server
Local hostname

Define RADIUS Service Profiles

RADIUS service profiles are used to direct username access requests for both plain RADIUS users and users who supply a realm (domain) in their username. In response to a RADIUS access request, these RADIUS servers will return the L2TP tunnel parameters, which the NSE will use to establish an L2TP tunnel. Create a RADIUS service profile to a RADIUS server that will handle Prefix-based users. This is to handle users that
33. 0.0.0.0 (Active link to Port processing screen)

[System Administration, page 201]

Finding Port Location Assignments by Port (Find by Port)

This procedure shows you how to find a port location assignment based on its port. This procedure is useful if you want to review the details of a specific port location. You can also find port locations based on their description or location.

1. From the Web Management Interface, click on Port Location, then Find by Port. The Find a Port Location Assignment by Port screen appears.
Find a Port Location Assignment by Port: Enter Port [456] Show Reset
2. In the Enter Port field, enter the port you want to find. The port is the VLAN ID when using 802.1Q (2-way).
3. Click on the Show button to view the Process Port Location Assignments screen, or click on the Reset button if you want to reset the port value to its blank state. From this screen you can add, update or delete port location assignments.
Process Port Location Assignments: Location, Port, Subnet, Description, State (No Charge / Charge for Use / Blocked); Add, Update, Delete, Reset

[System Administration, page 202]

Importing Port Location Assignments (Import)

This procedure shows you how to import port location assignments from the location.txt file. The location.txt file is stored in fl
34. 1111 and 1112.

[System Administration, page 77]

Select one of the following:
Internal Web Server SSL Support: Encrypt only Sensitive Data / Portal Page: [ ] Enable
Note: To enable, make sure your license includes SSL support and you have all the certificate files on the flash.
Certificate DNS Name: ssl.certificate.com
Portal Page: [ ] Enable; Portal Page URL; Parameter Passing: [ ] Enable; Parameter Signing Method: None / HASH (CRC32) / HMAC MD5; Parameters: UI, MA, RN, PORT, SIP; Set Shared Secret (write only); Manual Passthrough Address: [ ] Enable
Portal XML POST URL; Portal XML Post Port: 9000
Supports GIS Clients: [ ] Yes
Block IWS Login Page: [ ] Yes
[x] Enable Usernames. Note: Usernames option is enabled if any of the following are true: Relogin After Timeout, Relogin after Migration, XoverY billing or Group Accounts.
New Subscribers; Credit Card Service; Smart Client Support: [ ] Enable
Relogin After Timeout: [ ] Enable
Credit Card Server: Credit Card Server URL; Merchant ID; Use NSE's hostname and DNS domain name; Authorize.net SIM Compliant; Change Transaction Key; Set MD5 Hash Value; Shared Secret; Chainfusion Credit Card Transaction Time: [ ] Enable
Note: To enable, make sure your license includes Smart Client support.
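The redirection flow described under item 25 (the NSE answers the DNS query with the magic IP, then redirects the browser to the portal URL with a time-stamped, optionally signed query string) and the Portal Page settings above (Parameter Passing, Parameter Signing Method HMAC MD5, Set Shared Secret) together define what the portal has to check before trusting the parameters it receives. The following is an added example, not Nomadix code: it builds a redirect with the parameter names the guide shows (OS, UI, MA, RN, PORT, SIP, TS, NONCE, SIGN, SIGNED, METHOD) and then verifies it on the portal side. The canonical string that is signed, the comma-separated SIGNED list, the 300-second freshness window and the in-memory nonce cache are assumptions of this example, not documented NSE behaviour.

```python
"""Portal-side verification of a signed NSE-style redirection query string.

Added example, not Nomadix code. Parameter names and the HMAC-MD5 option
come from the guide; the canonical signing string, the SIGNED list format
and the freshness window are ASSUMPTIONS made for this example.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Parameters covered by the signature, in signing order (assumed).
SIGNED_PARAMS = ["OS", "UI", "MA", "RN", "PORT", "SIP", "TS", "NONCE"]


def canonical(params: dict, names: list) -> str:
    """Join the signed parameters as name=value pairs in a fixed order (assumed canonical form)."""
    return "&".join(f"{n}={params[n]}" for n in names)


def hmac_md5_sign(params: dict, secret: bytes) -> str:
    """HMAC-MD5 over the canonical string, hex encoded (the guide's HMAC MD5 signing method)."""
    return hmac.new(secret, canonical(params, SIGNED_PARAMS).encode(), hashlib.md5).hexdigest()


def build_redirect(portal_url: str, os_url: str, ui: str, mac: str, rn: str,
                   port: str, sip: str, secret: bytes, now=None, nonce=None) -> str:
    """Gateway side: craft the Location the NSE would send the subscriber to."""
    params = {
        "OS": os_url, "UI": ui, "MA": mac, "RN": rn, "PORT": port, "SIP": sip,
        "TS": str(int(now if now is not None else time.time())),
        "NONCE": nonce or secrets.token_hex(8),
    }
    params["SIGN"] = hmac_md5_sign(params, secret)
    params["SIGNED"] = ",".join(SIGNED_PARAMS)   # tells the portal which names were signed
    params["METHOD"] = "GET"
    return portal_url + "?" + urlencode(params)


class PortalVerifier:
    """Portal side: reject tampered, stale or replayed redirect parameters."""

    def __init__(self, secret: bytes, max_age_seconds: int = 300):
        self.secret = secret
        self.max_age = max_age_seconds
        self.seen_nonces = set()   # assumed in-memory replay cache; use a shared store in production

    def verify(self, url: str, now=None):
        now = int(now if now is not None else time.time())
        # keep_blank_values so an empty parameter still counts as present and signed
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
        for name in ("SIGN", "SIGNED", "TS", "NONCE"):
            if name not in q:
                return False, f"missing {name}"
        signed_names = q["SIGNED"].split(",")
        if signed_names != SIGNED_PARAMS or any(n not in q for n in signed_names):
            return False, "unexpected SIGNED list"
        expected = hmac.new(self.secret, canonical(q, signed_names).encode(), hashlib.md5).hexdigest()
        if not hmac.compare_digest(expected, q["SIGN"]):   # constant-time comparison
            return False, "bad signature"
        try:
            age = abs(now - int(q["TS"]))
        except ValueError:
            return False, "bad timestamp"
        if age > self.max_age:
            return False, "stale timestamp"
        if q["NONCE"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(q["NONCE"])
        return True, "ok"


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed value, not a real secret
    url = build_redirect("http://portal.myhotel.com/details", "http://www.example.com/",
                         "192.168.2.4", "00:90:27:78:81:00", "101", "8", "67.130.149.4",
                         secret, now=1_000_000, nonce="constructednonce")
    print(url)
    print(PortalVerifier(secret).verify(url, now=1_000_010))
```

The order of checks matters: the signature is verified before the timestamp and nonce are read, so an attacker cannot probe the replay cache or the clock window with unsigned requests. Because the check is HMAC-based, the portal only needs the same shared secret that is set on the NSE; it never needs to contact the gateway.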
35. (Active Routing Table, continued; columns: Destination, Gateway, Flags, Interface, Role, Action)
192.168.1.1 0x8c3 WAN system Delete
10.0.2.0/24 10.0.2.10 0x1c1 Eth2 system
10.0.2.10 10.0.2.10 0x45 Loopback system Delete
127.0.0.1 127.0.0.1 0x45 Loopback system Delete
172.30.30.0/24 172.30.30.172 0x1c1 WAN system Delete
172.30.30.172 172.30.30.172 0x45 Loopback system
192.168.1.0/24 192.168.1.4 0x1c1 WAN system
192.168.1.4 192.168.1.4 0x45 Loopback system
192.168.110.25 0x1c1 Eth1 system
192.168.110.25 0x45 Loopback system

Note: deleting an Active route that is Static or Persistent does not remove that route from the Static/Persistent Routing Table.

- Static/Persistent Routing Table, grouped in a separate section for easy reference and modification. Columns: Action, Destination, Prefix, Gateway, Interface, Role. Note: deleting a Static or Persistent route also removes that route from the Active Routing Table.
- Add a New Static or Persistent Route: Destination IP, Prefix Length, Gateway IP, Interface (WAN, Role wan), Type (Static / Persistent).

Displaying the Active IP Connections (Sockets)

You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections. To view the Socket Table, go to the Web Management Interface, click on Network Info, then click on Sockets.

[System Administration, page 190]

The So
36. 8 concentrators can be entered.
IP address; Add, Remove, Back
Current Concentrators: IP address, SNMP community
Port Location Cascading Support, RFC1493-compliant systems. Note: Up to 50 concentrators can be entered. IP address, SNMP community, Uplink port; Add, Remove, Back
Current Concentrators (RFC1493 Systems): IP address, SNMP community, Uplink port

From the Cascading Support screen, you can return to the main Port Location Settings screen at any time by pressing the Back button.

6. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. See In-Room Port Mapping.

[System Administration, page 145]

In-Room Port Mapping

This section shows In-Room Port Mapping from the subscriber side when the In-Room Port Mapping feature is enabled.

Note: multiple VLAN-tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN-tagged switches, one on each Subscriber side, that have the same VLAN tags designated, this configuration can cause problems. To avoid conflicts, you must ensure that the VLAN tags are different on the different devices.

1. Enable In-Room Port Mapping and assign a user name and password (see previous section, Steps 2 and 3).
2. Enter the following
37. Creating a location.txt File

You can create your own location.txt file and upload the file to the Access Gateway's flash memory at <IP address>/flash/location.txt. Use the following format when creating the file:

1 1 00:00:00:00:00:00 0.0.0.0 0 Room 101

The 4 (four) fields used in the format represent the standard format for port location assignments: location, port, modem MAC address (for RiverDelta), subnet, state, description. Characters used for locations and descriptions are case-sensitive.
- Location: Locations are assigned as an alpha, numeric or alpha-numeric value, unless a PMS interface is used, in which case only numeric values can be used.
- Port: Any number between 1 and 65535.
- Modem MAC Address: MAC address of the modem being used.
- Subnet: Subscriber's subnet address.
- State: Possible states are 0 (no charge for using this port location), 1 (charge for use) and 2 (blocked). If you do not assign a conditional state, the state is registered as No Charge by default.
- Description: Use a meaningful description for the assignment.

[System Administration, page 204]

Displaying the Port Location Mappings (List)

You can display a listing of all port locations assigned to this system. To view the listing of port location assignments, go to the Web Management Interface, click on Network Info, then click on List. The List Port Location Assignme
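A file that is uploaded straight into the gateway's flash and then imported is worth validating before the import, since a bad state value or an out-of-range port silently becomes a wrong access policy for a room. The following is an added example, not Nomadix code: a small validator that applies the field rules listed above (location characters, port range 1 to 65535, MAC address, subnet, state 0/1/2 with blank defaulting to No Charge) to each record. The comma delimiter is an assumption, because the separators in the guide's sample line did not survive extraction; the sample file inside the block is constructed for this example.

```python
"""Validator for a location.txt-style port location file.

Added example, not Nomadix code. Field order (location, port, modem MAC,
subnet, state, description) and the per-field rules come from the guide;
the comma delimiter is an ASSUMPTION made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

DELIM = ","   # assumed delimiter
STATE_NAMES = {0: "No Charge", 1: "Charge for Use", 2: "Blocked"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
LOCATION_RE = re.compile(r"^[A-Za-z0-9]+$")


@dataclass
class PortLocation:
    location: str
    port: int
    modem_mac: str
    subnet: str
    state: int
    description: str


def parse_line(line: str, pms_in_use: bool = False) -> PortLocation:
    """Parse one record; raise ValueError with the reason when a field breaks the guide's rules."""
    parts = [p.strip() for p in line.split(DELIM, 5)]   # description may itself contain the delimiter
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}")
    location, port_s, mac, subnet, state_s, description = parts
    if not LOCATION_RE.match(location):
        raise ValueError(f"location {location!r} must be alphanumeric")
    if pms_in_use and not location.isdigit():   # PMS interface allows numeric locations only
        raise ValueError(f"location {location!r} must be numeric when a PMS interface is used")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"port {port_s!r} must be between 1 and 65535")
    if not MAC_RE.match(mac):
        raise ValueError(f"modem MAC {mac!r} is not a colon-separated MAC address")
    try:
        ipaddress.IPv4Address(subnet)
    except ipaddress.AddressValueError:
        raise ValueError(f"subnet {subnet!r} is not an IPv4 address")
    # a blank state is registered as No Charge (0) by default
    state = 0 if state_s == "" else (int(state_s) if state_s.isdigit() else -1)
    if state not in STATE_NAMES:
        raise ValueError(f"state {state_s!r} must be 0, 1 or 2")
    return PortLocation(location, int(port_s), mac, subnet, state, description)


def parse_file(text: str, pms_in_use: bool = False) -> Tuple[List[PortLocation], List[str]]:
    """Parse every non-blank line, collecting good records and per-line error messages."""
    records, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            records.append(parse_line(raw, pms_in_use))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return records, errors


def state_name(state: int) -> str:
    return STATE_NAMES[state]


# Constructed sample file: one record per state, one out-of-range port, one blank state.
SAMPLE = """\
1,1,00:00:00:00:00:00,0.0.0.0,0,Room 101
2,2,00:11:22:33:44:55,10.0.2.0,1,Room 102, south wing
3,3,00:11:22:33:44:66,10.0.2.0,2,Room 103
4,70000,00:00:00:00:00:00,0.0.0.0,0,bad port
5,5,00:00:00:00:00:00,0.0.0.0,,blank state
"""

if __name__ == "__main__":
    ok, bad = parse_file(SAMPLE)
    for r in ok:
        print(r.location, r.port, state_name(r.state), r.description)
    for e in bad:
        print("ERROR", e)
```

Run it over a real file before uploading; records reported under `errors` are the ones the import would otherwise turn into a wrong or missing port location assignment. Pass `pms_in_use=True` when a PMS interface is configured so that non-numeric locations are flagged as well.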
38. Gateway Installation Workflow

The following flowchart illustrates the steps that are required to install and configure your Access Gateway successfully. Review the installation workflow before attempting to install the Access Gateway on the customer's network.

[Installing the Access Gateway, page 37]

1. Place the AG on a flat and stable work surface and connect the power cord.
2. Connect the AG to a live network. Use the DB9 serial cable (6 ft length) between the AG's serial port and your computer.
3. Power up your computer and turn on the AG.
4. Start a HyperTerminal session to communicate with the AG via the serial port.
5. Log in to the Command Line Interface.
6. When prompted, configure your AG's IP, DNS and Location settings. The AG will then prompt you to reboot the system.
7. When prompted, accept the Nomadix End User License Agreement (EULA). You must accept the EULA before the AG can connect with the Nomadix License Key Server. When the key is successfully received from the server, your AG will reboot. You can now power down and connect the AG to the customer's network.
8. Connect the AG to the customer's network.
9. Power up the AG and log in via a Telnet session or the Web Management Interface.
10. Set the basic configuration parameters for subscribers.
11. The AG is now ready for administrators t
39. Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen appears.

Add a Subscriber Profile to the Database: Subscriber / Device / Group Account; DHCP Address Type: Private / Public (only used if subscriber is configured for DHCP); Subnet; Username; Password; Expiration Time (hrs, mins); Paid (USD 0.00); User Definable 1; User Definable 2; Min Upstream Bandwidth 0 Kbps; Max Upstream Bandwidth 0 Kbps; Min Downstream Bandwidth 0 Kbps; Max Downstream Bandwidth 0 Kbps; QoS Policy (select a policy); Maximum users per group; SMTP Redirection. Note: Global SMTP Redirection must be enabled for subscriber SMTP Redirection to take effect (see SMTP page under Configuration).

2. Choose the Group Account type for this profile.
3. Define the DHCP Address Type, Public or Private (only used when the IP Upsell feature is enabled; otherwise leave this set to private).

Enter a valid Subnet address for this subscriber. In the Username field, enter a user name for this subscriber. User names and passwords are required for Group Accounts. If you assigned a user name, you must now assign a Password. In the Expiration Time field, define the duration (in hours and minutes) for the subscriber's authorized access time. When the assigned time expires, the subscriber must re-subscribe to the service. Enter an amount in the Paid field. The next two fields, User
40. MIB on page 54). The following example shows a partial SNMP screen response:
205.147.25.186 nomad (Unknown); Community String: public; System MIB; Interfaces: 3 interfaces; 1: ethernetCsmacd

Using a Telnet Client

There are many Telnet clients that you can use to connect with the Access Gateway. Using Telnet provides a simple terminal emulation that allows you to see and interact with the Access Gateway's Command Line Interface as if you were connected via the serial interface. As with any remote connection, the network interface IP address for the Access Gateway must be established (you did this during the installation process).

[System Administration, page 73]

Logging In

To access the Access Gateway's Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to Assigning Login User Names and Passwords). User names and passwords are case-sensitive.

About Your Product License

Some features included in this section will not be available to you unless you have purchased the appropriate product license from Nomadix. In this case, the following statement will appear either immediately below the section heading or when the feature is mentioned in the body text: "Your product license may not support this feature. You can upgrade your product license at any time."

Configuration Menu

Definin
41. OS=http://after_login_finished_page.html

[Quick Reference Guide, page 342]

Mirroring Billing Records

Multiple Access Gateway units can send copies of credit card billing records to a number of external servers that have been previously defined by system administrators. The Access Gateway assumes control of billing transmissions and saving billing records. By effectively mirroring the billing data, the Access Gateway can send copies of billing records to predefined carbon copy servers. Additionally, if the primary and secondary servers are down, the Access Gateway can store up to 2,000 credit card transaction records. The Access Gateway regularly attempts to connect with the primary and secondary servers. When a connection is re-established with either server, the Access Gateway sends the cached information to the server. Customers can be confident that their billing information is secure and that no transaction records are lost.

This document describes the process used by the Access Gateway for mirroring billing records and is organized into the following sections:
- Sending Billing Records on page 343
- XML Interface on page 344
- Establishing Billing Records Mirroring (Bill Record Mirroring) on page 98

Sending Billing Records

When there is a message (billing record) in the message queue, the system wakes up and performs the following tasks:
1. Stores the billing record
42. [Quick Reference Guide]

Keyboard Shortcuts

The following table shows the most common keyboard shortcuts.

Action | Keyboard Shortcut
Cut selected data and place it on the clipboard | Ctrl+X
Copy selected data to the clipboard | Ctrl+C
Paste data from the clipboard into a document at the insertion point | Ctrl+V
Copy the active window to the clipboard | Alt+Print Screen
Copy the entire desktop image to the clipboard | Print Screen
Access the Help screen |
Abort an action at any time | Esc
Go back to the previous screen | b

HyperTerminal Settings

Use the following settings when establishing a HyperTerminal session:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

[Quick Reference Guide, page 323]

RADIUS Attributes

RADIUS (Remote Authentication Dial-In User Service) was originally created to allow remote authentication to the dial-in networks of corporations and dial-up ISPs. It is defined and standardized by the IETF (Internet Engineering Task Force), and several RADIUS server packages exist both in the public domain and for commercial sale. RADIUS software stores a database of attributes about their valid subscriber base. For example, usernames, passwords, access privileges, account limits and subscriber attributes can all be stored in a RADIUS database. RADIUS works in conjunction
43. [Quick Reference Guide, page 299]

Command | Description | Menu
Route Add | Add a route to the routing table | System
Route Delete | Delete a route from the routing table | System
Routing | Display routing performance statistics and tables | Network Info
Session Limit | Limits subscriber sessions | System
SMTP | Set the SMTP redirection options | Configuration
SNMP | Establish the SNMP parameters | Configuration
Sockets | Display the active IP connections | Network Info
Static Port Mapping | Displays currently active static port mapping schemes | Network Info
Static Port Mapping Add | Adds a static port mapping scheme | System
Static Port Mapping Delete | Deletes a static port mapping scheme | System
Statistics | Display the subscriber profile statistics | Subscriber Admin
Subnets | Enable dynamic multiple subnet support | Configuration
Subscriber Button | Define how control buttons are displayed to subscribers | Subscriber I/face
Subscriber Interfaces | Blocks subscriber interfaces | System
Subscriber Labels | Define how field labels are displayed | Subscriber I/face
Subscriber Errors | Define how error messages are displayed | Subscriber I/face
Subscriber Messages | Define how other general messages are displaye | Subscriber I/face
Summary | Display a | Configuration
TCP | | Network Info
Time | | Configuration
(Remaining Menu-column entries on this page, whose rows did not survive extraction: Network Info, System, Configuration.)
44. [Quick Reference Guide, page 303]

AG2300 Specifications

ENVIRONMENTAL: Operating temperature 5°C to 40°C. Storage temperature 0°C to 70°C. Operating humidity 20 to 90% RH, non-condensing. Storage humidity 5 to 95% RH. Altitude: up to 15,000 ft.
COMPLIANCE: FCC Class A, Part 15; CE Mark; CENELEC EN 55022:1998 + A1:2000 + A2:2003 Class A; CENELEC EN 61000-3-2:2000; CENELEC EN 61000-3-3:1995 + A1:2001; UL Std 1950; CSA22.2 No. 950.
INTERFACES: 3 x 10/100 Mbps Ethernet (RJ-45); 1 x DB9 serial for serial management and PMS interface.
LED INDICATORS: ACT, LINK and 10/100 for each Ethernet port; Power.
NETWORK MANAGEMENT: Multi-Level Administration Controls; Integrated VPN Client (IPSec) for secure connection to an NOC; Access Control Lists; Web Administration UI; CLI via Telnet and Serial Port; SNMPv2c; Secure XML API; Auto-Configuration and Upgrades; Syslog; AAA log.
NETWORKING: IEEE 802.3/3u; IEEE 802.1d; DHCP Server; DHCP Relay; RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1/v2).

[Quick Reference Guide, page 304]

AG2400 Specifications

AVAILABLE NSE MODULES: AG 2400 Hospitality Module; AG 2400 High Availability Module.
PERFORMANCE: 200 concurrent users or devices. Throughput: up to 230 Mbps (as defined by RFC 1242, Section 3.17).
PLATFORM: Intel-based System.
INTERFACE: 1 RJ-45 WAN; 3 RJ-45 ETH; 1 12VDC Power Connector; 1 RJ-45 Console; 1 DB-9 Serial Connecto
45. Remove Current Images. NOTE: You must reboot for configuration changes to take effect. Reboot

[System Administration, page 236]

Web Page File Name: This text box lets you add or remove the names of the web pages that you intend to serve to the end users. Note: The name of the web page has to be added in order for it to be served to the end users. Uploading the web page to the web directory is not sufficient.

Image File Name: This text box lets you add or remove the names of the image files that you intend to serve to the end users. Note: The name of the image file has to be added in order for it to be served to the end users. Uploading the image file to the web directory is not sufficient.

Defining the Subscriber's Login UI (Login UI)

This procedure allows you to set up the presentation and content of the subscriber's login User Interface (UI).

[System Administration, page 237]

1. From the Web Management Interface, click on Subscriber Interface, then Login UI. The Subscriber Login User Interface Settings screen appears.

Subscriber Login User Interface Settings:
Service Selection Message: Please select the amount of high speed access you wish to purchase
Existing Username Message: Please enter your user ID and password
New Username Message: Please enter a new user ID and password
Contact Message: Please contact your Network Administrator in case of problems
PMS
46. Remove, to remove the peer from the IPSec Tunnel Peers table.
- Reset, to undo any changes you made to the peer settings and return the peer to its original settings.
4. Click the Back to Main IPSec Tunneling Settings page link to return to the IPSec Tunnel Settings screen.

Managing IPSec Security Policies

You can add a new IPSec security policy or modify the settings of an existing IPSec security policy from the IPSec Tunnel Settings screen.

[System Administration, page 118]

Adding a New IPSec Security Policy

1. In the IPSec Security Policies table, click the Add button to add an entry. The IPSec Tunnel Security Policy Settings screen opens.

IPSec Tunnel Security Policy Settings:
Tunnel peer IP address (required for ESP and AH tunnels): 172.1.1.125
Traffic Selectors: Protocol: ANY
Remote End: Remote IP Subnet 172.17.99.192; Subnet Mask 255.255.255.240; Remote UDP/TCP Port 0 (or 0 for all ports)
Local End: [x] Use current Network Interface IP Address (Note: Network IP Address is dynamic if DHCP or PPPoE Client is enabled); [ ] Use this static IP address/subnet: Local IP Subnet, Subnet Mask, IP address of network interface for this policy 0; Local UDP/TCP Port 0 (or 0 for all ports)
Security Parameters: Discard/Bypass (Discard/bypass direction: In only, Out only, In and Out); ESP (Acceptable encryption algorithms: DES, 3DES, NULL); AH
The following parameters pertain to both ESP
47. Save to file [disabled]: enable
Enable/disable AAA Log [disabled]: enable
Enter AAA Log Number (0-7) [0]: 2
Enter AAA Log Filter (Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug). Select an option from above [7]: 7
Enter AAA Log Server IP [255.255.255.255]: 10.10.10.10
Enable/disable AAA Log Save to file [disabled]: enable
Enable/disable RADIUS History Log [disabled]: enable
Enter RADIUS History Log Number (0-7) [0]: 2

[Installing the Access Gateway, page 52]

Enter RADIUS History Log Filter (Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug). Select an option from above [6]: 7
Enter RADIUS History Log Server IP [255.255.255.255]: 10.10.10.10
Enable/disable RADIUS History Log Save to file [disabled]: enable
Enable/disable System Report Log [disabled]: enable
Enter System Report Log Number (0-7) [0]: 2
Enter System Report Log Server IP [255.255.255.255]: 10.10.10.10
Enter System Report Log interval (minutes) [0]: 5
Enable/disable Tracking Log [disabled]: enable
Enter Tracking Log Number (0-7) [0]: 2
Enter Tracking Log Server IP [255.255.255.255]: 10.10.10.10
Enable/disable Tracking Log Save to file [disabled]:
Enable/Disable Name Reporting [disabled]: enable
Enable/Disable Port Reporting [disabled]: enable
Enable/Disable Location Reporting [disabled]: enable
Enable/Disable 500th Packet Count Reporting [disabled]: enable
System L
48. Select one of the following network options for the Local End:
- Use current Network Interface IP Address: Select this option if you would like to use the current network interface IP Address. Note that the network IP address is dynamic if DHCP or PPPoE client is enabled. This setting is the default setting.
- Use this static IP address/subnet: If you select this option, you must also enter the Local IP Subnet, the Subnet Mask and the IP address of network interface for this policy.
  - The Local IP Subnet is the IP address of the local network secured by the IPSec tunnel. The address can specify a host.
  - The Subnet Mask is the subnet mask of the local network secured by the IPSec tunnel. The address can specify a host.
  - The IP address of network interface for this policy is the IP Address for the NSE inside an IPSec tunnel. The IP address must be within the Local LAN subnet or the same as the Local LAN IP address. IP address 0.0.0.0 disables the functionality. The default setting is 0.0.0.0.
6. Enter the port number in the Local UDP/TCP Port field (0 is for all ports), only if the protocol is UDP or TCP.
7. In the Security Parameters section, define the parameters of the security policy. The options are Discard/Bypass, ESP and AH. ESP is the default setting.
- Discard
- Bypass: Select the direction of the discard/bypass; the options are In only, Out only or In and Out. Out only is the default setting.
- ESP: Select all the acceptable en
Setting Up Port Locations (Port Location) 142
Setting Up Quality of Service (QoS) 148
Defining the RADIUS Client Settings (RADIUS Client) 149
Defining the RADIUS Proxy Settings (RADIUS Proxy) 8.2 154
Defining the Realm Based Routing Settings (Realm Based Routing) 158
Managing SMTP Redirection (SMTP) 167
Managing the SNMP Communities (SNMP) 168
Enabling Dynamic Multiple Subnet Support (Subnets) 169
Displaying Your Configuration Settings (Summary)
Setting the System Date and Time (Time) 172
Setting Up URL Filtering (URL Filtering) 173
User Agent Filtering 176
IPSec Tunnel Settings (IPSec) 179
Displaying DAT Sessions (DAT) 181
Displaying the Network Interfaces (Interfaces) 183
Interface Monitor 185
Bill Record Mirroring Settings

Enable/Disable Mirroring
  Enable Bill Record Mirroring [checkbox]
Unit Identification
  Property ID: HSG
  NSE ID: 015b71
Primary and Secondary Servers
  Primary: IP, URL, Secret Key, Port
  Secondary: IP, URL, Secret Key, Port
Carbon Copy Servers
  (three entries, each with IP, URL, Secret Key, Port)
Failsafe Provisions
  Retransmit Method: Alternate / Do Not Alternate
  Number of Retransmit Attempts: 3
  Retransmit Delay:

2. If you want to enable the billing records mirroring functionality for credit card transactions, click on the check box for Enable Bill Record Mirroring.
3. Enter the property identification code in the Property ID field.
4. Enter the communication parameters for the primary server that is to be used for mirroring, including:
   - Primary IP
   - URL
   - Secret Key
   - Port
   Note: The Access Gateway and the mirror servers must use the same secret key.
5. Repeat Step 4 for the secondary server (if any) and for all carbon copy servers.
6. Define the fail safe provisions, including:
   - Retransmit Method: Alternate or Do Not Alternate.
   - Number of Retransmit Attempts: This tells the system how many times it should attempt to retransmit billing records before suspending the task.
   - Retransmit Delay: This specifies t
System Log Filter: 7 Debug
System Log Server IP: 10.10.10.10
System Log save to file: Enable
AAA Log: Enable
AAA Log Number:
AAA Log Filter: Debug
AAA Log Server IP:
AAA Log save to file: Enable
RADIUS History Log: Enable
RADIUS History Log Number:
RADIUS History Log Filter: Debug
RADIUS History Log Server IP:
RADIUS History save to file: Enable
System Report Log: Enable
System Report Log Number: 2
System Report Server IP: 10.10.10.10
System Report Log Interval (minutes): 5
Subscriber Tracking Log: Enable
  NOTE: To enable Subscriber Tracking, the External Time Server must be enabled (see Configuration > Time).
Subscriber Tracking Log Number: 2
Subscriber Tracking Log Server IP: 10.10.10.10
Subscriber Tracking Log save to file: Disable
Include User Name reporting (25 chars): Enable
Port Location: Include Port reporting: Enable
Include Location reporting (25 chars): Enable
Report every 500th packet (Danish law): Enable
WARNING: Communication between the gateway and the syslog server may need to be secured to comply with local laws. Consider routing communication through an IPSec tunnel.
[Submit] [Reset]

2. If required, click on the check box for System Log to enable system logging. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the Access Gatew
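The following is an added example, not code from Nomadix or from this guide, showing how the Log Number and Log Filter fields on the logging screen above shape what actually reaches the syslog collector. Two points are assumptions because the page does not spell them out: that the Log Number 0-7 is carried as the syslog facility local0..local7 (codes 16-23), and that a filter of N forwards severities 0..N, so Debug (7) forwards everything while Error (3) forwards only Emergency through Error. The sample events are constructed, not captured from a gateway.

```python
"""Added example, not Nomadix code: how the Log Number and Log Filter
fields on the logging screen shape what reaches the syslog collector.
Assumptions (the page does not state them): Log Number 0-7 is sent as
the syslog facility local0..local7 (codes 16-23), and a filter of N
forwards severities 0..N, so Debug (7) forwards everything and
Error (3) only Emergency..Error."""
from dataclasses import dataclass

SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug")   # 0..7, RFC 3164 order
LOCAL0 = 16  # syslog facility code of local0; local7 is 23


def pri(log_number: int, severity: int) -> int:
    """RFC 3164 priority value: facility * 8 + severity."""
    if not 0 <= log_number <= 7:
        raise ValueError("Log Number must be 0-7")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return (LOCAL0 + log_number) * 8 + severity


def decode_pri(value: int) -> tuple:
    """Inverse of pri(): (log_number, severity) as the collector sees them."""
    facility, severity = divmod(value, 8)
    return facility - LOCAL0, severity


def passes_filter(severity: int, log_filter: int) -> bool:
    """Numerically lower severity is more urgent; the filter is the least
    urgent level still forwarded (assumption stated above)."""
    return severity <= log_filter


@dataclass(frozen=True)
class LogEvent:
    severity: int
    text: str


def build_syslog_lines(events, log_number, log_filter, hostname="nse"):
    """Lines that would be sent over UDP to the configured Log Server IP.
    Timestamp omitted; the PRI prefix is what the two settings affect."""
    return [f"<{pri(log_number, ev.severity)}>{hostname} {ev.text}"
            for ev in events if passes_filter(ev.severity, log_filter)]


# Constructed sample events, not captured from a real gateway.
SAMPLE_EVENTS = (
    LogEvent(3, "AAA: RADIUS Access-Reject for 00:11:22:33:44:55"),
    LogEvent(6, "AAA: subscriber 00:11:22:33:44:55 authorized, plan Hourly"),
    LogEvent(7, "AAA: Access-Request sent to 10.10.10.10:1812"),
)

if __name__ == "__main__":
    # Log Number 2 and filter Debug, as on the screen: everything goes out.
    for line in build_syslog_lines(SAMPLE_EVENTS, log_number=2, log_filter=7):
        print(line)
    # Tightening the filter to Error keeps only the reject.
    print(build_syslog_lines(SAMPLE_EVENTS, log_number=2, log_filter=3))
```

The PRI value is the only thing the collector can use to tell the AAA log (Log Number 2 above) apart from the system log if both go to the same server, which is why the guide recommends distinct log numbers. Nothing here secures the transport; as the screen's WARNING says, UDP syslog is cleartext, and an IPSec tunnel to the collector is the page's suggested remedy.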
URL target format: http://<Access Gateway IP address>:1111/usg/roommapping
For example: http://219.57.108.103:1111/usg/roommapping

The Enter Network Password prompt appears. The browser asks for the user name and password for the site and realm, with an option to save the password in the browser's password list. Because the URL is plain HTTP, the credentials and the session cookie travel in cleartext, so perform room mapping only from the management network.

3. Enter your user name and password, then click on the OK button. The In-Room Port Mapping screen appears.
4. Enter the room number and a description for this room.
5. Select the access mode you want to assign to this room:
   - Room Free Access
   - Room For Charge
   - Room Blocked
6. Click on the Submit button to save your changes.
7. Repeat Steps 4 through 6 for each room (see note).

Note: If you leave your browser open, the cookie that is placed on your system will allow you to go from room to room during the mapping process. However, if you close your browser, the cookie is deleted and you will need to log in again.

Setting up Quality of Service (QoS)

The Quality of Service feature allows subscriber traffic to be classified so that it can then be acted upon by devices that support QoS prioritization or other QoS capabilities. This requires the use
URLs. Portal page redirect enables redirection to a portal page before the authentication process. This means that anyone will get redirected to a Web page to establish an account, select a service plan and pay for access. Home page redirect enables redirection to a page after the authentication process, for example to welcome a specific user to the service after the user has been identified by the authentication process. See also Portal Page Redirect on page 17.

iNAT
Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT), solving a key problem of many public access networks. Nomadix's patented iNAT (intelligent Network Address Translation) feature contains an advanced real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm. The NSE performs a defined mode of network address translation based on packet type and protocol (for example ISAKMP). UDP packet fragmentation is supported to provide a more seamless translation engine for certificate-based VPN connections. If address translation is needed to ensure the success of a specific application (for example, multiple users trying to access the same VPN termination server at the same time), the packet engine selects an IP address from a freely definable pool of pub
a detailed listing of all interface communication elements and their current status. To view the Network Interfaces, go to the Web Management Interface, click on Network Info, then click on Interfaces.

The Network Interfaces screen appears:

Network Interfaces
lo (unit number 0):
  Flags: (0x48049) UP LOOPBACK MULTICAST TRAILERS ARP RUNNING INET_UP
  Type: SOFTWARE_LOOPBACK
  inet: 127.0.0.1
  Netmask 0xff000000 Subnetmask 0xff000000
  Metric is 0
  Maximum Transfer Unit size is 1536
  packets received; 0 packets sent
  multicast packets received; multicast packets sent
  input errors; 0 output errors
  collisions; 0 dropped
  output queue drops
rtl (unit number 0):
  PHY: BMSR 0x782d, Link up, Auto succeeded, BMCR 0x3000, Speed 100 Mbps half duplex
  Flags: (0x68043) UP BROADCAST MULTICAST ARP RUNNING INET_UP
  Type: ETHERNET_CSMACD
  inet: 172.30.30.172
  Broadcast address: 172.30.30.255
  Netmask 0xffff0000 Subnetmask 0xffffff00
  inet: 67.130.149.163
  Broadcast address: 67.130.149.191
  Netmask 0xff000000 Subnetmask 0xffffffe0
  Ethernet address is 00:50:e8:01:63:3f
  Metric is 0
  Maximum Transfer Unit size is 1500
  235340404 octets received
  5702033 octets sent
  163906 unicast packets received
  167558 unicast packets sent
  0 non-unicast packets received
  non-unicast packets sent
  incoming packets discarded
  outgoing packets discarded
  incoming errors
  outgoing errors
  unknown protos
  collisions; 0 dropped
  output queu
address specified. If you specified a subnet, is it correct? If you suspect the subnet, try using 255.255.255.0.

Possible Cause: The DHCP relay is disabled and the DHCP service settings in the Access Gateway are misconfigured.
Solution: Check the internal DHCP service settings.

Problem: Subscribers are unable to route to a domain name, but they can route to an IP address.
Possible Cause: The DNS server settings are misconfigured.
Solution: Check the DNS settings (host, domain, and the primary, secondary and tertiary DNS).
Possible Cause: The DNS server is down.
Solution: Check with the service provider. Is the DNS server down?

Problem: When a subscriber logs in for the first time, their browser is not redirected to the specified home page.
Possible Cause: Home page redirection is not enabled in the Access Gateway.
Solution: Enable home page redirection.
Possible Cause: The home page URL was entered into the Access Gateway incorrectly.
Solution: Re-enter the correct URL.
Possible Cause: The server that hosts the home page is down, or the service provider (if different from the host) is not able to route to your page.
Solution: Check that the server is operational and that the home page can be accessed through your service provider (if different).
Possible Cause: DNS is misconfigured in the Access Gateway.
Solution: Check the DNS settings (host, domain, and the primary, secondary and tertiary DNS).
all of the authentication and encryption power and added features you need. Choose Secure Site with a 40-bit SSL Secure Server ID, or select Secure Site Pro with a 128-bit SSL Global Server ID. Securing 5 or more servers? You need OnSite for Server IDs. (The VeriSign comparison page lists Features for Secure Site (349) and Secure Site Pro (895): SSL Encryption 40-bit, Core Features, VeriSign Authentication Service, VeriSign Secure Site Seal, VeriSign NetSure Protection; Need help? Contact our Sales Team.)

Select Buy Now for the 40-bit SSL Secure Server ID or the 128-bit SSL Global Server ID. Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it is impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. Note that this recommendation dates from the era of export-grade browsers: 40-bit session keys can be recovered by brute force and no current browser requires them, so a present-day deployment should take the strongest key length the Certificate Authority offers.

During the process VeriSign will ask for your business information and verification. There are several ways to prove the existence of your business. Please follow the instructions from VeriSign carefully. In addition, there is one section about generating a CSR; however, since you have already created the CSR in step 2 with OpenSSL, you can skip those instructions.

CSR Submission to VeriSign
Server Software Vendor: Select your server software vendor from the pull-down list (AliBaba, WarpGroup, AOL Navisoft, Aventail, BEA WebLogic, ...).
Enter CSR Information: MIIB7DCCAVU
an Address Resolution Protocol (ARP) table entry.
ARP Delete: Deletes an ARP table entry.

Items / Description (continued)
ARP Interface: Adds or deletes an Address Resolution Protocol (ARP) table entry. All ARP Table configuration additions and deletions are now made on the same page. Manually added ARP entries (Static/Persistent) are now shown in their own section for easy reference.
Bridge Mode: Enables the Bridge Mode option.
Dynamic Proxy: A function that assures a subscriber can be connected.
Export: Exports the system's configuration settings to an archive file.
Factory: Imports the factory default settings.
Fail Over: Sets up a sibling Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the network.
History: Displays a history log of the system's activity, including Access, Reboot and Uptime.
ICMP: Sets up ICMP blocking for traffic from pending or non-authenticated users that is destined to addresses other than those defined in the pass-through (walled garden) list.
Import: Imports previously exported system configuration settings from an archive file.
Login: Sets up the login name and password.
MAC Filtering: Blocks malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time.
Reboot: Reboots the Nomadix Access Gateway.
Route Add
Step 1a: Static WAN IP Configuration 42
Step 1b: DHCP Client Configuration 44
Step 1c: PPPoE Dynamic IP Client Configuration 45
Step 1d: PPPoE Static IP Client Configuration 46
Step 2: Entering Your Location Information 46
Step 2a: Retrieving Your License Key 47
Step 3: Configuring the DHCP Server Settings 48
The Management Interfaces (CLI and Web) 49
Making Menu Selections and Inputting Data with the CLI 50
Menu Organization (Web Management Interface) 50
Inputting Data (Maximum Character Lengths) 52
Online Documentation and Help 53
Establishing the Start Up Configuration 54
Assigning Login User Names and Passwords 55
Setting the SNMP Parameters (optional) 56
Configuring the WAN interface 8.2 57
Enabling the Logging Options (rec
are sent to these servers for future retrieval. To see sample reports, go to Sample SYSLOG Report on page 291 and Sample AAA Log on page 290.

Enabling MAC Authentication (MAC Authentication)

1. From the Web Management Interface, click on Configuration, then MAC Authentication. The MAC Authentication Settings screen appears.

MAC Authentication Settings
  MAC Authentication: Enable [checkbox]
  Retry Frequency: 10 seconds
  MAC Address Format: aa:bb:cc:dd:ee:ff / aa-bb-cc-dd-ee-ff / aabbccddeeff
  Case of Hex Alpha Characters: Lower / Upper
  RADIUS Service Profile to use: [select one]
  [Submit] [Reset]

2. Check the MAC Authentication checkbox to enable the MAC-based authentication functionality. The default setting is disabled. Note that the credential in this model is the MAC address itself, which any client can read off the wire and set on its own interface, so MAC authentication identifies a device rather than proving who is using it; enable it only where that level of assurance is acceptable.
3. Enter the retry frequency in seconds in the Retry Frequency field. This setting is the wait time in seconds before reattempting MAC authentication following a failed attempt. The minimum and default value is 10 seconds.
4. Select the MAC Address Format. This setting is the format in which the subscriber's MAC address will be expressed in the RADIUS username and password attributes. The RADIUS server must use the same format. The options are aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff. The default setting is aa:bb:cc:dd:ee:ff.
5. Select the Case of Hex Alpha Characters. This setting specifies the case of the hexadecimal letters in the MAC addresses in RADIUS usern
defaults.
4. Enter the SNMP parameters (communities and identifiers). The SNMP parameters include your contact information, the get/set communities and the IP address of the trap recipient. Your SNMP manager needs this information to enable network management over the Internet. The sample below keeps the well-known defaults public and private; on a production gateway choose community strings that cannot be guessed, since the set (write) community grants configuration access to anyone who can reach the SNMP port.
5. If you enabled the SNMP daemon, you must reboot the system for your changes to take effect. In this case enter y (yes) to reboot your Access Gateway.

Sample Screen Response
Configuration> sn
Enable the SNMP Daemon [Yes]:
Enter new system contact [newname@domainname.com]: Nomadix, Newbury Park, CA
Enter new system location [Office, Newbury Park, CA]:
Enter read (get) community [public]:
Enter write (set) community [private]:
Enter IP of trap recipient [0.0.0.0]: 10.11.12.13

SNMP Daemon: Enabled
System contact: newname@domainname.com
System location: Office, Newbury Park, CA
Get (read) community: public
Set (write) community: private
Trap recipient: 10.11.12.13
Reboot to enable new changes (yes/no)? y
Rebooting

You can now address the Access Gateway using an SNMP client manager.

Configuring the WAN interface (8.2)
The 8.2 NSE adds the following configuration steps. If a license key is not present, you will still be directed to set up the WAN configuration as soon as you log into the CLI. However, the subsequent steps are new, and network settings are no longer configured under Locat
derived from one that is. Includes options 1 (subnet mask), 3 (router), 6 (domain name server), 15 (domain name), 51 (lease time), 54 (server identifier), 58 (renewal time), 59 (rebinding time).
- Items not valid in a DHCP offer or ACK message. Includes options 50 (requested IP address), 55 (parameter request list), 56 (error message), 57 (maximum message size), 60 (vendor class identifier), 61 (client identifier).
- Items generated automatically by the mechanism of DHCP message construction, which carry no application information. Includes options 0 (pad), 52 (option overload), 53 (DHCP message type), 255 (end).

Unrecognized options: Options 62, 63 and 77 through 254 are unrecognized. Some of these codes are legitimate and are defined in other RFCs, while others are not defined. These option codes are not explicitly disallowed on the NSE, but the NSE is unaware of them; that is, it will make no attempt to validate either the code or the data. It is the administrator's responsibility to ensure that the option codes and data entered are legitimate.

The following screens illustrate adding additional DHCP options to a DHCP Pool.

Edit a DHCP Pool
  DHCP Server IP: 10.0.0.4
  DHCP Server Netmask: 255.255.255.0
  DHCP Pool Start IP: (Note: Please make sure pools do not overlap)
  DHCP Pool Stop IP: 10.0.0.100
  DHCP Lease Minutes: 60
  1 Router: DHCP Server IP / Specify E
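Since the page places the burden of validating extra option codes and their data on the administrator, the following added example (not Nomadix code and not the NSE's own logic) turns the classification above into a pre-check that can be run before an option is typed into a pool. The code sets are the page's; the accept/reject policy, the encoders and the sample values are this example's own, and the example option numbers in comments (4, 42, 66) come from RFC 2132.

```python
"""Added example, not Nomadix code: an administrator-side pre-check for
extra DHCP options before they are typed into a pool, built from the
classification on this page.  The option code sets are those the page
lists; the accept/reject policy is this example's own, since the page
says the NSE itself does not validate unrecognized codes or their data."""
import ipaddress

# Derived from the pool settings or from the DHCP message itself.
DERIVED = {1, 3, 6, 15, 51, 54, 58, 59}
# Never valid in a DHCPOFFER or DHCPACK.
NOT_VALID_IN_REPLY = {50, 55, 56, 57, 60, 61}
# Produced by message construction, carrying no application data.
AUTO_GENERATED = {0, 52, 53, 255}
# Listed by the page as unrecognized by the NSE.
UNRECOGNIZED = {62, 63} | set(range(77, 255))


def classify(code: int) -> str:
    """Return 'accept', 'warn: ...' or 'reject: ...' for an option code."""
    if not 0 <= code <= 255:
        raise ValueError("DHCP option code must fit in one octet")
    if code in DERIVED:
        return "reject: derived from pool settings"
    if code in NOT_VALID_IN_REPLY:
        return "reject: not valid in OFFER/ACK"
    if code in AUTO_GENERATED:
        return "reject: generated by message construction"
    if code in UNRECOGNIZED:
        return "warn: unrecognized by the NSE, validate against its RFC yourself"
    return "accept"


def is_enterable(code: int) -> bool:
    """True for codes an administrator may add (accepted or merely unrecognized)."""
    return not classify(code).startswith("reject")


def encode_option(code: int, value: bytes) -> bytes:
    """Code / length / value wire form, enforcing the one-octet length
    field that the NSE will not check for you."""
    if not is_enterable(code):
        raise ValueError(f"option {code}: {classify(code)}")
    if not 1 <= len(value) <= 255:
        raise ValueError("option value must be 1..255 octets")
    return bytes([code, len(value)]) + value


def encode_ip_list_option(code: int, addresses) -> bytes:
    """Options whose value is a list of IPv4 addresses, e.g. 4 (time server)
    or 42 (NTP servers); at most 63 addresses fit in the length octet."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return encode_option(code, packed)


def encode_text_option(code: int, text: str) -> bytes:
    """Options whose value is a string, e.g. 66 (TFTP server name)."""
    return encode_option(code, text.encode("ascii"))


if __name__ == "__main__":
    # Constructed inputs for the pool shown above (10.0.0.4/24).
    print(classify(42), encode_ip_list_option(42, ["10.0.0.4"]).hex())
    print(classify(3))    # the router is derived from the pool, so rejected
    print(classify(150))  # legitimate in other RFCs, but the NSE will not check it
```

The encoders matter because the NSE passes unrecognized option data through unchecked: a value longer than 255 octets, or an address list that is not a multiple of four octets, would reach clients as a malformed option, and the place to catch that is before it is saved in the pool.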
each model, in the given order above.

Subscriber Management Models
The system administrator establishes the subscriber management model via the Command Line Interface (CLI) or the Web Management Interface. These models can be changed while the Access Gateway is running, without rebooting or interrupting the service.

Free Access
If the Access Gateway is configured to disable AAA services, all subscribers will have free access to the Internet.

MAC Address
Each computer with an Ethernet interface card has a unique MAC (hardware) address. The Access Gateway can be configured to allow access for specified MAC addresses. In this model, when a subscriber attempts to access the Internet, the Access Gateway validates the subscriber's MAC address against a MAC authorization table. If the MAC address is verified, the Access Gateway authorizes access to the Internet. A possible scenario for using this model is to allow Internet access to administrative personnel in all locations.

User Name and Password
Each subscriber can choose a unique user name and password and be charged for it. In this model, when a subscriber attempts to access the Internet, they are prompted for the user name and password before access is authorized. Possible scenarios in which this model is appropriate include allowing subscribers to use more than one computer, or when subscribers want to move between locations.

Credit Card
In this model, when subscribers conne
enabling the creation of VLANs that use equipment from multiple vendors.

10/100 Ethernet: See Ethernet.

AAA (Authentication, Authorization and Accounting): A combination of commands used by Nomadix Gateways to authenticate, authorize and subsequently bill subscribers for their use of the customer's network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber's MAC address and billing information before allowing them to access the Internet and make online purchases. See also MAC Address.

Access Concentrator: A type of multiplexer that combines multiple channels onto a single transmission medium in such a way that all the individual channels can be simultaneously active. For example, ISPs use concentrators to combine their dial-up modem connections onto faster T-1 lines that connect to the Internet. Concentrators are also used in Local Area Networks (LANs) to combine transmissions from a cluster of nodes. In this case the concentrator is often called a hub.

Access Router: A router at a customer site which connects to the network service provider. Also known as a Customer Premises Equipment (CPE) router. See also Router.

ACK (ACKnowledgment): If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet.

Adaptive Configuration Tec
file.
List: Displays the port location file, listing all port location assignments.

Subscriber Administration Menu Items
Items: Description
Add: Adds subscriber profiles to the database.
Current: Displays a list of all currently connected subscribers.
Delete by MAC: Deletes a subscriber based on a specific MAC address.
Delete by User: Deletes a subscriber based on a specific user name.
DHCP Leases: Sets up the current subscriber DHCP leases.
Expired: Removes expired profiles.
Find by MAC: Finds a subscriber profile based on a specified MAC address.
Find by User: Finds a subscriber profile based on a specified user name.
List by MAC: Displays a list of authorized subscriber profiles sorted by MAC address.
List by User: Displays a list of authorized subscriber profiles sorted by user name.
RADIUS Session History: These logs record RADIUS proxy accounting messages sent or received by the RADIUS proxy.
Statistics: Displays the current subscriber profile statistics (for example, how many profiles are currently in the database).

Subscriber Interface Menu Items
Items: Description
Billing Options: Establishes the various billing plans and rate schemes, including messages and appearance.
ICC Setup: Sets up the Information and Control Console (ICC) for subscribers.
Language Support: D
go to:
- Setting Up a Normal Billing Plan on page 224
- Setting Up an X over Y Billing Plan on page 225

Setting Up a Normal Billing Plan
1. If required, click on the Enable check box to enable (make active) this billing plan.
2. Define a label for this billing plan in the Label field. Each plan must have a unique label, different from other plans.
3. Enter a description for this billing plan in the Description of Service field.
4. Define the Pricing schemes for this billing plan (rate per minute, per hour, per day, per week and per month).
5. Define the Time Unit of the billable event: either Minute, Hour, Day, Week or Month. One time unit is assigned to each billing plan. The Access Gateway allows you to define multiple billing plans with different time units at the same time. For example, you can define one billing plan that charges by the hour (e.g. 2.95 per hour) and a second plan that charges per day (e.g. 12.95 per day).
6. Define the Up (to network) and Down (to subscribers) bandwidth range for this billing plan.
7. Define the DHCP Pool, public or private (see following note). The public option requires IP Upsell to be turned on; otherwise subscribers will receive private IP addresses.
8. Click on the Submit this Plan button to save your changes and establish this billing plan. Alternatively, you can click on the Delete t
guests with loyalty memberships can qualify for premium services.

Load Balancing (8.2)
The 8.2 NSE provides load balancing as an optional module. See Load Balancing and Link Failover on page 26 for a more complete description and typical use cases.

Logout Pop-Up Window
As an alternative to the ICC, the NSE delivers an HTML-based pop-up window with the following functions:
- Provides the opportunity to display a single logo
- Displays the session's elapsed/count-down time
- Presents an explicit Logout button
See also Information and Control Console on page 13.

MAC Filtering
MAC Filtering enhances Nomadix access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also Session Rate Limiting (SRL) on page 20.

Multi-Level Administration Support
The NSE allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only. Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the Access Gateway platform at any one time. Mu
in the flash.
2. Create an XML packet based on the new billing record.
3. Send the billing record to the carbon copy server(s).
4. Transmit the data currently stored in the flash, based on the specified retransmission method: round robin (A B A B) or fail-over (A A B B).

The system stores the billing record in the flash so that the record will not be lost, for example if the Access Gateway is powered down during transmission attempts. Billing records are sent to the carbon copy server(s) only after the records are placed in the message queue. Carbon copy servers will not receive the records again if a task for retransmitting to the primary or secondary server needs to be performed.

XML Interface

XML for the External Server
The Access Gateway sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built as the billing mirroring information is sent to the external server, in HTTP-compliant XML format. Content-Length has also been added to the HTTP POST. The XML string built from the billing mirror record is in the following format:

Access Gateway to External Server
<USG RMTLOG_COMMAND="ADD_REC">
  <REC_NUM>(max 4 characters)</REC_NUM>
  <USG_ID>(max 6 characters)</USG_ID>
  <PROPERTY_ID>(max 64 characters)</PROPERTY_ID>
  <DATE>(max 10 characters)</DATE>
  <TIME>(max 8 characters
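The following added example (not Nomadix code) builds one bill-record mirroring POST in the shape described above and works out the order in which the primary (A) and secondary (B) mirror servers are tried under the two Retransmit Methods from the Bill Record Mirroring screen earlier on this page (Alternate, the round robin A B A B pattern; Do Not Alternate, the fail-over A A B B pattern). The element names and length limits are the page's. Assumptions: the closing </USG> tag, since the page's listing is cut off; the Content-Type and POST path; and that the attempts count is per server, which is what makes two attempts produce exactly A B A B or A A B B. The shared secret key the page mentions is not modelled, because the page does not say how it enters the record.

```python
"""Added example, not Nomadix code: one bill-record mirroring POST in
the shape the page describes, plus the primary/secondary try order for
the two retransmit methods.  Element names and length limits are the
page's; </USG>, Content-Type, the POST path and the per-server meaning
of 'attempts' are assumptions.  The shared secret key is not modelled
because the page does not say how it is applied."""
from xml.sax.saxutils import escape

# (element, maximum length in characters), in the order the page lists them.
FIELDS = (("REC_NUM", 4), ("USG_ID", 6), ("PROPERTY_ID", 64),
          ("DATE", 10), ("TIME", 8))


def build_record(values: dict) -> str:
    """Serialize a billing record, refusing over-length fields up front
    rather than letting the mirror server truncate or reject them."""
    parts = ['<USG RMTLOG_COMMAND="ADD_REC">']
    for name, limit in FIELDS:
        text = str(values[name])
        if len(text) > limit:
            raise ValueError(f"{name} is longer than {limit} characters")
        parts.append(f"<{name}>{escape(text)}</{name}>")
    parts.append("</USG>")
    return "".join(parts)


def build_http_post(host: str, path: str, body: str) -> bytes:
    """Wrap the XML in an HTTP POST carrying the Content-Length header the
    page says the gateway adds."""
    payload = body.encode("utf-8")
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: text/xml\r\n"
            f"Content-Length: {len(payload)}\r\n"
            "\r\n")
    return head.encode("ascii") + payload


def retransmit_order(method: str, attempts: int, has_secondary: bool = True):
    """Servers tried, in order, until one acknowledges the record."""
    if attempts < 1:
        raise ValueError("attempts must be at least 1")
    if not has_secondary:
        return ["A"] * attempts
    if method == "alternate":            # round robin: A B A B
        return [("A", "B")[i % 2] for i in range(2 * attempts)]
    if method == "do_not_alternate":     # fail-over: A A B B
        return ["A"] * attempts + ["B"] * attempts
    raise ValueError(f"unknown retransmit method {method!r}")


# Constructed record; USG_ID and PROPERTY_ID echo the screen shown earlier.
SAMPLE_RECORD = {"REC_NUM": "0001", "USG_ID": "015b71", "PROPERTY_ID": "HSG",
                 "DATE": "2024/01/31", "TIME": "12:34:56"}

if __name__ == "__main__":
    xml = build_record(SAMPLE_RECORD)
    print(build_http_post("mirror.example.net", "/billing", xml).decode())
    print(retransmit_order("alternate", 2), retransmit_order("do_not_alternate", 2))
```

The same two orderings apply to the RADIUS accounting Retransmission Method (Failover or Round Robin) described later on this page, with the Retransmission Attempts per server field playing the role of attempts here. Whichever method is chosen, the record stays in flash until one server acknowledges it, so a receiver that returns success before persisting the record is the failure mode to design against on the server side.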
in the subscriber's browser. We recommend that you use VeriSign; all instructions in this document are based on obtaining a key from VeriSign. Please contact Nomadix Technical Support if you want to use a different Certificate Authority. For Nomadix technical support, go to Contact Information on page 353.

Obtain a Private Key File (cakey.pem)
To create a Private Key File, you must install OpenSSL on your Windows 9x or NT operating system, on a PC with Internet access.

Requirements for Certificate Signing Request (CSR) and Key Generation
- Cygwin and the OpenSSL application installed on Windows 9x or NT
- 5 large random files residing on the workstation (large compressed log files are recommended by VeriSign). These files are passed as file1, file2, file3, file4 and file5 in the key generation command.

Downloading Cygwin
There are several sources for obtaining Cygwin to install OpenSSL. One popular source is http://sources.redhat.com/cygwin. Nomadix used Cygwin version 1.3.2 for generating this section of the User Guide.

Installing Cygwin and OpenSSL on a PC
The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen (Cygwin Setup).
1. Click on the Next button. The following screen appears (Cygwin Setup).
2. Click on the Next button to display the next setup screen. Local pa
interface.
1. Check the Subscriber Tracking Log option to enable or disable the Subscriber Tracking log. Note: NTP must be enabled on the NSE for the Subscriber Tracking log to be enabled.
2. Enter the subscriber tracking log number in the Subscriber Tracking Log Number field. This is the syslog number used to identify this syslog to your server.
3. Enter the IP address of the syslog server that is listening for the syslogs from your NSE in the Subscriber Tracking Log Server IP field.
4. Check the Subscriber Tracking Log save to file option to save the syslogs locally to the NSE flash. Note: Not recommended.
5. Check the Include User Name Reporting option to include the first 25 characters of the username in the syslog.
6. Check the Port Location Include Port Reporting option and the Port Location Include Location option to include the port information from the port location table, and the port reported to the system by either VLAN or SNMP query. The Location information is limited to 25 characters.
7. Check the Include every 500th Packet option to follow the Danish law that requires the 500th packet for each subscriber to be logged. Enabling this will send the 500th packet for each subscriber to the syslog system.
8. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.

When logging is enabled, log files and error messages
interface <name>           Show a single WAN Interface configuration
modify interface <name>    Modify a single WAN Interface configuration
Type b to go back, <esc> to abort, ? for help
Ethernet port WAN interface configuration> mod int WAN
Port Role [wanIf] (outOfService, subscriberIf, wanIf):
Configuration Mode [static] (static, dhcp, pppoe):
IP Address [67.130.149.57]:
Subnet Mask [255.255.255.128]:
Gateway IP [67.130.149.126]:
GW ARP Refresh Interval <secs> [120]:
Bandwidth uplink speed [15000]:
Bandwidth downlink speed [15000]:
WAN 802.1Q tagging [Disabled]:
VLAN ID [1]:
DNS Domain Name [nomadix2.com]:
DNS Server 1 [67.130.149.123]:
DNS Server 2 [8.8.8.8]:
DNS Server 3 [0.0.0.0]:
Additional NAT IP addresses [Disabled]:
Additional NAT IP address configuration for WAN
show all                   Show additional NAT IP addresses
add ipaddress              Add a new NAT IP address
delete ipaddress <ipaddr>  Delete an existing NAT IP address
Type b to go back, <esc> to abort, ? for help
Additional NAT IP address configuration for WAN>

Enabling the Logging Options (recommended)
System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authentication, Authorization and Accounting) functions. You can enable either of these options. Although the AAA and billing logs can go to the same server, we recommend that
it has received the request.

1. To enable the accounting service for your RADIUS functionality, click on the check box for Enable RADIUS Accounting Service.
2. Enter the primary RADIUS accounting server IP address in the Primary IP field.
3. Enter the accounting port in the Port field for the primary RADIUS accounting server. This is the port the system uses when communicating accounting records.
4. Enter a secret key in the Secret Key field for the primary RADIUS accounting server.
5. Repeat Steps 2 through 4 for the secondary RADIUS accounting server (if used).

Retransmission Options
This category requires you to define the data retransmission method (failover or round robin), the retransmission frequency, and how many retransmissions the system should attempt.
1. Select the Retransmission Method: Failover or Round Robin.
2. Enter a value for the time in seconds in the Retransmission Frequency field. This value determines how much time elapses between transmission attempts.
3. Enter a numeric value in the Retransmission Attempts per server field to define how many times the system attempts to transmit the data.
4. Click on the Add button to add this RADIUS Service Profile.

When you have completed the definition of your RADIUS Service Profile, you can return to the previous screen (Realm Based Routing Settings) by clicking on the Back to Main Realm Based Routing Settings page link. The RADIUS Service Profile you just created is added to
must be entered in the form of a PCAP-style filter string.

Packet Capture Settings
  Filtering parameters for WAN interface
  Expression:
  Snap Length: 128
  Packet Count: 100
  Circular: [checkbox]
  Max Duration: 1 hours (between 1 and 240)
  Previously used filters: [clear history]

Rebooting the System (Reboot)
This procedure shows you how to reboot the Access Gateway. The reboot procedure outlined on this page allows you to decide when to reboot if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes.
1. From the Web Management Interface, click on System, then Reboot. The Reboot Device screen appears (Reboot operating system: OK).
2. Click on OK to reboot the operating system.

Adding a Route (Route Add)
This procedure shows you how to add a route into the Access Gateway's routing table. This is accomplished by establishing the route's destination IP address and by setting the gateway (or router) IP address by which the route's destination can be reached.
1. From the Web Management Interface, click on System, then Route Add. The Add Static Routes screen appears.

Add Static Routes
Destination  Prefix  Gateway         Flags  Use  Interface
0.0.0.0      0       67.130.149.190  0x3    502  Netw
…of 802.1q-based VLANs on the network, as it is based on 802.1p Class of Service (CoS) marking. The QoS classification function supports both external and internal modes. In External mode, when the NSE receives packets with the 802.1p priority bits already set, it passes the priority values through unaltered. In Internal mode, classification and the resulting bit marking are performed by QoS policies defined within the NSE. The two modes can also be used in combination.

1. From the Web Management Interface, click on Configuration, then QoS. The QoS Settings screen appears:

QoS Settings
  QoS Mode: [ ] Enable
  QoS Classification: [ ] Enable
  Classification mode: External (802.1p classifier only) / External 802.1p and Internal / Internal (policies only)
  QoS Marking (802.1p): [ ] Enable
  QoS Policies: QoS policies for subscriber traffic (up to 16 may be created); Unique name / Description. There are 0 subscriber policies. Add Policy: Click here to add a new QoS Policy.

2. Enable QoS Mode if you want to use QoS policies.
3. Enable QoS Classification to select the classification mode desired. Classification can be based on internally defined policies, on incoming frames that are already classified, or both.
4. Enable QoS Marking to mark packets using 802.1p Class of Service values.
5. Select Add Policy to define a new QoS policy, or select a link to a policy that is already defi…
…only
  Manual Passthrough Address: Enable
  Portal XML POST URL: http://portal.mycompany.com/xmlpost.asp
  Portal XML Post Port: 80
  Supports GIS Clients: Yes
  Block IWS Login Page: Yes
  Usernames: Enable (Note: the Usernames option is enabled if any of the following are true: Relogin After Timeout, Relogin after Migration, XoverY billing, or Gre…)

The feature is configured by selecting a signing method, selecting the parameters to be signed, and assigning a secret key. Two signature methods are supported:
- HASH CRC32
- HMAC MD5

Of these, only HMAC MD5 is a keyed message authentication code. CRC32 is an error-detecting checksum, so it will catch accidental corruption but should not be relied on to stop a subscriber who deliberately forges the redirection string; choose HMAC MD5 when the EWS supports it.

Not all parameters that are part of the URL redirection string need to be included in the signature calculation. The following parameters are considered sensitive and can be selected:
- UI: the ID of the NSE
- MA: the subscriber's MAC address
- RN: the Room Number
- PORT: the port number the subscriber is connected to
- SIP: the subscriber IP address (removed in 8.2)

The desired secret key simply needs to be entered in the field. Once entered, it is not visible to the user. Information indicating which parameters were signed, together with the resulting hash value, is then carried in additional parameters appended to the redirection string. To use the parameter signing feature, the EWS or Portal Page Server must be configured to correctly parse and verify the signing information. Documentation that includes guidelines for config…
…or bill users based on the number of connections, the location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server along with the associated attributes for each user. When a customer connects to the network, the RADIUS client authenticates the customer with the RADIUS server, applies the associated attributes stored in that customer's profile, and logs their activity, including bytes transferred, connect time, etc.

The Access Gateway's RADIUS implementation also handles vendor-specific attributes (VSAs) required by WISPs that want to enable more advanced services and billing schemes, such as a per-device, per-month connectivity fee.

(Figure: Public Internet, Router, Aggregation Equipment, Subscriber 1, Subscriber 2, RADIUS Server. All subscribers attempting to gain access to the network are validated by RADIUS.)

For additional RADIUS information, see also:
- Defining the RADIUS Proxy Settings (RADIUS Proxy) on page 154
- Defining the Realm Based Routing Settings (Realm Based Routing) on page 158
- RADIUS Attributes on page 294

1. From the Web Management Interface, click on Configuration, then RADIUS Client. The RADIUS Client Settings screen appears (RADIUS Client Settings: Server Selection and Communicatio…
…page. From this Web page, technical support can type a username and password and instruct the Access Gateway to send a RADIUS access request to the RADIUS server, following the same basic rules as if the request came from a user. The URL for the test page is http://<Nomadix Access Gateway IP>/radtest/testradius.htm and can be accessed from the network side of the Access Gateway. You must open a separate browser to use this feature. The Framed IP field is configurable by the user and can be set to any IP address.

7. Click on the check box for Radius Authentication Enable to enable the Centralized Authentication mechanism. If chosen, the system first tries to authenticate against the local database and then checks against the RADIUS Service Profiles that are configured.
8. Select the RADIUS Service Profile from the pop-up list. The list of available profiles is defined in Realm Based Routing.
9. Enter a Session Timeout value in minutes. This defines the validity period of the cookie passed to the Web browser from the WMI (both the WMI session and the RADIUS session).
10. (Managers only) If RADIUS is enabled, you can enter a login name in the RADIUS Remote Test Login field (Remote RADIUS Authentication Test Page). For RADIUS logins the maximum number of characters for usernames is 96; the maximum number of characters for passwords is 128.
11. (Managers only) If you entere…
…parameter for openssl to generate an RSA key.
-rand: A parameter for openssl to seed the random number generator from the file list file1 … file5. These five large random files reside on the workstation (large compressed log files, as recommended by VeriSign). They are entered in the key generation command as file1, file2, file3, file4, file5.
> cakey.pem: Output to cakey.pem, the file that contains the private key. The file name must be cakey.pem for it to be used in the Access Gateway.

Because of a parameter buffer size limitation of the openssl command, the argument length should not exceed 80 characters. If you are creating multiple keys, output them into different directories and save them under different names. However, if you save them under different names, you must rename them back to cakey.pem before transferring them to the Access Gateway by FTP. Do not include the -des3 option, so that the private key stays in unencrypted form.

Note that an unencrypted private key transferred by FTP crosses the wire in cleartext, as does the FTP login; perform the transfer only from a trusted management network and remove the workstation copies afterwards.

Here is the output of cakey.pem (the base64 key body printed in the guide is not reproduced legibly in this copy):
-----BEGIN RSA PRIVATE KEY-----
…
…peer in the Tunnel Peer field.
3. Enter a Dead Peer Detection interval (integer value, in seconds).
4. Select the Internet Key Exchange (IKE) Protocol Version.
5. In the Peer Authentication Method section, select one of the two peer authentication methods:
   - Authenticate via pre-shared key: enter the pre-shared key in the Shared Key field.
   - Authenticate via X.509 Certificate: enter the filename of the private key in the Private Key Filename field, and the filename of the public certificate in the Certificate Filename field. Note that the files must exist on flash first.
6. In the IKE Channel Security Parameters section, select the following settings:
   - Acceptable Encryption Algorithms: check the DES, 3DES and/or AES128CBC checkboxes (you must check at least one option).
   - Acceptable Hash Algorithm: check the MD5, SHA and/or AES128 checkboxes (you must check at least one option).
   Every algorithm you check is one the peer may negotiate. Single DES (56-bit key) and MD5 are no longer considered adequate, so where the peer supports it, check only AES128CBC and SHA so the tunnel cannot be negotiated down to the weaker options.
7. Click Add to add the IPSec tunnel peer to the IPSec Tunnel Peers table on the IPSec Tunnel Settings screen.
8. Click the Back to Main IPSec Tunneling Settings page link to return to the IPSec Tunnel Settings screen.

Modifying an Existing IPSec Tunnel Peer
1. Click on the IPSec tunnel peer link that you wish to modify in the IPSec Tunnel Peers table. The IPSec Tunnel Peer Settings screen opens.
2. Modify the settings as desired.
3. Click:
   - Modify to save the changes to the peer
   - …
…preceding
  Suffix match only: Match characters following (i.e. NAI realm)
  Match either: Try prefix first, then try suffix if no prefix match
  RADIUS Service Profile: RadiusPrefix
  Strip off routing information when sending to RADIUS server: [unchecked]
  Tunnel Profile: none
  Tunnel Parameters (for profile-triggered or RADIUS-triggered tunnels):
    Strip off routing information when sending to tunnel server: [checked]
    Local hostname:
  Add / Back to Main Realm Based Routing Settings page

The following screen shows a realm routing policy that handles suffix-based usernames using a tunnel profile:

Specific Realm
  Realm name: tcisp.com
  Wildcard match: [ ]
  Prefix match only: Match characters preceding
  Suffix match only: Match characters following (i.e. NAI realm) [selected]
  Match either: Try prefix first, then try suffix if no prefix match
  RADIUS Service Profile: select one
  Strip off routing information when sending to RADIUS server: [checkbox]
  Tunnel Profile: LNSOne
  Tunnel Parameters (for profile-triggered or RADIUS-triggered tunnels):
    Strip off routing information when sending to tunnel server: [checked]
    Local hostname:

The differences in this example are that the realm name is tcisp.com, Suffix match only is enabled (the delimiter character is not reproduced in this copy), and a tunnel profile, LNSOne, is selected instead of a RADIU…
…previous state. Making changes to the EWS settings does not require a system reboot.

Redirection Parameter Signing

External Web Server (EWS) and Internal Web Server (IWS) Portal Page parameters can be digitally signed, preventing malicious subscribers from intercepting, forging and replaying the URL redirection strings used by the NSE and the EWS or IWS Portal Page to validate subscriber access. This capability closes a weakness that was previously exploited to gain unauthorized Internet access at charge-for-use sites. The signing feature creates a cryptographically strong signature that protects the sensitive portions of a URL redirection string (NSE ID, MAC address of the subscriber, etc.) while letting the EWS Portal Page verify that the URL string has not been tampered with or forged by the subscriber. Note that the signature only proves the parameters came from the NSE; whether a captured string can be replayed later still depends on the portal checking what it signs, since no timestamp or nonce is listed among the signable parameters.

Select one of the following:

Internal Web Server SSL Support
  [ ] Enable / [ ] Encrypt only Sensitive Data
  Note: To enable, make sure your license includes SSL support and you have all the certificate files on the flash.
  Certificate DNS Name: cert.cacert.arg
Portal Page
  [x] Enable
  Portal Page URL: http://portal.mycompany.com/default.asp
  Parameter Passing: [x] Enable
  Parameter Signing Method: ( ) none  ( ) HASH CRC32  ( ) HMAC MD5
  Parameters: [x] UI  [x] MA  [x] RN  [x] PORT  [x] SIP
  Shared Secret: [write-only field]
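The signing and verification flow described here and in the parameter list (UI, MA, RN, PORT, SIP; methods HASH CRC32 and HMAC MD5; shared secret) can be exercised end to end with the following Python, which is an added example and not Nomadix code. The exact canonical form the NSE signs and the names of the appended parameters (SIGNED, SIGMETHOD, SIG) are not documented on this page and are assumptions here, as is the extra unsigned parameter OS; the sample parameter values are constructed. The NSE side builds the redirect string; the EWS side recomputes the tag and compares it in constant time.

```python
import hashlib
import hmac
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Sensitive parameters the guide allows in the signature, in the fixed order used here.
# The order and the "&"-joined name=value form are assumptions about the canonical input.
SIGNABLE = ("UI", "MA", "RN", "PORT", "SIP")


def canonical(params, signed_names):
    """Join the selected sensitive parameters as name=value pairs in SIGNABLE order."""
    return "&".join(f"{n}={params[n]}" for n in SIGNABLE if n in signed_names)


def signature(params, signed_names, secret, method):
    data = canonical(params, signed_names).encode()
    if method == "HMAC_MD5":
        # Keyed MAC: without the shared secret a subscriber cannot produce a valid tag.
        return hmac.new(secret.encode(), data, hashlib.md5).hexdigest()
    if method == "HASH_CRC32":
        # CRC32 over secret||data (assumed construction): a checksum, not a MAC.
        # CRC is linear, so it detects corruption far better than deliberate forgery.
        return format(zlib.crc32(secret.encode() + data) & 0xFFFFFFFF, "08x")
    raise ValueError(f"unknown signing method {method!r}")


def build_redirect(portal_url, params, signed_names, secret, method="HMAC_MD5"):
    """NSE side: append the signed-parameter list, the method and the tag (assumed names)."""
    query = dict(params)
    query["SIGNED"] = ",".join(n for n in SIGNABLE if n in signed_names)
    query["SIGMETHOD"] = method
    query["SIG"] = signature(params, signed_names, secret, method)
    return f"{portal_url}?{urlencode(query)}"


def verify_redirect(url, secret):
    """EWS side: recompute the tag from the received parameters; constant-time compare."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    signed_names = [n for n in query.get("SIGNED", "").split(",") if n]
    if not signed_names or any(n not in query for n in signed_names):
        return False  # nothing signed, or a signed parameter was stripped
    try:
        expected = signature(query, signed_names, secret, query.get("SIGMETHOD", ""))
    except ValueError:
        return False  # unknown or missing method
    return hmac.compare_digest(expected, query.get("SIG", ""))


# Constructed redirect from an NSE with ID 01633F for a subscriber on port 5 in room 1234.
# OS is an assumed, unsigned extra parameter.
SAMPLE_PARAMS = {"UI": "01633F", "MA": "00:20:a6:4c:42:ff", "RN": "1234", "PORT": "5",
                 "OS": "http://www.example.com/"}
SECRET = "change-me-shared-secret"   # value typed into the Shared Secret field (constructed)
PORTAL = "http://portal.mycompany.com/default.asp"


def demo():
    """Return (valid, tampered_valid, wrong_secret_valid) for an HMAC-MD5 signed redirect."""
    url = build_redirect(PORTAL, SAMPLE_PARAMS, ("UI", "MA", "RN", "PORT"), SECRET)
    tampered = url.replace("RN=1234", "RN=9999")   # subscriber rewrites the room number
    return (verify_redirect(url, SECRET),
            verify_redirect(tampered, SECRET),
            verify_redirect(url, "guess"))


if __name__ == "__main__":
    print(demo())
```

The verifier refuses a string whose SIGNED list is empty or whose signed parameters are missing, so a subscriber cannot simply drop the signature machinery and present bare parameters; a real EWS should additionally reject any request where a parameter it relies on (for example MA) is not in the signed set.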
…resources available from our corporate Web site (www.nomadix.com) include a full PDF version of this User Guide (viewable with Acrobat Reader), white papers, technical notes and business cases. The PDF version of this User Guide and the associated README files are also available on the Accessories CD-ROM supplied with your Access Gateway.

Quick Reference Guide

This section provides information to help you navigate and use the management interfaces (CLI and Web) quickly and efficiently. It also contains the product specifications, a listing of the factory default settings, sample log reports, listings of commands (by menu and alphabetical), HyperTerminal settings, and some common keyboard shortcuts.

Establishing the Start-Up Configuration

The CLI allows you to administer the Access Gateway's start-up configuration settings. When establishing the start-up configuration for a new installation, you are connected to the Access Gateway via a direct serial connection; you do not have remote access capability because the Access Gateway is not yet configured or connected to a network. Once the installation is complete (see Installation Workflow on page 37) and the system is successfully configured, you will have the additional options of managing the Access Gateway remotely from the system's Web Management Interface, an SNMP client manager of your choice, or a simple Telne…
…saved: [x] Yes. Submit.

iNAT Address Pool
  Please enter an IP address range. Note: Up to 50 iNAT IP addresses/ranges can be entered. Note: Please make sure to enter the correct addresses.
  iNAT Start IP: ____   iNAT End IP: ____   Add / Remove
  Currently configured iNAT IP addresses/ranges: 200.200.200.200
  Number of iNAT Addresses/Ranges: 1

2. Enable or disable the iNAT feature as required.
3. If you enabled iNAT, you have the option of enabling or disabling the following VPN protocols: PPTP, PPTP CALL ID, IPSEC, SIP (removed in 8.2).
4. Click on the Submit button to save your options.

Use the iNAT Start and iNAT End fields to enter an IP address or a range of IP addresses (up to 50), then click on the Add button to add the IP address(es), or click on the Remove button to delete the IP address(es) from the database.

Defining IPSec Tunnel Settings (IPSec)

1. From the Web Management Interface, click on Configuration, then IPSec. The IPSec Tunnel Settings screen appears:

IPSec Tunnel Settings
  Global Settings: [ ] Enable IPSec  [ ] Enable NAT Traversal
  IPSec Tunnel Peers (up to 10 may be created): Peer IP Address / Authentication Method (for example, a peer listed with Pre-shared key). Add: Click here to add a new IPSec Tunnel Peer.
  IPSec Security Policies (up to 30 may be created): SP / Peer IP Address / Protocol / Remote IP Subnet/port / Local IP Subnet/port / Type …
…saving of billing records. By effectively mirroring the billing data, the NSE can send copies of billing records to predefined carbon-copy servers. Additionally, if the primary and secondary servers are not responding, the NSE can store up to 2,000 billing records. The NSE regularly attempts to connect to the primary and secondary servers; when a connection is re-established with either server, the NSE sends the cached records to it. Transaction records are therefore not lost as long as the outage ends before the 2,000-record cache fills.

Bridge Mode

This feature allows complete and unconditional access to devices. When Bridge Mode is enabled, your NSE-powered product is effectively transparent to the network in which it is located. The NSE forwards any and all packets except those addressed to the NSE network interface. The packets are unmodified and can be forwarded in both directions. Bridge Mode is a very useful feature when troubleshooting your entire network, as it allows administrators to effectively remove the product from the network without physically disconnecting the unit. Note that while Bridge Mode is enabled, the subscriber-side controls the NSE normally enforces (authentication, redirection, filtering) are not applied to the forwarded traffic.

Command Line Interface

The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator's window to t…
…session at midnight of every day.
10. If required, check the box for Enable Byte Count Reset On Account Start to reset the transmitted and received byte count for a subscriber once an accounting start is sent. This prevents counting Walled Garden traffic if the billing plan uses bytes sent/received as a charge criterion.
11. If required, check the box for Enable RADIUS Subnet Attribute if you want to allocate a specific subnet to a user.
12. If required, check the box for Enable Goodbye URL if you want the system to display a post-session goodbye page. The goodbye page can be defined as a RADIUS VSA or be driven by the Access Gateway's Internal Web Server (IWS).
13. If required, check the box Enable Forget your Password to create a link that users can follow; it is added to the passthrough list so they can run a page at their ISP to retrieve their password.
14. If required, check the box Enable RADIUS Based WAN VLAN to allow the 802.1q tag to be carried in the user's profile and acted upon. Warning: changing the default tag number may result in a loss of connectivity.
15. Enable or disable the User Session Time Adjustment and credit functionality for when the NSE is down.
16. Enable charging for idle time to count idle time in the session time of RADIUS accounting packets.
17. Enable RADIUS QoS Policies to assign a QoS policy to a user in t…
…set to compare loaded pages with cached pages.

Subscriber Administration: Add, Current, Delete by MAC, Delete by User, DHCP Leases, Expired, Find by MAC, Find by User, List by MAC, List by User, RADIUS Session History, Statistics

Subscriber Interface: Billing Options, ICC Setup, Language Support, Local Web Server, Login UI, Post Session UI, Subscriber Buttons, Subscriber Labels, Subscriber Errors (1 of 2), Subscriber Errors (2 of 2), Subscriber Messages (1 of 3), Subscriber Messages (2 of 3), Subscriber Messages (3 of 3)

System: Login, MAC Filtering, Memory Utilization, Reboot, Route Add, Route Delete, Session Limit, Static Port Mapping Add, Static Port Mapping Delete, Serial Subscriber Interfaces, Syslog, System Utilization, Upgrade, User Settings

Inputting Data: Maximum Character Lengths

The following table details the maximum allowable character lengths when inputting data.

  Data Field                                      Max Characters
  All Messages (billing options)                  72
  All Messages (subscriber error messages)        72
  All Messages (subscriber login UI)              72
  All Messages (subscriber other messages)        72
  Description of Service (billing options, Plan)  140
  Home Page URL                                   237
  Host Name and Domain Name (DNS settings)        64
  IP/DNS Name (passthr…
…should fail. If STP costs change, or if one network segment in the STP becomes unreachable, the spanning tree algorithm reconfigures the spanning tree topology and re-establishes the link by activating the standby path. Without spanning tree in place, both connections may be simultaneously live, which could result in an endless loop of traffic on the LAN.

Subnet
A portion of a network, which may be a physically independent network segment, that shares a network address with other portions of the network and is distinguished by a unique subnet address. In general, a subnet is to a network what a network is to the Internet.

Subnet Address
The subnet portion of an IP address that is dedicated to the subnet. In a subnetted network, the host portion of an IP address is split into a subnet portion and a host portion using an address (subnet) mask. See also IP Address and Subnet.

Subnet Mask
See Subnet Address.

Subscriber
Any person or organization that pays a periodic fee for services.

SYSLOG
SYStem LOGging. Syslog is the standard event logging subsystem for Unix and consists of a server daemon, a client function library and a client command-line utility. You can log to files, terminal devices, logged-on users, or even forward to other syslog systems. See also Daemon.

TCP
Transmission Control Protocol. Manages data in small packets and ensures that the data is transmitted correctl…
…summary of the configuration settings.
  Display the TCP performance statistics.
  Set the system date and time.
  Display the UDP performance statistics.
  Upgrade the Access Gateway system firmware.
  Define URLs for filtering (URL Filtering).

Default Factory Configuration Settings

The following table shows a partial listing of the Access Gateway's primary default configuration settings (the settings established at manufacturing). For a complete listing of the factory default settings, refer to the factory.txt file. For more information, go to Importing the Factory Defaults (Factory) on page 257.

  Function                    Default Setting
  Version                     Nomadix Access Gateway v5.4.xxx (depends on firmware version)
  Nomadix Access Gateway ID   AG3100
  Network Interface MAC       MAC address is unique for each product
  Subscriber Interface MAC    MAC address is unique for each product
  Network Interface IP        10.0.0.10
  Subscriber IP               10.0.0.11
  Subnet Mask                 255.255.255.0
  Default Gateway IP          10.0.0.1
  DHCP Client                 Enabled
  Admin IP                    172.30.30.172
  Domain                      nomadix
  Host Name                   AG3100
  Primary DNS                 0.0.0.2
  Secondary DNS               0.0.0.0
  Tertiary DNS                0.0.0.0
  DHCP Relay                  Disabled
  External DHCP Server IP     0.0.0.0
  DHCP Relay Agent IP         0.0.0.0
  DHCP Server                 Enabled
  DHCP Server IP              10.0.0.4
  DHCP Subnet Mask            255.255.255.0
  DHCP Pool Start IP          10.0.0.12
  DHCP Pool End I…
…that it can easily be updated. Such a BIOS is sometimes called a flash BIOS. Flash memory is also popular in modems because it enables the modem manufacturer to support new protocols as they become standardized.

Forwarding Rate
The maximum rate at which 64K packets can be delivered to their destination. See also Packet, Packet Switching Network, pps and Throughput.

Fragment Length (Fragmentation)
Breaking a packet into smaller units when transmitting over a network medium that cannot support the original size of the packet. The fragment length value should remain at its default setting unless you experience a high packet error rate. Setting the fragment length too low may result in poor performance.

FTP
File Transfer Protocol. A standard protocol used for copying and moving files quickly and efficiently across public and private networks. An FTP site is one where files are available for downloading and uploading. FTP sites usually require a login name and password to gain access; note that FTP sends both the credentials and the file contents in cleartext, so it offers no confidentiality on an untrusted network.

Gateway
Any device that provides a seamless connection between otherwise incompatible systems.

Gopher
A computer program and an accompanying data transfer protocol for reading information that has been made available to the public on the Internet. Gopher is gradually being superseded by HTML.

Home Page
Usually the first page users see when they visit a Web site, if they address the home page's URL. A well-constructed Web site will normal…
…the list.

Define Tunnel Profiles

Tunnel profiles can be defined when the L2TP tunnel parameters are known and it is not necessary to send an access request to a RADIUS server to obtain those parameters, or for accounting purposes. Create a tunnel profile for each L2TP tunnel whose parameters are known. The tunnel parameters that the profile contains are the IP address of the LNS and the tunnel password. See Figure 2 for an example of a tunnel profile.

Figure 2: Add Tunnel Profile
  Unique Name:
  Tunnel Parameters: Tunnel Peer IP / Tunnel Password
  Add / Back to Main Realm Based Routing Settings page

Define Realm Routing Policies

Realm routing policies determine how the supplied username/password input is used to authenticate users. Create a realm routing policy for each realm that will be handled. The realm routing policy references either a RADIUS service profile or a tunnel profile; many different realm routing policies can reference the same RADIUS service or tunnel profile.

This policy references a RADIUS service profile, so a realm match results in an access request being sent to the RADIUS server(s) specified in the RADIUS service profile. In this case the RADIUS service profile RadiusPrefix is referenced, and so the RADIUS server(s) defined therein will receive the RADIUS access requests. Notice that the checkbox is unchecked for Strip off ro…
…then connect the Access Gateway to the customer's subscriber port. (Rear view: To Subscribers / To Network.)
3. Connect the power cord and turn on the Access Gateway.
4. Go to Establishing the Basic Configuration for Subscribers on page 64.

Establishing the Basic Configuration for Subscribers

When you have successfully established the start-up configuration and installed the unit on the customer's network, connect to the Access Gateway via Telnet. (Telnet carries the administrator login in cleartext, so make this connection only from a trusted management network.) You must now set up the basic configuration parameters for subscribers, including:

- Setting the DHCP Options. DHCP (Dynamic Host Configuration Protocol) allows you to assign IP addresses automatically to subscribers who are DHCP-enabled. The Access Gateway can relay the service through an external DHCP server, or it can be configured to act as its own DHCP server.
- Setting the DNS Options. DNS (Domain Name System) allows subscribers to enter meaningful URLs into their browsers instead of numeric IP addresses. DNS converts the URLs into the correct IP addresses automatically.

Setting the DHCP Options

When a device connects to the network, the DHCP server assigns it a dynamic IP address for the duration of the session. Most users have DHCP capability on their computer. To enable this service on the Access Gateway, you can either enable DHCP relay, routed to an external DHCP server IP address…
…to change the configuration settings and you are unsure of the effect that the changes will have. You can restore the archived system configuration settings at any time with the import function.

1. From the Web Management Interface, click on System, then Export. The Export Configuration screen appears:

Export Configuration
  Export the current settings to the archive file. [OK]
  View archive.txt: Click here to view the archive.txt file.
  Click here to view the current.txt file.

2. Click on the OK button to export the current configuration settings to the archive.txt file.

Importing the Factory Defaults (Factory)

This procedure shows you how to replace the current configuration settings with the settings that were established at the factory. You will need to reboot the system for some of the imported default settings to take effect.

1. From the Web Management Interface, click on System, then Factory. The Factory Configuration screen appears:

Factory Configuration
  Load the original factory configuration settings and save them as the current settings.
  NOTE: The system will reboot automatically after the factory settings are restored.
  WARNING: The factory configuration does not include network settings. The network connection will be interrupted, so perform this import from the command-line…
…to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic time field to inform them of the time remaining on their account. The ICC also offers service providers an opportunity to display advertising banners and provide a choice of redirection options.

The Access Gateway also lets System Administrators define a simple HTML-based pop-up window for explicit Logout, which can be used as an alternative to the more fully featured ICC described above. The pop-up Logout Console offers the opportunity to display the elapsed (count-down) time and one logo for intra-session service branding.

(Figure: Information and Control Console, shown as a Nomadix Subscriber Console with advertising banner, redirect buttons, plan selection (Plan A, 256/128) and room number 1234; Figure: Nomadix Popup Window Logout Console.)

This procedure allows you to set up how the ICC is displayed to subscribers. For more information about the ICC, go to Information and Control Console (ICC) on page 258.

1. From the Web Management Interface, click on Subscriber Interface, then ICC Setup. The ICC Setup screen appears:

ICC Setup
  Display ICC (Information and Control Console): [ ]
  Title: Information and Control Console
  Choice of ICC or Logout console: ICC / I…
…visible on the network.

1. Enter c (configuration) at the Access Gateway Menu. The Configuration menu appears.
2. Enter loc (set Location options). The system displays the Company Name. If the name displayed is not correct, or no name is entered, enter it now.
3. When prompted, enter the company's address line by line (6 lines).
4. When prompted, enter a valid email address for this company. The system now displays the current network interface IP address (the default address is 10.0.0.10) and prompts you for a valid address. The network interface IP address is the public IP address that allows administrators to see the Access Gateway on the network. Use this address when you need to make a network connection with the Access Gateway. The network interface address must be on the same subnet.
5. When prompted, enter a valid network interface IP address. The IP addresses of subscribers that are on a subnet different from the Access Gateway's (for example, misconfigured) are translated by Nomadix Dynamic Address Translation (DAT).
6. Enter a valid subnet mask. After assigning the subnet mask, the system displays the current default gateway IP address (the factory default is 10.0.0.1). This is the IP address of the router that the Access Gateway uses to transmit data to the Internet.
7. Enter a valid default gateway IP address.

After establishing all Location settings…
…will log in with a username in the format ISP<delimiter>username. In this case what appears before the delimiter (ISP) is the realm name. (The delimiter character is not reproduced in this copy.)

Create a RADIUS service profile for a RADIUS server that will handle suffix-based users. This handles users that will log in with a username in the format username<delimiter>ISP.com. In this case what appears after the delimiter (ISP.com) is the realm name.

To add a RADIUS Service Profile, click on the appropriate Add button. The Add RADIUS Service Profile screen appears:

Add RADIUS Service Profile
  Unique Name:
  Authentication: [ ] Enable RADIUS Authentication Service   Protocol: PAP
    Primary IP/DNS: ____   Port: ____   Secret Key: ____
    Secondary IP/DNS: ____   Port: ____   Secret Key: ____
  Accounting: [ ] Enable RADIUS Accounting Service
    Primary IP/DNS: ____   Port: ____   Secret Key: ____
    Secondary IP/DNS: ____   Port: ____   Secret Key: ____
  Retransmission Options:
    Retransmission Method: Failover / Round Robin
    Retransmission Frequency: ____ seconds
    Retransmission Attempts: ____ per server

Enter a name of your choice for this service profile in the Unique Name field.

Authentication

This category requires input for enabling RADIUS authentication and requires you to define IP addresses, ports and secret keys for the primary and secondary RADIUS servers (the secondary server is optional). The secret key is the RADIUS shared secret and must match the value the server has configured for this client; choose a long, random value, because with PAP it is all that protects the user password in transit and all that authenticates the server's Access-Accept and Access-Reject replies.

1. Enable or disable the R…
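The realm routing behaviour described on the policy screens (prefix match, suffix/NAI match, match either with prefix tried first, wildcard realms, and the Strip off routing information option) and in the prefix- and suffix-format examples above can be expressed as a small matcher. The Python below is an added example, not Nomadix code: it assumes "/" as the prefix delimiter and "@" as the suffix delimiter (the guide's own delimiter characters are not reproduced in this copy), assumes case-insensitive realm comparison and first-match policy order, and uses a constructed policy table modelled on the RadiusPrefix and LNSOne examples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Delimiters are assumptions: the guide's delimiter characters were lost in this copy.
PREFIX_DELIM = "/"   # realm before the delimiter, e.g. "ISP/username"
SUFFIX_DELIM = "@"   # NAI realm after the delimiter, e.g. "username@ISP.com"


@dataclass
class RealmPolicy:
    realm: str             # realm name to match; a pattern such as "*" when wildcard is True
    mode: str              # "prefix", "suffix" or "either" (prefix first, then suffix)
    target: str            # RADIUS service profile or tunnel profile name
    strip_routing: bool    # "Strip off routing information" before forwarding the username
    wildcard: bool = False


def split_prefix(login: str) -> Optional[Tuple[str, str]]:
    """'ISP/alice' -> ('ISP', 'alice'); None when no prefix delimiter is present."""
    if PREFIX_DELIM not in login:
        return None
    realm, user = login.split(PREFIX_DELIM, 1)
    return realm, user


def split_suffix(login: str) -> Optional[Tuple[str, str]]:
    """'bob@tcisp.com' -> ('tcisp.com', 'bob'); None when no suffix delimiter is present."""
    if SUFFIX_DELIM not in login:
        return None
    user, realm = login.rsplit(SUFFIX_DELIM, 1)
    return realm, user


def realm_matches(policy: RealmPolicy, realm: str) -> bool:
    # Case-insensitive comparison is an assumption; the NSE's behaviour is not stated.
    if policy.wildcard:
        return fnmatchcase(realm.lower(), policy.realm.lower())
    return realm.lower() == policy.realm.lower()


def route(login: str, policies: List[RealmPolicy]) -> Optional[Tuple[str, str]]:
    """First-match evaluation: return (target profile, username to forward) or None."""
    for policy in policies:
        candidates = []
        if policy.mode in ("prefix", "either"):
            candidates.append(split_prefix(login))
        if policy.mode in ("suffix", "either"):
            candidates.append(split_suffix(login))   # "either": suffix only after prefix fails
        for candidate in candidates:
            if candidate is None:
                continue
            realm, user = candidate
            if realm_matches(policy, realm):
                return policy.target, (user if policy.strip_routing else login)
    return None


# Constructed policy table: the guide's two examples plus a wildcard catch-all placed last.
POLICIES = [
    RealmPolicy("ISP", "prefix", "RadiusPrefix", strip_routing=False),
    RealmPolicy("tcisp.com", "suffix", "LNSOne", strip_routing=True),
    RealmPolicy("*", "either", "RadiusDefault", strip_routing=False, wildcard=True),
]

if __name__ == "__main__":
    for login in ("ISP/alice", "bob@tcisp.com", "carol@other.net", "dave"):
        print(login, "->", route(login, POLICIES))
```

Two points the matcher makes visible: the realm is chosen by the subscriber, so the policy table decides which RADIUS server or LNS sees each attempt, and a wildcard policy must sit last or it will shadow the specific realms; and a login that matches no policy returns None, which the caller should treat as a rejection rather than forwarding it anywhere.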
…your account request, click on the check box for Send Framed IP.
8. To enable the RADIUS termination action enhancement, click on the check box for Enable Termination Action Radius Attribute, then select the percentage (100 or 75) of the maximum data volume threshold at which the termination action will be enforced (volume-based sessions only). This option provides support for RADIUS Termination-Action for time- and volume-based subscribers, working in conjunction with an external RADIUS server. Enforcement of this attribute results in either:
   - logout of the subscriber, or
   - re-authentication of the subscriber through issuance of a new RADIUS Access-Request that contains a new Acct-Session-ID.
   The RADIUS re-authentication that occurs due to termination action enforcement is transparent to the subscriber. This is true for time-based sessions that expire as well. RADIUS accounting augmentation takes place as a result of a successful re-authentication.

   (Figure: Network Side Subnet, Subscriber Subnet(s), RADIUS Server.)

   The following attributes are used to implement volume- and time-based RADIUS termination action (Termination-Action and Session-Timeout are standard RADIUS attributes; the MaxBytes attributes are Nomadix VSAs):

   Attribute Name          Value
   Termination-Action      1
   Session-Timeout         60
   Nomadix-MaxBytesDown    3000000
   Nomadix-MaxBytesUp      3000000

9. If required, check the box for Enable Session Terminate End Of Day When Authorized to allow business policies that want to terminate the…
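The enforcement logic in step 8 (logout versus re-authentication with a fresh Acct-Session-ID, driven by Termination-Action, Session-Timeout and the Nomadix-MaxBytes attributes at a 100% or 75% threshold) is worked through in the following Python. It is an added example, not Nomadix code: it uses the attribute values from the table above, assumes that a re-authentication restarts the counters with the attributes of the new Access-Accept and that a rejected re-authentication ends the session, and generates the Acct-Session-ID itself.

```python
import secrets

TERMINATION_DEFAULT = 0          # RFC 2865 Termination-Action: Default (end the session)
TERMINATION_RADIUS_REQUEST = 1   # RFC 2865 Termination-Action: RADIUS-Request (re-authenticate)

# Values from the guide's attribute table; Nomadix-MaxBytesDown/Up are vendor-specific.
ACCEPT_ATTRIBUTES = {
    "Termination-Action": TERMINATION_RADIUS_REQUEST,
    "Session-Timeout": 60,            # seconds
    "Nomadix-MaxBytesDown": 3_000_000,
    "Nomadix-MaxBytesUp": 3_000_000,
}


def new_acct_session_id() -> str:
    return secrets.token_hex(8)


class SubscriberSession:
    """Tracks one subscriber's time and byte counters and applies termination action.

    threshold_pct mirrors the WMI setting: enforce at 100% or 75% of the volume limits.
    """

    def __init__(self, attrs, threshold_pct=100):
        if threshold_pct not in (100, 75):
            raise ValueError("threshold must be 100 or 75 percent")
        self.attrs = dict(attrs)
        self.threshold = threshold_pct / 100
        self.acct_session_id = new_acct_session_id()
        self.elapsed = 0
        self.bytes_up = 0
        self.bytes_down = 0
        self.reauth_count = 0

    def account(self, seconds: int, bytes_up: int, bytes_down: int):
        self.elapsed += seconds
        self.bytes_up += bytes_up
        self.bytes_down += bytes_down

    def limit_reached(self) -> bool:
        # Time limit fires at expiry; volume limits fire at the configured percentage.
        if self.elapsed >= self.attrs.get("Session-Timeout", float("inf")):
            return True
        down_limit = self.attrs.get("Nomadix-MaxBytesDown")
        up_limit = self.attrs.get("Nomadix-MaxBytesUp")
        return ((down_limit is not None and self.bytes_down >= down_limit * self.threshold)
                or (up_limit is not None and self.bytes_up >= up_limit * self.threshold))

    def enforce(self, reauth_accept_attrs=None) -> str:
        """Return 'continue', 'logout' or 'reauth'.

        reauth_accept_attrs is what the external RADIUS server returned for the new
        Access-Request (None = rejected). On 'reauth' a new Acct-Session-ID is issued and the
        counters restart under the new attributes (assumed behaviour).
        """
        if not self.limit_reached():
            return "continue"
        if (self.attrs.get("Termination-Action") != TERMINATION_RADIUS_REQUEST
                or reauth_accept_attrs is None):
            return "logout"
        self.acct_session_id = new_acct_session_id()
        self.attrs = dict(reauth_accept_attrs)
        self.elapsed = self.bytes_up = self.bytes_down = 0
        self.reauth_count += 1
        return "reauth"


if __name__ == "__main__":
    s = SubscriberSession(ACCEPT_ATTRIBUTES, threshold_pct=75)
    s.account(10, 100_000, 2_300_000)        # 75% of 3,000,000 down is 2,250,000
    print(s.enforce(ACCEPT_ATTRIBUTES), s.acct_session_id)
```

The threshold applies only to the byte limits; Session-Timeout is enforced at expiry regardless of the percentage, which matches the guide's statement that the 75% option is for volume-based sessions only.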
(Static port mapping table residue: entries of the form 0.0.0.0:0 TCP, an internal mapping for 10.208.134.6 port 6001 from MAC 00:20:a6:4c:42:ff, and the corresponding port 6001 entry.)

Displaying TCP Statistics (TCP)

You can display the TCP (Transmission Control Protocol) statistics, which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks. To view the TCP Statistics, go to the Web Management Interface, click on Network Info, then click on TCP. The TCP Statistics screen appears:

TCP Statistics
  1448 packets sent
    811 data packets (372044 bytes)
    1 data packet (512 bytes) retransmitted
    480 ack-only packets (21 delayed)
    0 URG only packets
    0 window probe packets
    0 window update packets
    156 control packets
  1073 packets received
    576 acks (for 371791 bytes)
    138 duplicate acks
    0 acks for unsent data
    171 packets (49716 bytes) received in sequence
    32 completely duplicate packets (0 bytes)
    0 packets with some dup data (0 bytes duped)
    136 out-of-order packets (0 bytes)
    packets (0 bytes) of data after window
    window probe packets
    window update packets
    packets received after close
    discarded for bad checksum
    discarded for bad header offset field
    0 discarded because packet too short
  7 connection requests
  144 connection accepts
  138 connections established (including accepts)
  147 connections closed (including 13 drops)
  0 embryonic connections dropped
  474 segments updated rtt (of 48…
97. … 03  THU AUG 21 14:12:47 2003  26739 Bytes  314116 Bytes  GoTo xxx.nomadix.com
[Figure: Sample of Post Session UI Goodbye Page]
1. From the Web Management Interface, click on Subscriber Interface, then Post Session UI. The Subscriber Post Session User Interface Settings screen appears.
[Screen: Subscriber Post Session User Interface Settings. IWS Goodbye Page Display Options: Enable IWS Goodbye Page, Display IP Address, Display Authen Type, Display Start Time, Display Stop Time, Display Byte Sent, Display Byte Received, Display Hypertext Link URL, Hyper Text Link URL. IWS Goodbye Page Field Label Definitions: Session Summary, IP Address, Authen Type, Start Time, Stop Time, Byte Sent, Byte Received, Go To. Revert (revert all name fields to default values), Submit, Reset.]
2. Click on the Enable IWS Goodbye Page check box to enable or disable the IWS Goodbye Page as required.
3. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes:
- Display IP Address
- Display Authen Type
- Display Start Time
- Display Stop Time
- Display Byte Sent
- Display Byte Received
- Display Hypertext Link URL
4. If you enabled the Hypertext Link URL feat…
98. … 2010 AG 5500 v7.0.030 [67.130.149.163] <134> INFO Config configGetRaw configuration from flash nisacc.txt
007 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <134> INFO INIT AG 5500 v7.0.030 with ID 01633F Initialized
008 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <135> DEBUG iNAT PROXYALGDATAs should be between 0x4980ffc and 0x4ff0ffc
009 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <135> DEBUG iNAT ndxSessionListNodes should be between 0x3092030 and 0x39ab430
010 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <134> INFO DHCP ndxDHCPInit 0021 DHCP initialized
011 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <131> ERROR Config configGetRaw Error opening flash ddns.txt
012 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <131> ERROR INIT SSL context initialization failed
013 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <131> ERROR SSL Unable to set cert and key files for network context 1
014 THU JUN 03 12:15:18 2010 AG 5500 v7.0.030 [67.130.149.163] <131> ERROR SSL Unable to set cert file, code 33558531
Page faults are stored in the file named lograw.txt in the flash directory and are not viewable on the web management …
99. … 25  ANY  10.1.0.0  6  10.149.65.0/24  2  789025  ANY  10.1.0.0  6  67.130.149.65
Local IP Address is derived from the current Network IP Address.
Add: Click here to add a new IPSec Security Policy. (ESP / ESP)
2. Check the Enable IPsec checkbox to enable IP Security. Note that you will have to reboot for IPsec to take effect. Check Enable NAT Traversal to allow packets to traverse NAT IPsec boundaries. Click Submit to save the setting.
To add or modify IPsec tunnel peers, see Managing IPSec Tunnel Peers on page 117. To add or modify IPsec security policies, see Managing IPSec Security Policies on page 118.
Managing IPSec Tunnel Peers
You can add a new IPSec tunnel peer or modify the settings of an existing IPSec tunnel peer from the IPSec Tunnel Settings screen.
Adding a new IPSec tunnel peer
1. Click the Add button in the IPSec Tunnel Peers table. The IPSec Tunnel Peer Settings screen opens.
[Screen: IPSec Tunnel Peer Settings. Tunnel Peer: Peer IP address; Dead Peer Detection Interval (60 seconds); IKE Version. Own Peer Authentication Method: Authenticate via pre-shared key (Shared Key) or Authenticate via X.509 Certificates (Private Key Filename, Certificate Filename). IKE Channel Security Parameters: Acceptable encryption algorithms DES, 3DES, AES128CBC; Acceptable hash algorithms MD5, SHA, AESI2.]
Enter the IP address of the …
100. 3. Follow the on screen instructions to set up your DHCP options. For example:
Sample Screen Response
Configuration > dh
Enable/Disable IP Upsell: disabled
Enable/Disable DHCP Relay: disabled
Enable/Disable DHCP Server: enabled
Enable/Disable Subnet based DHCP Service: disabled
Enable/Disable Forwarded DHCP Clients: disabled
IP Upsell: Disabled
DHCP Relay: Disabled
External DHCP Server IP: 0.0.0.0
DHCP Relay Agent IP: 0.0.0.0
DHCP Server: Enabled
DHCP Server Subnet based: Disabled
Forwarded DHCP Clients: Disabled
Server IP    Server Netmask  Start IP    End IP      Lease  Type  IPUp
208.11.0.4   255.255.0.0     208.11.0.5  208.11.0.7  20     PRIV  NO
10.0.0.4     255.255.255.0   10.0.0.5    10.0.0.250  30     PRIV  NO   (Default IP Pool)
DHCP IP Pools Configuration
0 Show IP Pools
1 Add a new IP Pool
2 Modify an IP Pool
3 Remove an IP Pool
4 Exit this menu
Select the DHCP Pool configuration mode: 0
After setting up your DHCP options, the system must be rebooted for your changes to take effect.
DHCP Options from RFC 2132
You can configure DHCP options as defined in RFC 2132. The configured options are sent to subscribers who obtain their network configuration from the NSE via DHCP. This capability only applies to the NSE's DHCP Server function; there is no change to the NSE's operation as a DHCP client. The options are configurable on a per pool basis. Different se…
101. 3. Select the Type of PMS (Pre-paid or Post-paid) you require from the available list, or choose the ASCII Serial Printer option when a serial printer is connected to the Access Gateway's serial port (you can choose only one of the listed options). The pre-paid option requires hotel guests to pre-pay for services. The post-paid option allows hotel guests to terminate their connection via the ICC and be billed only for the actual time they are online. The NH proprietary PMS is offered on a post-paid basis only.
- If you choose HOBIC RSI, you must select the Type of Access.
- For Marriott, you can either choose Marriott or you can choose a type of WFB interface: Post Only, Query and Post, or Name and Room.
- Click Disable Registration Number to suppress the prompt for a registration number on guest login.
- If you choose Micros Fidelio Post Only with TCP/IP, you must provide the Target IP Address and the Target Port Number.
- If you choose Micros 1700/2000/3700/4700/8700 emulation, you must provide the following additional information: Communications System Unit Number (1-64), Communications System Name, Store Revenue Center Number (Internet Access), Store Revenue Center Number (Other).
You also have the following check box options (see note):
- Match Last Name Only
- Skip First Char in Last Name
- OnQ Compliant: Enable this option if you want to use Nomadix M…
102. … 30.30.172
IP Address: 172.30.30.173
Netmask: 255.255.0.0
Gateway: 172.30.30.172
DNS (if required): 4.2.2.1
6. Power up your computer and turn on the product. You can then configure the WAN for a static IP address, DHCP Client or PPPoE client, using the appropriate configuration guidelines that follow, in order to obtain the license key. Once the key has been obtained, the web management interface (WMI) can be used to continue configuration.
LCD Messages (8.2)
Some Access Gateway hardware models are equipped with an LCD panel that displays the following system information:
- Platform and Firmware Version Installed
- Primary IP Address of the NSE
- NSE ID
- Active Subscribers
Configuration
Note: The WAN port of the AG must be connected to a live network that can access the Internet in order to retrieve the license key from the license key server.
Log in by typing admin, then password admin. Type y(es) when prompted to configure settings. The initial minimal WAN port configuration mode will be displayed as shown in Figure 1.
Ready. Press enter to login
NSE Login: admin <Enter>
Password: <Enter>
NO LICENSE KEY HAS BEEN ENTERED. A LICENSE KEY MUST BE ENTERED IN ORDER TO PROCEED WITH INSTALLATION. SEE USER'S GUIDE FOR LICENSE KEY INFORMATION …
103. … 7.1  9000  ->  0.0.0.0  0  TCP
10.208.134.6  6001  00:20:a6:4c:42:ff  <->  4.2.7.1  6001  ->  0.0.0.0  0  TCP
External IP Address: 2.3.4.5   External Port: 0   (Delete / Reset)
2. Enter the External IP Address and/or the External Port of the item you want to delete.
3. Click on the Delete button to delete the static port, or click on the Reset button to reset your changes to their previous state.
For more information about Static Port Mapping, see also:
- Displaying the Static Port Mapping Table (Static Port Mapping) on page 191
- Adding Static Ports (Static Port Mapping Add) on page 271
Blocking a Subscriber Interface (Subscriber Interfaces)
The Access Gateway allows System Administrators to block subscriber interfaces.
1. From the Web Management Interface, click on System, then Subscriber Interfaces. The Subscriber Interfaces screen appears.
[Screen: Subscriber Interfaces. Block Wired Subscriber Interface 1 (Eth1): Enable; Block Wired Subscriber Interface 2 (Eth2): Enable; Block Wired Subscriber Interface 3 (Eth3): Enable; Block Wired Subscriber Interface 4 (Eth4): Enable; Block Wired Subscriber Interface 5 (Eth5): Enable.]
2. Enable or disable your choice of Block Wired Subscriber Interfaces.
3. Click on the Submit button to save your changes, or click on the Reset button to reset all values to their previous state. U…
104. … 9 attempts
  157 retransmit timeouts
    13 connections dropped by rexmit timeout
  0 persist timeout
  0 keepalive timeout
    0 keepalive probe sent
    0 connection dropped by keepalive
  0 pcb cache lookup failed
Displaying UDP Statistics (UDP)
You can display the UDP (User Datagram Protocol) statistics, which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol which adds a level of reliability and multiplexing to the Internet Protocol (IP).
To view the UDP Statistics, go to the Web Management Interface, click on Network Info, then click on UDP. The UDP Statistics screen appears.
UDP Statistics
UDP:
  91 total packets
  28 input packets
  63 output packets
  0 incomplete header
  bad data length field
  bad checksum
  broadcasts received with no ports
  full socket
  28 pcb cache lookups failed
  0 pcb hash lookup failed
Port Location Menu
The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, PMS, L2TP Tunneling) and the billing plans available on each port can now be individually configured. This ability allows for having different billing methods and billing plans on different ports of the NSE. A practical application of this feature is to have a normal hotel …
105. [AAA Log sample table: entries logged by host nomad237.nomadix.com at level INFO, facility AAA, each with a subscriber MAC address, remaining time and a message code. Entries shown: AAA_Authentication 4207 Successful; Mar 18 21:53 AAA_lookup 4106 Added_in_memory_table_pending; Mar 18 AAA_Authentication 4208 Unsuccessful_Error; Mar 21 AAA_Interface 4007 Added_by_administrator; Mar 21 AAA_Interface 4009 Updated_by_administrator; Mar 21 AAA_Interface 4006 Removed_by_administrator.]
Message Definitions (AAA Log)
The six basic messages are defined as follows:
Message: AAA_Authentication Successful
Definition: Subscriber profile was successfully added to the Access Gateway authorization table after being authenticated by the credit card server.
Message: AAA_Authentication Unsuccessful_Error
Definition: Subscriber profile was not added to the Access Gateway authorization table because the credit card server did not recognize the transaction.
Message: AAA_lookup Added_in_memory_table_pending
Definition: Subscriber profile has been recognized and the Access Gateway is waiting to authenticate the user.
Message: AAA_Interface
Definition: Subscrib…
106. The following table provides an explanation of the command elements:
Element     Meaning
openssl     openssl command
req         A parameter for creating a request
-new        Defining a new request
-key        from private key
>           Output to
server.csr  the output file
Fill in your company information. If State or Province names do not exist in your country, please repeat the Locality Name. The Common Name is the name used in the Access Gateway > AAA > SSL Certificate Domain Name. The Common Name in the Public Key must match the SSL Certificate Domain Name in the Web Management Interface of the Access Gateway (refer to the Access Gateway setup information later in this document).
Here is the output of server.csr:
[base64-encoded certificate signing request omitted]
107. … RADIUS Authentication Service as required by clicking on the Enable RADIUS Authentication Service check box.
2. If you enabled the RADIUS Authentication Service, enter the primary RADIUS authentication server IP address in the Primary IP field. This field can also be populated by a DNS name, to allow for changing the DNS resolution instead of having to change settings in the NSE when the IP of the Radius server changes.
3. Enter the authorization port in the Port field for the primary RADIUS authentication server. This is the port the system uses when authorizing subscribers.
4. Enter a secret key in the Secret Key field for the primary RADIUS authentication server. During the authentication process, the server and client exchange secret keys. The secret keys must match for communication between the server and the client to continue. The secret key is a valuable and necessary security measure.
Note: The Access Gateway and the RADIUS servers must use the same secret key.
5. Repeat Steps 2 through 4 for the secondary RADIUS authentication server (if used).
Accounting
This category requires input for enabling the RADIUS accounting service and also requires the necessary IP addresses, ports and secret keys for the primary and secondary RADIUS accounting servers. The RADIUS accounting server is responsible for receiving accounting requests and returning a response to the client indicating that …
108. [end of base64-encoded certificate omitted]
END CERTIFICATE
You have now finished the process of obtaining a public key.
Setting Up Access Gateway for SSL Secure Login
FTP the cakey.pem and server.pem files into the Access Gateway platform's flash directory. FTP to the Access Gateway by Netscape: ftp://username:password@Access_Gateway_Network_IP/flash. Drag and drop the cakey.pem and server.pem files into the directory.
Changing Settings in the WMI
To change settings in the Web Management Interface (WMI), go to Configuration Menu on page 76.
Setting Up the Portal Page
System administrators can create login button(s) on the Portal Page and can set up http links for regular logins, secure logins or both. When subscribers enter the Portal Page, they can then choose either a regular login or a secure login. To set up the Portal Page, add the following:
For Regular Logins: http://Access_Gateway_ip:1111/usg/login?OS=http://after_login_finished_page.html
For Secure Logins: https://Certificate_DNS_Name:1112/usg/login…
109. ARP TABLE
destination  gateway            flags  Refcnt  Use  Interface
1.2.3.4      00:90:27:bd:c2:df  405    1       545  fei0
2.3.4.5      00:c0:7b:81:ac:b0  405    1       0    fei0
Displaying DAT Sessions (DAT)
Dynamic Address Translation (DAT) allows all users to obtain network access regardless of their computer's network settings.
To view the DAT Session Table, go to the Web Management Interface, click on Network Info, then click on DAT. The DAT Session Table screen appears.
DAT Session Table
Delete all sessions. NOTE: Pressing this button will clear all current subscriber sessions without rebooting the device.
CURRENT DAT SESSIONS for 172.17.0.12 (17 total)
131072002  10.0.0.11  1984  70:5a:b6:a0:d8:04  <->  172.17.0.12  5001  ->  74.125.224.241  80  TCP  ESTABLISHED
131072003  10.0.0.11  1985  70:5a:b6:a0:d8:04  <->  172.17.0.12  5002  ->  74.125.224.241  80  TCP  ESTABLISHED
131072004  10.0.0.11  1986  70:5a:b6:a0:d8:04  <->  172.17.0.12  5003  ->  74.125.224.241  80  TCP  ESTABLISHED
131072005  10.0.0.11  1987  70:5a:b6:a0:d8:04  <->  172.17.0.12  5004  ->  74.125.224.239  80  TCP  ESTABLISHED
131072006  10.0.0.12  1304  00:15:c5:a6:53:32  <->  172.17.0.12  5005  ->  74.125.224.243  80  TCP  ESTABLISHED
131072007  10.0.0.12  1305  00:15:c5:a6:53:32  <->  172.17.0.12  5006  ->  74.125.224.243  80  TCP  ESTABLISHED
131072008  10.0.0.12  1306  00:15:c5:a6:53:32  <->  …
110. [Configuration menu: Access Control, Auto Configuration, Bandwidth Management, Bill Record Mirroring, Destination HTTP Redirection, DHCP, DNS, Dynamic DNS, GRE Tunneling, Home Page Redirect, iNAT, IPSec, Location, Logging, MAC authentication, Nomadix Services, Passthrough Addresses, PMS, Port Location, QoS, RADIUS Client, RADIUS Proxy, Realm Based Routing]
[Screen: Bandwidth Management. Bandwidth Management: Enabled. Enable Group Bandwidth Policies (requires Bandwidth Management; reboot is not required). Bandwidth uplink to network speed: 1000000 Kbps. Bandwidth downlink to subscribers speed: 1000000 Kbps. NOTE: You must reboot for setting changes to take effect. Reboot after changes are saved: Yes.]
Group Bandwidth Limit Policy Current Table
When the feature is enabled, a group bandwidth policy ID column is displayed in the current table. Once policies are instantiated, policy information can be viewed via XML.
[Screen: Current Subscribers. Subscriber Idle Timeout: 1200 (Note: doesn't apply to Radius subscribers; factory default 1200 s). Submit / Reset. Table columns: MAC, IP, Port, Room, User Name, Group Bw Policy, Bandwidth Up/Down, Throughput In/Out, State, Expiration Timeout, Bytes Sent, Bytes Received, Proxy, Total Up/Down. Sample row: 70:54:B6:A0:D8:04, 10.149.67.11, port 1, room 1, grpbw 1, 1024/2048, 513/513, Valid, Unlimited, Radius, 30 mins.]
111. Accounting. This feature, also known as AAA, employs a combination of command routines designed to create a flexible, efficient and secure billing environment. For example, when a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber's MAC address and billing information before allowing them to access the Internet and make online purchases.
[Figure: Subscriber launches browser and enters credit card details; Billing mirror; AAA server; External Web server]
The AAA Structure
The Access Gateway's Authentication, Authorization and Accounting (AAA) module enables the solution provider to provision, track and bill new or returning subscribers. This includes:
- Allowing the solution provider (for example, a hotel) to bill its guests for the high speed network services it provides, track usage on the network, and deny service to those guests who have not paid.
- Allowing the solution provider to bill subscribers for services rendered, either directly on their hotel bill (in the hotel scenario), via a mailed invoice, or directly to the subscriber's credit card account.
The following illustration shows the functional relationship between the Access Gateway's internal modules and the external support systems.
112. Route Add: Adds a route into the Nomadix Access Gateway's routing table.
Route Delete: Deletes a route to a specific IP destination.
Routing: View the Nomadix Access Gateway's routing table. Add or delete a route to a specific IP destination.
Session Limit: Limits the number of sessions any one user can take over a given time period and, if necessary, then blocks malicious users.
Static Port Mapping Add: Sets up static port mapping schemes.
Static Port Mapping Delete: Deletes static port mapping schemes.
Static Port Mapping: Set up or delete static port mapping schemes.
Subscriber Interfaces: Blocks subscriber interfaces.
Syslog: Displays syslog history.
System Utilization: Displays system utilization information.
Upgrade: Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support.
User Settings: Blocks IPPROTO traffic from misconfigured subscribers.
Items and Description
ARP Add: Adds an Address Resolution Protocol (ARP) table entry.
ARP Delete: Deletes an ARP table entry.
Bridge Mode: Enables the Bridge Mode option.
Export: Exports the system's configuration settings to an archive file.
Factory: Imports the factory default settings.
FailOver: Sets up a sibling Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the netwo…
113. [base64-encoded CSR contents omitted] Copy the entire contents of the CSR file, including the lines that contain the begin and end statements, into the field on the right.
Please select Apache Freeware to submit the CSR to VeriSign. The Certificate Signing Request is in the server.csr created in the previous step. Open server.csr and copy and paste all data into the edit box. Select the purchase method and submit the required contact information. For Expedited Service, you will typically be able to get the Public Key by email within two days. For Regular Service, you will typically be able to obtain the key within seven days.
When you receive an email from VeriSign with the Secure Server ID (Global Server ID if you create a 128 bit key) that contains the Public Key information, cut and paste the key into a new file named server.pem.
5. The file server.pem will look like this:
[server_pem.txt shown in Notepad: base64-encoded certificate omitted]
114. … The Internal Billing Options Plan Setup (or Internal Billing Options XoverY Plan Setup) screen appears for the billing plan and type you selected.
[Screen: Internal Billing Options Plan Setup. Plan 1: Enable; Label (Description of Service): per week, maximum 3 weeks. Pricing: Rate Per Minute, Rate Per Hour, Rate Per Day, Rate Per Week, Rate Per Month. Time Unit: Minute, Hour, Day, Week, Month. Wired for Business. Maximum Bandwidth: Up 256, Down 512. QoS Policy. DHCP Pool: Private / Public. NOTE: Public option requires IP Upsell to be turned on; otherwise subscribers will receive private IP addresses.]
Sample of Internal Billing Options XoverY Plan Setup Screen
[Screen: Internal Billing Options XoverY Plan Setup. Plan 4: Enable; Label (Description of Service): Wireless Internet Access for 24 hour. Plan Details: Plan Cost; Plan Duration (X); Time Unit for Plan Duration: Minute, Hour, Day; Plan Validity (Y); Time Unit for Plan Validity: Day, Week, Month. Maximum Bandwidth: Up 256, Down 512. QoS Policy: select a policy. DHCP Pool: Private / Public. NOTE: Public option requires IP Upsell to be turned on; otherwise subscribers will receive private IP addresses.]
NOTE: Usernames will be enabled if you submit an XoverY plan.
Depending on the type of plan you want to set up …
115. Currently Allocated DHCP Leases
Index  IP Address  MAC Address        Lease Status  Time Remaining
1      10.0.1.12   00:18:0A:21:61:14  Expired
2      10.0.1.13   50:46:5D:E9:B4:E2  Expired
3      10.0.1.14   34:C0:59:7D:F0:F5  Expired
Counts: Active 0, Expired 3, Offered 0, Lapsed Offers 0, Conflicts 0
Deleting All Expired Subscriber Profiles (Expired)
This procedure shows you how to delete all expired subscriber profiles from the Access Gateway's database of authorized subscribers. Use this procedure when you want to clean up the subscriber database.
1. From the Web Management Interface, click on Subscriber Administration, then Expired. The Remove Expired Profiles screen appears.
Remove Expired Profiles: Remove expired subscriber profiles from the database. Note: Your browser may be blocked for a few seconds after selecting this command.
2. Click on the OK button to remove all expired profiles.
Finding Subscriber Profiles by MAC Address (Find by MAC)
This procedure shows you how to find a subscriber profile from the Access Gateway's database of authorized subscribers, based on the profile's MAC address. Use this procedure when you want to see the statistics corresponding to the MAC address. Statistics include user name and password (if any) and the access time remaining for this subscriber.
1. From the Web Management Interface, click on Subscriber Administration, then Find by MAC. The Fi…
116. … Definable 1 and User Definable 2 are optional. Use these fields for simple notations about the subscriber.
10. Define the Min Upstream Bandwidth and Max Upstream Bandwidth range for this subscriber (in Kbps).
11. Define the Min Downstream Bandwidth and Max Downstream Bandwidth range for this subscriber (in Kbps).
12. Enter the Maximum users per group for the subscriber account.
13. Select a policy from the QoS Policy menu. See Setting up Quality of Service (QoS) on page 148 for more information.
14. Enable SMTP Redirection to allow the specified user to have their SMTP traffic redirected by the global SMTP redirect configuration.
Click on the Add button to add this subscriber to the database, or click on the Reset button if you want to reset all the values to their previous state.
Displaying Current Subscriber Connections (Current)
You can display a listing of all the subscribers currently connected to the system. The list includes the MAC addresses of the subscribers, their active state, the individual expiration times, port numbers (if assigned), bandwidth limits, current bandwidth usage, and the number of bytes that have been passed from the subscriber to the Internet. This data can be used if a dispute arises between the subscriber and the solution provider, for example if a subscriber claims that their connection to the Internet was not completed. By reviewing the byte …
117. [Table of contents fragment; legible entries: Welcome to The Access Gateway; Product Configuration and Licensing; Access Control and Authentication; Service Branding; NSE Core Functionality; Access Control; Bandwidth Management; Billing Records Mirroring; Dynamic Transparent Proxy; External Web Server Mode; Internal Web Server]
118. This page intentionally left blank.
Appendix A: Technical Support
We have tried to ensure that you get the most up to date information available about the Access Gateway, and we hope this User Guide has met all your operational and performance needs. However, we understand that occasionally you may run into problems that require additional technical support. Troubleshooting on page 347 provides some basic troubleshooting information and procedures that will help you to diagnose and solve your problem if the problem is related to the Access Gateway. Additionally, you should check with your network documentation to verify that the network components are functioning correctly. If you cannot resolve the problem with your documentation resources, try connecting to our corporate Web site. We may have new information posted here that addresses your issues. If you are still having problems, our friendly and experienced technical support team is always ready to assist you. When contacting technical support, please have your Access Gateway's serial number available. The serial number is located on the bottom panel of your Access Gateway.
Contact Information
You can contact us by Email, fax, telephone or regular mail.
Telephone: +1 818 575 2590
E-mail: support@nomadix.com
Fax: +1 818 597 1502
Address: Nomadix, Inc., 30851 Agoura Rd, Suite 102, Agoura Hills, CA 91301, USA
A…
119. NOMADIX ACCESS GATEWAY User Guide, Version 7.4 / 8.2
2013 NOMADIX, INC. ALL RIGHTS RESERVED. NTT docomo / DOCOMO interTouch. Rev A.
Access Gateway
Copyright 2013 Nomadix, Inc. All Rights Reserved.
This product also includes software developed by The University of California, Berkeley and its contributors; Carnegie Mellon University (Copyright 1998 by Carnegie Mellon University, All Rights Reserved); Go Ahead Software, Inc. (Copyright 1999 Go Ahead Software, Inc., All Rights Reserved); Livingston Enterprises, Inc. (Copyright 1992 Livingston Enterprises, Inc., All Rights Reserved); The Regents of the University of Michigan and Merit Network, Inc. (Copyright 1992, 1995, All Rights Reserved); and includes source code covered by the Mozilla Public License Version 1.0 and OpenSSL.
This User Guide is protected by U.S. copyright laws. You may not transmit, copy, modify or translate this manual, or reduce it or any part of it to any machine readable form, without the express permission of the copyright holder.
Trademarks
NOMADIX and Nomadix Service Engine are trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their respective holders.
Product Information
Telephone: +1 818 597 1500
Fax: +1 818 597 1502
For technical support information, see the Appendix in this User Guide. Write your product serial n…
120. … IP address, or you can enable the Access Gateway to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
1. From the Web Management Interface, click on Configuration, then DHCP. The DHCP Settings screen appears.
[Screen: DHCP Settings. DHCP Services: Disable / Enable. DHCP Relay: DHCP Server IP; DHCP Relay Agent IP (Note: The NSE's Network IP address is used if 0.0.0.0 is entered). DHCP Server: Enable; Forwarded DHCP Client; Subnet based; IP Upsell (Note: To enable IP Upsell, make sure your license includes it). Server IP 10.0.9.4, Server Netmask 255.255.255.0, Total number of leases 29. Pool (Start IP, End IP, Lease, IP Type, IP Upsell): 10.0.0.12, 10.0.0.50, 1440, PRIVATE, NO (Default Pool). Click here to add a new DHCP Pool. NOTE: You must reboot for configuration changes to take effect. Reboot after changes are saved: Yes.]
Nomadix patented Dynamic Address Translation (DAT) functionality is automatically configured to facilitate plug and play access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access regardless of their computer's network settings.
2. DHCP Services is enabled by default. Do not di…
121. Interface (WMI) on page 74. (Introduction, page 22)

Optional NSE Modules

Load Balancing (8.2). Load Balancing requires an optional NSE product license. With the 8.2 NSE Load Balancing Module, Internet traffic is balanced across multiple WAN (ISP) connections to ensure that traffic is distributed based on the capability of each connection. For example, organizations may wish to balance traffic between a low-cost DSL WAN (ISP) and one high-performance, high-capacity WAN (ISP). This is of value when multiple links are used to optimize the cost of Internet service, such as balancing traffic between one low-cost DSL WAN (ISP) and one high-performance, high-capacity WAN (ISP). Hotels may also use this capability to provide tiered services reflecting the capacity of the WAN (ISP) connection.

The Link Failover feature of the Load Balancing Module is designed to improve business continuity. In the event that one or more links fail, traffic is seamlessly rerouted to the remaining (surviving) links without lapse of service. When the failed links recover, the NSE routes new connections toward the now-working links until a normal, balanced configuration is reached. For details of the Load Balancing capabilities and sample use cases, see Load Balancing and Link Failover on page 26.

Hospitality Module. The optional Hospitality Module provides the widest range of Property Management System (PMS) interfaces to enable in-room guest billing for H
122. 1U rack space in a 19" rack; 10.00" L x 10.00" D x 1.73" H (254 mm L x 254 mm D x 44 mm H). Weight: 5.0 lbs (2.27 kg).
OPERATING VOLTAGE: 100-240 VAC, 50/60 Hz, auto-sensing.
POWER CONSUMPTION: 44 watts.
(Quick Reference Guide, page 309)

AG3100 Specifications (continued)
ENVIRONMENTAL: Operating temperature 5 °C to 40 °C; Storage temperature 0 °C to 70 °C; Operating humidity 20-90% RH non-condensing; Storage humidity 5-95% RH; Altitude up to 15,000 ft.
COMPLIANCE: FCC Class A Part 15; CE Mark; CENELEC EN 55022:1998 + A1:2000 + A2:2003 Class A; CENELEC EN 61000-3-2:2000; CENELEC EN 61000-3-3:1995 + A1:2001; UL Std 1950; CSA 22.2 No. 950.
INTERFACES: 3 x 10/100 Mbps Ethernet (RJ-45); 1 x DB9 serial for serial management and PMS interface.
LED INDICATORS: ACT, LINK and 10/100 for each Ethernet port; Power.
NETWORK MANAGEMENT: Multi-Level Administration Controls; Integrated VPN Client (IPSec) for secure connection to an NOC; Access Control Lists; Web Administration UI; CLI via Telnet and Serial Port; SNMPv2c; Secure XML API; Auto Configuration and Upgrades; Syslog; AAA log.
NETWORKING: IEEE 802.3/3u; IEEE 802.1d; DHCP Server; DHCP Relay; RADIUS Client (MD5, PAP, CHAP, MS-CHAPv1/v2).

AG5500 Specifications
AVAILABLE NSE MODULES: High Availability (Fail-Over); Hospitality Module (Property Management Interface
123. Line Interface (CLI); Integrated VPN Client for Management; RADIUS-Driven Configuration; Multi-Level Admin Support; Centralized RADIUS Authentication; SMTP Redirection; Access Control; Bridge Mode; SNMPv2c; Syslog; AAA Log.
MEDIA ACCESS CONTROL: CSMA/CA.
PORTS: 10/100/1000 Base-T Ethernet RJ-45 UTP WAN5 10; 10/100/1000 Base-T Ethernet RJ-45 UTP LAN; RJ-45 port for Serial Access Systems Console; DB9 Serial Port Property Management Interface.

AG2400 Specifications (continued)
IP ADDRESS MANAGEMENT: IEEE 802.3/3u/3eb; IEEE 802.1d; DHCP Server; DHCP Relay; Multiple Subnet Support; IP Upsell; DHCP Client; PPPoE Client.
INTELLIGENT ROAMING: Realm-Based Routing; Zone Migration.
SERVICE PROVISIONING: Home Page Redirect; HTTP Redirect; HTTPS Redirect; Portal Page Redirect; Session Termination Redirect; Information and Control Console; Pop-up explicit logout button; International Language Support; External Web Server Mode; Internal Web Server Mode; Secure XML API over SSL; Login Page Failover.
USER TRUE PLUG AND PLAY: Dynamic Address Translation.

AG3100 Specifications
AVAILABLE NSE MODULES: High Availability (Fail-Over); Hospitality Module (Property Management Interface, PMS).
PERFORMANCE: User Support up to 200 users concurrently; Throughput up to 85 Mbit/s (as defined by RFC 1242, Section 3.17).
PHYSICA
124. Location Menu on page 193
- Subscriber Administration Menu on page 205
- Subscriber Interface Menu on page 219
- System Menu on page 252

Now that the Access Gateway has been installed and configured successfully, this User Guide moves away from the Command Line Interface (CLI) and documents the Access Gateway from the Web Management Interface (WMI) viewpoint.

Choosing a Remote Connection

Once installed and configured for the customer's network, the Access Gateway can be managed and administered remotely with any of the following interface options:
- Using the Web Management Interface (WMI): provides a powerful and flexible Web interface for network administrators.
- Using an SNMP Manager: allows remote Windows management using an SNMP client manager, for example HP OpenView. However, before you can use SNMP to access the Access Gateway, you must set up the appropriate SNMP communities. For more information, refer to Managing the SNMP Communities (SNMP) on page 168.
- Using a Telnet Client.

To use any of the remote connections (Web, SNMP or Telnet), the network interface IP address for the Access Gateway must be established; you did this during the installation process. Choose an interface connection based on your preference. (System Administration, page 73)

Using the Web Management Interface (WMI)

The Web Management Interface (WMI) is a graphical vers
125. Enable. Submit. Please enter either an IP address, a DNS name or a Domain name and click on one of the provided buttons. Note: DNS name and Domain name should not contain protocol, port or path information. Up to 300 URL Filtering Addresses can be entered. [IP/DNS Name: www.test.com; Add / Remove. Current URL Filtering Addresses: Domain Names: www.test.com; IP addresses: 1.2.3.4. Number of URL Filtering Addresses: 2.]

2. If you want to enable this feature, click on the check box for URL Filtering. Click on the Submit button to save your setting. If URL Filtering is enabled, you can add or remove up to 300 addresses in the IP/DNS Name field. After entering the address you want to add, simply click on the Add button; the address will be added to the displayed list. Add or remove addresses as required.

Selecting User Agent Filtering Settings

The Access Gateway can ignore traffic generated by unsubscribed user devices that are not accessing walled garden sites, or by unauthenticated users. (System Administration, page 176)

1. From the Web Management Interface, click on Configuration, then User Agent Filtering. The User Agent Filtering Settings screen appears.

[User Agent Filtering Settings screen: User Agent Filtering: Enable. Please enter the name of an HTTP User Agent and click on one of the provided buttons. Note: HTTP traffic from these User Agents will be discarded until the user becomes Valid. Up to 128 n
126. (Table of contents, continued; entries that did not survive extraction are omitted.)
... 328
Setting Up the SSL ... 330
Obtain a Private Key File ... 330
Installing Cygwin and OpenSSL on a PC ... 331
Private Key Generation ... 334
Create a Certificate Signing Request (CSR) ... 337
Create a Public Key File (Certificate) ... 338
Setting Up Access Gateway for SSL Secure Login ... 341
Setting Up the Portal Page ... 342
Sending Billing Records ... 343
... 344
Chapter 6 Troubleshooting ... 347
General Troubleshooting Tips ... 347
Management Interface Error Messages ... 348
Contact Information ... 353

Introduction

About this Guide

This User Guide provides information and procedures that will enable system administrators to install, configure, manage and use the Access Gateway product successfully and efficiently. Use this guide to take full advantage of the Access Gateway's functionality.
127. NOTE: You must reboot for setting changes to take effect. Reboot after changes are saved: Yes. Submit / Reset.

2. Select Internal Time to use the local hardware time, or select External Time Server if you want to use NTP instead of the internal clock of the NSE.

If you select Internal Time, enter the new date and time parameters in the relevant fields, if required:
- Year (YYYY)
- Month (1-12)
- Day (1-31)
- Hour (0-23)
- Minute (0-59)

After entering new data for the final parameter (minutes), the system writes the information into its BIOS, then displays the new date and time. (System Administration, page 173)

If you select External Time:
- In the Server Timeout field, enter the number of seconds before the NSE gives up on receiving a time response from the NTP server.
- In the Time Server 1-4 fields, enter up to 4 different NTP servers to query for the correct time.

3. The Access Gateway also allows you to enter a Time offset from UTC. This parameter is the Universal Coordinated Time based on the ISO 8601 standard and is used in conjunction with RADIUS servers, for example if the RADIUS server is set up for a time zone that is different from the Access Gateway's.

4. When finished, click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.

Setting up Traffic Descriptors

Traffic Descriptors are a dependency of cr
128. P: 10.0.0.250. Lease Duration (Minutes): 1440. Home Page Redirection: Disabled. Parameter Passing: Disabled. Redirection Frequency (Minutes): 3600. Dynamic Address Translation (DAT): Enabled (cannot be changed). (Quick Reference Guide, page 301)

Function / Default Setting:
- AAA Logging: Disabled
- AAA Log Server Number: 3
- AAA Log Server IP: 0.0.0.0
- SYSLOG (System Logging): Disabled
- SYSLOG Server Number: 2
- SYSLOG Server IP: 0.0.0.0
- AAA Services: Disabled
- Internal Authorization: Enabled
- New Subscribers: Enabled
- Credit Card Service: Enabled
- Parameter Passing: Disabled
- Usernames: Enabled
- XML: Disabled
- DNS Redirection: Enabled
- SMTP Redirection: Disabled
- SMTP Server IP: 0.0.0.0
- SNMP: Disabled
- SNMP Get Community: public
- SNMP Set Community: private
- SNMP Trap IP: 0.0.0.0
- System Administration Login User (admin) Name: admin
- System Administration Password: (not shown)

Product Specifications

AG2300 Specifications
AVAILABLE NSE MODULES: High Availability (Fail-Over).
PERFORMANCE: User Support up to 50 users concurrently; Throughput up to 20 Mbit/s (as defined by RFC 1242, Section 3.17).
PHYSICAL: 1U rack space in a 19" rack; 10.00" L x 10.00" D x 1.73" H (254 mm L x 254 mm D x 44 mm H). Weight: 5.0 lbs (2.27 kg).
OPERATING VOLTAGE: 100-240 VAC, 50/60 Hz, auto-sensing.
POWER CONSUMPTION: 44 watts.
129. Power Cord; 1 x 6' RJ45-DB9 Console Cable; 2 x Rack Mount Brackets and PS bracket; 1 x Bumper and Screw Kit.
AG 5800: 1 x U.S. NEMA 5-15p Power Cord; 1 x EU Schuko CEE7/7 Power Cord; 1 x 6' RJ45-DB9 Console Cable; 2 x Rack Mount Brackets; 1 x Bumper and Screw Kit.

Start Here

1. Unpack the Nomadix Access Gateway and place the product on a flat and stable work surface.
2. Register the gateway for support services by completing and returning the Nomadix Gateway Registration Form (hardcopy enclosed), or obtain the form online at http://www.nomadix.com/registration.
3. Connect the power cord.
4. Connect to the Access Gateway (AG). There are two ways to connect to the Access Gateway (AG):
- Serial Connection: connect the RJ45 console cable to the product's console port and the DB9 (female) to your computer. (Installing the Access Gateway, page 40) Start a HyperTerminal or equivalent session to communicate with the AG via the product's console interface. Use the following configuration settings for your session: 9600, 8, None, 1, None.
- Subscriber-side Ethernet Connection: connect a cross-over Ethernet cable between the product's Eth1 port and your computer's Ethernet port.
5. Set up an SSH client to establish an SSH session to communicate with the NSE gateway via the administrative IP address after the Access Gateway finishes powering up. The administrative IP address is 172
130. Relay; RADIUS Client (MD5, PAP, CHAP, MS-CHAPv1/v2).

AG5600 Specifications
AVAILABLE NSE MODULES: High Availability (Fail-Over); Hospitality Module (Property Management Interface, PMS).
PERFORMANCE: User Support up to 2000 users concurrently; Throughput up to 750 Mbit/s (as defined by RFC 1242, Section 3.18).
PHYSICAL: 1U rack space in a 19" rack; 17.24" L x 11.53" W x 1.73" H (438 mm L x 292.0 mm W x 44 mm H). Weight: 8.8 lbs (4.00 kg). (Quick Reference Guide, page 313)
OPERATING VOLTAGE: 100-240 VAC, 50/60 Hz, auto-sensing.
POWER CONSUMPTION: 65 watts.
ENVIRONMENTAL: Operating temperature 0 °C to 40 °C; Storage temperature 10 °C to 70 °C; Operating humidity 20-90% RH non-condensing; Storage humidity 5-95% RH; Altitude up to 15,000 ft.
COMPLIANCE: UL (UL US and Canada); FCC Class A; CE: EN 55022:2006 + A1:2007; EN 55024:1998 + A1:2001 + A2:2003; IEC 61000-4-2:1995 + A1:1998 + A2:2000; IEC 61000-4-3:2006; IEC 61000-4-4:2004; IEC 61000-4-5:2005; IEC 61000-4-6:2007; IEC 61000-4-8:1993 + A1:2000; IEC 61000-4-11:2004; EN 61000-3-3:1995 + A1:2001 + A2:2005; Low Voltage Directive (European Council Directive 2006/95/EC); IEC 60950-1:2005 2nd Edition; EN 60950-1:2006 + A11:2009.
INTERFACES: 2 x 10/100/1000 Mbps GigE RJ-45 (LAN); 1 x 10/100/1000 Mbps GigE RJ-45 (WAN); 1 x DB9 serial (PMS Interface); 1 x Front Acc
131. The numbers must be entered in the form of a telephone number, which the selected PMS will interpret. If the phone number field required by the PMS is shorter than 15 characters, only the first required number of characters will be supplied.

If desired, enable Syslog PMS communications. [Miscellaneous settings: Syslog PMS communications (applies to WFB and FOSSE only). Submit / Reset.] Click on the Submit button to save your changes and restart the serial interface, or click on the Reset button if you want to reset all the values to their previous state.

Based on the HOBIC interface standards, Nomadix Inc. has also certified interoperability with a number of other PMS and call accounting solutions, such as Ramesys, ImagInn, Xeta Virtual XL and Hilton's proprietary standard OnQ. This development effort is on-going. For an up-to-date list of supported PMS systems, please contact our Technical Support team. Refer to Appendix A, Technical Support, on page 323.

Setting Up Port Locations (Port Location)

Port Location allows you to establish the mode of operation for devices.

1. From the Web Management Interface, click on Configuration, then Port Location. The Port Location Settings screen appears.

[Port Location Settings screen: In-Room Port Mapping: Enable; Username; Password. Note: for security reasons this option should be disabled when In-Room Port M
132. billing functionality for all supported PMS interfaces, providing hotel guests with the option to terminate their connection via the ICC and be billed only for the actual time he/she was online. (System Administration, page 135)

The Access Gateway is equipped with a serial port to facilitate connectivity with the system's CLI or a customer's Property Management System. Some PMS vendors may require you to obtain a license before integrating the PMS with the Access Gateway. Check with the PMS vendor.

Some Property Management Systems may use interfaces that are incompatible with the Access Gateway. If your Access Gateway is having trouble communicating with a solution provider's PMS, please contact technical support. Refer to Contact Information on page 323.

Before you can change the PMS settings, a PMS must be connected to the Access Gateway via the serial port on the rear panel. See also Connecting the Access Gateway to the Customer's Network on page 46.

The Access Gateway can query most popular Property Management Systems for confirmation of the names and room numbers of hotel guests, effectively becoming a clone of a popular Micros POS system. This functionality allows hotels to seamlessly deploy wireless networks, or alternatively use low-cost wired access concentration equipment that either does not support port ID or does so in a proprietary format that Nomadix does no
133. service profile. This means that this realm routing policy will match usernames that are of the format username tcisp com. Since this policy references a tunnel profile, no RADIUS access requests will be sent to any RADIUS server. In this case, the NSE will use the L2TP tunnel parameters specified in the tunnel profile to establish a tunnel and pass the username/password input to the tunnel server. Again, as before, the username passed to the tunnel server will have realm information stripped, since the check box for "Strip off routing information when sending to tunnel server" is checked. This check box may be unchecked if it is necessary for usernames to contain realm information for user authentication. (System Administration, page 165)

The Local hostname field is also blank in this example, which means that the NSE will use the default value of usg_lac during tunnel negotiation.

Configure RADIUS Client

The NSE RADIUS client must be set up for realm-based routing mode, since realm information will be used by the NSE's L2TP tunnel feature to determine how to handle usernames that contain realm information. The screen below shows an example of setting the routing mode to handle realm-based usernames.

[Server Selection and Communication: Routing Mode: Disabled / RealmBased / Fixed. Default RADIUS Service Profile: NMDxRadius.] Your new RADIUS Service Profiles are RADIUS Rout
134. (Table of contents, continued; entries that did not survive extraction are omitted.)
... 282
Subscriber Management Models ... 282
Configuring the Subscriber Management Models ... 283
Information and Control Console (ICC) ... 284
... 284
... 285
Subscriber Administration Menu Items ... 294
Subscriber Interface Menu Items ... 294
System Menu Items
Alphabetical Listing of Menu Items ... 299
Default Factory Configuration Settings
Product Specifications ... 303
Sample AAA Log
Message Definitions (AAA Log) ... 320
Sample SYSLOG Report ... 321
Sample History Log ... 322
Keyboard Shortcuts ... 323
HyperTerminal Settings ... 323
RADIUS Attributes ... 324
Authentication Request ... 323
Authentication Reply (Accept) ... 323
Accounting Request ... 326
... 327
Nomadix Vendor Specific Attribu
135. TE: You must reboot for the following settings to take effect.

[Network Interface screen: Configuration Method: DHCP Client / PPPoE Client (Configure PPPoE Client) / Static. Static Configuration Parameters: Network IP Address; Subnet Mask; Default Gateway; Gateway ARP Refresh Interval (secs): 200. Reboot after changes are saved: Yes. Required Field. Configuration menu sidebar: DHCP, DNS, Dynamic DNS, GRE Tunneling, Home Page Redirect, iNAT, IPSec, Logging, MAC Authentication, Nomadix Services, Passthrough Addresses, PMS, Port Location, QoS, RADIUS Client, RADIUS Proxy, Realm Based Routing, Routed Subscribers, SMTP.]

Enabling the Bridge Mode Option (Bridge Mode)

Bridge Mode allows complete and unconditional access to devices on the subscriber side of the Access Gateway. When the Bridge Mode option is enabled, the Access Gateway is effectively transparent to the network in which it is located, allowing clusters of switches (especially Cisco Systems switch clusters) to be managed using STP (Spanning Tree Protocol) or any other algorithm/protocol. The Access Gateway forwards any and all packets except those addressed to the Access Gateway network interface. The packets are unmodified and can be forwarded in both directions. This is a very useful feature when troubleshooting your entire network, as it allows administrators to effectively remove the Access Gateway from the network without physically disc
136. Tables

[Active ARP Table (IP Address / MAC Address / Permanent / Published / Interface):
(unknown IP) / 00:90:fb:3a:ac:65 / no / no / (illegible) / Delete
192.168.1.4 / 00:50:e8:02:85:5e / yes / yes / WAN
172.30.30.172 / 00:50:e8:02:85:5e / yes / (illegible) / WAN / Delete
192.168.110.25 / 00:50:e8:02:85:5f / yes / (illegible) / Eth1 (system)
(one further row illegible)
Note: deleting an Active ARP entry that is Static or Persistent does not remove that entry from the Static/Persistent ARP Table.

Static/Persistent ARP Table (IP Address / MAC Address / Interface / Role / Type): entry 192.168.1.1 shown. Note: deleting a Static or Persistent ARP entry also removes that entry from the Active ARP Table, if present.

Add a New Static or Persistent ARP entry: IP Address; MAC Address; Interface: WAN; Role: wan / sub; Type: Static / Persistent.]

Configurable Gateway ARP Refresh Interval

The NSE will periodically refresh its ARP cache entry for the gateway IP. When gateway redundancy is implemented via the use of multiple gateway devices with the same IP address, the periodic refresh enables the NSE to quickly discover the new MAC address of the gateway. You can set the refresh frequency on the Location page. The frequency must be between 30 and 600 seconds; 600 seconds is half of the ARP cache refresh interval, so the ARP entry can never expire. (System Administration, page 254)

[Configuration menu: Bill Record Mirroring; Destination HTTP Redirection; NO
137. Updating a Port Location Assignment. (System Administration, page 194)

Adding a Port Location Assignment

This procedure shows you how to add a port location assignment. If you want to update an existing assignment, go to Updating a Port Location Assignment.

1. From the Web Management Interface, click on Port Location, then Add. The Add Port Location Assignments screen appears.

[Add Port Location Assignments screen: Location; Port; Description; Subnet; Default QoS Policy: no policy; State: No Charge / Blocked / Charge for Use. Note: the following items have no effect unless the port-based billing policies feature is enabled. Also, each individual item has no effect unless the corresponding feature is enabled. Enable RADIUS Billing; Enable Tunneling; Enable PMS Billing; Enable Credit Card Billing; Billing plan(s) available on port: All Plans. Note: if you plan on using a PMS interface, please make sure that the Location field consists of numbers only. Add / Reset.] (System Administration, page 195)

2. Enter a location identifier in the Location field. Locations can be assigned as an alpha, numeric or alpha-numeric value unless a PMS interface is used (see note). If you are using a PMS interface, ensure that the Location field consists only of numbers (no alpha characters or symbols).

3. All alpha characters used for locations and descriptions a
138. Username Message: "Please enter your Username and Room Number". Enable JavaScript: yes. Enable Remember Me option: yes (must have JavaScript enabled). Remember Me Message: "Remember my username and password". Remember for how many days: 7. Help Hyperlink Message; Help Hyperlink URL. Locale: US. Currency: USD (must use an ISO 4217 International Currency Code). Number of decimals for amount: 2. Image File Name: image.gif. Page Background Color: white (View Color Grid). Table Background Color: FEoEoc2. Page Title Font: Verdana. Line Item Font: Verdana. Partner Image: Enable; Partner Image File Name. NOTE: You must reboot for Image File Name or Partner Image File Name settings changes to take effect. Reboot after changes are saved: Yes. Submit / Reset.]

2. Define the messages you want subscribers to see when they log in. Keep messages brief and to the point. Available message categories include:
- Service Selection Message (System Administration, page 238)
- Existing Username Message
- New Username Message
- Contact Message
- PMS Username Message

If any of your devices do not support JavaScript, you have the option of disabling the Access Gateway's JavaScript support. JavaScript support is enabled by default. If necessary, and if JavaScript support is already enabled, click on the check box for Enable JavaScript to disable this feature. Click on the check box for Enable Reme
139. (Private key file contents omitted.)

Create a Certificate Signing Request (CSR) File

Run the following command to generate the certificate signing request:

    openssl req -new -key cakey.pem > server.csr

[Terminal session (C:\WINNT\System32\command.com, CYGWIN\BIN): the command above is entered, OpenSSL reports the configuration file it is using, and then prompts:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value. If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
Organization Name (eg, company):
Common Name (eg, YOUR name):
Email Address: techsupport nc
Please enter the following 'extra' attributes to be sent with your certificate request:
A challenge password:
An optional company name:]
(Quick Reference Guide, page 337)
140. (Table of contents, continued; entries that did not survive extraction are omitted.)
... 186
Viewing IPSec Tunnel Status (IPSec) ... 187
Viewing NAT IP Address Usage (NAT IP Usage) ... 187
Displaying the Routing Tables (Routing) ... 188
Displaying the Routing Tables (Routing) 8.2 ... 189
Displaying the Active IP Connections (Sockets) ... 190
Displaying the Static Port Mapping Table (Static Port Mapping) ... 19
Displaying TCP Statistics (TCP) ... 192
Displaying UDP Statistics (UDP) ... 193
Port Location Menu ... 193
Adding and Updating Port Location Assignments (Add) ... 194
Deleting All Port Location Assignments (Delete All) ... 197
Deleting Port Location Assignments by Location (Delete by Location) ... 198
Deleting Port Location Assignments by Port (Delete by Port) ... 199
Exporting Port Location Assignments (Export) ... 199
Finding Port Location Assignments by Description (Find by Description) ... 200
Finding Port Location Assignments by Location (Find by Location) ... 201
Finding Port Location Assignments by Port (Find by Port) ... 202
Importing Port Location Assignment
141. able. Block Subscriber-side Web Management Access (HTTP): Enable (please note that this will terminate the current subscriber-side session). Block Subscriber-side Web Management Access (HTTPS): Enable. Block Subscriber-side FTP Access: Enable. Block Subscriber-side SFTP Access: Enable. Block Subscriber-side SSH Shell Access: Enable. Source IP-based Access Control (Access Control): Enable. NOTE: You must reboot for setting changes to take effect. Reboot after changes are saved: Yes. Access Control End IP: None.]

2. For Configurable Ports, enter a Telnet Port and an HTTP Port.

3. Enable or disable administrator access to any of the following interfaces: (System Administration, page 88)
- Telnet Access
- Web Management Access (HTTP)
- Web Management Access (HTTPS)
- FTP Access
- SFTP Access
- SSH Shell Access
- SNMP

Blocking or unblocking interface access will terminate the current session.

Enabling the blocking of all interfaces and disabling SNMP will completely block access to the Access Gateway administration interface. Do not enable the blocking of all interfaces without setting up and enabling SNMP. For assistance, contact Nomadix Technical Support.

4. Enable or disable subscriber-side interface blocking for any of the following interfaces:
- Telnet Access: enables/disables blocking of Telnet access from the subscriber side to the NSE Telnet interface. Default setting is enabled.
- Web Management Access (HTTP): enable
142. ace page shows the settings for each port in either WAN or OOS modes. Ports in SUB mode are not shown. Each of the displayed ports has individual iNAT Subscriber tunnel settings, accessible by clicking on that port's link. A new, improved interface allows easy deletion of any iNAT address range.
- Routing: Displays the routing tables and performance statistics.
- Sockets: Displays the active Internet connections.
- Static Port Mapping: Displays the currently active static port mapping scheme.
- TCP: Displays the TCP performance statistics.
- UDP: Displays the UDP performance statistics.

Port Location Menu Items (Item / Description)
- Add: Adds or updates port location assignments.
- Delete All: Deletes all port location assignments. Use this command with caution.
- Delete by Location: Deletes port location assignments based on a specified location.
- Delete by Port: Deletes port location assignments based on a specified port (VLAN tag).
- Export: Exports specified port location assignments to the location.txt file.
- Find by Description: Finds a port location assignment based on a unique description.
- Find by Location: Finds a port location assignment based on a specified location.
- Find by Port: Finds a port location assignment based on a specified port. (Quick Reference Guide, page 292)
- Import: Imports specified port location assignments from the location.txt
143. administrators to block access from Telnet, Web Management and FTP sources.
- Auto Configuration: Provides an effortless and rapid method for configuring devices for fast network roll-outs.
- Bandwidth Management: Manages the bandwidth for subscribers, defined in Kbps (kilobits per second), for both upstream and downstream data transmissions.
- Bill Record Mirroring: Configures the Nomadix Access Gateway to send copies of billing records to external servers.
- DHCP: Assigns the Nomadix Access Gateway as its own DHCP server, or enables the DHCP relay for an external server.
- DNS: Sets up the DNS parameters, including the host name, domain, and the primary and secondary DNS servers.
- Dynamic DNS: Sets parameters for Dynamic DNS.
- GRE Tunneling: Sets GRE Tunneling parameters.
- Home Page Redirect: Redirects the subscriber's browser to a specified home page.
- iNAT: Enables Intelligent Address Translation for Transparent VPN Access.
- Interface Monitoring: The ability to actively monitor each WAN (ISP) and VLAN connection to assure that full network functionality exists. (Quick Reference Guide, page 288)
- IPSec: IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or
144. aid USD. User Definable 1; User Definable 2. Max Upstream Bandwidth: 0 Kbps. Max Downstream Bandwidth: 0 Kbps. QoS Policy: select a policy. Count down after Login: Enable. SMTP Redirection: Enable. Note: Global SMTP Redirection must be enabled for subscriber SMTP Redirection to take effect (see the SMTP page under SMTP Redirection Configuration options). Add / Reset.]

- Choose the Subscriber account type.
- Define the DHCP Address Type (Public or Private). This is only used when the IP Upsell feature is enabled; otherwise leave this set to Private.
4. Enter a valid MAC Address for the subscriber. If you have chosen to manage this subscriber by user name only, you do not need to enter a MAC address, but you must enter a user name.
- Enter the IP Address of the subscriber.
- Enter a valid Subnet address for this subscriber. (System Administration, page 206)
7. In the Username field, enter a user name for this subscriber. If you entered a MAC address and you do not want to assign a user name, skip Step 9.
- password. User names and passwords are case sensitive.

Having a user name and password is an optional service that subscribers may request, for example if they are using more than one machine or moving between locations and they want an additional level of security. If they request this service, they are prompted at the login screen for the user name and password you assi
145. …Realm Based Routing Settings screen. The Add Realm Routing Policy screen appears.
- To make this entry the active entry, click on the Entry Active check box.
- To define a specific realm, choose the Specific Realm option and enter the destination in the Realm Name field. Alternatively, you can choose the Wildcard match option, then define your search options: Prefix match only, Suffix match only, or Match either.
- Select the required RADIUS Service Profile from the pull-down menu.
- Click on the Strip off routing information check box if you want to remove the routing information.
- Click on the Add button to add this Realm Routing Policy.
When you have completed the definition of your Realm Routing Policy, you can return to the previous screen (Realm Based Routing Settings) by clicking on the Back to Main Realm Based Routing Settings page link.
The screen below shows a realm routing policy that handles prefix-based usernames using a RADIUS service profile. Notice that Specific Realm is clicked and the Realm name is "cisp". Also notice that Prefix match only is clicked, and that the delimiter is
This means that this realm routing policy will match usernames that are of the format "cisp username".
Add Realm Routing Policy: Entry Active; Specific Realm, Realm name: cisp; Wildcard match; Prefix match only; Match characters…
146. …ame. On the Internet, a node is a host computer with a unique domain name and IP address. See also Domain Name and IP Address.
NTP (Network Time Protocol): An Internet standard protocol, built on top of TCP/IP, that assures accurate synchronization (to the millisecond) of computer clock times in a network of computers. Based on UTC, NTP synchronizes client workstation clocks to the U.S. Naval Observatory master clocks. Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock.
OFDM (Orthogonal Frequency Division Multiplexing): An FDM modulation technique for transmitting large amounts of digital data over a radio wave. OFDM works by splitting the radio signal into multiple smaller sub-signals that are then transmitted simultaneously at different frequencies to the receiver. OFDM reduces the amount of crosstalk in signal transmissions. 802.11a WLAN technology uses OFDM.
OSPF (Open Shortest Path First): This routing protocol was developed for IP networks, based on the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information to all nodes on a network by calculating the shortest path to each node, based on a topography of the Internet constructed by each node. Routers send that portion of the routing table (keeping track of routes to particular network destinations) that describes the…
147. …ame and password attributes, whether the hex alpha characters (A-F) will be uppercase or lowercase. The options are Lower or Upper. The default setting is Lower.
6. Select the RADIUS Service Profile to use from the RADIUS Service Profile to use menu. This setting specifies the RADIUS Service Profile, and therefore which RADIUS servers to use, for MAC-based Authentication purposes.
7. Click Submit to save the settings, or Reset to return the settings to the previous state.
Assigning Passthrough Addresses (Passthrough Addresses)
The Access Gateway allows up to 300 IP passthrough addresses and DNS names. This feature allows users to pass through the Access Gateway and access predetermined services (for example, the redirected home page) at the solution provider's discretion, even though they may not have subscribed to the broadband Internet service. This is useful if solution providers want to openly promote selected services to all users, even if they are not currently subscribing (paying) for access. Allowing up to 300 passthroughs (IP and DNS) offers customers greater promotional flexibility. The Access Gateway is supplied with Hotmail as a default passthrough setting.
1. From the Web Management Interface, click on Configuration, then Passthrough Addresses. The Passthrough Address Settings screen appears. Passthrough Address Settings: Passthrough Addresses: Enab…
148. …ames of HTTP User Agents can be entered. HTTP User Agent name: Add / Remove. Current HTTP User Agent Filtering Names: Windows Update Agent, iTunes. Number of User Agent Filtering Names: 2.
2. Enable User Agent Filtering to use the filtering capabilities for the User Agents.
3. Add the names of the different User Agents that you want to filter to the HTTP User Agent name field. Windows Update and Apple iTunes are default filtered Agents.
Zone Migration
Zone migration is an expansion of the NSE's re-login after migration capability, which currently allows the system to force a subscriber to log in again if the subscriber moves from one port location to another. Zone migration significantly expands this capability via the following means:
- It allows the creation of multiple zones, which are then constituted by groupings of multiple port locations. These groupings can be made up of any combination of desired ports; port values do not have to be sequential in order to be grouped within a given zone.
- The re-login requirement can then be configured so that subscribers can move from one port to another within a zone without being required to re-login. However, when moving between ports in different zones, the re-login requirement is enforced.
- It is also possible to configure a zone so that migration between ports within the zone requires the user to re-login.
In addition, the re-login after migration function was previously limite…
149. …anced security (see also Establishing Session Rate Limiting (Session Limit) on page 270).
Utilizing Packet Capturing (Packet Capture)
The Packet Capture feature provides NSE administrators with an on-system utility to capture network traffic on each of the NSE network interfaces. The captured network traffic will be accessible for FTP download and viewing on a remote host in the form of a PCAP-formatted file. Note that a utility that is capable of reading and displaying PCAP-formatted files, such as Wireshark, is required in order to view the results.
1. From the Web Management Interface, click on System, then Packet Capture. The Packet Capture Settings screen appears. Packet Capture Settings. Note: Starting a capture clears any captured packets from the interface. Interface / Capture / Options / Download: WAN, WAN_capture.pcap; LAN, LAN_capture.pcap; AUX, AUX_capture.pcap.
2. To initiate a capture on a given interface, click that interface's associated Start button. The button label will change to Stop, indicating that a capture is in progress. Click the button again to stop the capture.
3. When a capture has been stopped, the captured traffic can be viewed by clicking the Download link for the given interface.
4. To modify capture settings, click the Show button for the desired interface. This will display the parameters that can be adjusted. Filtering expressions…
150. …and AH policies. Acceptable authentication algorithms: MD5, SHA, NULL. Perfect Forward Secrecy Strength: None, 768-bit, 1024-bit. Maximum Lifetime: 28800 seconds. Maximum Lifesize: 0 kbytes. Automatic renewal. Back to Main IPSec Tunneling Settings page.
2. Select the tunnel peer IP address for which you would like to add a security policy from the Tunnel peer IP address menu. You must select a peer if the policy is using ESP or AH; if the policy is a Discard or Bypass policy, select none.
3. In the Traffic Selectors section, define a specific protocol by one of the following methods:
- Select a specific protocol from the Protocol menu.
- Enter a specific protocol number in the Protocol field. Protocol numbers are available at www.iana.org/assignments/protocol-numbers.
Next you will define selectors of the Security Policy. All selectors must match for the policy to be applied.
4. Define the following selectors for the Remote End:
- Remote IP Subnet: Enter the IP address of the remote network secured by the IPSec tunnel. The address can specify a host.
- Subnet Mask: Enter the subnet mask of the remote network secured by the IPSec tunnel.
- Remote UDP/TCP Port: Enter the port number (0 is for all ports); only if the protocol is UDP or TCP.
5. Security Policy can derive the settings for the Local End from the current Network IP settings of the unit…
151. …and features. Refer to Product Specifications on page 303 for a list of Access Gateway products that this document supports. The Nomadix Access Gateway hardware is configured and controlled by Nomadix Service Engine (NSE) software. The NSE 7.4 Release supports the AG2300, AG3100 and AG5500. NSE 8.0 supports the AG5600 and AG5800. NSE 8.2 supports the AG2400, AG5600 and AG5800. The NSE 8.2 software provides several new features, including independent multi-WAN configuration and an optional Load Balancing module. Features and enhancements specific to NSE 8.2 are labeled "8.2".
Organization
This User Guide is organized into the following sections:
- Chapter 1, Introduction: The current chapter, an introduction to the features and benefits of the Nomadix Access Gateway.
- Chapter 2, Installing the Access Gateway: Provides instructions for installing the Access Gateway and establishing the start-up configuration.
- Chapter 3, System Administration: Provides all the instructions and procedures necessary to manage and administer the Access Gateway on the customer's network following a successful installation.
- Chapter 4, The Subscriber Interface: Provides an overview and sample scenario for the Access Gateway's subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system and the Nomadix Information and Control Console.
- Chapter 5…
152. …appears. Add a Subscriber Profile to the Database: Subscriber / Device / Group Account; Proxy Arp For Device: Enable; 802.1Q Device Port: 0 (only if device and Port Location is 802.1Q two-way); MAC Address; IP Address; Subnet; Username; User Definable 1; User Definable 2; Min Upstream Bandwidth: 0 Kbps; Max Upstream Bandwidth: 0 Kbps; Min Downstream Bandwidth: 0 Kbps; Max Downstream Bandwidth: Kbps; QoS Policy: select a policy; SMTP Redirection. Note: Global SMTP Redirection must be enabled for subscriber SMTP Redirection to take effect (see the SMTP page under Configuration).
2. Choose the Device account type for this profile.
3. If required, enable the Proxy Arp For Device feature.
4. Set the 802.1Q Device Port if the device is connected to a specific VLAN.
5. Enter a valid MAC Address for the device.
6. Enter the IP Address of the device.
7. Enter a valid Subnet address for this device.
8. In the Username field, enter a user name for this device.
9. The next two fields, User Definable 1 and User Definable 2, are optional. Use these fields for simple notations about the device.
10. Define the Min Upstream Bandwidth and Max Upstream Bandwidth range for this device in Kbps.
11. Define the Min Downstream Bandwidth and Max Downstream Bandwidth range for this device in Kbps.
12. Select a policy from the QoS Policy menu. See Setting up Quality of Service (QoS)…
153. …apping is done. No Port Location mapping / VLAN IDs (802.1Q two-way) / Access Concentrator Query: Tut Systems Expresso (Cascading), Lucent DSL Terminator, Tut MDU Lite Systems (Cascading), RFC1493 Compliant Systems (Cascading), RiverDelta 1000B, Elastic Networks. Note: when changing concentrator type, please remove old concentrators before entering new ones. IP address; SNMP community; SNMP query interval (minutes): maximum time it takes to detect subscriber migration; Relogin after migration. Submit / Reset.
System administrators can set the properties for each room from the subscriber side of the Access Gateway. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using.
- If required, click on the check box for In Room Port Mapping to enable this feature.
- If you enabled In Room Port Mapping, you must assign a Username and Password. You will need these when you perform port mapping from the subscriber side of the Access Gateway. Go to In Room Port Mapping on page 146 to map rooms from the subscriber side of the Access Gateway. For security reasons, this feature should be disabled when in-room port mapping from the subscriber side of the Access Gateway is completed.
- Select No Port Location Mapping if you are not…
154. …(illegible) 23
Hospitality Module 23
(illegible) 24
(illegible) 24
Network Architecture Sample (illegible) 25
Load Balancing and Link Failover (8.2) 26
(illegible) 26
Load Balancing across Multiple Low Speed Links 29
(illegible) 29
Separate Guest HSIA and Admin ISP Links with Failover Between Each ISP Link 30
Guest HSIA Failover Only to Admin Network 31
Sharing of Guest HSIA Network and Hotel Admin Network Amongst Multiple ISP Links 32
Load Balancing With Users Connected to a Preferred ISP Link 33
Online Help (WebHelp) 35
Notes, Cautions and Warnings 35
Chapter 2: Installing the Access Gateway 37
Installation Workflow 37
(illegible) 39
(illegible) 39
(illegible) Port Configuration 40
(illegible) 40
(illegible) 42
Step 1a: Static WAN IP Configuration…
155. …ash/location.txt, resident in the Access Gateway's flash memory. If you have never exported port location assignments since installing the Access Gateway at this site, the location.txt is empty. See also Exporting Port Location Assignments (Export) on page 199. You can create your own location.txt file: FTP to the Access Gateway's flash directory (for example, <IP address>/flash/location.txt) and upload the file. See also Creating a location.txt File on page 204.
1. From the Web Management Interface, click on Port Location, then Import. The Import Port Location Assignments screen appears. Import Port Location Assignments: Import Port Location assignments from flash/location.txt (Import). View location.txt: Click here to view the location.txt file.
2. Click on the Import button to import port location assignments from the flash/location.txt file.
Viewing the location.txt File
You can click on the View location.txt link if you want to view the current contents of the file.
3. http://208.50.30.89/flash/location.txt (shown in a browser window):
1 00 00 00 00 00 00 0 0 0 0 0 Room 101…
156. …at forwards packets received on a specific port to a particular static IP (typically private and mis-configured) and port number on the subscriber side of the Access Gateway. The advantage for the network administrator is that free private IP addresses can be used to manage devices such as Access Points on the subscriber side of the Access Gateway without setting them up with public IP addresses. This procedure shows you how to add static ports.
1. From the Web Management Interface, click on System, then Static Port Mapping Add. The Add Static Port Mapping Entries screen appears.
Add Static Port Mapping Entries
Internal Address | Internal Port | MAC Address | <-> | External Address | External Port | -> | Remote Address | Remote Port | Protocol
1 | 208.50.30.182 | 80 | 00:50:99:di:b0:58 | <-> | 67.130.149.164 | 6080 | -> | 0.0.0.0 | 0 | TCP
External ports are protected by the IP-based Access Control. Note: It is possible that ports in the 1024-5000 range are in internal use by the gateway. If mapping external ports in this range, please be sure to reboot the gateway for the settings to take effect.
Internal IP Address; Internal Port; MAC Address; External Port (valid range 1024-65535); Remote IP Address (optional; leave blank/zero if you want to connect to the internal device from any network-side workstation); Protect with Source IP-based Access Control: Enab…
157. …ation (Access Control) 87
Defining Automatic Configuration Settings (Auto Configuration) 90
Setting Up Bandwidth Management (Bandwidth Management) 93
Group Bandwidth Limit Policy 95
Group Bandwidth Limit Policy Operation 95
Group Bandwidth Limit Policy (illegible) 96
Group Bandwidth Limit Policy Current Table 97
Establishing Billing Records Mirroring (Bill Record Mirroring) 98
(illegible) HTTP Redirection 100
Managing the DHCP service options (DHCP) 103
Enabling DNSSEC Support 107
Managing the DNS Options (DNS) 108
Managing the Dynamic DNS Options (Dynamic DNS) 109
(illegible) 111
Setting the Home Page Redirection Options (Home Page Redirect) 112
Enabling Intelligent Address Translation (iNAT) 114
Defining IPSec Tunnel Settings (IPSec) 116
(illegible) 122
Establishing Your Location (Location) 124
Managing the Log Options (Logging) 128
Enabling MAC Authentication (MAC Authentication) 133
Assigning Passthrough Addresses (Passthrough Addresses) 134
Managing a PMS…
158. …ation, likely about the subscriber's account status, depending on what the portal is configured to handle.
- After successful redirection occurs, the list of signed parameters and signature methods are passed to the portal page:
HTTP/1.0 302 RD
http://portal1.myhotel.com/details?OS=<Original Server>&UI=<NSE's ID>&MA=<subscriber's MAC>&RN=<Room name>&PORT=<VLAN>&SIP=<subscriber's IP>&TS=<timestamp>&NONCE=<16 chars>&SIGN=<signature>&SIGNED=<list of signed parameters>&METHOD=<signature method>
1. From the Web Management Interface, click on Configuration, then Destination HTTP Redirection. The Destination HTTP Redirection Settings screen appears.
Destination HTTP Redirection Settings: Destination HTTP Redirection: Enabled. Portal Pages: Add a new Portal Page: Matching String; URL; Parameter Passing: Enable; Parameter Signing Method: None / HASH CRC32 / HMAC MD5; Parameters: UI, MA, RN, PORT, SIP; Set Shared Secret (write only). Existing Portal Page entries (up to 20 may be created):
Matching String | URL | Parameter Passing | Parameter Signing | Actions
www.example.com | portal1.myhotel.com | Disabled | None | Edit / Delete
1 Destination Portal Page(s) are defined.
2. To enable Destination HTTP R…
159. …ation Method: This determines how the Access Gateway receives its IP address to work on the network.
- If the Access Gateway receives its IP address from a DHCP Server, select DHCP. Nothing else needs to be configured.
- If the Access Gateway receives a static IP address, enter the static IP address, Subnet Mask and Gateway in the Static Configuration Parameters box.
- If the Access Gateway receives its IP address from a PPPoE Server, select the Configure PPPoE Client link and enter the following parameters:
PPPoE Service Name: This is the Service Name TAG. The maximum allowed length is 31 characters.
PPP Keep Alive:
- Echo Request Interval (in seconds): Setting this to 0 will disable echo requests from the NSE. The default value for this parameter is 30 seconds.
- Maximum Missed Responses allowed: This is the number of echo requests that can be allowed to go without a response before the NSE determines that the PPP link is down. This parameter can only be set to a whole number above 0.
PPP Authentication:
- Username: This is the username for PPP-based authentication required by your service provider.
- Password: This is the password for PPP-based authentication required by your service provider. Max length for both username and password is 128 characters.
IP Configuration Mode: This defines the IP address configuration mode for the NSE. Setting this to Dynamic will obtain a dynamic IP address…
160. …ation request is built. It is transmitted in both the Access-Request and the Accounting-Request.
Session Timeout: There is currently no default session timeout that you can set in the Access Gateway Web Management Interface (WMI). If the RADIUS server does not send a Session-Timeout, the Access Gateway will set the subscriber expiration time to 0, which means access forever.
Log Off URL: Allows for the placement of a log-off URL (for example, 1.1.1.1) on an external portal page.
Idle Timeout: The WMI allows the setting of a default timeout. If the RADIUS server does not send an Idle-Timeout in the RADIUS Access-Accept, the Access Gateway will use the default one to disconnect subscribers (0 means forever).
Timeout Detection: If a subscriber is sending traffic through the Access Gateway, the Access Gateway will immediately detect a Session Timeout. However, in the case of an Idle Timeout, or an inactive subscriber Session Timeout, the Access Gateway detects it via a clean-up function that is currently called every 2 minutes. Thus the current precision for sending the Acct-Stop is about 2 minutes.
Subscriber Session Duration: Acct-Session-Time is calculated the following way for each transmitted/retransmitted Acct-Stop: Acct-Session-Time = (time of last sent packet) - (subscriber login time). Another attribute, Acct-Delay-Time, will take into consideration the time spent in retransmis…
161. …aving your changes.
7. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.
Managing the Dynamic DNS Options (Dynamic DNS)
Use the following procedure to set the Dynamic DNS options.
1. From the Web Management Interface, click Configuration, then Dynamic DNS. The Dynamic DNS Configuration screen appears. Dynamic DNS Configuration: Enable. Provider Info: Protocol: dyndns.org secure; Server: members.dyndns.org; Port. Account Info: Hostname: unset.hostname.com; Username: unset_username; Password (masked); Force Update. NOTE: some Dynamic DNS Providers (e.g. dyndns.org) consider unnecessary updates (i.e. updates with unchanged IP addresses) abusive. Such updates may result in the hostname/username being blocked. Submit and Force Update.
2. Check the Enable checkbox to enable Dynamic DNS (DDNS) functionality. The default setting is disabled.
3. Enter the Provider Info:
- Select the provider protocol from the Protocol menu. Currently only dyndns.org and dyndns.org Secure are supported. The default setting is dyndns.org secure.
- In the Server field, enter the server name to which the client sends updates to the DDNS server.
- Select the port number for the server from the Port menu.
4. Enter the Account Informat…
162. …ay a table which lists the hosts that are currently configured. This table includes the assigned host names, their corresponding IP addresses, and any aliases that may be assigned to each host. Hosts provide services to other computers that are linked to it by a network. To view the Host Table, go to the Web Management Interface, click on Network Info, then click on Hosts. The Host Table screen appears.
Hosts Table
hostname | inet address | aliases
localhost | 127.0.0.1 |
AG 5000 | 67.130.149.163 |
Displaying ICMP Statistics (ICMP)
You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requesters. These statistics are presented as a listing which details the current status of each ICMP transmission element. To view the ICMP Statistics, go to the Web Management Interface, click on Network Info, then click on ICMP. The ICMP Statistics screen appears.
ICMP Statistics
ICMP:
0 call to icmp_error
0 error not generated because old message was icmp
Output histogram: echo reply: 3
0 message with bad code fields
0 message < minimum length
0 bad checksum
0 message with bad length
Input histogram: routing redirect: 8, echo: 3
3 message responses generated
Displaying the Network Interfaces (Interfaces)
You can display the network interfaces, which are presented as…
163. …ay to the specified SYSLOG server.
3. Enter a unique number between 0 and 7 in the System Log Number field. This ID number is assigned to the System Log Server.
4. Enter a valid IP address in the System Log Server IP field.
5. If required, repeat Steps 2 through 4 for the AAA Log feature.
6. Setting a Log Filter: The syslogs can be filtered at 7 levels, as shown above. Setting the level to a number disables any syslogs above that filter setting. For example, setting the filter to 2 (Critical) only generates 0 (Emergency), 1 (Alert) and 2 (Critical) level syslogs. All other syslogs are not generated.
7. Log save to file Setting: This setting enables/disables saving of syslogs generated by the system to a file named syslog.txt in the flash directory of the NSE. This setting abides by the other settings set for the syslogs, like filters, number and enable/disable. It is not required to input a server IP address if you intend to only store the syslogs locally. Please leave the IP address field blank in such cases.
The following Logs are available for configuration on the NSE:
- AAA Log: These logs record events related to Authentication, Authorization and Accounting on the NSE.
- RADIUS History Log: These logs record RADIUS proxy accounting messages sent or received by the RADIUS proxy. Please refer to Viewing RADIUS Proxy Accounting Logs (RADIUS Session History) on page 218 for additional configuration information.
- System Logs: These logs record events…
164. …ay uses to transmit data to the Internet.
Assigning Login User Names and Passwords
When you initially powered up the Access Gateway and logged in to the Management Interface, the default login user name and password you used was "admin". The Access Gateway allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only. Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the Access Gateway at any one time; the default setting for this feature is disabled.
1. Enter "sy" (system) at the Access Gateway Menu. The System menu appears.
2. Enter "lo" (login). The system prompts you for the current login. If this is the first time you are changing the login parameters since initializing the Access Gateway, the default login name and password is "admin". The system accepts up to 11 characters (any character type) for user names and passwords. All user names and passwords are case sensitive.
3. When prompted, confirm the current login parameters and enter new ones.
Sample Screen Response:
System > lo
Enable/Disable Administration Concurrency: disabled
Current login: admin
Current passw…
165. …be able to view and manage SNMP objects on your Access Gateway.
Procedure
1. Import the nomadix.mib file into your SNMP client manager.
2. Connect to the Access Gateway from a node on the network that is accessible via the Access Gateway's network port (Internet, LAN, etc.). Be sure to enable the SNMP daemon on the Access Gateway (available on the Access Gateway's CLI, or Web Management Interface under the Configuration menu, SNMP).
3. All variables defined by Nomadix start with the following prefix: iso.org.dod.internet.private.enterprises.nomadix.
4. You should now be able to define queries and set the SNMP values on your Access Gateway. If necessary, consult this User Guide or your SNMP client manager's documentation for further details.
We recommend that you change the predefined community strings in order to maintain a secure environment for your Access Gateway.
System Administration
This chapter provides all the instructions and procedures necessary for system administrators to manage the Access Gateway on the customer's network after a successful installation. The system administration procedures in this section are organized as they are listed under their respective Web Management Interface (WMI) menus:
- Configuration Menu on page 76
- Network Info Menu on page 181
- Port…
166. …be re-assigned to the remaining interfaces. Once that interface is restored, current subscribers will NOT be re-assigned, but new subscribers can be assigned to that interface in accordance with the load balancing algorithm. An NSE reboot will rebalance all subscribers. Subscribers will use the IP address of their WAN port, or assigned additional NAT address, for their DAT sessions.
To configure load balancing, choose Configuration > Load Balancing. Load Balancing Configuration: Load Balancing / Failover Mode: No Load Balancing or Failover; Load Balance between all available WAN interfaces; Fail Over WAN ports in order; Active Rebalancing. Link Availability Criteria: WAN Interface availability determined by Interface Monitor; WAN Interface availability determined by link status. Submit. Run Time Status: Primary Interface: WAN (DEFAULT); Failover Rule: avail; WAN Route Table: avail; Eth1 Route Table: avail; Eth2 Route Table: avail.
You can choose to trigger the Load Balancing/Failover feature either by the link status of the port(s) or by the new active Interface Monitoring feature. When either Interface Monitoring or link status is used, WAN ports will be characterized as either Available or Unavailable. If Load Balancing is configured to use Interface Monitoring but Monitoring itself is not configured, the status will be Unknown. Using Li…
167. …can be pinged to verify connectivity via ICMP response.
- Host Probing (HTTP) will generate an HTTP GET to the configured Web address. The HTTP response will verify network connectivity.
To view configured WAN interfaces, select Configuration > Interface Monitoring in the Web Management Interface. The Interface Monitoring Settings screen appears.
Interface Monitoring Settings
WAN Interface Name | Role | Current State
WAN | WAN | Available
Eth1 | WAN | Not Available
(illegible)
Click on any interface name to configure individual interface settings. Interface Monitoring Settings for Eth1 interface: Monitoring: Enable; Monitoring Interval: 60 seconds; Monitoring Method: Automatic / Host Probing; Host / Protocol: Ping / HTTP (three entries). Submit / Cancel.
Displaying the IP Statistics (IP)
You can display the IP (Internet Protocol) statistics, which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets, which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination even though different packets may pass through different networks to get to the same location. To view the IP Statistics, go to the Web Management Interface, click on Network Info, then cl…
168. …celine.com | http://www.priceline.com | PriceLin.jpg | 10
ICC NOTE: You must reboot for Banner Image or Button Image settings changes to take effect. Reboot after changes are saved: Yes. Submit / Reset. Click here to return to the previous screen.
- You can display up to 5 banners, but they must be defined here. Banners require all the same parameters that buttons use (see Assigning Buttons on page 229), with the addition of 3 (three) more. These are:
- Duration: Defines how long the banner is displayed in the ICC.
- Start Time: This is an optional parameter that you set if you want to assign a start time for when the banner is displayed.
- Stop Time: This is an optional parameter that you set if you want to assign a stop time for when the displayed banner closes.
When assigning images and times for banners, refer to Pixel Sizes on page 232 and Time Formats on page 233.
2. Define the parameters for your banner(s): Name, Text, Target URL, Image Name (see following note), Duration (secs), Start Time (optional), Stop Time (optional).
Note: If you assign or change button images or banner images, the Access Gateway must be rebooted for your changes to take effect.
3. If you changed any of the Image Name definitions, click on the check box for Reboot after changes are saved to reboot the Access Gate…
169. cess Gateway can issue IP addresses to any DHCP-enabled subscriber who enters the network.

Enabling DNSSEC Support
DNSSEC support adds authentication and integrity capability to DNS systems. The DNSSEC feature in the NSE allows DNSSEC queries and responses to traverse the NSE between subscribers and the NSE's configured DNS servers. The NSE itself does not participate in DNSSEC trust relationships with subscribers: it passes the signed records through and does not validate them on the subscriber's behalf, so validation still has to happen in the subscriber's resolver or at the configured DNS servers. A reboot is not required.

Use the following procedure to set the DNS configuration options:

1. From the Web Management Interface, click on Configuration, then DNS. The Domain Name System (DNS) Settings screen appears:

Domain Name System (DNS) Settings
Host Name: AGSx00
Domain: nomadix.com
Primary DNS Server / Secondary DNS Server / Tertiary DNS Server
UDP DNS Redirection Port: 1029
Proxy UDP DNS Port: 1028
DNSSEC Support: Enable (reboot is not required)
NOTE: The two ports must be different and between 1024 and 5000.
NOTE: If DHCP Client or PPPoE Client is enabled, the Primary and Secondary DNS Server may not be configured, since the DHCP/PPPoE server may provide those items. Furthermore, if DHCP Client is configured, the Domain may not be configured.
NOTE: You must reboot for configuration changes to take effect. Reboot after changes are saved: Yes.

2. Check the Enable check box to enable DNSSEC Support functionality. The default setting is disabled.
3. Click on the Subm
170. ckage directory: C:\My Download Files. Click on the Next button to display the next setup screen (Cygwin Setup). Click on the Next button again to display the mirror selection screen, which lists download sites such as ftp://ftp.nas.nasa.gov, ftp://mirrors.ren.net, http://mirrors.ren.net and ftp://linux.sarang.net.

Select a location and click on the Next button. For the purposes of this document, Nomadix used ftp.planetmirror.com.

In the following screens, skip all packages except cygwin and openssl, then click on Next when you are done. At the time of this writing there are more than 70 packages to install; ensure that you skip all of them except the two packages mentioned above.

Click on the Next button to start the download process and wait for it to complete (for example, "Downloading cygwin-1.3.2-1.tar.gz"). Click on the Next button to start the install process and wait for it to complete.
171. cket Table screen appears:

Socket Table
Active Internet connections (including servers)
PCB      Proto  Recv-Q  Send-Q  Local Address  Foreign Address  State
3e6d2a8  TCP    0       742     (port 80)      (remote host)    ESTABLISHED
3e6d1d0  TCP    0       0       (port 80)      (remote host)    TIME_WAIT
3e6d0c8  TCP    0       0       (port 80)      (remote host)    TIME_WAIT
3e6cd2c  TCP    0       0       (port 22)      (remote host)    ESTABLISHED
3e6c6fc  TCP    0       0       0.0.0.0.1111   0.0.0.0.0        LISTEN
3e6c678  TCP    0       0       0.0.0.0.301    0.0.0.0.0        LISTEN
3e6c5f4  TCP    0       0       0.0.0.0.23     0.0.0.0.0        LISTEN
3e6c4ec  TCP    0       0       0.0.0.0.80     0.0.0.0.0        LISTEN
3e6c360  TCP    0       0       0.0.0.0.21     0.0.0.0.0        LISTEN
3e6c570  UDP    0       0       0.0.0.0.67     0.0.0.0.0

Addresses are shown BSD-style as ip.port; 0.0.0.0 as the local address means the listener accepts connections on every interface. The listeners on ports 21, 23 and 80 (FTP, Telnet and HTTP) accept administrator sessions in clear text; the port 22 (SSH) session in the same listing and the Secure Management / SSL features are the encrypted alternatives, so check this table after hardening to confirm the cleartext services are no longer exposed on untrusted interfaces.

Displaying the Static Port Mapping Table (Static Port Mapping)
You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port Mapping Table, go to the Web Management Interface, click on Network Info, then click on Static Port Mapping. The Static Port Mapping Table screen appears:

Static Port Mapping Table
#  Int IP        Int Port  MAC                <>  Ext IP  Ext Port  >  Rem IP   Rem Port  Protocol
1  …             80        00:a0:..:53:b7:84  <>  …       8080      >  0.0.0.0  0         TCP
2  10.0.0.13     23        00:03:47:15:ed:c7  <>  …       8023      >  0.0.0.0  0         TCP
3  10.208.134.5  80        00:60:1d:31:92:c0  <>  …       8081      >  0.0.0.0  0         TCP
4  12.13.14.15   80        00:00:23:45:67:80  <>  …       9000      >

Rem IP 0.0.0.0 with Rem Port 0 means any remote host and port may use the mapping. Entry 2, for example, publishes port 23 (Telnet) of the subscriber device 10.0.0.13 on external port 8023 to the whole WAN; review such entries as carefully as firewall rules.
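The listener check described above, as an added example that is not part of the manual or Nomadix's software: a parser for a Socket Table listing in the layout the NSE displays (BSD-style ip.port addresses, no state column for UDP) that lists the sockets bound to 0.0.0.0 and flags the cleartext management ports. The sample table is constructed; its addresses are invented, while the listening ports match those visible in the screen above.

```python
"""Parse an NSE-style Socket Table and flag wildcard cleartext listeners.
Added example, not Nomadix code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the screen's layout; addresses are invented, the
# listening ports mirror the manual's screen (1111, 301, 23, 80, 21, UDP 67).
SAMPLE_SOCKET_TABLE = """\
PCB      Proto Recv-Q Send-Q Local Address     Foreign Address    (state)
3e6d2a8  TCP   0      742    192.0.2.7.80      198.51.100.18.3218 ESTABLISHED
3e6d1d0  TCP   0      0      192.0.2.7.80      198.51.100.18.3219 TIME_WAIT
3e6cd2c  TCP   0      0      192.0.2.7.22      198.51.100.24.4514 ESTABLISHED
3e6c6fc  TCP   0      0      0.0.0.0.1111      0.0.0.0.0          LISTEN
3e6c678  TCP   0      0      0.0.0.0.301       0.0.0.0.0          LISTEN
3e6c5f4  TCP   0      0      0.0.0.0.23        0.0.0.0.0          LISTEN
3e6c4ec  TCP   0      0      0.0.0.0.80        0.0.0.0.0          LISTEN
3e6c360  TCP   0      0      0.0.0.0.21        0.0.0.0.0          LISTEN
3e6c570  UDP   0      0      0.0.0.0.67        0.0.0.0.0
"""

# Services whose credentials travel in clear text; SSH (22) and HTTPS are the
# encrypted alternatives the gateway's Secure Management feature provides.
CLEARTEXT_MGMT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

_BSD_ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})$")


@dataclass(frozen=True)
class Socket:
    pcb: str
    proto: str
    recv_q: int
    send_q: int
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: Optional[str]  # None for UDP rows, which show no state


def _split_addr(token: str):
    """Split BSD-style 'a.b.c.d.port' into (ip, port)."""
    m = _BSD_ADDR.match(token)
    if not m:
        raise ValueError(f"unrecognised address token: {token!r}")
    return m.group(1), int(m.group(2))


def parse_socket_table(text: str) -> List[Socket]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the column header, banner lines and blanks
        if len(parts) < 6 or parts[1] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = _split_addr(parts[4])
        foreign_ip, foreign_port = _split_addr(parts[5])
        state = parts[6] if len(parts) > 6 else None
        rows.append(Socket(parts[0], parts[1], int(parts[2]), int(parts[3]),
                           local_ip, local_port, foreign_ip, foreign_port, state))
    return rows


def wildcard_listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets bound to 0.0.0.0, reachable from every interface: TCP rows in
    LISTEN plus every UDP row (UDP has no connection state)."""
    return [s for s in sockets
            if s.local_ip == "0.0.0.0" and (s.proto == "UDP" or s.state == "LISTEN")]


def cleartext_management_ports(sockets: List[Socket]) -> Set[int]:
    """Wildcard TCP listeners whose protocol sends credentials in clear text."""
    return {s.local_port for s in wildcard_listeners(sockets)
            if s.proto == "TCP" and s.local_port in CLEARTEXT_MGMT_PORTS}


if __name__ == "__main__":
    socks = parse_socket_table(SAMPLE_SOCKET_TABLE)
    for s in wildcard_listeners(socks):
        print(f"{s.proto} *:{s.local_port} {CLEARTEXT_MGMT_PORTS.get(s.local_port, '')}")
```

Run it against a copy of the real screen (paste the rows into `SAMPLE_SOCKET_TABLE` or pass the text to `parse_socket_table`) before and after disabling Telnet and FTP; the expected result after hardening is that `cleartext_management_ports` returns only port 80, or nothing once HTTP management is moved to SSL.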
172. content and organizational differences. For example, in the WMI the Subscribers menu is divided into Subscriber Administration and Subscriber Interface. See also Menu Organization (Web Management Interface) on page 50.

Making Menu Selections and Inputting Data with the CLI
The CLI is character based. It recognizes the fewest unique characters it needs to correctly identify an entry. For example, in the Access Gateway Menu you need only enter the first letter to access the Configuration menu, but you must enter su to access the Subscribers menu and sy to access the System menu, because they both start with the letter s. You may also do any of the following:
• Enter b (back) or press Esc (escape) to return to a previous menu.
• Press Esc to abort an action at any time.
• Press Enter to redisplay the current menu.
• Press the help key at any time to access the CLI's Help screen.
When using the CLI, if a procedure asks you to enter sn, this means you must type sn and press the Enter key. The system does not accept data or commands until you press the Enter key.

Menu Organization (Web Management Interface)
When you have successfully installed and configured the Access Gateway from the CLI, you can then access the Access Gateway from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI. You can use either interface depending on your preference. For a c
173. cords Mirroring
• Bridge Mode
• Command Line Interface
• Credit Card
• Dynamic Address Translation
• Dynamic Transparent Proxy
• End User Licensee Count
• External Web Server Mode
• Home Page Redirect
• iNAT
• Information and Control Console
• Internal Web Server
• International Language Support
• IP Upsell
• Logout Pop-Up Window
• MAC Filtering
• Multi-Level Administration Support
• Multi-WAN Interface Management (8.2)
• NTP Support
• Portal Page Redirect
• RADIUS Client
• RADIUS-driven Auto Configuration
• RADIUS Proxy
• Realm-Based Routing
• Remember Me and RADIUS Re-Authentication
• Secure Management
• Secure Socket Layer (SSL)
• Secure XML API
• Session Rate Limiting (SRL)
• Session Termination Redirect
• Smart Client Support
• SNMP Nomadix Private MIB
• Static Port Mapping
• Tri-Mode Authentication
• URL Filtering
• Walled Garden
• Web Management Interface

Access Control
For IP-based access control, the NSE incorporates a master access control list that checks the source IP address of administrator logins. A login is permitted only if a match is made with the master list contained within the NSE. If a match is not made, the login is denied even if a correct login name and password are supplied. The access control list supports up to 50 (fifty) entries, each a specific IP address or a range of IP addresses. Because the check is on the source address as the NSE sees it, every administrator behind a shared NAT gateway matches the same entry, so keep entries as narrow as the management network allows. The NSE also offers access control ba
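The access control described above, as an added example that is not part of the manual or Nomadix's software: a source-address list with the stated semantics (at most 50 entries, each a single address or a range; an unlisted source is refused even with correct credentials). The page does not give the syntax for a range, so the "first-last" form below is an assumption, and CIDR entries are an extension beyond the page. The credential check is a constructed stand-in for the administrator database.

```python
"""Source-IP access control list for administrator logins. Added example,
not Nomadix code; range syntax 'a.b.c.d-e.f.g.h' is an assumption."""
import ipaddress
from typing import Callable, List, Tuple

MAX_ACL_ENTRIES = 50  # limit stated in the manual

IPv4 = ipaddress.IPv4Address


class AdminAccessList:
    def __init__(self) -> None:
        self._entries: List[Tuple[IPv4, IPv4]] = []  # inclusive (first, last)

    def add(self, spec: str) -> None:
        """Accept '10.0.0.5', '10.0.1.1-10.0.1.50' (assumed range syntax) or,
        beyond what the manual describes, CIDR such as '10.0.2.0/24'."""
        if len(self._entries) >= MAX_ACL_ENTRIES:
            raise ValueError(f"access control list is full ({MAX_ACL_ENTRIES} entries)")
        spec = spec.strip()
        if "-" in spec:
            lo_s, hi_s = (p.strip() for p in spec.split("-", 1))
            lo, hi = IPv4(lo_s), IPv4(hi_s)
        elif "/" in spec:
            net = ipaddress.IPv4Network(spec, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        else:
            lo = hi = IPv4(spec)
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec!r}")
        self._entries.append((lo, hi))

    def __len__(self) -> int:
        return len(self._entries)

    def permits(self, source_ip: str) -> bool:
        ip = IPv4(source_ip)
        return any(lo <= ip <= hi for lo, hi in self._entries)


def admin_login(acl: AdminAccessList, source_ip: str, username: str, password: str,
                check_credentials: Callable[[str, str], bool]) -> str:
    """Decide an administrator login. The ACL is consulted first, so an
    unlisted source learns nothing about whether the credentials were valid."""
    if not acl.permits(source_ip):
        return "denied: source address not in access control list"
    if not check_credentials(username, password):
        return "denied: invalid login name or password"
    return "permitted"


def demo_credentials(username: str, password: str) -> bool:
    """Constructed stand-in for the NSE's administrator database."""
    return (username, password) == ("admin", "correct-horse")


def demo() -> List[str]:
    acl = AdminAccessList()
    acl.add("10.0.0.5")             # one management workstation
    acl.add("10.0.1.1-10.0.1.50")   # a range of NOC addresses
    return [
        admin_login(acl, "10.0.0.5", "admin", "correct-horse", demo_credentials),
        admin_login(acl, "10.0.1.25", "admin", "wrong", demo_credentials),
        admin_login(acl, "10.0.2.9", "admin", "correct-horse", demo_credentials),
    ]


def limit_enforced() -> bool:
    """Confirm that the 51st entry is rejected."""
    acl = AdminAccessList()
    for i in range(MAX_ACL_ENTRIES):
        acl.add(f"192.0.2.{i}")
    try:
        acl.add("192.0.2.200")
    except ValueError:
        return True
    return False
```

The ordering in `admin_login` is the point: the list is evaluated before the password, matching the manual's statement that correct credentials from an unlisted address are still refused.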
174. covered due to the redundancy of the transmission.

DTIM (Delivery Traffic Indication Message): A message included in data packets that can increase wireless efficiency.

Dynamic IP Address: A temporary IP address that is assigned by the DHCP server to a device. Devices retain dynamic IP addresses only for the duration of their networking session. When a device disconnects from the network, the IP address is recaptured by the DHCP server and becomes available for reassignment to another device. See also DHCP, IP Address, IP Address Translation, Static IP Address and Translation.

EAP (Extensible Authentication Protocol): An extension to PPP. EAP is a general protocol for authentication that also supports multiple authentication methods, for example public key authentication and smart cards. IEEE 802.1X specifies how EAP should be encapsulated in LAN frames. In wireless communications using EAP, a user requests connection to a WLAN through an AP, which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS. The server asks the AP for proof of identity, which the AP gets from the user and then sends back to the server to complete the authentication.

E-Commerce: A business venture between a supplier and its customers using online services, for example the Internet. Both parties use online services to conduct business transactions. Transactions may include g
175. creen.

Modifying an Existing IPSec Security Policy
1. Click on the IPSec security policy link that you wish to modify in the IPSec Security Policies table. The IPSec Tunnel Security Policy Settings screen opens.
2. Modify the settings as desired.
3. Click:
   • Modify to save the changes to the policy.
   • Remove to remove the security policy from the IPSec Security Policies table.
   • Reset to undo any changes you made to the policy settings and return the policy to its original settings.
4. Click the Back to Main IPSec Tunneling Settings page link to return to the IPSec Tunnel Settings screen.

Load Balancing (8.2)
Load Balancing is an optional licensed feature for NSE 8.2. For an overview of Nomadix load balancing and common use cases, see Load Balancing and Link Failover on page 26.

The NSE can balance subscriber assignment between all active WAN interfaces when Load Balancing mode is enabled. Note that subscribers are balanced, not traffic. As subscribers go valid, they are assigned to a WAN interface taking account of both the Uplink bandwidth settings of the interfaces and the number of subscribers currently using each interface. Higher bandwidth settings mean that more subscribers will be assigned to that interface. The subscriber will use the assigned interface for all traffic. If a WAN interface goes down, the subscribers currently assigned to that interface will
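The subscriber-level balancing and failover described above, as an added example that is not part of the manual or Nomadix's software: each newly valid subscriber is pinned to one WAN interface chosen from the configured Uplink bandwidths and the current subscriber counts, and a failed interface's subscribers are re-homed onto the surviving ones. The exact weighting the NSE applies is not published; the subscribers-per-kbps ratio used here is an assumption that reproduces "higher bandwidth settings mean more subscribers", and the interface names and bandwidths are constructed.

```python
"""Subscriber-level WAN load balancing with failover. Added example, not
Nomadix code; the load metric is an assumption."""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass
class WanInterface:
    name: str
    uplink_kbps: int                      # the interface's Uplink bandwidth setting
    up: bool = True
    subscribers: List[str] = field(default_factory=list)

    def load(self) -> Fraction:
        # Exact arithmetic so interfaces with equal relative load really tie
        return Fraction(len(self.subscribers), self.uplink_kbps)


class SubscriberBalancer:
    def __init__(self, interfaces: List[WanInterface]) -> None:
        self.interfaces: Dict[str, WanInterface] = {i.name: i for i in interfaces}
        self.assignment: Dict[str, str] = {}   # subscriber id -> interface name

    def assign(self, subscriber: str) -> Optional[str]:
        """Pin a subscriber to the least loaded live interface; ties go to the
        larger uplink. Returns None when no WAN interface is up."""
        live = [i for i in self.interfaces.values() if i.up]
        if not live:
            return None
        target = min(live, key=lambda i: (i.load(), -i.uplink_kbps))
        target.subscribers.append(subscriber)
        self.assignment[subscriber] = target.name
        return target.name

    def interface_down(self, name: str) -> List[str]:
        """Mark an interface failed and re-home its subscribers."""
        iface = self.interfaces[name]
        iface.up = False
        moved = list(iface.subscribers)
        iface.subscribers.clear()
        for sub in moved:
            if self.assign(sub) is None:
                del self.assignment[sub]     # nowhere to go: subscriber loses service
        return moved

    def counts(self) -> Dict[str, int]:
        return {n: len(i.subscribers) for n, i in self.interfaces.items()}


def demo() -> Dict[str, int]:
    """A 100 Mbps circuit beside a 2 Mbps backup: while both are up the
    100M link should take the bulk of the subscribers."""
    b = SubscriberBalancer([WanInterface("WAN", 100_000), WanInterface("Eth1", 2_000)])
    for n in range(51):
        b.assign(f"guest{n}")
    return b.counts()
```

Because a subscriber stays on its interface for all traffic, the balance only changes as subscribers arrive and leave; `interface_down` is the failover half, and the same re-assignment is what happens when the backup link is the only one left.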
176. criber Profiles, go to the Web Management Interface, click on Subscriber Administration, then click on List by MAC. The Authorized Subscriber Profiles screen appears. Click on a link to view the associated subscriber.

Authorized Subscriber Profiles (by MAC)
Columns: MAC, Username, Expiration, Paid, Amt Left, User1, User2, Current Plan, SMTP Redirection
00:00:00:00:00:00   0.0.0.0   Unlimited   0
00:10:A4:B1:0F:92
00:50:99:D1:B0:58
Note: a marker after the plan name indicates an X over Y plan; a second marker indicates a subscriber added by Admin, XML useradd or EWS with no associated plans.

Listing Subscriber Profiles by User Name (List by User)
You can display the currently active database of authorized subscribers based on user names. To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click on Subscriber Administration, then click on List by User. The Authorized Subscriber Profiles screen appears. Click on a link to view the associated subscriber.

Authorized Subscriber Profiles (by User)
Columns: Username, Expiration, Paid, Amt Left, User1, User2, Current Plan, SMTP Redirection
10.0.0.12   2 hrs 37 min   5.00   0.00   208.50.30.182   Unlimited   0
0.0.0.0   Unlimited   00:00:00:00:00:00
Note: a marker after the plan name indicates an X over Y plan; a second marker indicates a subscriber added by Adm
177. cros Fidelio Post Only with TCP/IP, HOBIC 1BT2, HOBIC TEST, HOBIC RSI, FIAS 8.x Compliant, Micros 1700/2000/3700, Galaxy Post Only, 4700/8700 System Software Emulation, Marriott, WFB Post Only, WFB Query & Post, WFB Name & Room, WFB Revenue Code, FOSSE Name & Room, FOSSE Revenue Code, NH Compliant.

Connection and posting fields on the same screen:
Target IP Address: 192.168.1.1
Target Port Number: 5010
Type of Access
Disable Registration Number (8.1/8.2 only)
No decimal in amount
Communications System Unit Number (1-64): 1
Communications System Name: NOMADIX
Store Revenue Center Number, Internet Access: 1
Store Revenue Center Number, Other: 2
Match Last Name Only
Skip First Char In Last Name
Long name matching
For Post-paid PMS Type Only: Idle Timeout (Minutes) 0; Idle Data Threshold (Bytes) 0

Note regarding the use of Last Name Only and Skip First Char with Micros systems: certain types of PMS systems send selection records as the last name padded with white space (ASCII 0x20) on the right, followed by a comma. Normally every character of the name as typed by the user is compared with the contents of the selection record.

2. You have the option of disabling PMS services by clicking on the PMS services disabled radio button, then clicking on the Submit button to save your choice. If you disable PMS services you can exit this procedure; otherwise go to Step 3.
178. cryption algorithms by putting a check in the checkbox of each option. The options are DES, 3DES and NULL; 3DES is the default setting. See Setting joint ESP and AH parameters on page 121 to set parameters that pertain to both ESP and AH policies.
• AH: see Setting joint ESP and AH parameters on page 121 to set parameters that pertain to both ESP and AH policies.

Setting joint ESP and AH parameters
These parameters affect both ESP and AH policies:
• Select all the acceptable authentication algorithms by putting a check in the checkbox of each option. The options are MD5, SHA and NULL. The default settings are MD5 and SHA.
• Select the Perfect Forward Secrecy Strength to enable PFS. PFS makes the keying material used in protecting the data independent of the keying material used for protecting the IKE exchanges. The options are None, 768-bit and 1024-bit. The default setting is None.
• Enter the maximum lifetime in seconds in the Maximum Lifetime field. The default setting is 28800.
• Enter the maximum life size in kbytes in the Maximum Lifesize field.
• Enable the automatic renewal option by putting a check in the Automatic renewal checkbox. The default setting is enabled.
Every algorithm left checked is one the peer may negotiate down to, so uncheck NULL (no encryption, or no integrity check), single DES (56-bit key) and MD5 unless a legacy peer requires them, and choose a PFS strength rather than None. Note that 3DES, SHA and 1024-bit PFS are the strongest choices this screen offers, not current best practice (AES, SHA-2 and larger Diffie-Hellman groups).

Click Add to add the policy to the IPSec Security Policy table on the IPSec Tunnel Settings screen. Click the Back to Main IPSec Tunneling Settings page link to return to the IPSec Tunnel Settings s
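The weak-versus-hardened policy comparison for this screen, as an added example that is not part of the manual or Nomadix's software: a model of the policy fields with the manual's defaults, an audit that reports every option a peer could negotiate down to, and the hardened variant restricted to the strongest choices the screen allows. The meaning of a zero Maximum Lifesize is an assumption.

```python
"""Audit and harden an IPSec policy built from this screen's options.
Added example, not Nomadix code."""
from dataclasses import dataclass, field, replace
from typing import List, Set

ENCRYPTION_OPTIONS = {"DES", "3DES", "NULL"}
AUTH_OPTIONS = {"MD5", "SHA", "NULL"}
PFS_OPTIONS = {"None", "768-bit", "1024-bit"}
DEFAULT_LIFETIME_S = 28800


@dataclass
class IpsecPolicy:
    # Field defaults mirror the defaults stated in the manual
    encryption: Set[str] = field(default_factory=lambda: {"3DES"})
    authentication: Set[str] = field(default_factory=lambda: {"MD5", "SHA"})
    pfs: str = "None"
    max_lifetime_s: int = DEFAULT_LIFETIME_S
    max_lifesize_kb: int = 0          # 0 taken to mean no volume limit (assumption)
    automatic_renewal: bool = True


def validate(p: IpsecPolicy) -> None:
    """Reject values the screen cannot express."""
    if not p.encryption or not p.encryption <= ENCRYPTION_OPTIONS:
        raise ValueError(f"encryption must be a non-empty subset of {sorted(ENCRYPTION_OPTIONS)}")
    if not p.authentication or not p.authentication <= AUTH_OPTIONS:
        raise ValueError(f"authentication must be a non-empty subset of {sorted(AUTH_OPTIONS)}")
    if p.pfs not in PFS_OPTIONS:
        raise ValueError(f"pfs must be one of {sorted(PFS_OPTIONS)}")
    if p.max_lifetime_s <= 0:
        raise ValueError("max_lifetime_s must be positive")


def audit(p: IpsecPolicy) -> List[str]:
    """Findings, one per weak option the peer could select. An empty list
    means nothing weaker than the screen's strongest choices is accepted."""
    validate(p)
    findings = []
    if "NULL" in p.encryption:
        findings.append("NULL encryption accepted: ESP may carry plaintext")
    if "DES" in p.encryption:
        findings.append("single DES accepted: 56-bit key, brute-forceable")
    if "NULL" in p.authentication:
        findings.append("NULL authentication accepted: no integrity protection")
    if "MD5" in p.authentication:
        findings.append("HMAC-MD5 accepted: prefer SHA only")
    if p.pfs == "None":
        findings.append("PFS disabled: compromise of IKE keys exposes all data keys")
    elif p.pfs == "768-bit":
        findings.append("768-bit Diffie-Hellman group is too small: use 1024-bit")
    if p.max_lifetime_s > DEFAULT_LIFETIME_S:
        findings.append(f"lifetime {p.max_lifetime_s}s exceeds the {DEFAULT_LIFETIME_S}s default")
    if not p.automatic_renewal:
        findings.append("automatic renewal off: SAs expire instead of rekeying")
    return findings


def harden(p: IpsecPolicy) -> IpsecPolicy:
    """Same policy restricted to the strongest choices the screen offers.
    Not modern best practice (AES, SHA-2, DH >= 2048-bit), merely the best
    this configuration page allows."""
    return replace(p, encryption={"3DES"}, authentication={"SHA"}, pfs="1024-bit",
                   max_lifetime_s=min(p.max_lifetime_s, DEFAULT_LIFETIME_S),
                   automatic_renewal=True)
```

With the manual's defaults the audit reports two findings (MD5 still accepted, PFS off); the hardened policy reports none.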
179. ct. Please try again.
The password field you have entered is not correct. Please try again.
Revert: revert all fields to default values. Submit / Reset.

2. Enter the definitions you want for each error message in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
4. Repeat Steps 2 and 3 for page 2 of 2 (see following screen).

Subscriber Page Error Message Definitions (2 of 2)
Each message is shown with its default text beside an editable field:
• Error in Room Billing
• Too many subscribers are already logged in. Please try again later.
• Try again
• Continue
• The User ID you have entered cannot be found. Please try another.
• The User ID you have entered is already taken. Please try another.
• We are sorry
• This field must contain a whole number value with no decimals.
• Your account was not found. Please check your Username and Password.
• Couldn't establish tunnel. Please check your Use
180. ct to the network and attempt to access the Internet, they are prompted for their credit card information. The Access Gateway is pre-configured to use the Authorize.Net service, and you will need to open a merchant trading account with them before using this subscriber management model.

Configuring the Subscriber Management Models

Model: Free access
What you need to do: Disable the AAA services.

Model: MAC address
What you need to do: Enable the AAA services and add a subscriber profile to the database for each MAC address you want to enable.

Model: User Name and Password
What you need to do: Enable the AAA services and Usernames. Add a subscriber profile to the database for each user name and password you want to enable. You will need to request a unique user name and password when they pay for the service. The user name and password are optional (the MAC address will be substituted), but in this event the service is not transferable between computers.

Model: Credit card
What you need to do: Enable the AAA services. You have the choice of enabling the Access Gateway's internal authorization module or using an external credit card authorization server.
Internal Authorization enabled: enter the credit card server's URL and IP address, then enter the merchant ID you obtain from Authorize.Net.
Internal Authorization NOT enabled: set up your own external authorization server with your merchant ID. Enter the secret key (the default is b
181. cure XML API. See also Assigning a PMS Service (PMS) on page 135 (see following note).
NOTE: Your product license must support the PMS feature.

1. From the Web Management Interface, click on Subscriber Interface, then Billing Options. The Internal Billing Options Setup screen appears:

Internal Billing Options Setup
Normal Plans
Number  Active  Label
0       Yes     Plan A    View/Edit/Delete
1       Yes     Plan B    View/Edit/Delete
2       Yes     Public    View/Edit/Delete
3       No      Label 3   View/Edit/Delete
4       No      Label 4   View/Edit/Delete
X over Y Plans
Number  Active  Label
5       Yes     2by2      View/Edit/Delete
Introduction Message: Please choose from the following plans
Offer Message: How many days of Internet access would you like to purchase?
Help Message: Contact your service provider with questions
Units of Access   Minimum   Maximum
Minute            1         967680
Hour              1         16128
Day               1         672
Week              1         96
Month             1         24
Free Billing Options: Default Free Access Time (Days)
Maximum Subscriber Lifetime: 180 Days (maximum 180 Days)
Promotional Code Options: Code, Definition, Percentage Discount
Submit / Reset

2. Review the billing plans (normal plans and X over Y plans) that are currently active. To view or edit a billing plan, simply click on the View/Edit/Delete button opposite the corresponding plan.
182. d real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT engine performs a defined mode of network address translation based on packet type and protocol (for example IKE).

The 8.2 NSE provides the following iNAT enhancements:
• A new, separate iNAT interface page shows the settings for each port in either WAN or OOS mode. Ports in SUB mode are not shown.
• Each of the displayed ports has individual iNAT Subscriber tunnel settings, accessible by clicking on that port's link.
• The interface allows easy deletion of any iNAT address range.

On the 8.2 NSE, iNAT settings are configured individually for each interface.

1. From the Web Management Interface, click on Configuration, then iNAT (8.2 NSE only). A list of current iNAT settings appears. You can select a specific interface to change its iNAT configuration:

iNAT Settings
Interface  Role  # of ranges in iNAT Pool  PPTP      PPTP Call ID  IPSec     SIP
WAN        WAN   Disabled                  Enabled   Enabled       Enabled
Eth1       WAN   Disabled                  Disabled  Disabled      Disabled
Eth2       WAN   Disabled                  Disabled  Disabled      Disabled

The iNAT screen for the selected interface appears, with: Enable PPTP; Enable PPTP CALL ID; Enable IPSEC (requires reboot); Enable SIP; Reboot after changes are
183. d  233
Enable Serving of Local Web Pages (Local Web Server)  236
Defining the Subscriber's Login UI (Login UI)  237
Defining the Post Session User Interface (Post Session UI)
Defining Subscriber UI Buttons (Subscriber Buttons)  244
Defining Subscriber UI Labels (Subscriber Labels)  245
Defining Subscriber Error Messages (Subscriber Errors)  247
Defining Subscriber Messages (Subscriber Messages)  249
System  252
Adding an ARP Table Entry (ARP Add)  252
Deleting ARP Table Entries (ARP Delete)  253
Adding and Deleting ARP Table Entries (8.2)  253
Configurable Gateway ARP Refresh Interval  254
Enabling the Bridge Mode Option (Bridge Mode)  255
Exporting Configuration Settings to the Archive File (Export)  256
Importing the Factory Defaults (Factory)  257
Defining the Fail Over Options (Fail Over)  258
Viewing the Fatal Log  259
Establishing ICMP Blocking Parameters (ICMP)  260
Importing Configuration Settings f
184. d 2400. See also Defining Automatic Configuration Settings (Auto Configuration) on page 90.
7. Click on the Add button to add this Upstream RADIUS NAS definition, then click on the Back to Main RADIUS Proxy Settings page link to return to the RADIUS Proxy Settings screen. The Upstream RADIUS NAS definition you just added appears in the list. You can add up to 10 definitions.

RADIUS Proxy Settings
RADIUS Proxy Services: Enable
Authentication Server Port: 1812
Accounting Server Port: 1813
Submit / Reset
Upstream RADIUS NAS definitions (up to 200 may be created)
IP Address   Default Service Profile
10.0.0.1     CMS
10.0.0.5     CMS
10.0.0.2     CMS
Add: Click here to add a new Upstream RADIUS NAS
Click here to see configured RADIUS service profiles and Realm Routing Policies

8. Repeat Steps 5 through 11 to add more Upstream RADIUS NAS definitions as required.
9. To view your configured RADIUS Service Profiles and Realm Routing Policies, click on the link Click here to see configured RADIUS service profiles and Realm Routing Policies. This will take you to the Realm Based Routing Settings screen. See also Defining the Realm Based Routing Settings (Realm Based Routing) on page 158.

Defining the Realm Based Routing Settings (Realm Based Routing)
Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies
185. d a login name in Step 7, enter a password in the RADIUS Remote Test Password field.
12. (Managers only) Click on the Submit button to save the login and password parameters, or click on the Reset button if you want to reset all the values to their previous state.

Defining the MAC Filtering Options (MAC Filtering)
MAC address filtering enhances Nomadix access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 600 MAC addresses can be blocked at any one time (see caution).
CAUTION: MAC addresses that you enter here will cause the subscribers at these addresses to be blocked from service. Please make sure that you enter the correct addresses before submitting the data.
A blocked client can change its MAC address and reconnect, so treat this list as a quick way to cut off an abusive device, not as an authentication control.

1. From the Web Management Interface, click on System, then MAC Filtering. The MAC Filtering screen appears:

MAC Filtering
MAC Filtering: Enable
MAC: Please enter a MAC address
Note: Up to a maximum of 600 MAC addresses can be entered.
Note: Please make sure to enter the correct MAC address.
Note: This action will unblock all MAC addresses.
Currently Blocked MAC Addresses

2. Click on the check box for MAC Filtering to enable or disable this feature as required.
3. Enter a MAC address in the MAC field, then click on the Add button to add this address to the blocked list, or click on the Remove button to remove this address from the list. For adv
186. d jointly by Microsoft Corporation, U.S. Robotics and several remote access vendor companies known collectively as the PPTP Forum. PPTP is a technology used for creating Virtual Private Networks (VPNs). Because the Internet is essentially an open network, PPTP was designed to protect messages transmitted from one VPN node to another. PPTP allows users to dial in to their corporate networks via the Internet. Its MS-CHAPv2 authentication and MPPE encryption are now considered broken, so prefer IPSec where it is available. See also Internet, Tunneling and VPN.

Preamble: In wireless networks, the part of the wireless signal that synchronizes network traffic.

Print Billing Command: Authentication, Authorization and Accounting configuration that allows the NSE to support driverless print servers that can bill subscribers' rooms for printing their documents without them having to install printers.

Profile: An electronic file that defines how subscribers normally interact with the service provider's network.

Protocol: A standard process consisting of a set of rules and conditions that regulates data transmissions between computing devices. Some examples of protocols include HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), TCP/IP (Transmission Control Protocol/Internet Protocol) and POP (Post Office Protocol). All these protocols are responsible for regulating the transmission of their specific data file types.

QoS (Quality of Service): A collective measure of the level of service delivered to the custom
187. d to RADIUS and PMS users. This capability has now been extended to other subscriber login types.

1. From the Web Management Interface, click on Configuration, then Zone Migration. The Zone Migration Settings screen appears:

Zone Migration Settings
Relogin after migration: Enable (only applies to user accounts that have a user name)
Submit
Zone Based Migration
Add a new Zone: Zone Name; Port Locations (example: 212, 299, 201, 400-499); Description; Relogin within Zone (Disabled / Enabled); Add Zone / Reset
Existing Zones: Zone Name, Port Locations, Relogin within Zone, Actions (No Zones are defined)

2. Select Relogin after migration to enable the Zone Migration feature.

Add a new Zone
In the Zone Based Migration section, new zones can be added and initially configured using the following parameter fields:
Zone Name: Allows entry of a name appropriate for the zone to be created. The name must be unique, cannot exceed 16 characters, and cannot contain characters other than alphanumerics, dash, underscore or space.
Port Locations: This is where the port configuration for the zone is entered. The data must be entered as a string between 1 and 128 characters in length. The string must contain either an individual numeric value (211), a comma-separated list of numeric values (211, 212), a range of numeric values with dash-separated delimiters (211-899)
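The field rules above, as an added example that is not part of the manual or Nomadix's software: validation of the Zone Name (unique, at most 16 characters, alphanumerics, dash, underscore and space only) and expansion of a Port Locations string (1 to 128 characters of single values, comma-separated values and dash ranges), plus a relogin decision for a subscriber moving between port locations. The page does not say whether a port may belong to two zones or exactly how "Relogin after migration" combines with "Relogin within Zone"; the overlap rule and the relogin semantics below are assumptions, and the zone names and port numbers are constructed.

```python
"""Zone Based Migration field validation and relogin decision.
Added example, not Nomadix code; overlap rule and relogin semantics assumed."""
import re
from typing import Dict, Optional, Set

ZONE_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,16}$")
MAX_PORT_LOCATIONS_LEN = 128


def name_is_valid(name: str) -> bool:
    return ZONE_NAME_RE.fullmatch(name) is not None


def parse_port_locations(spec: str) -> Set[int]:
    """Expand '212, 299, 201, 400-499' into the set of port locations."""
    if not 1 <= len(spec) <= MAX_PORT_LOCATIONS_LEN:
        raise ValueError("port locations must be 1 to 128 characters")
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if re.fullmatch(r"\d+", item):
            ports.add(int(item))
        elif re.fullmatch(r"\d+\s*-\s*\d+", item):
            lo_s, hi_s = item.split("-")
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"range {item!r} runs backwards")
            ports.update(range(lo, hi + 1))
        else:
            raise ValueError(f"bad port location element {item!r}")
    return ports


class ZoneTable:
    def __init__(self, relogin_after_migration: bool = False) -> None:
        self.relogin_after_migration = relogin_after_migration
        self.zones: Dict[str, Set[int]] = {}
        self.relogin_within: Dict[str, bool] = {}

    def add_zone(self, name: str, port_locations: str, relogin_within_zone: bool = False) -> None:
        if not name_is_valid(name):
            raise ValueError("zone name: 1-16 chars, alphanumerics, '-', '_' or space only")
        if name in self.zones:
            raise ValueError(f"zone name {name!r} is not unique")
        ports = parse_port_locations(port_locations)
        # Assumption: one port location belongs to at most one zone
        for other, other_ports in self.zones.items():
            clash = ports & other_ports
            if clash:
                raise ValueError(f"ports {sorted(clash)[:5]} already belong to zone {other!r}")
        self.zones[name] = ports
        self.relogin_within[name] = relogin_within_zone

    def zone_of(self, port_location: int) -> Optional[str]:
        return next((z for z, ps in self.zones.items() if port_location in ps), None)

    def relogin_required(self, from_port: int, to_port: int) -> bool:
        """Assumed semantics: with the feature enabled, moving between zones
        forces a new login; moving inside a zone does so only when that zone
        has 'Relogin within Zone' enabled; ports in no zone never force it."""
        if not self.relogin_after_migration:
            return False
        src, dst = self.zone_of(from_port), self.zone_of(to_port)
        if src is None or dst is None:
            return False
        if src != dst:
            return True
        return self.relogin_within[src]
```

Validating the string before it reaches the gateway catches the typical mistakes (a backwards range, a stray semicolon, a name with punctuation) that the form would otherwise reject one at a time.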
188. d with load balancing between all links.
ISP 1 / ISP 2 / ISP 3 / ISP 4 / ISP 5: 2 Mbps DSL each, serving the Guest HSIA Network.

Failover to Standby ISP Link
In this example, the organization has a high-quality 100M Ethernet service. But to guarantee continuous HSIA service, the organization has a back-up ISP service from a low-cost wireless provider which charges on a data volume basis. The organization only wishes this link to be used when the main ISP circuit is not available. The Nomadix NSE is configured for failover only, from the WAN port to port Eth2 on the NSE. (Main ISP Circuit; Back-Up ISP Circuit; ISP 1.)

Separate Guest HSIA and Admin ISP Links with Failover Between Each ISP Link
In this scenario, the hotel has separate HSIA and Hotel Admin ISP circuits. Under normal circumstances, Guests will be connected to the Guest HSIA ISP and Hotel Admin users will connect to the Admin ISP. If either link fails, then failover to the other link will occur. If the Guest HSIA link fails, the guests will be connected to the Admin ISP link until the Guest HSIA link is restored. If the Admin ISP link fails, the Admin users will be connected to the Guest HSIA link until the Admin ISP is restored. The Nomadix NSE is configured with load balancing and failover. All Guests use ISP 1 as the preferred WAN; the Admin network router uses ISP 2 as the preferred WAN. Because guest traffic shares the Admin circuit during a failover, the separation between guest and admin networks has to be enforced by the NSE's subscriber policies rather than by the choice of circuit.
189. International Language Support
IP Upsell
Logout Pop-Up Window
MAC Filtering
Multi-Level Administration Support  16
Multi-WAN Interface Management (8.2)  16
NTP Support  16
Portal Page Redirect  17
RADIUS-driven Auto Configuration
RADIUS Client  18
RADIUS Proxy  18
Realm-Based Routing  18
Remember Me and RADIUS Re-Authentication  19
Secure Management  19
Secure Socket Layer (SSL)  20
Secure XML API  20
Session Rate Limiting (SRL)  20
Session Termination Redirect  21
Smart Client Support  21
SNMP Nomadix Private MIB  21
Static Port Mapping  21
Tri-Mode Authentication
URL Filtering  22
Walled Garden  22
Web Management Interface  22
Optional NSE Modules  23
Load Balancing
190. de LDAP (Lightweight Directory Access Protocol): Directories containing information such as names, phone numbers and addresses are often stored on a variety of incompatible systems. LDAP provides a simple protocol that allows you to access and search these disparate directories over the Internet. LDAP is commonly used for online billing applications.

MAC Address (Media Access Control): The hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub-layers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network media. Consequently, each type of network media requires a different MAC layer. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.

Mbps (Megabits per second): A standard measure for data transmission speeds, for example the rate at which information travels over the Internet. 1 Mbps denotes one million bits per second. Several factors can influence how quickly data travels, including modem speed, bandwidth capacity and Internet traffic levels at the time of transmission. Not to be confused with MegaBytes per second (MBps). See also Throughput.

MIB (Management Information Base): A set of parameters an SNMP management station can query or es
191. disabled both the external DHCP relay and the system's DHCP service. To make DHCP available to subscribers, at least one of these functions must be enabled.
x is ambiguous: The system has more than one option it can display. You must provide additional characters to narrow the system's choices down to just one.
xxx is invalid, enter: Your input is not recognized by the system.

Common Problems
If you are having problems, you may find the answers here.

Problem: When using the internal AAA login Web server, you cannot communicate with Authorize.Net.
Possible Cause: The internal AAA login server communicates with Authorize.Net on a specified port which is not enabled within the company's firewall.
Solution: Enable communications with Authorize.Net on port 1111.

Problem: When a subscriber who is enabled with DHCP logs onto the system, they are not assigned an IP address.
Possible Cause: The DHCP relay is enabled with an incorrect IP address for the external DHCP server.
Solution: Check the IP address for the external DHCP server. If necessary, test the communication with the ping command.
Possible Cause: The DHCP relay is enabled with the correct IP address for the external DHCP server, but the DHCP server is misconfigured.
Solution: Check the external DHCP server settings. For example, is it configured to a routable class of IP addresses? Are there enough IP
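The CLI's shortest-unique-prefix matching (described under Making Menu Selections and Inputting Data with the CLI) together with the two error texts in the table above, as an added example that is not part of the manual or Nomadix's software. The menu list is a constructed sample built from the menu names on this page, not the NSE's actual menu tree.

```python
"""Shortest-unique-prefix command matching with the CLI's error texts.
Added example, not Nomadix code; the menu below is a constructed sample."""
from typing import Dict, List


class CliError(Exception):
    pass


# Constructed top-level menu; names follow the menu names used on this page.
ACCESS_GATEWAY_MENU = ["Configuration", "Network Info", "Port Location", "Subscribers", "System"]


def resolve(entry: str, choices: List[str]) -> str:
    """Return the single choice that starts with `entry` (case-insensitive).
    An exact name wins over longer names it happens to be a prefix of."""
    key = entry.strip().lower()
    if not key:
        raise CliError("enter")            # nothing typed: prompt again
    matches = [c for c in choices if c.lower().startswith(key)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise CliError(f"{entry} is invalid, enter")
    exact = [c for c in matches if c.lower() == key]
    if exact:
        return exact[0]
    raise CliError(f"{entry} is ambiguous")


def minimal_prefixes(choices: List[str]) -> Dict[str, str]:
    """The fewest characters that uniquely identify each entry, e.g. 'c' for
    Configuration but 'su' and 'sy' for Subscribers and System."""
    result: Dict[str, str] = {}
    for c in choices:
        low = c.lower()
        for k in range(1, len(low) + 1):
            prefix = low[:k]
            if sum(1 for o in choices if o.lower().startswith(prefix)) == 1:
                result[c] = prefix
                break
        else:
            result[c] = low   # only reached when one name is a prefix of another
    return result


def dispatch(entry: str, choices: List[str]) -> str:
    """Outcome string for one entry, as the CLI would echo it."""
    try:
        return f"selected {resolve(entry, choices)}"
    except CliError as e:
        return str(e)
```

`minimal_prefixes` is the quickest way to see which abbreviations a given menu actually accepts before writing a procedure that tells an operator to type them.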
192. dministrators to define a simple HTML-based pop-up window for explicit logout that can be used as an alternative to the more fully featured ICC. The pop-up Logout Console can display the elapsed or count-down time and one logo for intra-session service branding. (Nomadix Popup Window: Logout Console.)

Quick Reference Guide
This chapter contains product reference information organized by topic. Use this chapter to locate the information you need quickly and efficiently.

Web Management Interface (WMI) Menus
The following tables contain a listing and brief explanation of all menus and menu items contained in the Access Gateway's Web Management Interface (WMI), listed as they appear on screen.

Menu: Configuration Menu
Description: Displays the Configuration menu. Items in this menu let you establish IP parameters, set DHCP options, set DNS and home page redirection options, set MAC-based authentication, display configuration settings, and set the system date and time, SNMP and SYSLOG parameters.

Menu: Network Info Menu
Description: Displays the Network Info menu. The items in this menu are used to monitor and review network connections, routings, protocols and network session statistics.

Menu: Port Location Menu
Description: Displays the Port Location menu. Items in this menu let you find, add, remove and updat
193. domain/filename/path type, for example http://www.myfile.com/nextpage.html.

UTC (Coordinated Universal Time): A time scale that couples Greenwich Mean Time (GMT), which is based solely on the Earth's inconsistent rotation rate, with highly accurate atomic time. When atomic time and Earth time approach a one-second difference, a leap second is calculated into UTC. UTC was devised on January 1, 1972 and is coordinated in Paris by the International Bureau of Weights and Measures. UTC, like GMT, is set at 0 degrees longitude on the prime meridian.

VoIP (Voice over IP): An emerging technology for transporting integrated digital voice, video and data over IP networks. A major advantage of VoIP and Internet telephony is that it avoids the tolls charged by ordinary telephone services. See also Internet and IP.

VPN (Virtual Private Network): A network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

VxWorks: A real-time operating system manufactured and sold by Wind River Systems of California, USA. VxWorks program development requires a host machine running Unix or Windows.

W3C (World Wide Web Consortium): An international consortium of companie
194. • If running NSE 8.2 you can also change the language of the Web Management Interface. See <cross-reference>.

1. From the Web Management Interface, click on Subscriber Interface, then Language Support. The Language Support screen appears.

(Figure: Language Support screen. "What language will your subscribers be using?": English, Chinese Big5, French, German, Japanese Shift_JIS, Spanish, Other. "Please choose a character set encoding": Browser default, Chinese Big5, Chinese EUC-CN, Chinese EUC-TW, Chinese GB2312, Japanese EUC-JP, Japanese ISO-2022-JP, Japanese Shift_JIS, Korean EUC-KR, Korean ISO-2022-KR.)

2. Select the language you want to use (see notes). There are currently 6 (six) pre-translated language options.

If you want to have the ICC pre-translated into Japanese and enter and display Japanese characters on the Web Management Interface and the subscriber's portal page, choose the Japanese Shift_JIS option. If you want to have the ICC displayed in English but enter and display Japanese characters on the Web Management Interface and the subscriber's portal page, choose the Other option, then choose one of the available Japanese character sets from the drop-down menu.

If sufficient space is available, the Access Gateway's Internal Web Server also supports multiple languages at the same time. The following sample image sho
195. • Enable one of the following:
  • ICC (Information and Control Console)
  • Nomadix Logout Console

If you enabled either of the ICC pop-up options, you can choose a unique name for the console. Simply type a meaningful name in the Title field.

Define the physical location where you want the Nomadix Logout Console to appear on the subscriber's screen. Choose one of the following options:
  • Upper Left Corner
  • Upper Right Corner
  • Lower Left Corner
  • Lower Right Corner

Define how you want to display the subscriber session time:
  • Elapsed Time (how much time has elapsed since the start of the session)
  • Time Remaining (how much time is remaining for the session)

You must now decide what you want the ICC to do if the subscriber closes it. Choose one of the following options:
  • Redisplay itself
  • Logout (return the subscriber to a pending state; valid only with RADIUS and Post Paid PMS)

You must now assign the buttons that you want to display to subscribers.

Assigning Buttons

When assigning the redirect buttons that will appear in the ICC, you can define one ISP Logo Button (large button) and up to 8 smaller buttons (Button 2 through Button 9) with the following parameters:

  • Name/Text: The name of the button and the mouse-over text. The mouse-over text is the text that appears in the ICC's Message Bar when your mouse pointer rolls over a button image
196. e distribution of per-session keys to EAP authenticators and supplicants. Complementing the RADIUS Proxy functionality is the ability to route RADIUS messages depending on the Network Access Identifier (NAI). Both prefix-based (for example, SP/username@ISP.net) and suffix-based (username@ISP.net) NAI routing mechanisms are supported. Together, the RADIUS Proxy and Realm-Based Routing further support the deployment of the Wholesale Wi-Fi model, allowing multiple providers to service one location. See also RADIUS Client on page 18.

Realm-Based Routing

Realm-Based Routing provides advanced NAI (Network Access Identifier) routing capabilities, enabling multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner.

Remember Me and RADIUS Re-Authentication

The NSE's Internal Web Server (IWS) stores encrypted login cookies in the browser to remember logins using usernames and passwords. This Remember Me functionality creates a more efficient and better user experience in wireless networks. The RADIUS Re-Authentication buffer has been expanded to 720 hours, allowing an even more seamless and transparent connection experience for repeat users.

Secure Management

There are many different ways to configure, manage and monitor the perf
197. e network to the Access Gateway. The Access Gateway parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request. If you enabled the XML Interface feature, enter the XML IP server address.

Enable or disable Print Billing Command as required. This feature enables the NSE to support Driverless Print Servers. If this feature is enabled, you must enable the XML interface and enter the IP address for the XML interface (Step 3 and Step 4). With Print Billing enabled, print servers can bill subscribers' rooms for printing their documents without them having to install printers. The DNS name print-server.com will internally resolve to the Configured Print Server URL that is entered in the configuration. When subscribers are redirected to the Print Server, the NSE adds parameters to that request so that the server is able to charge the proper subscriber. With these variables sent to the server, it can now send the XML command to bill the users properly. The Print Server IP needs to be entered as one of the XML server IPs for the command to successfully complete. The XML command is:

<USG COMMAND="BILL_PRINT" IP_ADDR="">
<ROOM_NUM></ROOM_NUM>
<DOC_NAME></DOC_NAME>
<NUM_COPIES></NUM_COPIES>
<NUM_PAGES></NUM_PAGES>
<COST></COST>
<TIME_SUBMITTED></TIME_SUBMITTED>
</USG>

Subscribers could get to
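Added example (not Nomadix code): how a receiver can parse and validate a BILL_PRINT command like the one above before billing anything. The element names, the COMMAND and IP_ADDR attributes and the rule that the sender must be one of the configured XML server IPs come from the text; the numeric checks, the sample addresses and the sample command are assumptions constructed here.

```python
"""Added example (not Nomadix code): parse and validate the BILL_PRINT
XML command before acting on it. Element names, attributes and the
sender rule come from the guide; the value checks and the constructed
sample are assumptions made here."""
import ipaddress
import xml.etree.ElementTree as ET  # production code should prefer defusedxml
from decimal import Decimal, InvalidOperation

REQUIRED_ELEMENTS = ("ROOM_NUM", "DOC_NAME", "NUM_COPIES",
                     "NUM_PAGES", "COST", "TIME_SUBMITTED")


class BillPrintError(ValueError):
    """Raised when a command must be rejected rather than billed."""


def parse_bill_print(xml_text, sender_ip, xml_server_ips):
    """Return the validated billing fields, or raise BillPrintError.

    sender_ip is the address the command arrived from; xml_server_ips is
    the gateway's configured list of XML server IPs (the print server's
    address must be among them for the command to be accepted)."""
    # Authorization first: an unconfigured sender is rejected before the
    # payload is even parsed.
    if sender_ip not in xml_server_ips:
        raise BillPrintError(f"sender {sender_ip} is not a configured XML server IP")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise BillPrintError(f"malformed XML: {exc}") from exc
    if root.tag != "USG" or root.get("COMMAND") != "BILL_PRINT":
        raise BillPrintError("not a USG BILL_PRINT command")
    # IP_ADDR identifies the subscriber being billed; it must be a real address.
    try:
        subscriber_ip = str(ipaddress.ip_address(root.get("IP_ADDR", "")))
    except ValueError as exc:
        raise BillPrintError("IP_ADDR is not a valid IP address") from exc
    fields = {}
    for name in REQUIRED_ELEMENTS:
        element = root.find(name)
        text = (element.text or "").strip() if element is not None else ""
        if not text:
            raise BillPrintError(f"missing or empty element {name}")
        fields[name] = text
    # Quantities must be positive integers and the cost a non-negative amount
    # (assumed rules; the guide does not state value constraints).
    try:
        copies = int(fields["NUM_COPIES"])
        pages = int(fields["NUM_PAGES"])
        cost = Decimal(fields["COST"])
    except (ValueError, InvalidOperation) as exc:
        raise BillPrintError("NUM_COPIES, NUM_PAGES and COST must be numeric") from exc
    if copies <= 0 or pages <= 0 or cost < 0:
        raise BillPrintError("quantities must be positive and cost non-negative")
    return {
        "subscriber_ip": subscriber_ip,
        "room": fields["ROOM_NUM"],
        "document": fields["DOC_NAME"],
        "copies": copies,
        "pages": pages,
        "cost": cost,
        "submitted": fields["TIME_SUBMITTED"],
    }


def accepts(xml_text, sender_ip, xml_server_ips):
    """True if the command would be billed, False if it is rejected."""
    try:
        parse_bill_print(xml_text, sender_ip, xml_server_ips)
        return True
    except BillPrintError:
        return False


# Constructed sample configuration and command (not from the guide).
SAMPLE_XML_SERVER_IPS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_COMMAND = """<USG COMMAND="BILL_PRINT" IP_ADDR="10.0.0.42">
<ROOM_NUM>101</ROOM_NUM>
<DOC_NAME>report.pdf</DOC_NAME>
<NUM_COPIES>2</NUM_COPIES>
<NUM_PAGES>10</NUM_PAGES>
<COST>1.50</COST>
<TIME_SUBMITTED>2003-02-10 11:25:53</TIME_SUBMITTED>
</USG>"""


def demo():
    """Accept the sample from a configured print server, reject it from elsewhere."""
    accepted = parse_bill_print(SAMPLE_COMMAND, "192.0.2.10", SAMPLE_XML_SERVER_IPS)
    try:
        parse_bill_print(SAMPLE_COMMAND, "198.51.100.7", SAMPLE_XML_SERVER_IPS)
        rejected = None
    except BillPrintError as exc:
        rejected = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```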
198. e Guide

Alphabetical Listing of Menu Items (WMI)

The menu items listed here are for a fully featured Nomadix Access Gateway with all optional modules included. Refer to About Your Product License on page 76.

Item | Description | Menu
AAA | Set AAA options | Configuration
Access Control | Enables secure administration of the Access Gateway | Configuration
Add | Add or update port location assignments | Port Location
Add | Add subscriber profiles to the database | Subscriber Admin
ARP | Display the ARP table | Network Info
ARP Add | Add an ARP table entry | System
ARP Delete | Delete an ARP table entry | System
Bandwidth Management | Define upstream and downstream bandwidth | Configuration
Billing Options | Establish the billing options | Subscriber I/face
Bill Record Mirroring | Enable bill record copying to external servers | Configuration
Bridge Mode | Enable the Bridge Mode option | System
Current | Display currently connected subscribers | Subscriber Admin
DAT | Display the DAT session table | Network Info
Delete All | Delete all port location assignments | Port Location
Delete by Location | Delete port location assignments by location | Port Location
Delete by MAC | Delete subscriber profiles by MAC address | Subscriber Admin
Delete by Port | Delete port location assignments by port | Port Location
D
199. e drops

rtl (unit number 1):
PHY: BMSR 0x782d, Link up, Auto succeeded, BMCR 0x3100, Speed 100 Mbps, full duplex
Flags: (0x668143) UP BROADCAST MULTICAST PROMISCUOUS ARP RUNNING INET_UP
Type: ETHERNET_CSMACD
Ethernet address is 00:50:e8:01:63:3e
Metric is 0
Maximum Transfer Unit size is 1500
5341691 octets received
235139037 octets sent
82912 unicast packets received
325878 unicast packets sent
0 non-unicast packets received
0 non-unicast packets sent
0 incoming packets discarded
0 outgoing packets discarded
0 incoming errors
0 outgoing errors
0 unknown protos
0 collisions
0 dropped

Interface Monitoring (8.2)

As a complementary feature to Load Balancing, 8.2 introduces the ability to actively monitor each WAN connection to assure that full network functionality exists. Interface Monitoring must be enabled; it is off by default. It is set separately for each configured WAN interface. Three failures must occur before the system sets the port status to Unavailable and re-assigns subscribers. Monitoring may be configured for both the Monitoring Interval (default is 60 seconds) and for three different methods, as required by the network:

  • The default method, Automatic, will generate a random DNS query to each configured DNS server. Receiving an Error back from the server(s) verifies full network connectivity.
  • Host Probing (Ping): A Host or IP address
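The failure-counting logic described for Interface Monitoring, as an added example that is not Nomadix code, run over a constructed series of probe results. The three-failure threshold, the 60-second default interval and the Automatic (DNS) and Host Probing (Ping) methods come from the text; counting failures consecutively, restoring the port on the next success, and the subscriber re-assignment rule are assumptions made here.

```python
"""Added example (not Nomadix code): Interface Monitoring failure
counting. Threshold, interval and probe methods come from the guide;
consecutive counting and recovery on success are assumptions."""
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 3        # failures before the port becomes Unavailable
DEFAULT_INTERVAL_SECONDS = 60


@dataclass
class WanMonitor:
    name: str
    method: str = "Automatic"          # "Automatic" or "Host Probing"
    interval: int = DEFAULT_INTERVAL_SECONDS
    status: str = "Available"
    consecutive_failures: int = 0
    events: list = field(default_factory=list)

    def record(self, probe_ok: bool) -> str:
        """Apply one probe result and return the resulting port status."""
        if probe_ok:
            if self.status == "Unavailable":
                self.events.append(f"{self.name}: probe succeeded, port Available again")
            self.consecutive_failures = 0
            self.status = "Available"
        else:
            self.consecutive_failures += 1
            if (self.consecutive_failures >= FAILURE_THRESHOLD
                    and self.status != "Unavailable"):
                self.status = "Unavailable"
                self.events.append(
                    f"{self.name}: {self.consecutive_failures} failures, "
                    "port Unavailable, re-assigning subscribers")
        return self.status


def automatic_probe_ok(dns_replies):
    """Automatic method: a random query goes to each configured DNS server.
    Any reply, even an error reply, proves the path is up; only a server
    that never answers (None) counts as a failure."""
    return any(reply is not None for reply in dns_replies)


def ping_probe_ok(echo_replies_received: int) -> bool:
    """Host Probing method: at least one echo reply from the probe host."""
    return echo_replies_received > 0


def reassign(subscribers, monitors):
    """Move subscribers off Unavailable WANs onto the first Available one.
    subscribers maps subscriber id -> WAN name; returns the new mapping."""
    available = [m.name for m in monitors if m.status == "Available"]
    unavailable = {m.name for m in monitors if m.status == "Unavailable"}
    if not available:
        return dict(subscribers)    # nothing to move to; leave as is
    return {sub: (available[0] if wan in unavailable else wan)
            for sub, wan in subscribers.items()}


def run_simulation():
    """Constructed scenario: WAN1's DNS servers stop answering for three
    intervals while WAN2 stays healthy."""
    wan1 = WanMonitor("WAN1")
    wan2 = WanMonitor("WAN2", method="Host Probing")
    subscribers = {"sub-a": "WAN1", "sub-b": "WAN2", "sub-c": "WAN1"}
    history = []
    # Intervals 1 and 2: two timeouts on WAN1 are not yet enough to fail the port.
    for _ in range(2):
        wan1.record(automatic_probe_ok([None, None]))
        wan2.record(ping_probe_ok(4))
        history.append((wan1.status, wan2.status))
    # Interval 3: the third failure trips the threshold.
    wan1.record(automatic_probe_ok([None, None]))
    wan2.record(ping_probe_ok(4))
    history.append((wan1.status, wan2.status))
    subscribers = reassign(subscribers, [wan1, wan2])
    # Interval 4: an error reply (e.g. NXDOMAIN) still counts as connectivity.
    wan1.record(automatic_probe_ok(["NXDOMAIN", None]))
    history.append((wan1.status, wan2.status))
    return history, subscribers, wan1.events


if __name__ == "__main__":
    for item in run_simulation():
        print(item)
```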
200. e from one AP coverage area to another without interruption in service or loss in connectivity.

Round Robin Queuing: An algorithm that services each queue in a predefined sequence. For example, it might empty 1,500 bytes apiece from queue 1 (high priority), queue 2 (medium priority) and queue 3 (low priority), servicing each in turn.

Router: A hardware device that connects two or more networks and routes the incoming data packets to the appropriate network.

RTS Length (Request to Send): A packet sent when a computer has data to transmit. The computer will wait for a CTS (Clear To Send) message before sending data. The RTS Length value should remain at its default setting unless you encounter inconsistent data flow. Only minor modifications to this value are recommended.

SLIP (Serial Line Internet Protocol): SLIP is a standard protocol for connecting to the Internet with a modem over a phone line. It has trouble with noisy dial-up lines and other error-prone connections, so look to higher-level protocols like PPP for error correction.

SMTP (Simple Mail Transfer Protocol): A standard protocol that regulates how e-mail is distributed over the Internet. See also Protocol.

SNMP (Simple Network Management Protocol): A standard protocol that regulates network management over the Internet. SNMP uses TCP/IP to communicate with a management platform and offers a standard set of commands that make multi-vendor interope
201. e same physical LAN. When DHCP subscribers select a service plan with a public pool address, the Access Gateway associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs. The IP Upsell functionality solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications.

Note: In the 8.2 NSE, L2TP support is no longer required and has been removed.

The 8.2 NSE provides additional flexibility for configuring upsell scenarios. Users can be assigned WANs of different bandwidth capabilities, for example for hotel guests of stature or for premium payment.

8. If you want to add a new DHCP Pool, click on the Add button. The Add DHCP Pools screen appears.

(Figure: Add DHCP Pools screen, with fields DHCP Server IP, DHCP Server Netmask, DHCP Pool Start IP, DHCP Pool Stop IP, DHCP Lease Minutes, Public Pool / Private Pool, IP Upsell Pool, Default Pool, and DHCP Options (Router, DHCP Server, Specify). Note: Please make sure pools do not overlap. Below the form is a table of the existing pools (the sample row shows lease minutes 1440, PRIVATE, default pool NO; total number of leases 39) and a link "Back to Main DHCP Configu
202. e the Port Location Assignments (for example, VLAN tags).
Subscriber Administration Menu | Displays the Subscriber Administration menu. The items in this menu allow you to add, remove and monitor subscriber profiles, display the current DHCP leases, and monitor the subscribers currently connected to the network.
Subscriber Interface Menu | Displays the Subscriber Interface menu. The items in this menu allow you to define how the subscriber interface is displayed to users and what information it contains.
System Menu | Displays the System menu. Items in this menu let you manage login names and passwords, configuration settings, and routings.

Configuration Menu Items

Item | Description
AAA | Establishes the AAA service options.
Access Control | To enable secure administration of the product, the Nomadix Access Gateway incorporates a master access control list that checks the source IP address of administrator logins. A login is permitted only if a match is made with the master list contained on the Nomadix Access Gateway. If a match is not made, the login is denied, even if a correct login name and password are supplied. The access control list supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses. Additionally, the Nomadix Access Gateway offers access control based on the type of Interface being used. This feature allows
203. early VPN protocols such as PPTP have been widely discredited as a secure tunneling method. As part of Nomadix's commitment to provide outstanding carrier-class network management capabilities to its family of public access gateways, we offer secure management through the NSE's standards-driven peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third-party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. The advantage of using IPSec is that all types of management traffic are supported, including the following typical examples:

  • ICMP: PING from NOC to edge devices
  • Telnet: Telnet from NOC to edge devices
  • Web Management: HTTP access from NOC to edge devices
  • SNMP:
    • SNMP GET from NOC to subscriber-side device (for example, AP)
    • SNMP SET from NOC to subscriber-side device (for example, AP)
    • SNMP Trap from subscriber-side device (for example, AP) to NOC

Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it:

1. Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel pa
204. eating rules for a Quality of Service Policy. The Traffic Descriptors are how the Access Gateway identifies subscriber traffic. They are conditions, or a group of conditions, that are linked to a description.

1. From the Web Management Interface, click on Configuration, then Traffic Descriptor. The Traffic Descriptor Settings screen appears.

(Figure: Traffic Descriptor Settings screen. "Traffic Descriptor Settings (up to 100 may be created). No traffic descriptors are defined. Click here to add a new Traffic Descriptor.")

2. Select Add to create a new Traffic Descriptor, or select a link to an existing descriptor to modify it. The Add Traffic Descriptor screen appears.

(Figure: Add Traffic Descriptor screen. Unique Name: test. Description: new traffic descriptor. Match Any / All of the following conditions. Condition 4: Local IP address is 6.7.8.9 [Remove]. Add Descriptor. NOTE: Conditions won't be stored in database until Add Descriptor button is clicked. Back to Main Traffic Descriptor Settings page. Add Condition: Transport Protocol is TCP. Note: For ranges of local/remote IP addresses, UDP ports or TCP ports, enter the range endpoints separated by a dash, e.g. 10.20.135.1-10.20.135.254 or 5000-5999. Note: For transport protocol you may specify the following protocol names ...)

Enter a name for the descriptor in the Unique Name field. Enter a brief summary about the d
205. ect on page 12.

RADIUS-driven Auto Configuration

Nomadix' unique RADIUS-driven Auto Configuration functionality utilizes the existing infrastructure of a mobile operator to provide an effortless and rapid method for configuring devices for fast network roll-outs. Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network. Two subsequent events drive the automatic configuration of Nomadix devices:

1. A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta-configuration file containing a listing of the individual configuration files and their download frequency status, which are downloaded from an FTP server into the flash of the Nomadix device.
2. Defines the automated login into the centralized FTP server and the actual download process into the flash.

Optionally, the RADIUS authentication process and FTP download can be secured by sending the traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also Secure Management on page 19.

8.2: The 8.2 NSE provides a RADIUS VSA that supports assigning specific users to a specific WAN interface. See Defining Automatic Configuration Settings (Auto Configuration
206. edirection, click on the Enabled check box. The default setting is disabled. You may create up to 20 portal pages.

3. In the Portal Pages section, enter the matching string that will be directed to the portal page in the Matching String field.
4. Enter the portal page's URL in the URL field.
5. To enable parameter passing, click on the Parameter Passing Enable check box.
6. Select the Parameter Signing:
  • Method: None, HASH CRC32 or HMAC MD5 (select one method)
  • Parameters: UI, MA, RN, PORT and SIP (select all applicable parameters; SIP was removed in 8.2)
7. To enable Set Shared Secret, click on the Set Shared Secret check box. If you enable this feature, enter the shared secret text string in the Set Shared Secret field.
8. Click on the Submit button to save the redirection settings, or click on the Reset button if you want to reset all the values to their previous state.

Portal page settings are saved to the table in the Existing Portal Page entries section of the screen. From that table you can edit or delete existing portal pages.

Managing the DHCP service options (DHCP)

When a device connects to the network, the DHCP server assigns it a dynamic IP address for the duration of the session. Most users have DHCP capability on their computer. To enable this service on the Access Gateway, you can either enable the DHCP relay (routed to an external DHCP server)
207. efines the language to be displayed on the Web Management Interface and the subscriber's portal page.

Item | Description
Local Web Server | Upload the required pages and images to the flash web directory using FTP. Total file size of all pages and images cannot exceed 200 KB.
Login UI | Defines the appearance of the internal subscriber login user interface, including all the login messages and fonts, etc., and establishes the currency.
Post Session UI | Defines the post-session Goodbye page.
Subscriber Buttons | Defines how each of the subscriber's user interface control buttons are displayed.
Subscriber Labels | Defines how the subscriber's user interface field labels are displayed.
Subscriber Errors (1 of 2) | Defines how error messages are displayed to subscribers (page 1 of 2).
Subscriber Errors (2 of 2) | Defines how error messages are displayed to subscribers (page 2 of 2).
Subscriber Messages (1 of 3) | Defines how other general messages are displayed to subscribers (page 1 of 3).
Subscriber Messages (2 of 3) | Defines how other general messages are displayed to subscribers (page 2 of 3).
Subscriber Messages (3 of 3) | Defines how other general messages are displayed to subscribers (page 3 of 3).
Subscriber Messages | Can be created using the internal web server.

System Menu Items

Item | Description
ARP Add | Adds
208. eflect the needs of the solution provider. The Access Gateway is a gateway to this network, providing connection services that enable and automate an effective Enterprise relationship between a supplier (the solution provider) and its customer (the subscriber). The Access Gateway's role in this customer/supplier relationship is effectively invisible to subscribers.

(Figure: Subscriber, AG, Broadband Network)

Authorization and Billing

As a gateway device, the Access Gateway enables plug-and-play access to broadband networks. Broadband network solution providers can now offer their subscribers a wide range of high-speed services, including access to the Internet. Of course, a high-speed Internet connection is not free; subscribers pay an access fee based on the duration of their connection. Additionally, subscribers may want to take advantage of the solution provider's local network services (for example, purchasing goods and local services). In either case, the subscriber is required to pay. Naturally, subscribers expect to pay only for the services rendered to them. In any environment, billing is a complex process. It requires accurate data collection and reconciliation, a means to validate and protect the data, and an efficient method for collecting payments. The Access Gateway offers powerful billing support functionality called Authentication, Authorization and
209. elete by User | Delete subscriber profiles by user | Subscriber Admin
DHCP | Set the DHCP service options | Configuration
DHCP Leases | Set the current subscriber DHCP leases | Subscriber Admin
DNS | Set the DNS parameters | Configuration
Expired | Remove all expired subscriber profiles from database | Subscriber Admin
Export | Export configuration settings to the archive file | System
Export | Export port location assignments to file | Port Location
Factory | Import the factory default configuration settings | System
FailOver | Sets up a sibling Nomadix Gateway | System
Find by Description | Find port location assignments by description | Port Location
Find by Location | Find port location assignments by location | Port Location
Find by MAC | Find a subscriber profile by MAC address | Subscriber Admin
Find by Port | Find port location assignments by port | Port Location
Find by User | Find a subscriber profile by user name | Subscriber Admin
History | Display the system's history log | System
Home Page Redirect | Redirect the subscriber's browser | Configuration
Hosts | Display the host table | Network Info
ICC Setup | Sets up the Information and Control Console | Subscriber I/face
ICMP | Display ICMP performance statistics | Network Info
ICMP | Sets up ICMP blocking | System
Import | Import configuration settings from the archive file | System
Import | Import port location assignment
210. ement

The Access Gateway allows system administrators to manage the bandwidth for subscribers, defined in Kbps (Kilobits per second), for both upstream and downstream data transmissions. With the ICC feature enabled, subscribers can increase or decrease their own bandwidth dynamically and also adjust the pricing plan for their service. The 8.2 NSE enables or disables bandwidth policies for bandwidth management and group bandwidth management policies. You can specify settings for each individual WAN.

1. From the Web Management Interface, click on Configuration, then Bandwidth Management. The Bandwidth Management screen appears.

(Figure: Bandwidth Management screen. Bandwidth Management Enabled [checked]. Bandwidth uplink (to network) speed: 1500 Kbps. Bandwidth downlink (to subscribers) speed: 1500 Kbps. NOTE: You must reboot for setting changes to take effect. Reboot after changes are saved: Yes. Submit / Reset.)

2. If required, click the check box for Bandwidth Management Enabled (this field is not available on the AG2300 platform, because Bandwidth Management is always enabled).
3. If you enabled Bandwidth Management, enter the uplink and downlink speeds (in Kbps) in the appropriate fields. Setting the uplink or downlink speeds to anything greater than what your product supports is prevented by the NSE. Please refer to Product Specifications on page 274 for your product's capabilities.
211. en load balancing with failover should be used.

4. It is important to consider the relative cost of links. If all links have a fixed monthly charge, then ideally they should be used in a load-balanced mode so that costly links are not sitting unused most of the time. But if an ISP link has a relatively low monthly charge with high per-megabyte data usage charges, then it should only be used in failover mode as a backup to a main ISP link.
5. It may be a requirement to share ISP bandwidth between Guest HSIA and Hotel Admin networks, or to have each network available as a fall-back network for the other. Both scenarios can be handled with the Nomadix NSE.
6. It may be desirable to have certain users connected to a particular ISP link and other users connected to a different ISP link. The Nomadix 8.2 NSE provides a preferred WAN RADIUS attribute (VSA). For example, paying users may be connected to an expensive high-quality link, with free users connected to a lower quality link, and with link failover still available if the preferred link fails.

Some examples of typical common deployment scenarios are outlined below. These are just examples, and other deployment scenarios can be handled as well.

Load Balancing across Multiple Low-Speed Links

In this example, an establishment has access to only low-speed DSL-based ISP circuits and wishes to aggregate five such links together. The Nomadix NSE is configure
212. enerating orders, invoices and payments, and submitting inquiries. Also known as Enterprise.

ESS (Extended Service Set): See infrastructure mode.

Ethernet: A Local Area Network (LAN) protocol developed by Xerox Corporation in cooperation with DEC and Intel in 1976. Ethernet uses a bus or star topology and supports data transfer rates of 10 Mbps. The Ethernet specification served as the basis for the IEEE 802.3 standard, which specifies the physical and lower software layers. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100Base-T or Fast Ethernet, supports data transfer rates of 100 Mbps. The latest version, Gigabit Ethernet, supports data rates of 1 Gigabit (1,000 Mbps) per second. See also Mbps.

Fast Ethernet: See Ethernet.

FCC (Federal Communications Commission): US wireless regulatory authority. The FCC was established by the Communications Act of 1934 and is charged with regulating interstate and international communications by radio, television, wire, satellite and cable.

FDM (Frequency Division Multiplexing): A multiplexing technique that uses different frequencies to combine multiple streams of data for transmission over a communications medium. FDM assigns a discrete carrier frequency to each data stream and then combines many modulated carrier frequencies for transmission. For example, television transmitters use FDM to broadcast several channels at once.

FHSS (Frequency Hoppin
213. er QoS can be characterized by several basic performance criteria, including availability (low downtime), error performance, response time and throughput, lost calls or transmissions due to network congestion, connection set-up time, and the speed of fault detection and correction. Service providers may guarantee a particular level of QoS (defined by a service level agreement) to their subscribers. QoS-enabled hardware and software solutions sort and classify IP packet requests into different traffic classes and allocate the proper resources to direct traffic based on various criteria, including application type, user or application ID, source or destination IP address, time of day, and other user-specified variables. See also CoS and ToS.

RADIUS (Remote Authentication Dial-In User Service): An authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system.

RFC (Request for Comments): A series of notes about the Internet, started in 1969 when the Internet was the ARPANET. An RFC note can be submitted by anyone. Each RFC is designated by an RFC number. Once published, an RFC never changes. Any modifications to an original RFC are assigned a new RFC number.

Roaming: In wireless networking, roaming refers to the ability to mov
214. er criteria that QoS systems can use to provide differentiated classes of service. The characteristics of the CoS may be appropriate for high-throughput traffic, for traffic with a requirement for low latency, or simply for best effort. The QoS experienced by a particular flow of traffic will be dependent on the number and type of other traffic flows admitted to its class. See also QoS.

Daemon: A program that runs continuously in the background, or is activated by a particular event (for example, an error may trigger Syslog). The word daemon is Greek for spirit or soul. See also SYSLOG.

DAT (Dynamic Address Translation): Nomadix Gateways provide plug-and-play access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access regardless of their computer's network settings. See also DHCP.

DHCP (Dynamic Host Configuration Protocol): A standard method for assigning IP addresses automatically to devices connected on a TCP/IP network. When a new device connects to the network, the DHCP server assigns an IP address from a list of its available addresses. The device retains this IP address for the duration of the session. When the device disconnects from the network, the IP address becomes available for reassignment to another device. See also Dynamic IP Addr
215. er profile was manually added to the authorization table | Added_by_administrator
AAA_Interface | Subscriber profile was updated | Updated_by_administrator
AAA_Interface | Subscriber profile was manually removed from the authorization table | Removed_by_administrator

Sample SYSLOG Report

Syslog reports are generated by the Access Gateway and sent to the syslog server that is assigned to general error detection and reporting.

2003-02-10 11:25:53 Local2 Info 1.2.3.4 INFO Access Gateway v51 4 126 DHCP ndxDHCPInit 0021 DHCP initialized
2003-02-10 11:25:53 Local2 Info 1.2.3.4 INFO Access Gateway v51 4 126 CLISRD 0206 Setting COM1 to 9600 baud
2003-02-10 11:25:53 Local2 Info 1.2.3.4 INFO Access Gateway v51 4 126 CLISRD Starting CLI on the serial port
2003-02-10 11:25:53 Local2 Info 1.2.3.4 INFO Access Gateway v51 4 126 INIT Access Gateway v51 4 126 with ID 010384 Initialized

Sample History Log

A history log is generated by the Access Gateway which includes the system's activity (Access, Reboot and Uptime).

Uptime and Access/Reboot History
Uptime: 1 days 3 hrs 7 mins 36 sec

Access and Reboot History
No | Timestamp | Message
001 | MON APR 29 17:34:45 2002 | WMI Getting index.htm
002 | MON APR 29 17:34:42 2002 | WMI Getting intro.htm
003 | MON APR 29 17:34:41 2002 | WMI Getting index.htm
More listings ...
216. escriptor in the Description field. Set condition matching to require a match to All conditions or Any one of the conditions. This condition list displays a list of the conditions that have been defined for this descriptor. Select a condition type from the Add Condition menu and define the matching parameters. Once added, conditions will be displayed in the condition list. Select Remove to remove a condition from this descriptor. Select Add Descriptor to accept the parameters and conditions defined and add the descriptor to the descriptor list on the main page.

Setting Up URL Filtering (URL Filtering)

The Access Gateway can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator, using the following three methods:

  • Host IP address (for example, 1.2.3.4)
  • Host DNS name (for example, www.yahoo.com)
  • DNS domain name (for example, yahoo.com, meaning all sites under the yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.)

The system administrator can dynamically add or remove specific IP addresses and domain names to be filtered for each property.

1. From the Web Management Interface, click on Configuration, then URL Filtering. The URL Filtering Address Settings screen appears.

(Figure: URL Filtering Address Settings screen)
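A matcher for the three URL-filter entry types listed above, as an added example that is not Nomadix code, using the text's own example entries (1.2.3.4, www.yahoo.com, yahoo.com). It goes one step beyond the text by extracting the host from a full request URL, comparing names case-insensitively and matching domain entries only on label boundaries (so notyahoo.com is not caught by a yahoo.com entry); those choices and the constructed sample requests are assumptions.

```python
"""Added example (not Nomadix code): URL-filter matching for host IP,
host DNS name and DNS domain entries. Entry types and the example
entries come from the guide; matching details and sample requests are
assumptions made here."""
import ipaddress
from urllib.parse import urlsplit


class UrlFilter:
    KINDS = ("ip", "host", "domain")

    def __init__(self):
        self.host_ips = set()      # host IP address entries
        self.host_names = set()    # host DNS name entries (exact match)
        self.domains = set()       # DNS domain entries (whole hierarchy)

    @staticmethod
    def _norm(name: str) -> str:
        # DNS names are case-insensitive; a trailing dot is the same name
        return name.strip().lower().rstrip(".")

    def _bucket(self, kind: str) -> set:
        if kind == "ip":
            return self.host_ips
        if kind == "host":
            return self.host_names
        if kind == "domain":
            return self.domains
        raise ValueError(f"unknown entry kind {kind!r}; use one of {self.KINDS}")

    def _key(self, kind: str, entry: str):
        return ipaddress.ip_address(entry.strip()) if kind == "ip" else self._norm(entry)

    def add(self, kind: str, entry: str) -> None:
        """Administrator adds an entry of the given kind."""
        self._bucket(kind).add(self._key(kind, entry))

    def remove(self, kind: str, entry: str) -> None:
        """Administrator removes an entry; unknown entries are ignored."""
        self._bucket(kind).discard(self._key(kind, entry))

    def is_blocked(self, host: str) -> bool:
        """host is a bare host name or IP literal, not a URL."""
        try:
            return ipaddress.ip_address(host.strip()) in self.host_ips
        except ValueError:
            pass  # not an IP literal, so match by name
        host = self._norm(host)
        if host in self.host_names:
            return True
        # A domain entry covers the domain itself and every name below it.
        # Requiring the "." keeps "notyahoo.com" outside a "yahoo.com" entry.
        return any(host == d or host.endswith("." + d) for d in self.domains)


def host_of(url: str) -> str:
    """Pull the host out of a request URL; urlsplit drops userinfo, port
    and the brackets around an IPv6 literal."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def build_sample_filter() -> UrlFilter:
    f = UrlFilter()
    f.add("ip", "1.2.3.4")
    f.add("host", "www.yahoo.com")
    f.add("domain", "yahoo.com")
    return f


def filter_requests(url_filter: UrlFilter, urls):
    """Return {url: 'blocked' | 'allowed'} for a batch of request URLs."""
    return {u: ("blocked" if url_filter.is_blocked(host_of(u)) else "allowed")
            for u in urls}


# Constructed sample requests (not from the guide).
SAMPLE_URLS = [
    "http://1.2.3.4/index.html",
    "http://WWW.YAHOO.COM:8080/mail",
    "http://finance.yahoo.com/",
    "http://sports.yahoo.com/scores",
    "http://notyahoo.com/",
    "http://user:pw@yahoo.com.example.net/",
    "http://www.example.com/",
]

if __name__ == "__main__":
    for url, verdict in filter_requests(build_sample_filter(), SAMPLE_URLS).items():
        print(f"{verdict:8} {url}")
```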
217. ess, IP Address, Static IP Address and TCP/IP.
DNS (Domain Name System): A system that maps meaningful domain names with complex numeric IP addresses. See also Domain Name and IP Address.
Domain Name: A unique and meaningful name representing each addressable computing device on a dynamic network (for example, the Internet). Some devices have more than one domain name. When a user types a domain name requesting a connection to the device, DNS converts the domain name into a numeric IP address. The location of the device on the network is known by its IP address. WWW.YAHOO.COM is an example of a commercial domain name on the World Wide Web. See also DNS, Internet and IP Address.
Driverless Print Servers: Servers that can bill subscribers' rooms for printing their documents without them having to install printers. See also Print Billing Command.
DSSS (Direct Sequence Spread Spectrum): One of two types of spread spectrum radio, the other being Frequency Hopping Spread Spectrum (FHSS). DSSS is a transmission technology used in WLAN transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or chipping code, that divides the user data according to a spreading ratio. The chipping code is a redundant bit pattern for each bit that is transmitted, which increases the signal's resistance to interference. If one or more bits in the pattern are damaged during transmission, the original data can be re
218. ess RJ-45 serial system console
AG5600 Specifications
LED INDICATORS: ACT, LINK and 10/100/1000 for each Ethernet port; Power
NETWORK MANAGEMENT: Multi-Level Administration Controls; Integrated VPN Client (IPSec) for secure connection to an NOC; Access Control Lists; Web Administration UI; CLI via Telnet and Serial Port; SNMPv2c; Secure XML API; Auto Configuration and Upgrades; Syslog; AAA log
NETWORKING: IEEE 802.3/3u/3ab; IEEE 802.1d; DHCP Server; DHCP Relay; RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1/v2)
AG5800 Specifications
USER / TRUE PLUG AND PLAY: Dynamic Address Translation (DAT); Dynamic Transparent Proxy
SERVICE PROVISIONING: Home Page Redirect; HTTP Redirect; Portal Page Redirect; Session Termination Redirect; Information and Control Console; Pop-up Explicit Logout Button; International Language Support; External Web Server Mode; Internal Web Server Mode; Secure XML API over SSL; Login Page Failover
BILLING PLAN ENABLEMENT: RADIUS Client; RADIUS AAA Proxy; Port Based Policies; Port Mapping; Local Database; Credit Card Interface; PMS Advanced XML Interface; Bill Mirroring
ACCESS CONTROL AND AUTHENTICATION: Authorization, Authentication and Accounting (AAA); Walled Garden; Group Accounts; Tr
219. ess to a wireless network based on a computer's hardware-specific MAC address, which is relatively simple to sniff out and steal. EAP is built on a more secure public key encryption system to ensure that only authorized network users can access the network. It should be noted that WPA is an interim standard that will be replaced with the IEEE's 802.11i standard upon its completion.
XML (eXtensible Markup Language): A specification developed by the W3C. XML is a pared-down version of SGML, designed especially for Web documents. It enables designers to create their own customized tags to provide functionality not available with HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration. Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source. XML commands are appended to a URL in the form of an encoded query string. Nomadix Gateways parse the query string, execute the commands specified by the string, and return data to the system that initiated the command request. See also HTML, TCP and W3C.
220. ession establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
2. The exchange of management traffic, either originating at the NOC or from the edge device, through the IPSec tunnel. Alternatively, AAA data such as RADIUS Authentication and Accounting traffic can be sent through the IPSec tunnel. See also RADIUS-driven Auto Configuration on page 17.
The advantage of using IPSec is that all types of management traffic are supported, including the following typical examples:
• ICMP: PING from NOC to edge devices
• Telnet: Telnet from NOC to edge devices
• Web Management: HTTP access from NOC to edge devices
• SNMP:
  • SNMP GET from NOC to subscriber-side device (for example, AP)
  • SNMP SET from NOC to subscriber-side device (for example, AP)
  • SNMP Trap from subscriber-side device (for example, AP) to NOC
Secure Socket Layer (SSL)
This feature allows for the creation of an end-to-end encrypted link between your NSE-powered product and wireless clients by enabling the Internal Web Server (IWS) to display pages under a secure link, which is important when transmitting AAA information in a wireless network when using RADIUS. SSL requires service providers to obtain digital certificates to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix.
Secure XML API
XML (Extensible Markup Language) is u
221. eway. The Access Gateway yields a complete solution to a set of complex issues in the Enterprise, Public LAN and Residential segments.
Product Configuration and Licensing
All Nomadix Access Gateway products are powered by our patented and patent-pending suite of embedded software called the Nomadix Service Engine (NSE). The Access Gateway employs our NSE core software package and comes pre-packaged with the option to purchase additional modules to expand the product's functionality. This User Guide covers all features and functionality provided with the NSE core package, as well as additional optional modules. Your product license must support the optional NSE modules if you want to take advantage of the expanded functionality. The following note will preface procedures that directly relate to optional modules. See also:
• NSE Core Functionality
• Optional NSE Modules
Key Features and Benefits
The Access Gateway is a 1U-high, free-standing or rack-mountable Access Gateway that employs three fast Ethernet ports to interface with the router (one for the network side) and the aggregation equipment (two for the subscriber side) within the network. It also incorporates an RS232 serial port for connecting to a Property Management System (PMS) and for system management and administration, while maintaining one billing relationship with their chosen provider. The Access Gateway enables a wide variety of
222. eway redirects the subscriber's login request to an external server, transparent to the subscriber. The login page served by the EWS reflects the look and feel of the solution provider's network and presents more login options.
Enabling AAA Services with the Internal Web Server
You are here because you want to enable the AAA Services with the Access Gateway's Internal Web Server. The Access Gateway maintains an internal database of authorized subscribers based on their MAC (hardware) address and user name (if enabled). By referring to its database record (also known as an authorization table), the Access Gateway instantly recognizes new subscribers on the network. You can configure the Access Gateway to handle new subscribers in various ways (see the table on this page). With the IWS, you also have the option of enabling SSL support. After selecting the Internal Web Server authorization mode, you have the option of enabling or disabling the Usernames and New Subscribers features. These features work in conjunction with each other to determine how new subscribers are handled. Refer to the following table:
Usernames | New Subscribers | System Response
Disabled | Enabled | Allows new subscribers to enter the system without giving a user name and password.
Enabled | Enabled | Allows new subscribers, or authentication by their optional user name and password.
Enabled | Disabled | New subscribers are not allowed. Only existing subscribers a
223. eys before the application protocol transmits or receives any data. TLS is application protocol independent; higher-level protocols can layer on top of the TLS protocol transparently. Based on Netscape's SSL 3.0, TLS supersedes and is an extension of SSL. TLS and SSL are not interoperable. See also Protocol and SSL.
Translation: See IP Address Translation.
Tunneling: A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a Virtual Private Network (VPN). It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet. See also TCP/IP and VPN.
ToS (Type of Service): A field within an IP header which can be used by the device originating the packet, or by an intermediate networking device, to signal a request for a specific QoS level. ToS uses three bits to tell a router how to prioritize a packet and one bit apiece to signal requirements for delay, throughput and reliability. See also Packet, QoS, Router and Throughput.
URL (Uniform Resource Locator): The standard method used for identifying the location of information available to the Internet. This is effectively the address of a document or file, expressed in the form protocol
224. formation described above is sent to the configured Syslog server. The content of the syslogs is sent in human-readable format. The configuration page of the syslog server to which these RADIUS proxy accounting messages are sent is available under the Configuration > Logging menu, as described above. The third set of Syslog parameters on that page pertains to the RADIUS History Log.
Displaying Current Profiles and Connections (Statistics)
You can view the total number of profiles and connections currently stored in the Access Gateway's database of authorized subscribers. The displayed list includes the number of subscribers currently in the database (Current Table) and a numerical breakdown of how the subscribers can utilize the system (for example, free access, credit card, etc.). The total number of user profiles stored in the Access Gateway's internal database is also shown. To view the Subscriber Statistics, go to the Web Management Interface, click on Subscriber Administration, then click on Statistics. The Subscriber Statistics screen appears.
Subscriber Statistics (screen): Subscribers in Current Table (Pending, Free Access, Radius, Credit Card, Property Management System, External Web Server, Added Via XML Command, Added by Administrator); USG Internal Database (User Profiles).
Subscriber Interface Menu
Defining the Billing Options (Bi
225. forms using either Internet Explorer or Netscape Navigator (see note). WebHelp is useful when you have an Internet connection to the Access Gateway and you want to access information quickly and efficiently. It contains all the information you will find in this User Guide. For more information about WebHelp and other online documentation resources, go to Online Documentation and Help on page 53.
Notes, Cautions and Warnings
The following formats are used throughout this User Guide. General notes and additional information that may be useful are indicated with a Note. Cautions and warnings are indicated with a Caution. Cautions and warnings provide important information to eliminate the risk of a system malfunction or possible damage.
Installing the Access Gateway
This section provides installation instructions for the hardware and software components of the Access Gateway. It also includes an overview of the management interface, some helpful hints for system administrators, a Quick Reference Guide and procedures. settings, you should write the settings to an archive file. If you ever experience problems with the system, your archived settings can be restored at any time. See Archiving Your Configuration Settings on page 70. Once you have installed your Access Gateway and established the configuration, Nomadix Access
226. from the PPPoE server, similar to a DHCP client. Setting this to static will require manually configuring the IP address in the text box.
Maximum TCP MSS: Please note that this is the MSS, not the MTU. The maximum value suggested by the RFC is 1452.
7. Enter a valid IP address in the Network IP Address field. The IP addresses of subscribers that are on a subnet different from the Access Gateway (for example, misconfigured) are translated by Nomadix Dynamic Address Translation (DAT) patented technology to the Network IP Address. The subscriber interface acts as a multifunctional translator. For example, if a subscriber's computer is set up statically for a network with a gateway address of 10.1.1.1, the Access Gateway emulates the gateway to accommodate this subscriber, while emulating other gateways to accommodate other subscribers.
8. Enter a valid Subnet Mask in the Subnet Mask field. The subnet mask defines the number of IP addresses that are available on the routed subnet where the Access Gateway is located.
9. Enter a valid default gateway IP address in the Default Gateway field. The default gateway is the IP address of the router that the Access Gateway uses to transmit data to the Internet.
10. Multiple NAT IP addresses for Session Expansion can be individually added by entering each desired address in the NAT IP Address field and left-clicking the Add button.
227. g Spread Spectrum): One of two types of spread spectrum radio, the other being Direct Sequence Spread Spectrum (DSSS). FHSS is a transmission technology used in WLAN transmissions where the data signal is modulated with a narrowband carrier signal that hops in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies. The signal energy is spread in the time domain rather than chopping each bit into small pieces in the frequency domain. This technique reduces interference because a signal from a narrowband system will only affect the spread spectrum signal if both are transmitting at the same frequency at the same time. If synchronized properly, a single logical channel is maintained. The transmission frequencies are determined by a spreading, or hopping, code. The receiver must be set to the same hopping code and must listen to the incoming signal at the right time and correct frequency in order to properly receive the signal. Current FCC regulations require manufacturers to use 75 or more frequencies per transmission channel, with a maximum dwell time (the time spent at a particular frequency during any single hop) of 400 ms.
Flash Memory: A special type of EEPROM (Electrically Erasable Programmable Read-Only Memory) that can be erased and reprogrammed in blocks instead of one byte at a time. Many modern PCs have their BIOS stored on a flash memory chip so
228. g the AAA Services (AAA)
This procedure shows you how to set up the AAA (Authentication, Authorization and Accounting) service options. AAA Services are used by the Access Gateway to authenticate, authorize and subsequently bill subscribers for their use of the customer's network. The Access Gateway currently supports several AAA models, which are discussed in Subscriber Management on page 256.
1. From the Web Management Interface, click on Configuration, then AAA. The Authentication, Authorization and Accounting Settings screen appears.
Authentication, Authorization and Accounting Settings (screen): AAA Services [Enable]; Logout IP: 1.1.1.1; XML Interface [Enable] with XML SERVER 1 IP, XML SERVER 2 IP, XML SERVER 3 IP, XML SERVER 4 IP; Print Billing Command [Enable] with Print Server URL; AAA Passthrough Port [Enable], Port: 443; 802.1X Authentication Support [Enable] (Note: 802.1x requires that both AAA and RADIUS Authentication be enabled), 802.1X Reauth Period (secs): 0; Enable Origin Server (OS) parameter encoding for Portal Page and EWS [Enable]; Enable failover to Internal Web Server Authentication if Portal Page / External Web Server is not reachable; Port-based billing policies [Enable]; HTTPS Redirection [Enable], Port (must be different from 80): 2111.
230. gn here. Solution providers can charge a fee for this service at their discretion. If you assigned a user name, you must now assign a Password. In the Expiration Time field, define the duration (in hours and minutes) of the subscriber's authorized access time. When the assigned time expires, the subscriber must re-subscribe to the service. Enter an amount in the Paid field. The next two fields, User Definable 1 and User Definable 2, are optional. Use these fields for simple notations about the subscriber. Define the Max Upstream Bandwidth and Max Downstream Bandwidth range for this subscriber (in Kbps). Select a policy from the QoS Policy menu. See Setting up Quality of Service (QoS) on page 148 for more information. Enable Countdown after login if you want the timeout amount to take effect after the user logs in. If the option is not enabled, user timeouts take effect the moment the subscriber is added. Enable SMTP Redirection to allow the specified user to have their SMTP traffic redirected by the global SMTP redirect configuration. Click on the Add button to add this subscriber to the database, or click on the Reset button if you want to reset all the values to their previous state.
Adding a Device Type Profile
1. From the Web Management Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen
231. guration
show interface <name>      Show a single WAN Interface configuration
modify interface <name>    Modify a single WAN Interface configuration
Type b to go back, <esc> to abort, ? for help
Ethernet port WAN interface configuration >
Figure 7: WAN port PPPoE client configuration summary page
If everything is correct in the summary, type b(ack) to return to the previous menu and proceed to step 2 to enter location information. Otherwise, select an option from the Ethernet port configuration menu to display or make changes to the WAN port settings. When finished with settings, type b(ack) to return to the previous menu and go to step 2.
Step 1d: PPPoE Static IP Client Configuration
Use the same steps for configuring dynamic PPPoE shown in Figure 6 above, but select static for PPP IP Configuration Mode and enter your IP address for PPP Static IP Address. A summary page similar to Figure 7 above will be displayed. If everything is correct in the summary, type b(ack) to return to the previous menu and proceed to step 2 to enter location information. Otherwise, select an option from the Ethernet port configuration menu to display or make changes to the WAN port settings. When finished with settings, type b(ack) to return to the previous menu and go to step 2.
Step 2: Entering Your Location Information
You will be required to enter location information in order to obtain the license key. Enter the fo
232. guration Mode [static] (static, dhcp, pppoe): p
PPPoE Service Name (none to clear): Your Service Name
LCP Echo Request Interval: 30
Maximum LCP Non-responses: 6
PPP Authentication User Name (none to clear): Your User Name
PPP Authentication Password (none to clear): Your Password
PPP IP Configuration Mode [dynamic] (dynamic, static)
PPP Static IP Address: 0.0.0.0
PPP Maximum TCP MSS: 1452
WAN 802.1Q tagging: Disabled
VLAN ID: 1
DNS Domain Name: nomadix.com
DNS Server 3: 0.0.0.0
Figure 6: Selecting PPPoE with dynamic IP configuration
A WAN port summary page will then be displayed, as shown in Figure 7:
Port Name: WAN
Port Role: wanIf
Configuration Mode: pppoe
IP Address: Your IP address
Subnet Mask: Your subnet mask
Gateway IP: Your gateway
PPPoE Service Name: Your Service Name
LCP Echo Request Interval: 30
Maximum LCP Non-responses: 6
PPP Authentication User Name: Your user name
PPP Authentication Password: Your password
PPP IP Configuration Mode: dynamic
PPP Static IP Address: 0.0.0.0
PPP Maximum TCP MSS: 1452
WAN 802.1Q tagging: Disabled
VLAN ID: 1
DNS Domain Name: Your domain name
DNS Server 1: Your DNS server IP address
DNS Server 2: 0.0.0.0
DNS Server 3: 0.0.0.0
Additional NAT IP addresses: Disabled
show all                   Show all WAN Interface confi
233. h allowed for the group, in Kilobits per second. Integer value; 0 is interpreted as unlimited.
Group Bandwidth Limit Policy Operation
The NSE maintains a collection of all installed group bandwidth policies. The collection is indexed by the bandwidth policy ID provided by the RADIUS server. The collection can store as many policy records as the number of licensed subscriber devices. All subscriber devices sharing the same group bandwidth policy ID belong to the same group. A subscriber device can participate in only one bandwidth limiting group at a time. When a login is performed to an account that returns a bandwidth policy ID that does not yet exist in the NSE, a new policy record is created and inserted into the aforementioned collection. The subscriber authorized by the Access-Accept is associated with the newly installed bandwidth policy ID, and the bandwidth limits returned are invoked. When the Access-Accept for a subscriber contains a bandwidth policy ID already present on the NSE, the subscriber is associated with the existing group policy. All subscribers that are now members of the group share the total bandwidth allocated to the policy. If at some point a login is performed to an account that returns the policy ID for an existing policy, but also returns bandwidth values different from those currently allocated for that policy, the policy will be updated with the new values found in the Access-Accept. Thus, the latest Acces
234. h Page branding.
2. Initial Portal Page Redirect (Pre-Authentication): Typically this is used to redirect the user to a venue-specific Welcome and Login page.
3. Home Page Redirect (Post-Authentication): This redirect page can be tailored to the individual user (as part of the RADIUS Reply message, the URL is received by the NSE) or set to re-display itself at freely configurable intervals.
4. The Information and Control Console (ICC) contains multiple opportunities for an operator to display its branding or the branding of partners during the user's session. As an alternative to the ICC, a simple pop-up window provides the opportunity to display a single logo.
5. The Goodbye page is a post-session page that can be defined either as a RADIUS VSA or be driven by the Internal Web Server (IWS) in the NSE. Using the IWS option means that this functionality is also available for other post-paid billing mechanisms (for example, post-paid PMS).
NSE Core Functionality
Powering the Nomadix family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy public access networks. These core features solve issues of connectivity, security, billing and roaming in a Wi-Fi public access network. The NSE's core package of features includes:
• Access Control
• Bandwidth Management
• Billing Re
235. hat you go through (port, location, state and description) displays the value currently assigned to the field. To update a Port Location assignment, simply update the fields with new values. If you have updated a port location assignment, you may want to change its description to distinguish it from the old assignment. Although the old assignment will no longer exist in the system, a meaningful description can often be a valuable quick reference guide.
Deleting All Port Location Assignments (Delete All)
This procedure shows you how to delete all port location assignments. The Access Gateway displays a warning and prompts you to confirm this action before deleting all the port locations currently assigned in the system.
1. From the Web Management Interface, click on Port Location, then Delete All. The Delete All Port Location Assignments screen appears.
Delete All Port Location Assignments (screen): Are you Sure? [Delete All]
2. Click on the Delete All button to delete all Port Location assignments.
Deleting Port Location Assignments by Location (Delete by Location)
This procedure shows you how to delete a port location assignment based on its location. The Access Gateway prompts you to confirm this action before deleting the requested port location. If you are unsure which port locations are currently mapped to the system, you can view a list at Displaying the Port Location Map
236. he system. Software upgrades can only be performed from the CLI. See also The Management Interfaces (CLI and Web) on page 49.
Credit Card
The Credit Card module provides a secure interface over SSL to enable billing via a credit card for High Speed Internet Access (HSIA). This module also includes the Bill Mirror functionality for posting of billing records to multiple sources. See also:
• Secure Socket Layer (SSL) on page 20
• Billing Records Mirroring on page 10
Dynamic Address Translation
Dynamic Address Translation (DAT) enables transparent broadband network connectivity covering all types of IP configurations (static IP, DHCP, DNS), regardless of the platform or the operating system used, ensuring that everyone gets access to the network without the need for changes to their computer's configuration settings or client-side software. The NSE supports both PPTP and IPSec VPNs in a manner that is transparent to the user and that provides a more secure, standard connection. See also Transparent Connectivity on page 5.
Dynamic Transparent Proxy
The NSE directs all HTTP and HTTPS proxy requests through an internal proxy which is transparent to subscribers (no need for users to perform any reconfiguration tasks). Uniquely, the NSE also supports clients that dynamically change their browser status from non-proxy to proxy or vice versa. In addition, the NSE supports proxy ports 80, 800, 900, 911 and 990, as well as al
237. he time delay between each retransmission.
7. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Configuring Destination HTTP Redirect
Destination HTTP Redirect provides DNS-triggered redirection of HTTP requests to one or more portal page URLs configured on the NSE. Portal pages could include account status, maps, local information, etc. The NSE will intercept and respond to DNS queries containing configurable strings. Subscribers requesting a website at that DNS name will obtain a DNS response that contains a "magic" IP address, which is the same value obtained when the subscriber queries the DNS string logout.nomadix.com. The NSE will process HTTP requests for that magic IP address (configurable on the AAA page) and will reply with an HTTP redirection, which may include a number of signed redirection parameters, to a configured URL. By following the HTTP redirection, the subscriber will reach the target URL and he/she will then be served a page containing whatever information is relevant (account and/or other specific information).
Figure: Destination HTTP Redirect message flow between the User, the NSE and the External Server: DNS query for www.example.com; DNS response 1.1.1.1 (Magic IP Address); GET / HTTP/1.1, Host: www.example.com; HTTP/1.0 302 redirect to portal1.myhotel.com; Redirect Message, OK, Accept Message.
238. heir RADIUS Profile. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Defining the RADIUS Proxy Settings (RADIUS Proxy)
A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. For additional RADIUS information, see also:
• Setting up Quality of Service (QoS) on page 148
• Defining the Realm-Based Routing Settings (Realm-Based Routing) on page 158
• RADIUS Attributes on page 294
1. From the Web Management Interface, click on Configuration, then RADIUS Proxy. The RADIUS Proxy Settings screen appears.
RADIUS Proxy Settings (screen): RADIUS Proxy Services [Enable]; Authentication Server Port; Accounting Server Port; Local port for communicating with home servers; No upstream NASs are defined (Add: Click here to add a new Upstream RADIUS NAS); Click here to see configured RADIUS service profiles and Realm Routing Policies.
2. Enable or disable RADIUS Proxy Services as required by clicking on the appropriate check box.
3. If you enabled RADIUS Proxy Services, you must provide the Authentication Server Port and the Accounting Server Port references.
4. Click on the Submit button
239. his Plan button if you want to delete this plan, or click on the Reset button if you want to reset all the values to their previous state.
9. Click on the Back button at any time to return to the Internal Billing Options Setup (previous) screen.
10. Repeat Steps 2 through 11 for each billing plan. You can enable (make active) any or all of the available billing plans.
11. Define the messages you want to present to subscribers, including:
• Introduction Message
• Offer Message
• Policy Message
12. Define the Units of Access (Minute, Hour, Day, Week or Month) you want to make available to subscribers.
13. If you want to allow free access to subscribers, you can define the following free billing options:
• Default Free Access Time (in days)
• Maximum Subscriber Lifetime (in days)
14. Define any Promotional Code Options in the Code Definition and Percentage Discount fields, as required. You can define up to 5 Promotional Code Options. The Percentage Discount parameter must be between 1 and 100.
15. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Setting Up an X over Y Billing Plan
1. If required, click on the Enable check box to enable (make active) this billing plan.
2. Define a label for this billing plan in the Label field. Each plan m
240. hnology: A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also DAT.
ad hoc mode: An 802.11x networking framework in which devices or stations communicate directly with each other without the use of an Access Point (AP). Ad hoc mode is also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS). Ad hoc mode is useful for establishing a network where wireless infrastructure does not exist or where services are not required.
ADSL (Asynchronous Digital Subscriber Line): A method for moving data at high speed over regular phone lines.
AP (Access Point): A hardware device, or a computer's software, that acts as a communication hub for users of a wireless device to connect to a wired LAN. APs are important for providing heightened wireless security and for extending the physical range of service a wireless user has access to.
ARP (Address Resolution Protocol): Used to dynamically bind a high-level IP address to a low-level physical hardware address. ARP is limited to a single physical network that supports hardware broadcasting.
ATM (Asynchronous Transfer Mode): A network technology based on transferring data in cells or packets of a fixed size (53 bytes each). The cell used with ATM is relatively small compared to units used with older technologies. The small, constant cell size allows ATM equipment to transmit video, audio and computer data over the same network, and assures that no single t
241. host via the network port. Fields: IP/DNS Name of host to ping; Size of ping packet (64); Submit; Reset.
2. Click on the check box for Block ICMP from pending users to enable or disable this feature as required (pending users are subscribers that have not yet been authenticated).
3. You can ping a host via the network port by entering either an IP address or the DNS name of the host. This is the site that the ping is sent to from the NSE.
4. Click on the Submit button to save your changes, or click on the Reset button to reset all values to their previous state.
Importing Configuration Settings from the Archive File (Import)
This procedure shows you how to restore the system configuration settings from an archive file previously created with the export function. You will need to reboot the system for some of the imported settings to take effect, especially DHCP.
1. From the Web Management Interface, click on System, then Import. The Import Configuration screen appears:
Import Configuration: Import configuration settings from the archive file and save them as the current settings. NOTE: A reboot may be required for some imported settings to take effect, particularly DHCP. WARNING: The network connection may be lost when the import is performed if the network settings in the archive are different from those currently in use. View archive.txt / View current.txt: Click here to view the current.txt file. Click he
242. i Mode Authentication; Universal Access Method over SSL; IEEE 802.1x; Smart Client Support (Boingo, iPass); MAC Authentication; Remember Me Log-in.
ADVANCED SECURITY: iNAT; IPSec Support; PPTP Support; Session Rate Limiting (SRL); User Agent Filtering; MAC Address Filtering; URL Filtering; ICMP Blocking; Proxy ARP for device-to-device communication.
POLICY BASED TRAFFIC SHAPING: Bandwidth Management; QoS Tagging; Group Bandwidth Management.
IP ADDRESS MANAGEMENT: IEEE 802.3/3u/3ab; IEEE 802.1d; DHCP Server; DHCP Relay; Multiple Subnet Support; IP Upsell; DHCP Client; PPPoE Client.
INTELLIGENT ROAMING: Realm Based Routing; Zone Migration.
AG5800 Specifications (continued)
BRANDING: Parameter Passing enabled branding.
NETWORK MANAGEMENT: Web Management Interface (WMI); Command Line Interface (CLI); Integrated VPN Client for Management; RADIUS Driven Configuration; Multi-level Admin Support; Centralized RADIUS Authentication; SMTP Redirection; Access Control; Bridge Mode; SNMPv2c; Syslog; AAA Log.
MEDIA ACCESS CONTROL: CSMA/CA.
PORTS: 10/100/1000 Base-T Ethernet RJ-45 UTP WAN; 5 x 10/100/1000 Base-T Ethernet RJ-45 UTP LAN; front-access RJ-45 port for the serial System Console; DB9 serial port for the Property Management Interface.
POWER: 100-240 VAC, 50/60 Hz, 220 watts.
ENVIRONMENT: Operating temperature 0 °C to 40 °C; Storage temperature -20 °C to 70 °C; Operati
243. ick on IP. The IP Statistics screen appears. It lists the following counters (in the sample screen total is 3343 and the remaining counters are 0): total, badsum, tooshort, toosmall, badhlen, badlen, infragments, fragdropped, fragtimeout, forward, cantforward, redirectsent, unknownprotocol, nobuffers, reassembled, outfragments, noroute.
Viewing IPSec Tunnel Status (IPSec)
To view the current IPSec Tunnel Status, go to the Web Management Interface, click on Network Info, then click on IPSec.
Viewing NAT IP Address Usage (NAT IP Usage)
To view the current NAT IP Address Usage, go to the Web Management Interface, click on Network Info, then click on NAT IP Usage. The NAT IP Usage summary screen appears, with one row per NAT IP address:
NAT IP Address | Cumul. Assigned | Currently Assigned | Cumul. DAT Sessions | Current DAT Sessions
172.17.0.12 | 4 | 1 | 270 | 203
172.17.0.111 | 1 | 1 | 49 | 48
172.17.0.112 | 1 | 1 | 25 | 24
172.17.0.113 | 1 | 1 | 105 | 104
(The Network Info menu shown beside the table also lists ARP, DAT, DNSSEC, Hosts, ICMP, Interfaces, IPSec, Login Page Failover, Packet Capture, Summary, Routing, Sockets, Static Port Mapping and Subscriber Tunnels.)
Displaying the Routing Tables (Routing)
You can display the current Routing Tables, including any dynamically generated routes, unreachable routes or wildcard routes. To view the Routing Tab
244. ick on the Reset button if you want to reset the port value to its blank state.
Exporting Port Location Assignments (Export)
This procedure shows you how to export your current port location assignments to the location.txt file, which is resident in the Access Gateway's flash memory (flash/location.txt). Exporting your current port location assignments to the Access Gateway's flash memory will overwrite the existing location.txt file.
1. From the Web Management Interface, click on Port Location, then Export. The Export Port Location Assignments screen appears: Export Port Location assignments to flash/location.txt (Export).
2. Click on the Export button to export the port location assignments to the flash/location.txt file.
Finding Port Location Assignments by Description (Find by Description)
This procedure shows you how to find a port location assignment based on its description. This procedure is useful if you want to review the details of a specific port location. You can also find port locations based on their location or port.
1. From the Web Management Interface, click on Port Location, then Find by Description. The Find a Port Location Assignment by Description screen appears: Enter Description; Show; Reset.
2. In the Enter Description f
245. icros POS emulation to query and post to Hilton Corporation's OnQ PMS system.
4. To view or modify the PMS Redirector Service parameters, click the Configure link next to the PMS Redirector selector option. The PMS Redirector page appears.
PMS Redirector Filters: Filter From PMS; Filter To PMS.
Link Initialization Records (as shown on the screen): LD DA__DATE__ TI_TIME__ V _VERSION__IFWAW LRIRIPS FLRNPTTADATIP CT LRIRIPA FLRNASP DATI LRIRIPRIFLPIDATIP CT LRIRIPLIFLRNG GNDATIP LRIRIGI FLDATIRN
Expected Responses (Record ID, Expected Response, Time Out): PR, PLIPA, 15; PS, PA, 15; xL, 15.
Note: PMS solutions such as Galaxy require this option to be enabled to work with Nomadix Micros POS emulation in wireless hospitality networks.
Some PMS systems send selection records as the last name padded with white space (ASCII 0x20) on the right, followed by a comma, the first-name initial and some flags. Normally the Access Gateway compares every character of the name as typed by the user to the contents of the selection record. If the Match Last Name Only feature is enabled, the Access Gateway compares the user's input only with the part of the selection record that comes before the comma (it assumes that the user only enters a las
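The name comparison described above, as an added worked example (illustration code, not the Access Gateway's implementation): it parses constructed selection records in the layout the text describes and shows why a typed last name matches only when Match Last Name Only is on. The field layout after the comma, the case folding and the record values are assumptions. One consequence worth checking before enabling the option: with last-name-only matching, two guests with the same surname produce two hits, so another selector (the room number, for instance) should be required before charges are posted to a room.

```python
# Added example (not Nomadix code): matching a guest's typed name against PMS
# selection records in "full" and "Match Last Name Only" modes. The record
# layout after the comma (initial, flags) and the case folding are assumptions.

# Constructed sample records: last name padded with spaces (0x20) on the right,
# then a comma, then a first-name initial and flag characters.
SAMPLE_SELECTION_RECORDS = [
    "SMITH     ,J  01",
    "SMITH     ,M  02",
    "SMITHSON  ,A  00",
]


def selection_record_last_name(record: str) -> str:
    """Part of the record before the first comma, with the right padding removed.
    A record without a comma is treated as a bare last name."""
    head, _, _ = record.partition(",")
    return head.rstrip(" ")


def matches(user_input: str, record: str, match_last_name_only: bool) -> bool:
    """Full mode compares what the guest typed against the whole record, so the
    padding, comma, initial and flags would all have to be reproduced.
    Last-name-only mode compares only against the text before the comma.
    The comparison is case-insensitive here (assumption)."""
    typed = user_input.strip().upper()
    if match_last_name_only:
        return typed == selection_record_last_name(record).upper()
    return typed == record.upper()


def lookup(user_input: str, records, match_last_name_only: bool) -> list:
    """All records the typed name matches. More than one hit means the last
    name alone does not identify the guest, so a further selector (such as the
    room number) is needed before a charge is posted."""
    return [r for r in records if matches(user_input, r, match_last_name_only)]
```

Run `lookup("smith", SAMPLE_SELECTION_RECORDS, True)` to see the two-hit case; in full mode the same input matches nothing, which is the behaviour the option exists to fix.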
246. ield, enter the description of the assignment you want to find. Note: the system ignores the case (upper or lower) of the characters you enter.
3. Click on the Show button to view the specified port location assignment, or click on the Reset button if you want to reset the description value to its blank state. The requested port location is displayed.
Finding Port Location Assignments by Location (Find by Location)
This procedure shows you how to find a port location assignment based on its location. This procedure is useful if you want to review the details of a specific port location. You can also find port locations based on their description or port.
1. From the Web Management Interface, click on Port Location, then Find by Location. The Find a Port Location Assignment by Location screen appears: Enter Location; Show; Reset.
2. In the Enter Location field, enter the location of the assignment you want to find. Note: the system ignores the case (upper or lower) of the characters you enter.
3. Click on the Show button to view the specified port location assignment, or click on the Reset button if you want to reset the location value to its blank state. The requested port location is displayed with its Location, Port, State, Description and Subnet (in the sample screen: location 1, state No Charge).
247. igbrowndog. Enter the external authorization server's URL, then enter its IP address as a pass-through IP address.
Information and Control Console (ICC)
The ICC is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displaying a dynamic time field to inform them of the time remaining on their account. The ICC also offers service providers an opportunity to display advertising banners and provide a choice of redirection options. For information about configuring the ICC, refer to Defining Languages (Language Support) on page 233.
ICC Pop-Up Window
The ICC displays an HTML-based applet in the form of a pop-up window from which subscribers can dynamically control their billing options and bandwidth, and which allows service providers to display advertising banners and redirect their subscribers to predetermined Web sites. (Sample ICC window: bandwidth selection (256/128), banner pull-down (amazon.com), Plan A, redirect buttons, message bar, time remaining.)
The pop-up window automatically displays at Home Page Redirection (HPR) or whenever the subscriber brings up a new browser window.
Logout Console
The Access Gateway allows System A
248. igh Speed Internet Access (HSIA) service. This module also includes 2-Way PMS interface capability for in-room billing in a Wi-Fi enabled network. In addition, the Hospitality Module includes the Bill Mirror functionality for posting billing records to multiple sources. With this module the NSE also supports billing over a TCP/IP connection to select PMS interfaces.
PMS Integration
Note: Your product license may not support this feature. Some Property Management Systems may require you to obtain a license before integrating the PMS with the Access Gateway. Check with the PMS vendor.
By integrating with a hotel's PMS, your NSE-powered product can post charges for Internet access directly to a guest's hotel bill. In this case the guest is billed only once. The NSE outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. Nomadix Access Gateways are equipped with a serial PMS interface port to facilitate connectivity with a customer's Property Management System.
High Availability Module
Note: Your product license may not support this feature.
The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can ta
249. igured. This ability allows for having different billing methods and billing plans on different ports, identified by VLANs or by SNMP Port Query of the concentrator. A practical application of this feature is to have a normal hotel room with a plan A that is 9.99 for a day with PMS billing, and a meeting room with a plan of 14.99 an hour with Credit Card billing. In order for the port-based policies to work you must enable Port Based Billing Policies. See also Adding and Updating Port Location Assignments (Add) on page 194.
Enable or disable HTTPS Redirection. The NSE responds to regular HTTP requests from pending subscribers with a redirection to the login screen. The NSE does not respond to HTTPS requests from pending subscribers (requests with destination port 443) with a redirect; in the browser this results in a timeout or an invalid-certificate warning. Enabling HTTPS Redirection makes the NSE answer these connections with its own certificate so that it can redirect the subscriber to the login screen. Because that certificate is not valid for the site the subscriber asked for, the browser shows a certificate warning, and the subscriber must accept the security exception before the redirect is presented. Browsers do not offer this exception for sites they already know as HSTS-only, so those requests still fail.
14. Depending on which authorization mode you choose, go to the following sub-sections in this procedure.
Enabling AAA Services with the Internal Web Server: The IWS is flashed into the system's memory and the subscriber's login page is served directly from the Access Gateway.
Enabling AAA Services with an External Web Server: In the EWS mode the Access Gat
250. illing Plan(s) available on port.
Please note that while it is possible to set the value of a per-port configuration parameter independently of the value of the corresponding global parameter, the feature itself is disabled for a port unless both the per-port and the global parameter are set to enabled. Thus:
- RADIUS authentication for a port is enabled only if the RADIUS Client is globally enabled AND the per-port enable RADIUS billing parameter is set.
- Credit card billing for a port is enabled only if Credit Card Services is globally enabled AND the per-port enable Credit Card billing parameter is set.
- PMS billing for a port is enabled only if PMS Services is globally enabled AND the per-port enable PMS billing parameter is set.
- Tunneling for a port is enabled only if Tunneling is globally enabled AND the per-port enable Tunneling parameter is set.
8. Click on the Add button to save your changes (the message "Entry added or updated in the location file" appears), or click on the Reset button if you want to reset all the values to their previous state.
Updating a Port Location Assignment
The procedure for updating a port location assignment is similar to adding one. The difference between the two procedures is how they are presented to you. For example, if you already have port locations assigned and you enter an existing port value, each data field t
251. in or XML useradd or EWS with no associated plans; 1 indicates a subscriber added by Admin or XML useradd with no associated plans.
Viewing RADIUS Proxy Accounting Logs (RADIUS Session History)
These settings are available under the Subscriber Administration > RADIUS Session History menu.
RADIUS Proxy Accounting Session History. Note: up to the 2000 most recent accounting messages will be displayed. RADIUS Proxy Accounting History Collection: Enable logfile; Enable syslogs (NOTE: you must also enable RADIUS history syslog on the logging configuration page); Submit. RADIUS Proxy Accounting Session History: 0 records available (no history records are present).
Enable Logfile check box: When this setting is enabled, any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named RADHIST.RAD in the flash directory. This log contains accounting messages exchanged with downstream servers and upstream NASs. The size of the log file is limited to 2000 records (accounting messages) or 320000 bytes; when necessary, the oldest records are purged to make room for new records. If the logfile is disabled, the current logfile is purged from the flash. If it is re-enabled, only RADIUS accounting messages sent or received from that point in time forward are stored in the log. Because the on-box log is small and is deleted whenever the option is turned off, enable syslog forwarding as well if you need the accounting history for billing disputes or investigations.
Enable Syslogs check box: If enabled, then the same in
252. ing Settings added to the list.
RADIUS Service Profiles (up to 10 may be created). Columns: Unique Name, Primary Auth Server, Port, Primary Acct Server, Port, Method, Freq, Attempt. Sample rows as shown on the screen (server addresses partly garbled in the extraction):
(name not legible) | 6.2.7.5 | 1645 | 6.2.7.5 | 1646 | failover | 5 | 3
CMS | 6.2.7.6 | 1812 | 6.2.7.6 | 1813 | failover | 0 | 0
UMS IAS C | 6.2.7.4 | 1645 | 6.2.7.4 | 1645 | failover | 0 | 0
default | 6.2.7.3 | 1812 | 6.2.7.3 | 1813 | failover | 5 | 3
Add: click here to add a new RADIUS proxy profile. Your new Realm Routing Policies are added to the list.
Realm Routing Policies (up to 50 may be defined). Columns: Realm, Prefix/Suffix, Match, Strip, Profile. Sample rows: BOINGO, Prefix, no; IPASS, Prefix, no; GONG, Suffix, no. (An icon in the list indicates a policy configured as disabled.) Add: click here to add a new Realm Routing Policy. The Realm Routing Policy you just created is added to the list.
That covers the main steps for configuring an NSE to support L2TP tunneling.
Managing SMTP Redirection (SMTP)
When SMTP redirection is enabled for misconfigured or properly configured subscribers, the Access Gateway redirects the subscriber's e-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving e-mail is as easy as it has always been; this function is transparent to subscribers.
1. From the Web Management Interface, click on Configuration, then SMTP. The SMTP Redirection Settings screen appears: SMTP Redirection Settings; SMTP Redirection; Misc
253. ings were not changed. Cause: this is either a response to your decision not to change settings, or the message is generated by the system when it fails to locate the data it needs.
Error loading factory settings. Cause: the system cannot find the default configuration file when attempting to restore the factory settings.
Error occurred, ARP entry not added. Cause: the IP or MAC address is invalid. Ensure that you input the correct format for these fields.
NFS client support not included. Cause: this message is displayed when the system reboots and NFS clients are not supported.
No matching MAC address found in profile database. Cause: the system could not match the MAC address you defined while attempting to remove a subscriber profile.
not defined. Cause: this is the factory default for some system parameters.
The system must be rebooted to function properly / The system must be reset to function properly. Cause: you have made changes to the system's configuration that require you to reboot before your changes become effective.
Warning: before using this command you must FTP a valid boot image to the flash. Cause: when upgrading the software the system needs the new boot image file. You must FTP the file from Nomadix to your local hard drive.
Warning: no DHCP services are available to subscribers. Cause: this message is displayed because you have
254. interface via the serial port. (Screen: Submit and Reboot; View factory.txt: click here to view the factory.txt file; View current.txt: click here to view the current.txt file.)
2. Click on the Submit and Reboot button to replace the current system configuration settings with the factory default settings and reboot the Access Gateway.
Defining the Fail-Over Options (Fail Over)
Note: Your product license may not support this feature.
Many large-scale networks require fail-over support for all devices in the public access network. The Fail Over Options feature allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network. As part of this functionality, the settings (except IP addresses) of the two devices are synchronized automatically. Since the configuration is exchanged between the siblings over the Fail Over Port, that port should only be reachable from the sibling gateway.
1. From the Web Management Interface, click on System, then Fail Over. The Fail Over screen appears with the following fields: Fail Over: Enable (NOTE: Failover may not work with dynamically assigned IP addresses, i.e. DHCP or PPPoE client); NSE Status: Primary / Secondary; Sibling IP address (10.10.10.10 in the sample); Fail Over Port (4111); Secondary To Primary Fail Over Time (5 Mins; a change in this field does not require a reboot); NOTE: You must reboot for configuration changes to take effect; Reboot after changes are saved: Yes; Submit; Reset.
255. ints and Tips
The Access Gateway is both a hardware device and a powerful software utility. As a hardware computing device, the Access Gateway requires careful handling. It should be positioned in a dust-free and temperature-controlled environment. Never block the unit's ventilation holes, and do not stack it with other equipment unless it is correctly mounted in a rack. If you suspect the unit is overheating, check that the internal cooling fan is operating correctly; the fan should run freely and silently at all times. The power cord and the UTP patch cables must have an unrestricted path between the unit and their destinations. Ensure that the RJ45 connectors are firmly seated in their receptacles. Applying these guidelines should ensure trouble-free operation.
Management Interface Error Messages
The following table contains the error messages associated with the Management Interface (CLI and Web). All messages are listed alphabetically.
AAA must be enabled before adding a subscriber to the profile database. Cause: you are attempting to add a subscriber profile while AAA is disabled.
Command not available: xx. Cause: the system does not recognize your command (xx denotes your input).
Current settings were not archived. Cause: this message is displayed if you answer "no" when prompted to overwrite the configuration archive file with new settings.
Current sett
256. ion. The following steps are needed to configure the main WAN interface:
1. Enter c (configuration) at the Access Gateway menu. The Configuration menu appears.
2. Enter eth (ethernet).
3. After you have entered yes to the initial prompt, enter mod int WAN, or m i WAN (modify interface WAN). Note that modes and interface names are case-sensitive. The configuration then steps through the settings one by one.
4. The port role for the WAN port should already be set to WAN; just press <enter>.
5. Set the configuration mode to match your network settings.
6. Set the remaining network settings.
7. The default uplink and download speed is 15 Mbps. Enter different values if desired. In the 8.2 NSE, bandwidth and DNS settings are configured separately for each WAN interface. You can configure them later in the WAN configuration dialog in the Web Management Interface.
8. If you do not wish to configure additional NAT IP addresses at this time, type b.
9. A summary of the WAN port settings is now displayed; if they are correct, type b again.
You will now see the Nomadix location configuration page. Enter the contact data and agree to the Nomadix End User License Agreement. Your license will be retrieved when you enter y. The NSE will then reboot to activate your license settings.
CLI reference: configuration > eth > show all: Show all WAN interface configuration. show
257. ion.
- Enter the host name, which is the DDNS name that is mapped to the client IP address, in the Hostname field. The DDNS mapping is configured on the DynDNS.org account.
- Enter the user name for the DDNS server account in the Username field.
- Enter the password for the DDNS server account in the Password field.
5. In the Force Update field, click Submit and Force Update to force an immediate update to the DDNS. Note that too many updates may be considered abuse by the DDNS vendor. Alternatively, click Submit to save the settings, or Reset to clear the changes and return the settings to their previous state.
Ethernet Ports (WAN) 8.2
NSE 8.2 provides support for multiple, separately configurable WAN interfaces. You may assign each interface as a WAN, as a Subscriber Interface, or specify that it remain out of service. Each interface has its own IP, DNS, bandwidth, VLAN and NAT IP addresses, and can obtain its IP address by DHCP, PPPoE or static configuration. The number of configurable WANs will vary with the Access Gateway hardware; see <cross reference> for these details. The NSE can now support up to five AG5800 WAN interfaces at once, using completely independent network settings for each. Each WAN port has independent Mode, IP, DNS, iNAT, Monitoring, Additional NAT addresses, 802.1Q tagging and bandwidth settings. Roles for most ports (those marked either EthX o
258. ion, including:
- Identity of the users: is random ISP selection used, or is it desirable to have certain users steered toward a particular ISP?
- For random ISP selection: whether subscriber-based, destination-address-based or session-based link selection is used.
User-Based ISP Selection versus Random ISP Selection
User-based ISP selection is the process whereby the ISP link selected in a load-balanced environment is based on the identity of the user. For example, all users from guest rooms may be steered toward one ISP link, and all meeting-room users toward another ISP link that is only used for meetings and conferences. The alternative is random ISP selection, whereby the load balancer (or NSE) selects the ISP to be used according to the current load conditions. The Nomadix NSE uses random ISP selection by default.
Link Availability Detection Method and Time
Load balancing and failover require some form of monitoring of each ISP link to determine its availability, so that load-balancing and failover decisions can be executed. Generally, link monitoring is accomplished by two different methods:
1. Periodic probing of predefined hosts using HTTP or ICMP ping requests.
2. Periodic DNS queries to the DNS servers provided by each ISP.
The period between successive link tests is usually configurable and is typically set to between 30 and 60 seconds. This represents the maximum time for which a user will remain connected to a failed ISP connect
259. ion before being re-routed to a working ISP link in an ISP failure scenario.
Traffic Balancing and Weighting
Load balancers have some form of weighting of traffic between links to achieve a desired balance. With the Nomadix NSE, traffic is balanced by individual subscriber numbers and weighted according to the speed of the ISP connected to each port. For example, if an NSE has 2 x 10 Mbps links connected and currently has 100 active subscribers, then 50 users would be connected to each link. If the ISP links were 10 Mbps and 40 Mbps, then 20 users would be connected to the 10 Mbps link and 80 users to the 40 Mbps link, and so on.
Load Rebalancing upon Link Recovery
Load balancing and failover with well-configured link availability detection provide fast and effective recovery from ISP link failures. Additional consideration must be given to what actions should be taken when a failed ISP link recovers. The Nomadix approach is to rebalance as the ISP links change, thus making sure the maximum level of service is always provided. There is a small yet important waiting time to ensure that changing links is kept to a minimum.
Load Balancing and Failure Considerations
1. Is load balancing or just ISP failover required?
2. Is aggregation of multiple low-speed links required?
3. How reliable are the different local ISP services?
4. What are the relative costs of the different ISP services?
5. Do ISP links
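The weighting, failover and recovery behaviour described in this section, as an added example (not Nomadix code): a simulator that places subscribers on links in proportion to link speed, moves everyone off a link as soon as a probe round reports it down, and moves users back only after the recovered link has passed a hold-down of good probe rounds. Link names, speeds, the 100-subscriber population and the two-round hold-down are constructed; the page does not state the real NSE waiting time. The figures from the text (50/50 for two 10 Mbps links, 20/80 for 10 and 40 Mbps) fall out of the proportional split.

```python
# Added example (not Nomadix code): subscriber-count load balancing weighted by
# ISP link speed, with immediate failover away from a failed link and delayed
# rebalancing when it recovers. Link names, speeds and the probe cadence are
# constructed; the hold-down length is an assumption.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Link:
    name: str
    speed_mbps: int
    up: bool = True
    stable_probes: int = 0  # consecutive good probes since the link (re)appeared


class Balancer:
    def __init__(self, links: List[Link], recovery_hold_probes: int = 2):
        self.links = {link.name: link for link in links}
        self.recovery_hold_probes = recovery_hold_probes
        self.assignments: Dict[str, str] = {}  # subscriber id -> link name
        for link in links:  # links are usable from the start
            link.stable_probes = recovery_hold_probes

    def eligible(self) -> List[Link]:
        """Links that are up and have stayed up through the hold-down."""
        return [l for l in self.links.values()
                if l.up and l.stable_probes >= self.recovery_hold_probes]

    def target_counts(self, total: int) -> Dict[str, int]:
        """Split `total` subscribers across eligible links in proportion to link
        speed, using largest-remainder rounding so the counts sum to total."""
        links = self.eligible()
        if not links:
            return {}
        speed_sum = sum(l.speed_mbps for l in links)
        raw = {l.name: total * l.speed_mbps / speed_sum for l in links}
        counts = {n: int(v) for n, v in raw.items()}
        leftover = total - sum(counts.values())
        for n in sorted(raw, key=lambda n: raw[n] - counts[n], reverse=True)[:leftover]:
            counts[n] += 1
        return counts

    def current_counts(self) -> Dict[str, int]:
        counts = {n: 0 for n in self.links}
        for link_name in self.assignments.values():
            counts[link_name] += 1
        return counts

    def choose_link(self) -> str:
        """Random (load-based, not user-based) selection: the eligible link
        furthest below its proportional share once this subscriber is added."""
        targets = self.target_counts(len(self.assignments) + 1)
        if not targets:
            raise RuntimeError("no ISP link available")
        current = self.current_counts()
        return max(targets, key=lambda n: targets[n] - current[n])

    def add_subscriber(self, subscriber: str) -> str:
        self.assignments[subscriber] = self.choose_link()
        return self.assignments[subscriber]

    def rebalance(self) -> int:
        """Move subscribers from over-subscribed to under-subscribed links until
        the per-link counts match the targets. Returns the number of moves."""
        targets = self.target_counts(len(self.assignments))
        current = self.current_counts()
        moves = 0
        for subscriber, link_name in list(self.assignments.items()):
            if link_name in targets and current[link_name] <= targets[link_name]:
                continue
            dest = next((n for n in targets if current[n] < targets[n]), None)
            if dest is None:
                break
            self.assignments[subscriber] = dest
            current[link_name] -= 1
            current[dest] += 1
            moves += 1
        return moves

    def probe(self, results: Dict[str, bool]) -> int:
        """Apply one round of link-availability results (for example a 30-60 s
        HTTP or ICMP probe cycle). Subscribers on a failed link are moved at
        once; a recovered link receives subscribers back only after
        recovery_hold_probes consecutive good rounds. Returns subscribers moved."""
        newly_eligible = False
        for name, ok in results.items():
            link = self.links[name]
            was_eligible = link.up and link.stable_probes >= self.recovery_hold_probes
            if ok:
                link.up = True
                link.stable_probes += 1
                if not was_eligible and link.stable_probes >= self.recovery_hold_probes:
                    newly_eligible = True
            else:
                link.up = False
                link.stable_probes = 0
        moves = 0
        eligible_names = {l.name for l in self.eligible()}
        if not eligible_names:
            return moves  # nothing to fail over to; subscribers stay where they are
        for subscriber, link_name in list(self.assignments.items()):
            if link_name not in eligible_names:  # failover off the dead link
                del self.assignments[subscriber]
                self.assignments[subscriber] = self.choose_link()
                moves += 1
        if newly_eligible:  # rebalance onto the recovered link
            moves += self.rebalance()
        return moves
```

Adding subscribers one at a time with `add_subscriber` never moves an existing user (their NAT state would break), so balance comes from where each new user is placed; only a link event triggers `rebalance`, which is the "rebalance as the ISP links change" policy, gated by the hold-down.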
260. ion of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the Access Gateway and are dynamically linked to the system's functional command sets. You can access the WMI from any Web browser. Your browser preferences (or Internet options) should be set to compare loaded pages with cached pages.
To connect to the Web Management Interface, do the following:
1. Establish a connection to the Internet.
2. Open your Web browser.
3. Enter the network interface IP address of the Access Gateway set up during the installation process.
4. Log in as usual, supplying your user name and password.
To access any menu item from the WMI, click on the item you want. The corresponding work screen then appears in the right-side frame. From here you can control the features and settings related to your selection. Although the appearance is very different from the Command Line Interface, the information displayed to you is basically the same. The only difference between the two interfaces is in the method used for making selections and applying your changes: selections are check boxes, and changes are applied by pressing the Submit button. Pressing the Reset button resets the screen to its previous state, clearing all your changes without applying them.
Selecting the language of the Web Management Interface
You can click on Language Selection to change the language of the Web Management Interface text. Current
261. it button to save your changes (a reboot is not required), or click on the Reset button if you want to reset all the values to their previous state.
Managing the DNS Options (DNS)
DNS allows subscribers to enter meaningful URLs into their browsers instead of numeric IP addresses, by automatically converting the names into the correct IP addresses. You can assign a primary, secondary or tertiary (third) DNS server. The Access Gateway utilizes whichever server is currently available. Use the following procedure to set the DNS configuration options.
1. From the Web Management Interface, click on Configuration, then DNS. The Domain Name System (DNS) Settings screen appears.
2. Enter the Host Name (the DNS name of the Access Gateway). Note: the host name must not contain any spaces.
3. Enter a valid Domain name (the Internet domain that DNS requests will utilize).
4. Enter the IP addresses of the DNS servers, located at the customer's network operating center, where DNS requests are sent: Primary DNS Server, Secondary DNS Server and Tertiary DNS Server. The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
5. Enter a DNS Redirection Port and a Proxy DNS Port.
6. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved to reboot the system after s
262. ized RADIUS server that specifies the location of the meta-configuration file containing a listing of the individual configuration files and their download frequency status; these files are downloaded from an FTP server into the flash of the Nomadix device.
2. Defines the automated login into the centralized FTP server and the actual download process into the flash.
(Figure: Step 1, RADIUS Authentication Request/Response message to determine the location of the meta-configuration file (RADIUS Server); Step 2, FTP download of configuration files (secure).)
The Auto Configuration setup requires a few basic steps to be completed by both the field engineer and the NOC administrator. Note that FTP carries the login credentials and the configuration files in clear text, so the path between the gateway and the FTP server should be a trusted or tunneled network.
Administrative Steps to Enable Auto Config
Typically these tasks are performed either at a device pre-staging center or by the field engineer.
1. Establish a WAN connection and electronically accept the EULA.
2. Set up the RADIUS Server parameters (go to Defining the Realm Based Routing Settings (Realm Based Routing) on page 158).
3. Set up the Username and Password for RADIUS Authentication.
Administrative Steps to Enable Auto Config for the NOC Administrator
1. Add the NAS IP address.
2. Add the Nomadix Auto Config VSA to the Nomadix dictionary file on the RADIUS server.
3. Create a RADIUS profile with the configuration VSA.
4. Create an FTP server with the configuration files.
263. ke effect.
You can view a grid of acceptable screen colors. To view the grid, click on the View Color Grid link. The Browser Safe Background Colors by RGB screen appears (partial view only shown here): "Here are the various browser-safe Web colors. Of course there are many more colors possible than those shown here, but these are the 216 colors that match the popular browsers' palettes. So if you use these colors you can be reasonably sure they will appear as you intended on a random subscriber's color display. The colors are represented with their 6 hex digit codes, as you would enter them in HTML. The first 2 hex digits represent red, the middle 2 green, the last 2 blue."
Click on the check box for Partner Image to enable this feature, then enter the name of the image file in the Partner Image File Name field. See Subscriber Login Screen Sample on page 241. If you made changes to the Image File Name or Partner Image File Name fields, you must reboot the Access Gateway for your changes to take effect; in this case, click on the check box for Reboot after changes are saved. Note: the partner image splash screen is not the same screen that is defined by the Image File Name (IWS screen) field.
Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their pre
264. ke over if the primary device fails, ensuring that Wi-Fi service remains uninterrupted.
Network Architecture Sample
The Access Gateway can be deployed effectively in a variety of wireless and wired broadband environments where there are many users, usually mobile, who need high-speed access to the Internet. The following example shows a potential Hospitality application. (Figure: Guest Room, DSL Modem.)
Load Balancing and Link Failover (8.2)
This section describes the optional NSE 8.2 Load Balancing features. The 8.2 NSE supports individual configuration of multiple WANs on an Access Gateway (supported on AG2400, AG5600 and AG5800 hardware). Hotels can use this capability in a number of ways, including load balancing, failure protection and subscriber allocation. This section provides use cases and scenarios to help you consider the full advantage of these capabilities.
Definitions and Concepts
Load Balancing: Load balancing refers to the general process of balancing user traffic across multiple ISP connections. All load balancing appliances, as well as the Nomadix NSE, support load balancing.
Link Aggregation: Link aggregation refers to the process of connecting multiple ISP connections to an appliance and having the sum of all of the ISP bandwidth available to be shared across all users. However, one individual connection is limited to the s
265. all unassigned ports (for example, ports above 1024), thus ensuring far fewer proxy-related support calls than competitive products.

End User Licensee Count: The NSE supports a range of simultaneous user counts depending on the Nomadix Access Gateway you choose. In addition, depending on your platform, various user count upgrades are available for each of our NSE-powered products that allow you to increase the simultaneous user count.

External Web Server Mode: The External Web Server (EWS) interface is for customers who want to develop and use their own content. It allows you to create a richer environment than is possible with your product's embedded Internal Web Server. The advantages of using an External Web Server are:
• Manage frequently changing content from one location
• Serve different pages depending on site, sub-location (for example, VLAN) and user
• Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans
• Recycle existing Web page content for the centrally hosted portal page
If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also Contact Information on page 353.

Home Page Redirect: The NSE supports a comprehensive HTTP redirect logic that allows network administrators to define multiple instances to intercept the browser's request and replace it with freely configurable
266. [Screen: Passthrough Addresses, with Enable check box and Submit button] Please enter either an IP address or a DNS name and click on one of the provided buttons. Note: a DNS name should not contain protocol, port or path information. Up to 300 Passthrough Addresses can be entered. [Fields: IP/DNS Name; Add; Remove] Current Passthrough Addresses: DNS names www.nomadix.com, a hotmail.com login host and login.msnia.passport.com; IP addresses 1.2.3.4, 2.3.4.5, 5.6.7.8 and 6.7.8.9. Number of Passthrough Addresses: 7.

If required, enable Passthrough Addresses, then click on the Submit button. In the IP/DNS Name field, enter the IP address or DNS name of the pass-through you want to add to or remove from the system. The system only accepts root DNS names (for example, www.nomadix.com). Do not include protocol, port or path information.
4. If adding this pass-through, click on the Add button; otherwise click on Remove to delete this pass-through from the list.

Assigning a PMS Service (PMS): Your product license may not support this feature. The Access Gateway can be integrated with existing Property Management Systems. For example, by integrating with a hotel's PMS, the Access Gateway can post charges for Internet access directly to a guest's hotel bill; in this case the guest is billed only once. The Access Gateway outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. The Access Gateway offers post-paid PM
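The entry rules stated for the pass-through (walled garden) list above, applied in code. This is an added example, not Nomadix code: it accepts an IPv4 address or a bare DNS host name, rejects entries carrying a scheme, port or path, de-duplicates case and trailing-dot variants, and stops at the documented limit of 300. The sample batch is constructed; the host names under example.com are placeholders.

```python
import ipaddress
import re

MAX_PASSTHROUGH = 300   # the screen accepts up to 300 entries

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens, at
# least two labels so that bare words are not mistaken for hosts.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def classify_passthrough(entry: str):
    """Return ('ip', text) or ('dns', text) for an acceptable entry.

    Raises ValueError with the reason the screen would reject it.
    """
    text = entry.strip()
    if not text:
        raise ValueError("empty entry")
    try:                                   # IPv4 address, as in the screen's list
        return "ip", str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        pass
    if "://" in text:
        raise ValueError("protocol prefix not allowed; enter a bare host name")
    if "/" in text:
        raise ValueError("path information not allowed")
    if ":" in text:
        raise ValueError("port number not allowed")
    if _HOSTNAME_RE.match(text):
        return "dns", text.rstrip(".").lower()
    raise ValueError(f"not an IPv4 address or DNS name: {text!r}")


def build_passthrough_list(entries):
    """Apply the rules to a batch; return (accepted, rejected_with_reason)."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            item = classify_passthrough(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if item in accepted:
            continue                        # duplicate after normalisation
        if len(accepted) >= MAX_PASSTHROUGH:
            rejected.append((raw, f"limit of {MAX_PASSTHROUGH} pass-through addresses reached"))
            continue
        accepted.append(item)
    return accepted, rejected


# Constructed batch: valid entries mixed with the mistakes the note warns about.
SAMPLE_ENTRIES = [
    "www.nomadix.com",
    "1.2.3.4",
    "http://login.example.com",    # scheme: rejected
    "login.example.com:443",       # port: rejected
    "login.example.com/auth",      # path: rejected
    "WWW.NOMADIX.COM.",            # same host as the first entry
    "2.3.4.5",
]

if __name__ == "__main__":
    ok, bad = build_passthrough_list(SAMPLE_ENTRIES)
    print("Number of Passthrough Addresses:", len(ok))
    for raw, why in bad:
        print("rejected:", raw, "->", why)
```

Because a DNS entry is honoured by name, every address that name resolves to becomes reachable by unauthenticated subscribers; keep the list to hosts the portal and billing flows genuinely need.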
267. Requires ACC to be enabled to function properly. Remote Port: Optional. Leave blank (zero) if you want to connect to the device from any TCP/UDP port of a network-side workstation. Protocol: TCP. Note: Please make sure that the device with the Internal IP address has been added to the subscriber's table. [Add] [Reset]

2. Enter the Internal IP Address. Ensure that the device with the Internal IP Address has been added to the subscriber's table.
3. Enter the Internal Port reference.
4. Enter a valid MAC Address.
5. Enter the External IP Address. The External IP Address field will default to the IP address of the Access Gateway.
6. Enter the External Port reference.
7. Optional: Enter the Remote IP Address. Leave this field set to zero if you want to connect to the internal device from any network-side workstation.
8. Optional: Enable the Protect with Source IP based Access Control option. Enabling this will only allow addresses in the source-based access control list to connect on this port mapping. Source-based access control needs to be enabled for this to be in effect.
9. Optional: Enter the Remote Port reference. Leave this field set to zero if you want to connect to the device from any TCP/UDP port of a network-side workstation.
10. Select the protocol (TCP or UDP) from the pull-down menu.
11. Click on the Add button to add this static port, or click on the Reset button t
268. tables, go to the Web Management Interface and click on Network Info > Routing (pre-8.2 NSE) or System > Routing (8.2). See Displaying the Routing Tables (Routing 8.2) for additional 8.2-specific information. The Routing Tables screen appears.

[Screen: Routing Tables. ROUTE NET TABLE with columns destination, gateway, flags, Refcnt, Use, Interface: a default route 0.0.0.0 via 1.2.3.4 and two network routes via 5.6.7.8 and 3.4.5.6 on the fei interfaces. ROUTE HOST TABLE with the same columns: host routes for 10.1.1.86, 10.1.1.109, 10.1.1.205 and 10.1.1.225, and 127.0.0.1 via 127.0.0.2 on lo0. Routing statistics: bad routing redirects, dynamically created routes, new gateway due to redirects, destination found unreachable, use of a wildcard route.]

Displaying the Routing Tables (Routing 8.2): In the 8.2 NSE, routing tables are available at System > Routing. The Routing Tables screen appears. You will make all routing configuration additions and deletions from this screen. In the 8.2 NSE this screen includes:
• Active Routing Table, which provides routing configuration details and the ability to delete routes
[Screen: Active Routing Table with columns Destination, Gateway, Flags, Interface, Type; for example 192.168.110.1, flags 0x8c3, Eth1, system; 40.0.2.1, flags 0x8c3, Eth2, system]
269. publicly routable IP addresses. The same public IP address can be used as a source IP to support concurrent tunnels to different termination devices, offering unmatched efficiency in the utilization of costly public IP addresses. If the protocol type can be supported without the use of a public IP (for example, HTTP, FTP), our proven Dynamic Address Translation functionality continues to be used. Some of the benefits of iNAT include:
• Improves the success rate of VPN connectivity by misconfigured users, thus reducing customer support costs and boosting customer satisfaction
• Maintains the security benefits of traditional address translation technologies while enabling secure VPN connections for mobile workers accessing corporate resources from a public access location
• Dynamically adjusts the mode of address translation during the user's session, depending on the packet type
• Supports users with static private IP addresses (for example, 192.168.x.x) or public (different subnet) IP addresses without any changes to the client IP settings
• Dramatically heightens the reusability factor of costly public IP addresses

Information and Control Console: The Nomadix ICC is an HTML-based pop-up window that is presented to subscribers in their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit ca
270. Billing Options
• Duration-based Billing Plans
Setting Up a Normal Billing Plan (including pricing and bandwidth); Setting Up an X over Y Billing Plan; Messages displayed to subscribers, including an Introduction Message, Offer Message and Policy Message; Billing schemes (units of access); Free billing options (free access); Promotional code options (for example, when offering a percentage discount).

Duration-based Billing Plans: The purpose of this feature is to let hotels create billing plans that work in a similar fashion to pre-paid telephone cards. This means that an operator can set the Access Gateway's Internal Web Server (IWS) to allow users online on a "time X over period Y" basis. Standard billing plans (where time X equals period Y) can be used concurrently with X over Y plans. For example, multiple plans with flexible billing event options can be rolled out, such as:
Plan A: 24 hours, 256 kbit/s downstream, 128 kbit/s upstream, public IP address, charge 15
Plan B: 8 hours to be used over 5 days, 512 kbit/s downstream, 256 kbit/s upstream, private IP address, charge 35
Plan C: 1 week, 1 Mbit/s downstream, 1 Mbit/s upstream, public IP address, charge 99
In addition to credit card billing, Property Management Systems used by hotels are also supported, along with the internal database of the Access Gateway and billing via Nomadix se
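The "time X over period Y" accounting described above, as an added example rather than Nomadix's own implementation. Plan A and Plan B are the plans from the text; the session timestamps are constructed. The model shows the two limits that interact: the purchased X hours and the Y-day window that starts at first login, with a session clipped at whichever is reached first, and nothing granted once the window has lapsed even if hours remain.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DurationPlan:
    name: str
    time_hours: float     # X: online time purchased
    period_days: float    # Y: window, from first login, in which X may be used
    charge: float         # price in the currency configured on the gateway

    @property
    def is_standard(self) -> bool:
        """A standard plan is the special case where time X equals period Y."""
        return self.time_hours == self.period_days * 24


@dataclass
class Subscription:
    plan: DurationPlan
    first_login: Optional[datetime] = None
    used: timedelta = field(default_factory=timedelta)

    def period_end(self) -> Optional[datetime]:
        if self.first_login is None:
            return None
        return self.first_login + timedelta(days=self.plan.period_days)

    def record_session(self, start: datetime, end: datetime) -> timedelta:
        """Charge a session against the plan and return the time actually granted.

        The session is clipped at whichever limit comes first: the end of period
        Y or the exhaustion of the purchased X hours. Nothing is granted after
        the period has lapsed, even if X is not used up.
        """
        if end < start:
            raise ValueError("session end precedes its start")
        if self.first_login is None:
            self.first_login = start          # period Y starts at first use
        cutoff = min(end, self.period_end())
        if cutoff <= start:
            return timedelta(0)
        granted = min(cutoff - start, self.time_remaining(start))
        self.used += granted
        return granted

    def time_remaining(self, now: datetime) -> timedelta:
        """Usable time left at `now`: zero once period Y has lapsed or X is consumed."""
        if self.first_login is not None and now >= self.period_end():
            return timedelta(0)
        return max(timedelta(hours=self.plan.time_hours) - self.used, timedelta(0))


def remaining_hours(sub: Subscription, days_after_first_login: float) -> float:
    """Report helper: hours left N days after the subscriber's first login."""
    when = sub.first_login + timedelta(days=days_after_first_login)
    return sub.time_remaining(when).total_seconds() / 3600


# Plans A and B from the text (charge in the gateway's configured currency).
PLAN_A = DurationPlan("Plan A", time_hours=24, period_days=1, charge=15)
PLAN_B = DurationPlan("Plan B", time_hours=8, period_days=5, charge=35)


def demo_plan_b():
    """Constructed usage: 3 h on day 1, 4 h on day 3, then an attempt on day 6."""
    sub = Subscription(PLAN_B)
    t0 = datetime(2010, 5, 18, 9, 0)
    sub.record_session(t0, t0 + timedelta(hours=3))
    sub.record_session(t0 + timedelta(days=2), t0 + timedelta(days=2, hours=4))
    late = sub.record_session(t0 + timedelta(days=6), t0 + timedelta(days=6, hours=1))
    return sub, late.total_seconds() / 3600


def demo_plan_a_overrun():
    """Constructed usage: a 30 h session against Plan A is clipped to its 24 h."""
    sub = Subscription(PLAN_A)
    t0 = datetime(2010, 5, 18, 9, 0)
    return sub.record_session(t0, t0 + timedelta(hours=30)).total_seconds() / 3600
```

On the gateway the clock that drives these limits is the system time set under Configuration > Time, so a wrong time offset or an unsynchronised NTP source shifts every expiry.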
271. following mandatory location information details shown in Figure 8.

[Figure 8: Site location details. Ethernet port (WAN interface) configuration: Please enter your Company Name (your company name); Please enter your Site Name (your site name); Please enter your Address: Line 1, Line 2, City (your site city), State (your site state), ZIP/Postal Code, Country (your site country); Please enter your E-Mail Address (email address); Please select the venue type that most reflects your location (1 = Apartment ... 25 = Other); Please enter a number from the above list: Venue Type]

Step 3: Retrieving Your License Key. The system will now prompt you to accept or decline the End User License Agreement (EULA). You must accept the terms of the EULA before the AG can retrieve its license key. To retrieve the license key, enter y (yes) as shown in Figure 9. The AG retrieves the license key from the Nomadix license key server, then reboots.

[Figure 9] PLEASE READ THE NOMADIX END USER LICENSE AGREEMENT ("AGREEMENT") INCLUDED WITH THE NOMADIX PRODUCT. BY USING THIS SOFTWARE YOU INDICATE YOUR ACCEPTANCE OF THE AGREEMENT. I AGREE TO THE TERMS AND CONDITIONS OF THE NOMADIX END USER LICENSE AGREEMENT (Y(ES)/N(O)): Y
The sys
272. </TIME>
<ROOM_NUM>max 20 characters</ROOM_NUM>
<AMOUNT>max 10 characters</AMOUNT>
<TRANS_TYPE>max 5 characters</TRANS_TYPE>
</USG>

Format for each field:
REC_NUM: 00923 (numbers only, no alpha characters)
Access Gateway_ID: 00020b
PROPERTY_ID: any regular string
DATE: 03/30/2001 (mm/dd/yyyy)
TIME: 23:41:38 (24-hour format)
ROOM_NUM: any regular string
AMOUNT: 234.34
TRANS_TYPE: CC
RESULT_VALUE: OK or ERROR
IP: standard IP address format (123.123.123.123)

The packet after the HTTP headers are added looks like this:
POST http://testing.com/brm HTTP/1.0
Content-Type: text/xml
Content-Length: 249
Host: 172.168.0.4

<USG COMMAND="ADD_REC"><REC_NUM>0000</REC_NUM><USG_ID>012345</USG_ID><PROPERTY_ID>USGII</PROPERTY_ID><DATE>03/19/2004</DATE><TIME>10:12:56</TIME><ROOM_NUM>5</ROOM_NUM><AMOUNT>1800.00</AMOUNT><TRANS_TYPE>2</TRANS_TYPE></USG>

XML to Access Gateway: The Access Gateway accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the Access Gateway product. In this case, the acknowledgement received from the External Server forms the command. The Access Gateway expects the acknowledgement in the following format (External Server to Access Gateway):
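The ADD_REC record and its HTTP wrapper, worked through in code. This is an added example, not Nomadix's or any PMS vendor's code: it builds the single-line XML from validated fields, produces the HTTP/1.0 POST with a correct Content-Length, and parses an incoming line with the same per-field limits on the receiving side. The host 172.168.0.4 and path /brm come from the sample packet above; the hex pattern for USG_ID, the decimal pattern for AMOUNT and the 2048-byte input ceiling are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Field -> (documented maximum length or None, regular expression for the value).
# Limits for ROOM_NUM, AMOUNT and TRANS_TYPE and the formats for REC_NUM, DATE and
# TIME are the ones listed above; the USG_ID and AMOUNT patterns are assumptions
# drawn from the sample values. "Any regular string" fields only exclude the
# XML-significant characters < > & so a value can never break out of its element.
_ANY = r"[^<>&]*"
FIELD_RULES = {
    "REC_NUM":     (None, r"\d+"),                   # numbers only, no alpha
    "USG_ID":      (None, r"[0-9A-Fa-f]+"),          # e.g. 00020b (assumed hex)
    "PROPERTY_ID": (None, _ANY),
    "DATE":        (None, r"\d{2}/\d{2}/\d{4}"),     # mm/dd/yyyy
    "TIME":        (None, r"\d{2}:\d{2}:\d{2}"),     # 24-hour hh:mm:ss
    "ROOM_NUM":    (20,   _ANY),                     # max 20 characters
    "AMOUNT":      (10,   r"\d+(?:\.\d{1,2})?"),     # max 10 characters, e.g. 234.34
    "TRANS_TYPE":  (5,    r"[A-Za-z0-9]+"),          # max 5 characters, e.g. CC
}
FIELD_ORDER = list(FIELD_RULES)


def _check(name: str, value: str) -> str:
    limit, pattern = FIELD_RULES[name]
    if limit is not None and len(value) > limit:
        raise ValueError(f"{name} exceeds {limit} characters")
    if not re.fullmatch(pattern, value):
        raise ValueError(f"{name} has an unexpected format: {value!r}")
    return value


def build_record(fields: dict) -> str:
    """Validate the fields and serialise one ADD_REC command on a single line."""
    missing = [n for n in FIELD_ORDER if n not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    body = "".join(f"<{n}>{_check(n, str(fields[n]))}</{n}>" for n in FIELD_ORDER)
    return f'<USG COMMAND="ADD_REC">{body}</USG>'


def build_post(xml_line: str, host: str = "172.168.0.4", path: str = "/brm") -> bytes:
    """Wrap the record in the HTTP/1.0 POST shown above with a correct Content-Length."""
    body = xml_line.encode("utf-8")
    head = (f"POST http://{host}{path} HTTP/1.0\r\n"
            "Content-Type: text/xml\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Host: {host}\r\n\r\n")
    return head.encode("ascii") + body


def parse_record(xml_line: str, max_bytes: int = 2048) -> dict:
    """Receiving side: parse an ADD_REC line and enforce the same rules before
    anything is posted to a guest folio."""
    if len(xml_line) > max_bytes:            # assumed ceiling; refuse bloated input early
        raise ValueError("record too large")
    root = ET.fromstring(xml_line)
    if root.tag != "USG" or root.get("COMMAND") != "ADD_REC":
        raise ValueError("not an ADD_REC command")
    record = {}
    for name in FIELD_ORDER:
        node = root.find(name)
        if node is None:
            raise ValueError(f"missing field {name}")
        record[name] = _check(name, node.text or "")
    return record


# The sample record from the packet above.
SAMPLE_RECORD = {
    "REC_NUM": "0000", "USG_ID": "012345", "PROPERTY_ID": "USGII",
    "DATE": "03/19/2004", "TIME": "10:12:56", "ROOM_NUM": "5",
    "AMOUNT": "1800.00", "TRANS_TYPE": "2",
}

if __name__ == "__main__":
    line = build_record(SAMPLE_RECORD)
    print(build_post(line).decode())
    print(parse_record(line))
```

Values are rejected rather than entity-escaped because the gateway and server exchange one raw line; a receiver that does not decode entities would otherwise post a literal `&lt;` into a folio. The exchange shown on the page is plain HTTP, so the charge amount and room number travel unprotected unless the link between gateway and PMS is itself a private or encrypted path.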
273. Multi-WAN Interface Management (8.2): The 8.2 NSE supports multiple independently configurable WAN interfaces to optimize ISP resource allocation and provide load balancing, optional failover and upsell capabilities.

NTP Support: The NSE supports Network Time Protocol (NTP), an Internet standard protocol that assures accurate synchronization (to the millisecond) of computer clock times in a network of computers. NTP synchronizes the client's clock to reference time sources such as the U.S. Naval Observatory master clocks. Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock.

Portal Page Redirect: The NSE contains a comprehensive HTTP page redirection logic that allows for a page redirect before and/or after the authentication process.

Home Page Redirect: As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the portal page redirection logic that allows an External Web Server to perform a redirection based on:
• Access Gateway ID and IP Address
• Origin Server
• Port Location
• Subscriber MAC address
• Externally hosted RADIUS login failure page
This means that the network administrator can now perform location-specific service branding (for example, an airport lounge) from a centralized Web server. See also Home Page Redir
274. including the Internet. The internal Web server is flashed into the system's memory and the login page is served directly from the Access Gateway. In the external Web server model, the Access Gateway redirects the subscriber's login request to an external server. Either method is transparent to the subscriber; however, the advantage of using the internal Web server is obvious: no login redirection tasks and a faster response time for the subscriber.

Language Support: The Access Gateway's subscriber interface supports many Asian and European languages, including English, Chinese, French, German, Japanese and Spanish.

Home Page Redirection: The Access Gateway can be configured to redirect all valid subscribers to a Web portal or home page determined by the solution provider. After a specified time from the first home page redirection (determined by the system administrator), subscribers are redirected again to the portal at the next Web page request.

Subscriber Management: The Access Gateway provides several subscriber management models, including:
• Free access (for example, no AAA functionality)
• MAC address
• Port-Location ID (for example, by room or unit number)
• User name and password
• Credit card
Combinations of two or more subscriber management models can be used. When a subscriber connects to the network and attempts to access the Internet, the Access Gateway looks for
275. only English (U.S.) and Chinese (simplified) are provided.

[Screen: Web Management Interface Language Selection. Select Web Management Interface language: English (U.S.) or Chinese (simplified); Submit; Reset]

Using an SNMP Manager: Once the SNMP communities are established, you can connect to the Access Gateway via the Internet using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol used in the Network Management (NM) system. This system contains two primary elements:
• Manager: The console (client) through which system administrators perform network management functions.
• Agent: An SNMP-compliant device which stores data about itself in a Management Information Base (MIB). The Access Gateway is an example of such a device.
The Access Gateway contains managed objects that directly relate to its current operational state. These objects include hardware configuration parameters and performance statistics. Managed objects are arranged into a virtual information database called a Management Information Base (MIB). SNMP enables managers and agents to communicate with each other for the purpose of accessing these MIBs and retrieving data. Note that community strings act as the password for SNMP v1 and v2c access and are sent in cleartext, so limit which manager addresses may reach the agent rather than relying on the community name alone. See also Installing the Nomadix Private
276. usually consist of a home page that provides a clear and concise overview of the entire Web site, together with the tools for accessing other pages and topics quickly and efficiently. In this case the home page is the portal to the Web site. See also Portal and URL.
Host: Any computer that provides services to other computers that are linked to it by a network. Generally the host is the more remote of the computers. For example, if a user in California accesses a computer in New York, the computer in New York is considered the host.
HPR (Home Page Redirection): Nomadix Gateways enable solution providers to redirect subscribers to a portal (home page) of their choice. This allows the solution provider to generate online advertising revenues and increase business exposure. See also Home Page.
HTML (HyperText Markup Language): The markup language used to create hypertext documents for use on the Internet. See also HTTP, Hypertext and Internet.
HTTP (HyperText Transfer Protocol): The standard method used for publishing hypertext documents in HTML format on the Internet. See also HTML, Hypertext and Internet.
Hypertext: Electronic documents that are structured to enable readers to go directly to the source of the information they need by following directional links, unlike books, which are generally read sequentially. Help files and CD-ROM encyclopedias are examples of hypertext documents.
ICMP: In
277. Remember Me option if you want to enable or disable this feature. This option enables the Access Gateway to remember logins for a predetermined duration (see next step). The Remember Me option requires JavaScript to be enabled. If you enabled the Remember Me option, define the duration (in days) in the Remember for how many days field. If required, define a Help Hyperlink Message and a corresponding Help Hyperlink URL. Define the location in the Locale field. Define the currency labeling in the Currency field. The currency must be defined using an ISO 4217 currency code (for example, USD for US Dollars, GBP for Great British Pounds). Enter a numeric value for the Number of decimals for amount; this field defines the number of decimal places that are shown for the displayed amounts. Define the appearance of the internal login screen. Appearance settings include:
• Image File Name (if you want to include a unique image)
• Page Background Color
• Table Background Color
• Page Title Font
• Line Item Font
Take care when mixing font and background colors. You may want to experiment before establishing these settings to ensure that your chosen color scheme is both presentable and readable to subscribers (see notes). You must reboot the Access Gateway for the Image File Name or Partner Image File Name settings to ta
278. [Screen: RADIUS Client settings. Default RADIUS Mode: Disabled / Realm Based / Fixed. Default RADIUS Service Profile. TermAction. Reboot required to put changes of the following two parameters into effect: Local Authentication Port 0 (0 means the port number will be selected dynamically); Local Accounting Port 0 (0 means the port number will be selected dynamically). Later login supersedes previous. Miscellaneous Options: Default User Idle Timeout (seconds); User Login Retry Timeout 3 seconds; Enable Automatic Subscriber Reauthentication; Enable URL Redirection; Send NAS identifier; NAS identifier; Send NAS IP; Send NAS Port type; NAS Port Type 0; Send Framed IP; Enable Termination Action Radius Attribute; Percent of Max Subscriber Data Volume to Trigger RADIUS Request Termination Action event 75 (only applicable for volume-based sessions); Enable Session Terminate End Of Day When Authorized; Enable Byte Count Reset On Account Start; Enable Radius Subnet Attribute; Enable Goodbye URL; Enable Forgot your Password; Forgot your Password URL (Note: this URL will be added to the passthrough address list).]

2. Under the Server Selection and Communication options, choose the Default RADIUS Mode:
• Disabled, to disable RADIUS authentication
• Realm Based, for Realm routing
• Fixed, for routing to predefined RADIUS servers
3. Select the Default RADIUS Service Profile from
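What the Send NAS identifier, Send NAS IP, Send NAS Port type and Send Framed IP options put on the wire, and what the shared secret does for the exchange. This is an added example built by hand from RFC 2865, not Nomadix's RADIUS client: it encodes an Access-Request with those attributes, hides the PAP password with the secret, and checks a server's reply with the Response Authenticator. The secret, NAS-Identifier "ag-lobby-1", addresses and credentials are constructed sample values; the port type 19 is the RFC's Wireless-IEEE 802.11 value.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
FRAMED_IP_ADDRESS, NAS_IDENTIFIER, NAS_PORT_TYPE = 8, 32, 61


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR the padded password with an MD5 keystream.

    This is obfuscation keyed by the shared secret, not encryption: anyone who
    learns the secret recovers every password, so the secret must be long and
    unique per NAS and the server should be reached over a management path.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(type_code, value):
    """One type-length-value attribute; the length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_access_request(ident, secret, username, password, options, authenticator=None):
    """Encode an Access-Request; `options` mirrors the screen's Send ... check boxes."""
    ra = authenticator or os.urandom(16)   # Request Authenticator: fresh per request
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    if options.get("send_nas_identifier"):
        attrs += _attr(NAS_IDENTIFIER, options["nas_identifier"].encode())
    if options.get("send_nas_ip"):
        attrs += _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(options["nas_ip"]).packed)
    if options.get("send_nas_port_type"):
        attrs += _attr(NAS_PORT_TYPE, struct.pack("!I", options["nas_port_type"]))
    if options.get("send_framed_ip"):
        attrs += _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(options["framed_ip"]).packed)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet):
    """Return {type: [value, ...]} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def response_is_authentic(response, request, secret):
    """NAS side: accept only a reply that answers this request's identifier and
    whose authenticator was computed with the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample: a gateway in Fixed mode with all four Send options enabled.
SECRET = b"constructed-shared-secret"
OPTIONS = {
    "send_nas_identifier": True, "nas_identifier": "ag-lobby-1",
    "send_nas_ip": True, "nas_ip": "10.0.0.10",
    "send_nas_port_type": True, "nas_port_type": 19,   # 19 = Wireless-IEEE 802.11
    "send_framed_ip": True, "framed_ip": "10.1.1.86",
}

if __name__ == "__main__":
    req = build_access_request(7, SECRET, "bwareing", "sample-pass", OPTIONS)
    hidden = parse_attributes(req)[USER_PASSWORD][0]
    print("User-Password on the wire:", hidden.hex())
    print("recovered with the secret:", unhide_password(hidden, SECRET, req[4:20]))
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    print("genuine Accept verifies:", response_is_authentic(accept, req, SECRET))
    forged = build_response(ACCESS_ACCEPT, req, b"wrong")
    print("Accept forged without the secret verifies:", response_is_authentic(forged, req, SECRET))
```

The Response Authenticator check is what stops a host on the path from answering a subscriber's request with a spoofed Access-Accept; a NAS that skips it authorises whoever can reach its authentication port first.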
279. [Screen: system summary listing, partially shown: Login Page; EWS Failover; Port-based Billing Policies; Authorization Mode; SSL (Only encrypt sensitive data); Certificate DNS Name; Credit Card Service; Portal Page; Portal Page URL; Parameter Passing; Passthrough Address; More listings. Values include a current time of TUE MAY 18 09:52:57 2010, an AG 5000 running v7.0.029 built FRI APR 24 09:42:24 2009, ID 01633f, MAC addresses 00:50:E8:01:63:3F, 00:50:E8:01:63:3E and 00:50:E8:01:63:3D, addresses 67.130.149.167, 67.131.213.194 and 0.0.0.0, Authorization Mode Internal Web Server, SSL Enabled, Certificate DNS Name ssl.certificate.com, and Portal Page URL http://67.120.149.167/content163.htm.]

Setting the System Date and Time (Time): This procedure shows you how to set the system date and time.
1. From the Web Management Interface, click on Configuration, then Time. The Set Date and Time screen appears.
[Screen: Set Date and Time. Current time: WED MAY 19 12:44:22 2010. Time offset (hh:mm) from UTC: Hours 7, Minutes 0. Note: Select either Internal Time to use the local hardware timer, or External Time Server to use an Internet time server. Internal Time: Date and Time (Year 2010; Month 1-12; Day 1-31; Hour 0-23; Minute 0-59). External Time Server (NTP Configuration): Server timeout (max 200 sec) 5; Time server 1; Time server 2; Time server 3; Time server 4.]
280. in order to use services such as file servers or printers. See also ad hoc mode.
Internet: Originally developed by the U.S. Defense Department, the Internet is now a global collection of networks that transfer information between each other using the Internet Protocol (IP). Additionally, the Internet carries the hypertext system commonly known as the World Wide Web. See also Hypertext and Internet Protocol.
Internet Protocol: The global standard used to regulate data transmissions between computers and the Internet. Data is broken up into packets, which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination even though different packets may pass through different networks to get to the same location. See also Internet and IP Address.
Internet Service Provider: The agency that provides you with access to the Internet. Your Internet Service Provider (ISP) may be a large commercial organization (for example, America Online) or, if you access the Internet via your employer, then your employer is your Internet Service Provider. See also Internet.
Intranet: A network confined to a single organization, but not necessarily a single site. Usually thought of as a corporate mini-Internet.
IP: See Internet Protocol.
IP Address: The numeric address of a device in the format used on the Internet. The actual numeric value takes the form of a 32-bit binary n
281. [Screen: Access and Reboot History log]
001 MON APR 29 17:34:45 2002 admin 10.1.1.184 WMI Getting index.htm
002 MON APR 29 17:34:42 2002 admin 10.1.1.184 WMI Getting intro.htm
003 MON APR 29 17:34:41 2002 admin 10.1.1.184 WMI Getting index.htm
More listings

The Uptime field displays the time (in days, hours, minutes and seconds) that the system has been up and running. The Access and Reboot History log fields include:
• Message: Administrator/Operator action
• Login: User name of the Administrator/Operator
• IP: Source IP address (see note)
Note: The source IP displayed may be the source IP of a NAT router instead of the client of the person accessing the Access Gateway.

Establishing ICMP Blocking Parameters (ICMP): The Access Gateway includes the option to block all ICMP traffic from pending or non-authenticated users that is destined to addresses other than those defined in the pass-through (walled garden) list. The default setting for this option is disabled, because ICMP pass-through is a useful end-user troubleshooting feature and is also required by certain smart clients (for example, GRIC).
1. From the Web Management Interface, click on System, then ICMP. The ICMP screen appears. [Screen: ICMP. Block ICMP from pending users; Enable Ping a
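A reviewer of this log usually wants one question answered: did an administrator account act from somewhere it should not have? The following is an added example, not a Nomadix tool: it parses lines in the format shown above (sequence, timestamp, login, source IP, message), flags entries from outside an assumed management subnet and logins seen from more than one address in the same batch. Lines 001 to 003 are the ones shown above; 004 and 005 and the 10.1.1.0/24 management range are constructed. As the note says, the address may belong to a NAT router rather than the operator's host, so a hit is a lead to check, not proof.

```python
import ipaddress
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<seq>\d{3})\s+"
    r"(?P<stamp>[A-Z]{3} [A-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<login>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<message>.+)$"
)

# Assumed: addresses from which administrators are expected to reach the WMI.
MANAGEMENT_NETS = [ipaddress.ip_network("10.1.1.0/24")]


def parse_line(line: str) -> dict:
    """Split one history entry into its fields; raise on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["stamp"], "%a %b %d %H:%M:%S %Y")
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def audit(lines, management_nets=MANAGEMENT_NETS) -> dict:
    """Return entries from outside the management nets and logins that were
    seen from more than one source address within the batch."""
    outside, ips_by_login = [], {}
    for line in lines:
        text = line.strip()
        if not text or text == "More listings":     # screen footer, not an entry
            continue
        rec = parse_line(text)
        ips_by_login.setdefault(rec["login"], set()).add(rec["ip"])
        if not any(rec["ip"] in net for net in management_nets):
            outside.append(rec)
    multiple = {login: sorted(str(ip) for ip in ips)
                for login, ips in ips_by_login.items() if len(ips) > 1}
    return {"outside_management": outside, "multiple_sources": multiple}


# Constructed sample: the three entries shown on the screen plus two more.
SAMPLE_LOG = """\
001 MON APR 29 17:34:45 2002 admin 10.1.1.184 WMI Getting index.htm
002 MON APR 29 17:34:42 2002 admin 10.1.1.184 WMI Getting intro.htm
003 MON APR 29 17:34:41 2002 admin 10.1.1.184 WMI Getting index.htm
004 MON APR 29 17:20:03 2002 admin 203.0.113.9 WMI Getting index.htm
005 MON APR 29 17:19:58 2002 operator 10.1.1.200 WMI Getting intro.htm
More listings
""".splitlines()

if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for rec in findings["outside_management"]:
        print("outside management range:", rec["seq"], rec["login"], rec["ip"], rec["message"])
    print("logins with several sources:", findings["multiple_sources"])
```

Entries are listed newest first on the screen, so a batch copied from it runs backwards in time; the parser keeps the timestamp as a datetime so a caller can sort before correlating with reboots.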
282. Find a Subscriber Profile screen appears. [Screen: Find a Subscriber's Profile. Enter MAC Address; Show; Reset]
2. In the Enter MAC Address field, enter the MAC address of the subscriber you want to find.
3. Click on the Show button to view this subscriber profile, or click on the Reset button if you want to reset the MAC Address value to the 00 state.

Finding Subscriber Profiles by User Name (Find by User): This procedure shows you how to find a subscriber profile from the Access Gateway's database of authorized subscribers based on the profile's user name. Use this procedure when you want to see the statistics corresponding to the user name. Statistics include the subscriber's MAC address and the access time remaining for this subscriber.
1. From the Web Management Interface, click on Subscriber Administration, then Find by User. The Find a Subscriber Profile screen appears. [Screen: Find a Subscriber's Profile. Enter Username: bwareing; Show; Reset]
2. In the Enter Username field, enter the user name of the subscriber you want to find.
3. Click on the Show button to view this subscriber profile, or click on the Reset button if you want to reset the Username value to its blank state.

Listing Subscriber Profiles by MAC Address (List by MAC): You can display the currently active database of authorized subscribers based on MAC addresses. To view the list of Authorized Subs
283. defined in order to modify it. The Add QoS Policy for Subscribers screen appears.

[Screen: Add QoS HSI for Subscribers. Name of QoS Policy: test (max 16 chars). Description: new policy (max 128 chars). Apply the following rules to subscriber's traffic (up to 16 rules can be applied): Traffic descriptor / 802.1p Class of Service; Rule 1: bnet, CoS 3. There is 1 rule in this policy. Default CoS for all other traffic: CoS 1. Submit Policy. Add new rule: Select Traffic Descriptor (descriptor1), Select Class of Service (CoS 5), Add Rule. Back to Main QoS Settings page.]

Enter a name for the policy in the QoS Policy field. Enter a brief summary about the policy in the Description field. The rule list displays a list of the rules that have been defined for this policy.
8. Click Submit Policy to accept the parameters and rules defined and add the policy to the policy list on the main page.
9. Select a traffic descriptor and a Class of Service for the rule and then click Add Rule. Once added, rules will be displayed in the list above.

Defining the RADIUS Client Settings (RADIUS Client): The Access Gateway supports Remote Authentication Dial-In User Service (RADIUS). RADIUS is an authentication and accounting system used by many Internet Service Providers. The Usernames function must be enabled for a RADIUS login; see also Configuration Menu on page 76. Nomadix offers an integrated RADIUS client, allowing service providers to track
284. need to be shared between guest and back-office users?
6. Is there a requirement to have certain users connected to a particular ISP?

1. It may be a requirement to provide just a backup service to the primary ISP service in case the main HSIA ISP fails. The backup service may be on a pay-to-use basis through a 3G or 4G wireless modem, or be a low-cost, lower-tier service such as a cable modem service that is only used when the main ISP link is down, on the basis that providing a reduced HSIA service is better than no service at all when the main ISP link is down. Alternatively, the organization may have multiple ISP links and want to be able to fully utilize all of them under normal conditions. The Nomadix NSE supports both failover only and combined load balancing with failover.
2. In some instances, suitable high-speed Internet services required to meet the aggregate needs of the organization may not be available, or are simply too expensive. In this case it may be desirable to aggregate multiple lower-cost, lower-speed lines together. The Nomadix AG2400 and AG5600 can aggregate services from up to three ISP links, and the AG5800 can handle up to five links.
3. It is important to consider the relative quality of each ISP link. If a second link is of much lower quality than the main ISP link, then it should only be used as a backup link in failover mode and not in a load-balanced environment. If the quality of the links is much the same, th
285. network deployment options for different venue types. For example:
• Allows for flexible WAN connectivity (T1/E1, Cable, xDSL and ISDN)
• Supports 802.11a/b/g and hybrid networks utilizing wired Ethernet
• Supports key requirements needed to be compliant with the Wi-Fi ZONE program
• Allows you to segment your existing network into public and private sections using VLANs, then leverage your existing network investment to create new revenue streams
• Enables you to provide Wi-Fi access as a billable service or as an amenity to augment the main line of business for your venue
• Contains an advanced XML interface for accepting and processing XML commands, allowing the implementation of a variety of service plans and offerings
• Offers three user-friendly ways of remote management, through a Web interface, SNMP MIBs and Telnet interfaces, allowing for scalable large public access deployments
• (8.2) Provides capabilities for load balancing and failover management across multiple ISPs

Platform Reliability: The Access Gateway is designed as a network appliance providing maximum uptime and reliability, unlike competitive offerings that use a server-based platform.

Local Content and Services: The Access Gateway's Portal Page feature intercepts the user's browser settings and directs them to a designated Web site to securely sign up for service, or log in if they have a pre-existing account.
• Allows the provider to prese
286. Information and Control Console / Nomadix Logout Console. Location of the Logout console: Upper Left Corner, Upper Right Corner, Lower Left Corner, Lower Right Corner. How should the subscriber session time be displayed? Elapsed Time / Time Remaining. What should the ICC do when a subscriber closes it? Redisplay itself / Logout (return the user to a Pending state; valid only with RADIUS).

[Screen: ICC button table with columns Name, Text, Target URL, Image Name. ISP Logo Button: Atyouroffice.com, http://www.atyouroffice.com, AOffice.jpg. Button 2: Altavista, http://www.altavista.com, altavist.jpg. Button 3: Travelscape, http://travelscape.com. Button 4: BUY.COM, http://www.buy.com. Button 5: Food.com order, http://www.food.com, Food.jpg. Button 6: STORERUNNER, http://www.storerunner.com, Store.jpg. Button 7: Amazon Books, http://www.amazon.com, AMAZON.GIF. Button 8: UBID where you..., http://www.ubid.com, ubid.jpg. Button 9: Make the most of..., http://www.citysearch.com. Configure Banners. NOTE: You must reboot for Banner Image or Button Image settings changes to take effect. Reboot after changes are saved: Yes. Submit; Reset.]

2. If you want subscribers to see the ICC pop-up window, click on the check box for Display ICC (Information and Control Console) to enable this feature. Choose which ICC you want to be displayed, either the featured ICC or the simple Logout Consol
287. Operating humidity: 5-90% RH. Storage humidity: 5-95% RH, non-condensing. Altitude: up to 15,000 ft.

AG5800 Specifications
REGULATORY: FCC Class A; UL (US and Canada); CE: EN 55022:2010 Class A, EN 61000-3-2:2006 +A1:2009 +A2:2009, EN 61000-3-3:2008, EN 55024:2010, IEC 61000-4-2:2008, IEC 61000-4-3:2006 +A1:2007 +A2:2010, IEC 61000-4-4:2004 +A1:2010, IEC 61000-4-5:2006, IEC 61000-4-6:2008, IEC 61000-4-8:2009, IEC 61000-4-11:2004; Australian Standard AS/NZS CISPR 22:2009 Class A; CB Scheme.
PHYSICAL: 1U rack space in a 19-inch rack; 17 in L x 12 in W x 1.75 in H (431 mm L x 305.0 mm W x 44.4 mm H); weight 10.2 lbs (4.6 kg).
LED INDICATORS: Power indicator; Status indicator; ACT/LINK and 10/100/1000 for each Ethernet port.
PERFORMANCE: User support up to 4000 users or devices concurrently; throughput up to 970 Mbit/s, as defined by RFC 1242 Section 3.18.

Sample AAA Log: The following table shows a sample AAA log. This log is generated by the Access Gateway and sent to the SYSLOG server that is assigned to AAA logging.
Columns: Date/Time | Access Gateway Name | Type of Data | Log Message | Subscriber MAC Address | Expiration Time
Mar 18 23:10:31 | nomad237.nomadix.com | INFO AAA | AAA_4207 Authentication Successful | 00:00:0E:32:2C:BC | 2 hrs 1 min
Mar 18 23:26 | nomad237 | INFO A
288. Link state will provide a faster response, but using Interface Monitoring will assure that there is Internet access through that port before assigning subscribers to it. Run Time Status gives a useful summary of all Load Balancing settings and subscriber distribution.

Establishing Your Location (Location): This command sets up your location and the corresponding IP addresses for the network interface, subscriber interface, subnet and default gateway. You must provide your full location information.
1. From the Web Management Interface, click on Configuration, then Location. The Location Settings screen appears.
[Screen: Location Settings. Company Name: Nomadix. Site Name: Test Lab. Address Line 1; Address Line 2. City: Agoura Hills. State: CA. ZIP/Postal Code. Country: USA. E-mail Address: support@nomadix.com. Please select the venue type that most reflects your location: Lab/Test. ISO Country Code; Phone Country Code; Calling Area Code; Network SSID: ZONE. Enable WAN 802.1Q tagging (Note: Changing these settings could result in loss of connectivity); VLAN ID: 1. Note: You must reboot for these settings to take effect. Network Interface Configuration Method: DHCP Client / PPPoE Client (Configure PPPoE Client) / Static. Static Configuration Parameters: Network IP Address 172.17.0.12; Subnet Mask 255.255.0.0]
289. nstead of complicated numeric IP addresses by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary or tertiary (third) DNS server. The Access Gateway utilizes whichever server is currently available. You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the Access Gateway's configuration screens. Use the following procedure to set the DNS configuration options: 1. Enter c (configuration) at the Access Gateway Menu. The Configuration menu appears. 2. Enter dn (dns) at the Configuration menu. The system displays the current domain (the default is nomadix). 3. Enter a valid domain name (the Internet domain that DNS requests will utilize). [Installing the Access Gateway, page 69] Enter the host name (the DNS name of the Access Gateway). The host name must not contain any spaces. After assigning the host name, the system requests IP addresses for the primary, secondary and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2). The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable. Enter the IP addresses for the DNS servers located at the customer's network operating center, where DNS requests are sent. You must now reboot the system for your settings to take effect. Enter y (yes) to reboot the Access Gateway. Sample Screen Response
290. nt their customers with local services, or have the user sign up for service at zero expense. [Introduction, page 4] Offers both pre- and post-authentication redirects of the user's browser, providing maximum flexibility in service branding. Transparent Connectivity. Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider. In fact, most users are reluctant to make changes to their computer's network settings and won't even bother. This fact alone has prevented the widespread deployment of broadband network services. Our patented Dynamic Address Translation (DAT) functionality offers a true plug-and-play solution by enabling a seamless and transparent experience, and the tools to acquire new customers on site. DAT greatly reduces provisioning and technical support costs and enables providers to deliver an easy-to-use, customer-friendly service. (Figure: Transparent Connectivity. DAT translates end-user network settings.) [Introduction, page 5] Billing Enablement. The Access Gateway supports billing plans using credit cards, scratch cards or monthly subscriptions, or direct billing to a hotel's Property Management System (PMS), and can base the billable event on a number of different parameters, such as time, volume, IP address type or bandwidth. Access Control and Authentication
291. nterface. VSA ID: 24. VSA Name: Nomadix Preferred WAN. VSA Value: either WAN, Eth1, Eth2, Eth3, Eth4 or Eth5, to identify what interface the user will try to send traffic on. The interface will internally select properly on the 5600 and 2400. [System Administration, page 90] 1. From the Web Management Interface, click on Configuration, then Auto Configuration. The Autoconfiguration Settings screen appears. (Screen fields: Autoconfiguration: Enable; Radius Authentication Name: admin; Radius Password; Confirm Password; Submit; Reset. NOTE: You must reboot for configuration changes to take effect. Reboot after changes are saved: Yes.) 2. Enable or disable Autoconfiguration as required. 3. If you enabled Autoconfiguration, you must enter the following information into the corresponding fields: RADIUS Authentication Name; RADIUS Password; Confirm Password. 4. Click on the check box for Reboot after changes are saved to reboot the system when you submit your changes. 5. Click on the Submit button to save your changes, or click on the Reset button to reset all data to its previous state. See Enabling Auto Configuration. Enabling Auto Configuration. As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices: 1. A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the central
292. nts screen appears. (List Port Location screen. Columns: Location, Port, Description, State, Billing Modes, Billing Plan, Subnet. Example row: 10 4, No Charge, RAD TUN PMS CC, All Plans, 0.0.0.0. Legend: RAD = RADIUS; TUN = TUNNEL; PMS = PMS; CC = Credit Card.) Subscriber Administration Menu. Adding Subscriber Profiles (Add). This procedure shows you how to add subscriber profiles into a table of authorized users. Three types of subscriber profiles are provided; see the following sections for configuration information for the different profile types: Adding a Subscriber Type Profile on page 206; Adding a Device Type Profile on page 208; Adding a Group Type Profile on page 209. For more information about subscriber access and billing options, see the following sections: Authorization and Billing on page 250; Subscriber Management on page 256; Subscriber Management Models on page 256; Configuring the Subscriber Management Models on page 257. [System Administration, page 205] Adding a Subscriber Type Profile. 1. From the Web Management Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen appears. (Screen fields: Subscriber / Device / Group; Account DHCP Address Type: Private / Public (only used if subscriber is configured for DHCP); MAC Address; IP Address; Subnet Mask; Username; Password; Expiration Time: hrs, mins; P
293. o WMI > Subscriber Interface > Local Web Server and add the names of the HTML or image files that were uploaded to the flash web directory. Reboot the NSE (System > Reboot). The pages can now be served by referencing the URL http://nseip:1111/web/<filename> or https://nseip:1112/web/<filename> for pre-authenticated end users. 5. The post-authentication pages and images are available at http://nseip:3111/web/<filename>. These settings are available under the Subscriber Interface > Local Web Server menu. (WMI screen, 1100 Business Center Circle. Menu tree: Configuration; Network Info; Port Location; Subscriber Administration; Subscriber Interface (Billing Options, ICC Setup, Language Support, Local Web Server, Login UI, Post Session UI, Subscriber Buttons, Subscriber Labels, Subscriber Errors 1 of 2, Subscriber Errors 2 of 2, Subscriber Messages 1 of 3, Subscriber Messages 2 of 3, Subscriber Messages 3 of 3, Subscriber Messages TOA); System; Logout.) Local Web Server Setup. Notes: 1. Limit the total size of Web Pages and Images to 200 KB. 2. The Pre-Authentication Pages and Images are available at http://nseip:1111/web/<filename> or at https://nseip:1112/web/<filename>. 3. The Post-Authentication Pages and Images are available at http://nseip:3111/web/<filename>. Web Page File Name: Add / Remove. Current Web Pages. Image File Name: Add
294. o add, delete or change unique subscriber profiles. Export your configuration settings to an archive file. [Installing the Access Gateway, page 38] Powering Up the System. Use this procedure to establish a direct cable connection between the Access Gateway and your laptop computer, and to power up the system. 1. Place the Access Gateway on a flat and stable work surface. 2. Connect the power cord. 3. Connect the DB9 serial cable between the Access Gateway's serial port (or front Access RJ45 port) and your computer. 4. Turn on your computer and allow it to boot up. 5. Turn on the Access Gateway. (Figure: Connect the serial cable here. On other platforms, connection may be via the front access RJ45 port.) User Manual and Documentation. The Nomadix product user manuals, product documentation and support files (including MIB, XML DTD and sample dictionary files) are located at the following URL: http://www.nomadix.com/current_releases.php. If you have any problems, please contact our technical support team at 1-818-575-2590 or email support@nomadix.com. [Installing the Access Gateway, page 39] This quick start document provides instructions and reference material for getting started with the Nomadix Access Gateway products, specifically the AG 2400 and AG 5800. Accessory Box Contents, AG 2400: 1 U.S. NEMA 5-15p Power Cord; 1 EU Schuko CEE7/7
295. o reset all values to their previous state. For more information about Static Port Mapping, see also: Displaying the Static Port Mapping Table (Static Port Mapping) on page 191; Deleting Static Ports (Static Port Mapping Delete) on page 273. Deleting Static Ports (Static Port Mapping Delete). Static Port Mapping allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and misconfigured) and port number on the subscriber side of the Access Gateway. The advantage for the network administrator is that free private IP addresses can be used to manage devices, such as Access Points, on the subscriber side of the Access Gateway without setting them up with public IP addresses. This procedure shows you how to add static ports. 1. From the Web Management Interface, click on System, then Static Port Mapping Delete. The Delete Static Port Mapping Entries screen appears. (Table columns: Internal Address, Internal Port, MAC Address, <>, External Address, External Port, >, Remote Address, Remote Port, Protocol. Rows as shown: 1 2 3 4 5 4 2 7 1 80 00 a0 8 53 b7 84 <> 8080 > 0 0 0 0 0 TCP; 10.0.0.13 | 23 | 00:03:47:15:cd:c7 | <> | 4.2.7.1 | 8023 | > | 0.0.0.0 | 0 | TCP; 10.208.134.5 | 80 | 00:60:1d:31:92:c0 | <> | 4.2.7.1 | 8081 | > | 0.0.0.0 | 0 | TCP; 12.13.14.15 | 80 | 00:00:23:45:67:80 | <> | 4 2
296. oduction. (Figure labels: Main ISP Circuit for HSIA; Main ISP circuit for Hotel Admin Network; Back-up for Hotel Admin; Back-up for Guest HSIA; Freedom Internet; HSIA Subscriber Network; Hotel Admin Network.) Guest HSIA Failover Only to Admin Network. In this scenario the hotel has separate ISP circuits for the Guest HSIA network and the Hotel Admin network. The hotel wants the Admin network to be available as a back-up link in case the Guest HSIA ISP link fails. There is no back-up for the Admin ISP network. The Nomadix NSE is configured with link failover between the WAN port and port ETH2, which is connected to the hotel Admin network router. [Introduction, page 31] (Figure labels: ISP Circuit for Guest HSIA; ISP circuit for Hotel Admin Network; Back-up for Guest HSIA; ISP1; HSIA Subscriber Network; Hotel Admin Network.) Sharing of Guest HSIA Network and Hotel Admin Network Amongst Multiple ISP Links. In this scenario multiple ISP links are connected to the Nomadix NSE in a similar method to the first scenario, but both the guest HSIA network and the Hotel Admin network are connected to the NSE and share the aggregate bandwidth of the combined ISP links. The Nomadix NSE is configured for load balancing, and the back office router's MAC address is registered as a device in the NSE with an appropriate bandwidth limit. [Introduction, page 32] ISP 1
297. of numeric IP addresses into any of the Access Gateway's configuration screens (for example, the Credit Card Server URL in the following step). If the Credit Card Service is enabled, enter the information for the following fields: Credit Card Server URL; Credit Card Server IP; Merchant ID (a valid ID issued by the credit card reconciliation service provider, Authorize.net or Chainfusion). Check the Use NSE's Hostname and DNS domain name box if you want the Hostname and domain name to be sent to the Credit Card server instead of the local NSE IP address. Enable or disable the SIM Compliant feature as required. With this feature enabled, you can change the transaction key at your discretion. To change the transaction key, simply enter the key in the Change Transaction Key box, then re-enter the key in the Verify Transaction Key box. The SIM Compliant option refers to Authorize.net's Simple Integration Method. Enable or disable Smart Client Support as required. You can assign a session idle timeout parameter for subscribers (see the following note). To assign an idle timeout, simply enter a numeric value (in seconds) in the Subscriber Idle Timeout box (the default is 1200). Subscriber Idle Timeout does not apply to RADIUS and Post Pay PMS subscribers. If you enabled or disabled SSL Support on this screen, you must click the check box for Reboot after changes are saved; the Access Gateway must be rebooted every time the SSL Sup
298. of the subscriber database sorted by user name, go to Listing Subscriber Profiles by User Name (List by User) on page 217. 1. From the Web Management Interface, click on Subscriber Administration, then Delete by User. The Delete a Subscriber Profile by User screen appears. (Screen: Delete a Subscriber Profile; Enter Username; Delete; Reset.) 2. In the Username field, enter the user name of the profile you want to delete. 3. Click on the Delete button to delete this subscriber profile, or click on the Reset button if you want to reset the Username value to its blank state. [System Administration, page 213] Displaying the Currently Allocated DHCP Leases (DHCP Leases). You can display a listing of the DHCP (Dynamic Host Configuration Protocol) leases that are currently active on the system's DHCP server. DHCP is a standard method for assigning IP addresses automatically to network devices. DHCP leases define the amount of time that subscribers can utilize the system's DHCP service. To view the list of Currently Allocated DHCP Leases, go to the Web Management Interface, click on Subscriber Administration, then click on DHCP Leases. To use this feature, your Access Gateway must be set to act as its own DHCP Server; the DHCP function cannot be set to DHCP Relay. Refer to Managing the DHCP service options (DHCP) on page 103. The Currently Allocated DHCP Leases screen appears (the 8.2 NSE screen is shown).
299. og: Enabled; System Log Number: 2; System Log Filter: 7; System Log Server IP: 10.10.10.10; System Log Save to file: Enabled; AAA Log: Enabled; AAA Log Number: 2; AAA Log Filter: 7; AAA Log Server IP: 10.10.10.10; AAA Log Save to file: Enabled; RADIUS History Log: Enabled; RADIUS History Log Number: 2; RADIUS History Log Filter: 7; RADIUS History Log Server IP: 10.10.10.10; RADIUS History Log Save to file: Enabled; System Report Log: Enabled; [Installing the Access Gateway, page 60] System Report Log Number: 2; System Report Log Server IP: 10.10.10.10; System Report Log Interval (in minutes): 5; Tracking Log: Enabled; Tracking Log Number: 2; Tracking Log Server IP: 10.10.10.10; Tracking Log Save to file: Disabled; Tracking Name Reporting: Enabled; Tracking Port Reporting: Enabled; Tracking Location Reporting: Enabled; Tracking Report every 500th packet: Enabled. WARNING: Communication between the gateway and the syslog server may need to be secured to comply with local laws. Consider routing communication through an IPSec tunnel. Configuration > Assigning the Location Information and IP Addresses. The location command in the Configuration menu establishes the Access Gateway's location settings: the network interface IP address, the subnet mask and the default gateway IP address. All of these Access Gateway location parameters must be set up as part of the system's start-up configuration; otherwise the Access Gateway will not be
300. ommended 58; Assigning the Location Information and IP Addresses 61; Logging Out and Powering Down the System 63; Connecting the Access Gateway to the Customer's Network 63; Establishing the Basic Configuration for Subscribers 64; Setting the DHCP Options 65; DHCP Options PONR E SI 66; Setting the DNS Options 69; Archiving Your Configuration Settings 70; Installing the Nomadix Private MIB; Chapter 3 System Administration 73; Choosing a Remote Connection 73; Using the Web Management Interface (WMI) 74; ESCON SONME MINOC 73; Pe Tomt CONT oase; UO PERETE A EA E EET 76; About Your Product License 76; Configuration Menu 76; Defining the AAA Services (AAA) 76; Establishing Secure Administr
301. omplete description of all features available in the WMI, see Using the Web Management Interface (WMI) on page 74. The following composite screen shows how the Access Gateway's WMI menus (folders) are organized, shown here side by side for clarity and space. See also About Your Product License on page 76. [Installing the Access Gateway, page 50] (Composite screen. Top-level menu: Configuration; Network Info; Port Location; Subscriber Administration; Subscriber Interface; System; Logout. Configuration folder: AAA, Access Control, Auto Configuration, Bandwidth Management, Bill Record Mirroring, DHCP, DNS, Dynamic DNS, GRE Tunneling, Home Page Redirect, iNAT, IPSec, Location, Logging, MAC Authentication, Nomadix Services, Passthrough Addresses, PMS, Port Location, QoS, RADIUS Client, RADIUS Proxy, Realm Based Routing, SMTP, SNMP, Subnets, Summary, Time, Traffic Descriptors, URL Filtering, User Agent Filtering, Zone Migration. Network Info folder: DAT, ICMP, Interfaces, IP, IPSec, Login Page Failover, Routing, Sockets, Static Port Mapping, Subscriber Tunnels, TCP, UDP. Port Location folder: Add, Delete All, Delete by Location, Delete by Port, Export, Find by Description, Find by Location, Find by Port, List.) Note: Your browser preferences or Internet options should be
302. on the chosen Role: disabled; Inet Access is Unknown; OOS (Out of Service); Non-applicable (values are unnecessary). WAN (Wide Area Network): if the port's Link is Up and Inet Monitoring is; SUB (Subscriber Network). [System Administration, page 112] Click any individual interface name to view and set details of the individual WAN Ethernet ports. (WAN Interface Configuration and Status screen. Current Interface Settings for port WAN: Role: WAN; Cfg Mode: Static; Gateway ARP Refresh Interval: 120 seconds; IP Address: 67.130.149.57; Subnet Mask: 255.255.255.128; Gateway: 67.130.149.126; DNS Domain: nomadix.com; DNS Server 1: 67.130.149.123; DNS Server 2: 8 8; DNS Server 3: 0.0.0.0; Uplink: 15000 Kbps (uplink speed to network); Downlink: 15000 Kbps (downlink speed to subscribers); WAN 802.1Q tagging: Enable; VLAN ID: 1. NAT IP Address Settings: Current Additional NAT IP Addresses; Remove NAT IP; Additional NAT IP addresses; Enable NAT IP address; Add; 0 additional NAT IP addresses are configured.) Setting the Home Page Redirection Options (Home Page Redirect). This procedure shows you how to redirect the subscriber's browser to a specified home page. Subscribers may also be redirected to a page specified by the solution provider without any interaction with the authentication process. You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the Acces
303. on page 90. RADIUS Client. Nomadix offers an integrated RADIUS (Remote Authentication Dial-In User Service) client with the NSE, allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server along with associated attributes for each user. When a customer connects into the network, the RADIUS client authenticates the customer with the RADIUS server, applies associated attributes stored in that customer's profile, and logs their activity, including bytes transferred, connect time, etc. The NSE's RADIUS implementation also handles vendor-specific attributes (VSAs) required by WISPs that want to enable more advanced services and billing schemes, such as a per-device, per-month connectivity fee. See also RADIUS Proxy on page 18. RADIUS Proxy. The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to: Support a wholesale WISP model directly from the edge, without the need for any centralized AAA proxy infrastructure; Support EAP authenticators (for example, WLAN APs) on the subscriber side of the NSE to transparently proxy all EAP types (TLS, SIM, etc.) and to allow for th
304. on to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state. You can now use your SNMP client to manage the Access Gateway via the Internet. Enabling Dynamic Multiple Subnet Support (Subnets). Nomadix dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks. For example: Establish a maximum of 15 different DHCP pools for routable IP addresses at the same time; Establish a maximum of 10 different public IP subnets that will not be address-translated by Nomadix's market-leading Dynamic Address Translation (DAT) feature; Define the user's subnet via the management interfaces. [System Administration, page 169] 1. From the Web Management Interface, click on Configuration, then Subnets. The Public Subnets Settings screen appears. (Screen: Subnet 2.5.3.1, Netmask 255.255.255.224; Click here to add a new Public Subnet. Public DHCP Subnets: Subnet 2.5.3.1, Netmask 255.255.255.224, Number of Public IP Pools 1. To edit this table, go to the DHCP Configuration page.) 2. Click on the Add button to add a new public subnet. The Add Public Subnets screen appears. (Screen fields: Subnet; Subnet Mask; Add; Back to Main Subnet Configuration Page.) Enter a valid IP address for thi
305. onfigured: Enable; SMTP Redirection Properly Configured: Enable; SMTP Server IP/DNS Name; For SMTP servers which support login authentication, enter a valid username and password for an account on that server; SMTP Server Account Username; SMTP Server Account Password; Submit; Reset.) 2. Click on the check box for SMTP Redirection Misconfigured to enable this feature for misconfigured subscribers. 3. Click on the check box for SMTP Redirection Properly Configured to enable this feature for properly configured subscribers. 4. If you enable SMTP redirection, you must provide the IP address of the SMTP server. In the SMTP Server IP/DNS field, enter the address of the SMTP server you want to use. 5. For SMTP servers which support login authentication, enter a valid username in the SMTP Server Account Username field. 6. For SMTP servers which support login authentication, enter a valid password in the SMTP Server Account Password field. 7. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. [System Administration, page 167] Managing the SNMP Communities (SNMP). You can address the Access Gateway using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more info
306. onnecting the unit. You can still manage the Access Gateway when Bridge Mode is enabled, but you have no other functionality. If you enable the Bridge Mode option and then plug the Access Gateway into a network, all you need to do is assign it routable IP addresses. You can then set up all other features and disable the Bridge Mode option whenever you want to start using the Access Gateway in that network. This procedure shows you how to enable the Bridge Mode option. [System Administration, page 299] 1. From the Web Management Interface, click on System, then Bridge Mode. The Bridge Mode (Passthrough) Settings screen appears. (Screen: Bridge Mode: Enable. NOTE: You must reboot for setting changes to take effect. Reboot immediately after changes are saved: Yes. Submit.) 2. Click on the check box for Bridge Mode to enable this feature. The Access Gateway should be rebooted if this setting is changed. 3. If you want the changes to take effect immediately, select Yes for Reboot immediately after changes are saved. 4. Click on the Submit button to save your changes, or click on the Reset button if you want to reset the Enable option to its previous state. Exporting Configuration Settings to the Archive File (Export). This procedure shows you how to export the current system authentication settings to an archive file for future retrieval. This function is useful if you want
307. ons independent of HTTP are included in the NSE's Access Control functionality, for both the network and subscriber sides. If the required certificates are not resident on the flash, an attempted HTTPS connection will generate an error syslog. [System Administration, page 87] 1. From the Web Management Interface, click on Configuration, then Access Control. The Access Control screen appears. (Screen: Configurable Ports: Telnet Port; HTTP Port; HTTPS Port (for each: Make sure that the port is not allocated already). Block Network-side Interfaces. Submit; Reset. Please enter an IP address range. Note: Up to 50 Access Control IP address ranges can be entered. Note: Please make sure to enter the correct addresses. Access Control Start IP; Add; Remove. Currently Access is Permitted for IPs: 172.30.30.173. Number of Access Control Address Ranges: 1. Block Network-side Telnet Access: Enable. Block Network-side Web Management Access (HTTP): Enable (Please note that this will terminate the current network-side session). Block Network-side Web Management Access (HTTPS): Enable. Block Network-side FTP Access: Enable. Block Network-side SFTP Access: Enable. Block Network-side SSH Shell Access: Enable. Block Subscriber-side Interfaces: Block Subscriber-side Telnet Access: En
308. ontrol End IP field. If you are adding a single IP address, enter None in the Access Control End IP field. Click on the Add button to add the IP address or range of IP addresses to the list. To remove an IP address or range of IP addresses from the list, enter the starting IP address in the Access Control Start IP field. If you are removing a range of IP addresses from the access control list, you must now enter the ending IP address in the Access Control End IP field. If you are removing a single IP address, enter None in the Access Control End IP field. Click on the Remove button to remove the IP address or range of IP addresses from the list. If you enabled Access Control and have locked yourself out of the system (for example, because you've forgotten your password), you must establish a local serial connection with the CLI to disable the Access Control feature or change the range of allowed IP addresses to access the management interfaces. If you have changed the serial port to act as a PMS interface, please contact Nomadix technical support; in this case, refer to Contact Information on page 323. Defining Automatic Configuration Settings (Auto Configuration). The Access Gateway allows you to define parameters to enable the automatic configuration of the system. See also RADIUS-driven Auto Configuration. 8.2: The 8.2 NSE provides a Radius VSA that supports assigning specific users to specific WAN i
309. or their user name and password whenever they try to access the Internet. Solution providers can charge a fee for this service. 6. Enable or disable the New Subscribers feature (refer to the table in Enabling AAA Services with the Internal Web Server on page 81). New Subscribers must be enabled before enabling the Credit Card and PMS options. If you enabled New Subscribers, enable or disable the Relogin After Timeout option. You can now enable or disable the Credit Card Service. When this feature is enabled, subscribers are prompted for their credit card information for billing purposes. The Access Gateway is configured to use either Authorize.net or Chainfusion, selected from a pull-down menu. You will need to open a merchant account with Authorize.net, Chainfusion or Datacenter Luxembourg before this feature can be used. Please contact Nomadix Technical Support for assistance; refer to Contact Information on page 323. All data communications between the Access Gateway and the credit card server are encrypted by the SSL (Secure Sockets Layer) protocol. The Access Gateway never sees subscriber credit card numbers. [System Administration, page 83] If you enabled the Credit Card Service, define which service you require (Authorize.net or Chainfusion) from the pull-down menu. DNS must be configured if you want to enter meaningful URLs instead
310. ord. Enter new manager login: newmgr. Enter new password. Retype new password. [Installing the Access Gateway, page 55] The administrative login and password were changed. Enter new operator login: newop. Enter new operator password. Retype new operator password. The operator login and password were changed. Enter RADIUS remote test login: rad. Enter new RADIUS remote test password. Retype new RADIUS remote test password. The RADIUS remote test login and password were changed. You must use the new login user name(s) and password(s) to access the system. Setting the SNMP Parameters (optional). You can address the Access Gateway using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see Using an SNMP Manager on page 75. If you want to use SNMP, you must manually turn on SNMP. 1. Enter c (configuration) at the Access Gateway Menu. The Configuration menu appears. 2. Enter sn (snmp). 3. Enable the SNMP daemon as required. The system displays any existing SNMP contact information and prompts you to enter new information. If this is the first time you have initialized the SNMP command since removing the Access Gateway from its box, the system has no information to display (there are no
311. ork. An SSID is also referred to as a network name because, essentially, it is a name that identifies a wireless network. SSL (Secure Sockets Layer): A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. See also Protocol. Static IP Address: An IP address that is assigned to a computing device permanently, or until the user changes it manually (unlike a dynamic IP address, which is assigned to a device temporarily by the DHCP server). See also DHCP, IP Address and Dynamic IP Address. STP (Spanning Tree Protocol): A link management protocol that is part of the IEEE 802.1 standard for media access control bridges. Using the spanning tree algorithm, STP provides path redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations. Loops occur when there are alternate routes between hosts. To establish path redundancy, STP creates a tree that spans all of the switches in an extended network, forcing redundant paths into a standby (or blocked) state. STP allows only one active path at a time between any two network devices; this prevents the loops but establishes the redundant links as a backup if the initial link
312. ork | WAN; 67.130.149.160/27 | 67.130.149.163 | 0x101 | 0 | Network | WAN; 172.30.30.0/24 | 172.30.30.172 | 0x101 | 0 | Network | WAN. Destination IP/Prefix Length; Gateway IP; Add; Reset.) 2. Enter the Destination IP/Prefix Length address of the route you want to add to the routing table. This is the Destination IP or Subnet that the Route is trying to reach, included with the prefix length to determine how large the subnet might be. 3. Enter the Gateway IP address for the Route being added, so that the NSE knows what to use to try to reach the destination IP/Subnet. 4. Click on the Add button to add this route to the routing table, or click on the Reset button if you want to reset all the values to their previous state. Deleting a Route (Route Delete). This procedure shows you how to delete a route to a specific IP destination. [System Administration, page 269] 1. From the Web Management Interface, click on System, then Route Delete. The Delete Static Routes screen appears. (Table columns: Destination, Gateway, Flags, Use, Interface. Rows: 0.0.0.0 | 8.46.5.2 | 3 | 965 | Network; 10.0.0.0 | 10.0.0.254 | 3 | 186 | Network; 6.46.1.0 | 6.46.16.1 | 101 | 0 | Network; 8.46.5.1 | 8.46.16.5 | 101 | 0 | Subscriber; 127.0.0.1 | 127.0.0.1 | 5 | | Loopback. Destination IP; Delete; Reset.) 2. Enter the Destination IP address of the route you want to delete from the routing table. 3. Click on the Delete button to dele
…ormance and uptime of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols used to accomplish network management objectives, and within those objectives is the requirement to provide the highest level of security possible. While several network protocols have evolved that offer some level of security and data encryption, the preferred method for attaining maximum security across all network devices is to establish an IPSec tunnel between the NOC (Network Operations Center) and the edge device; early VPN protocols such as PPTP have been widely discredited as a secure tunneling method.

As part of Nomadix's commitment to provide outstanding carrier-class network management capabilities to its family of public access gateways, we offer secure management through the NSE's standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third-party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. See also: Defining IPSec Tunnel Settings on page 179.

Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it:

1. Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the s…
…ors to edit the subscriber's input. Only subscribers that are correctly identified and authenticated are authorized to access the system. Once authorized, the subscriber's activity is logged and billed through the Access Gateway's Accounting module. The Accounting module fully supports the following functions:

- Credit card billing (for example, interaction with AuthorizeNet)
- User name and password verification
- Billing verification
- Per-port location (for example, room or unit) billing

Process Flow (AAA)

The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the Access Gateway.

(flowchart: AG detects connection and verifies user against authorization table; Login Page; Specify lease time; lease time required / lease time has expired; Purchase more time, choose a user ID and password, provide credit card details; Solution Provider's Portal Page; Bill for goods and services and credit provider's bank account; Online purchases)

Internal and External Web Servers

The Access Gateway supports both internal and external Web servers, which act as a login interface between subscribers and the solution provider's network, inc…
…osen provider in a seamless and transparent manner.
SMTP: Enables the SMTP E-mail redirection functions.
SNMP: Establishes the SNMP parameters.
Subnets: Enables dynamic multiple subnet support.
Summary: Displays a summary listing of all configuration settings.
Time: Sets the system date and time.
Traffic Descriptors: Bandwidth consumed over time, active allocated bandwidth, number (of users) using bandwidth, and network capacity.
URL Filtering: Dynamically adds or removes up to 300 specific IP addresses and domain names to be filtered for each property.
User Agent Filtering: User Agent Filtering is a capability that can filter software that is acting on behalf of a user, such as browsers.
Zone Migration: Provides a network user the ability to travel between different zones or locations within a network environment (for example, a hospitality location) without requiring the user to log in again at the new location.

Network Info Menu Items

ARP: Displays the ARP table, including the destination IP address and the gateway MAC address.
DAT: Displays the DAT session table.
DNSSEC: DNSSEC support adds authentication and integrity capability to DNS systems. The DNSSEC feature in the NSE allows DNSSEC queries and respon…
…ough addresses: 237
Label (billing options plan): 16
Location settings (all fields): 99
Partner Image File Name: 12
Password (adding subscriber profiles): 128
Port Description (finding ports by description): 63
Redirection Frequency (in minutes): 2,147,483,647 (recommended: 3600)
Reservation Number: 24
Username (adding subscriber profiles): 96
Valid SSL Certificate DNS Name: 64

Online Documentation and Help

The Web Management Interface (WMI) incorporates an online help system, which is accessible from the main window.

(screen capture: AG5000 Administration in Mozilla Firefox at http://192.168.1.1, Access Gateway 5800 (1100 Business Center Circle), showing the Configuration menu tree: AAA, Access Control, Auto Configuration, Bandwidth Management, Bill Record Mirroring, DHCP, DNS, Dynamic DNS, GRE Tunneling, Home Page Redirect, IPSec, Location, Logging, Passthrough Addresses, Port Location, RADIUS Client, RADIUS Proxy, Realm Based Routing, Roaming Service, SMTP, Service Updates, Time, URL Filtering; a Help link with the callout "Click here to access the online Help system"; status line "Service Portal could not be contacted")

Other online documentation…
…passthrough list automatically. If you enabled the Portal Page feature, provide the following supporting information:

- Portal Page URL
- Parameter Passing (enabled or disabled)
- Parameter Signing, including Method, Parameters and Shared Secret. See Redirection Parameter Signing for more information about parameter signing.
- Portal XML POST URL
- Portal XML Post Port
- Support GIS Clients (enabled or disabled). GIS stands for Generic Interface Specification, a document written by iPass. Enabling the Smart Client option in the Access Gateway automatically supports all GIS-compliant clients using the Internal Web Server. Enabling Support for GIS Clients under the Portal Page feature means that the Access Gateway will defer the management of the GIS clients to the Portal Page server.
- Block IWS Login Page (enabled or disabled)

5. Enable or disable the Usernames feature as required (refer to the table in Enabling AAA Services with the Internal Web Server on page 81). Some subscribers may want additional account flexibility and security for their services, for example if they use more than one computer and their MAC address changes, or if they move between port locations. In this case, a subscriber can define a unique user name and password which they can use from any machine or location without being re-charged. Subscribers who choose this option are prompted f…
…pdating the Access Gateway (Firmware Upgrade)

Upgrading the Access Gateway firmware is performed from the Access Gateway's Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (a separate document, available from Nomadix Technical Support).

The Subscriber Interface

This chapter provides an overview of the Access Gateway's Subscriber Interface and sections outlining the authorization and billing processes, subscriber management models, and the Information and Control Console (ICC).

Overview

The Subscriber Interface is the window to the solution provider's Web site, and much more than that. When a subscriber accesses the solution provider's high-speed network, the Access Gateway points the subscriber's browser to a sign-in page. The Access Gateway then creates a database entry that automatically records the subscriber's Media Access Control (MAC) address and integrates this address with a PMS interface for secure billing. Like a router, the Access Gateway continuously tracks subscriber IP and MAC settings, eliminating the need for further sign-ins and ensuring that subscriber usage and billing is recorded accurately. The Access Gateway also eliminates configuration issues between the subscriber's computer and the network. The Subscriber Interface is the portal Web site of the solution provider's broadband network, and as such its appearance and functionality r…
(screen capture: subscriber table rows, including MAC 00:19:B9:6E:1A:6C, IP 10.149.67.13, group grpbwj, bandwidth 1024/2048, Valid, Unlimited, Radius, 30 mins; and MAC 00:15:C5:1C:3E:69, IP 10.149.67.12, group grpbwj, bandwidth 1024/2048, Valid, Unlimited, Radius, 30 mins; byte counters and OFF flags)

Establishing Billing Records Mirroring (Bill Record Mirroring)

The Access Gateway can send copies of credit card transaction and PMS billing records to external servers that have been previously defined by system administrators. The Access Gateway assumes control of billing transmissions and saving billing records. By mirroring the billing data, the Access Gateway can also send copies of billing records to predefined carbon copy servers. Additionally, if the primary and secondary servers are down, the Access Gateway can store up to 2,000 credit card transaction records. When a connection is re-established with either server, the Access Gateway sends the stored information to the server; no records are lost. For more information about the bill record mirroring feature, go to Mirroring Billing Records on page 313.

1. From the Web Management Interface, click on Configuration, then Bill Record Mirroring. The Credit Card/PMS Mirroring Settings screen appears.

Credit Card Mirroring…
…pears.

(screen capture: Login Name and Password screen with Administration Concurrency checkbox; Manager Login (admin), Manager Password, Confirm Password; Operator Login (operator), Operator Password, Confirm Password; Radius Remote Test Login (rad), Radius Remote Test Password (note: only applies if Radius is used); Centralized Management Authentication: RADIUS Authentication checkbox, RADIUS Service Profile (Fishnet), link to RADIUS service profiles and Realm Routing Policies, Session timeout (5 minutes); buttons: Submit, Reset)

2. Click on the check box for Administration Concurrency if you want to assign concurrent Manager and Operator logins.
3. In the Manager Login field, enter a login name for this manager. Login names and passwords are case-sensitive. Use login names and passwords that are easy to remember (up to 11 characters, any character type).
4. In the Manager Password field, enter a password for this manager.
5. In the Confirm Password field, enter the password again to confirm it. If you forget your password, you will need to contact technical support. See also Appendix A, Technical Support, on page 323.
6. If you enabled Administration Concurrency, repeat steps 3 to 5 for an operator login.

As part of its Smart Client feature, the Access Gateway offers a remote RADIUS testing feature (enabled by default). With this feature, the Access Gateway provides a password-protected Web…
…peed of the ISP connection that is currently being used. For example, a hotel may aggregate 5 x 1.5Mbps DSL connections together. This means that a total of 7.5Mbps of bandwidth is available to be shared across all users, but a single user can receive a maximum of 1.5Mbps. All load balancing appliances, as well as the Nomadix NSE, support link aggregation. In most cases, link aggregation and load balancing are effectively the same thing.

Link Failover

Link failover, sometimes referred to as ISP redundancy, is the process of providing a second (or occasionally a third or more) ISP link as a backup to the primary ISP link. In the event that the primary link fails, all traffic is re-routed to the backup link until such time as the primary link becomes available.

Combined Load Balancing and Link Failover

This is the process where both load balancing and link failover are combined together. It represents the best of both worlds. Where multiple ISP links are used in load balancing mode, in the event that one or more links fail, all traffic is automatically rerouted to the remaining surviving links. When the failed links recover, new connections are routed toward these until the normal balanced configuration is reached.

ISP Link Selection Criteria

In a load balancing scenario, some criteria must be used to decide which ISP is selected for outgoing traffic. There are a number of factors that influence this decis…
…pings List on page 205.

1. From the Web Management Interface, click on Port Location, then Delete by Location. The Delete Port Location Assignments by Location screen appears (field: Location; buttons: Delete, Reset).
2. In the Location field, enter the location of the port location assignment you want to delete. Locations are case-sensitive.
3. Click on the Delete button to delete the specified port location assignment, or click on the Reset button if you want to reset the location value to its blank state.

Deleting Port Location Assignments by Port (Delete by Port)

This procedure shows you how to delete a port location assignment based on its port. The Access Gateway prompts you to confirm this action before deleting the requested port location. If you are unsure which port locations are currently mapped to the system, you can view a list at Displaying the Port Location Mappings List on page 205.

1. From the Web Management Interface, click on Port Location, then Delete by Port. The Delete Port Location Assignments by Port screen appears (field: Port; buttons: Delete, Reset).
2. In the Port field, enter the port of the assignment you want to delete. The port is the VLAN ID when using 802.1Q (2-way).
3. Click on the Delete button to delete the specified port location assignment, or cl…
…port feature is enabled or disabled.

Note: The "Reboot after changes are saved" checkbox does not appear in the 8.2 NSE. You can reboot the system by selecting System > Reboot in the Web Management Interface.

Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.

Enabling AAA Services with an External Web Server

You are here because you want to enable the AAA Services with an External Web Server (EWS). In the EWS mode, the Access Gateway redirects the subscriber's login request to an external server.

1. Select the External Web Server. After enabling the External Web Server, you must enter a Secret Key. The Secret Key ensures that the response the Access Gateway gets from the EWS is valid.
2. Enter the Secret Key. The Access Gateway and the external authorization server must use the same secret key.

DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the Access Gateway's configuration screens (for example, the External login page URL in the following step).

3. Enter a valid External login page URL.
4. Configure the Parameter Signing options. See Redirection Parameter Signing for more information about parameter signing.
5. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their…
…print server com by:
- ICC button link
- Printout in the hotel room
- Link from the hotel's HPR Page

Your product license may not support this feature.

10. Enable or disable the AAA Passthrough Port feature as required. System administrators can set the Access Gateway to pass through HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a Search Engine or News site) has been requested, the subscriber is then redirected as usual. If AAA passthrough is enabled, enter the corresponding port number. The port number must be different than 80, 2111, 1111 or 1112.
11. Enable or disable the 802.1x Authentication Support feature as required. Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support.
12. Enable or disable the Origin Server (OS) parameter encoding for Portal Page and EWS feature as required. You can choose to Enable failover to Internal Web Server Authentication if Portal Page/External Web Server is not reachable by placing a check in that box.
13. Enable or disable Port Based Billing Policies. The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, PMS, L2TP Tunneling) and the billing plans available on each port can now be individually conf…
…r, 2 USB Connectors, 1 Reset, 1 Power Button
POWER REQUIREMENTS: Type 12VDC 5A; Watts 60W; Power Adapter Input AC 100-240V, 50/60 Hz, 6A

AG2400 Specifications

DIMENSIONS: 215.5 (W) x 44 (H) x 190mm (D); 1U Rack Mountable
WEIGHT: 1.2 kg
ENVIRONMENTAL PARAMETERS: Temperature (Ambient): Operating 0 to 40 C, Storage -20 to 70 C; Humidity (RH, Ambient): Operating 5 to 90% non-condensing, Non-Operating 5 to 95% non-condensing
REGULATORY: FCC Class A; UL (US and Canada); CE Emissions; CB Scheme; CE Safety
CONCURRENT USERS: 200 devices
ACCESS CONTROL AND AUTHENTICATION: Tri-Modal Authentication; Authentication and Accounting (AAA); Walled Garden; Group Accounts; Universal Access Method over SSL; IEEE 802.1x; Smart Client Support (Boingo, iPass); MAC Authentication; Remember Me Log-in
ADVANCED SECURITY: iNAT; IPSec Support; PPTP Support; Session Rate Limiting (SRL); User Agent Filtering; MAC Address Filtering; URL Filtering; ICMP Blocking; Proxy ARP for device-to-device communication
BILLING PLAN ENABLEMENT: RADIUS Client; Radius AAA Proxy; Port Based Policies; Port Mapping; Local Databases; Credit Card Interface; PMS Advanced XML Interface; Bill Mirroring
BRANDING ESTABLISHMENT: Parameter Passing (enabling branding)
NETWORK MANAGEMENT: Web Management Interface (WMI); Command…
…r Aux) are unrestricted; that is, each port can be set to:
- WAN (Network Side Link)
- SUB (Subscriber), or
- OOS (Out Of Service)

However, designated WAN or LAN ports cannot be set to the opposite role, but can be set to OOS. Each configured and active WAN port can be used for NSE Management activity, and the WMI is available on that address. Multiple WAN interfaces may be configured and used for management activity (but not subscriber traffic) even without the Load Balancing license feature, or with the feature disabled. Out of the box, the NSE will boot with one WAN port and one LAN port enabled and the remaining ports set to out of service.

To view and configure WAN interfaces, select Configuration > Ethernet Ports/WAN. The Current Interface Settings screen appears, which summarizes all WAN connections.

(screen capture: Ethernet Ports & WAN Interface Configuration and Status, Current Interface Settings; rows: Static 67.130.149.57 / 255.255.255.128 / gateway 67.130.149.126, Available, 15000/15000; Eth2 WAN DHCP 67.130.149.108 / 255.255.255.128 / 67.130.149.126, Up, Available, 15000/15000; Eth3 WAN DHCP 192.168.100.101 / 255.255.255.0 / 192.168.100.1, Up, Available, 0/0; Eth4 OOS n/a, Up; Eth5 WAN PPPoE 192.168.206.2 / 255.255.255.255 / 67.130.149.201, Up, Available, 15000/15000; Show summary; Legend: Role, Configurati…)
…r entry, or click on the Reset button if you want to reset all the values to their previous state.

Deleting an ARP Table Entry (ARP Delete)

Note: NSE 8.2 consolidates ARP operations to a single screen. See Adding and Deleting ARP Table Entries (8.2).

ARP (Address Resolution Protocol) is used to dynamically bind a high-level IP address to a low-level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting. This procedure shows you how to delete an ARP table entry.

1. From the Web Management Interface, click on System, then ARP Delete. The Delete ARP Table Entries screen appears.

(screen capture: Delete ARP Table Entries with columns Internet Address, Physical Address, Flags, Use, Interface; rows 4.5.6.7 / 00:90:27:bd:c2:df / 405 / 55 / Network and 5.6.7.8 / 00:c0:7b:61:ac:b0 / 405 / 0 / Network; field: Enter IP Address; buttons: Delete, Reset)

2. Enter the IP address of the entry you want to delete.
3. Click on the Delete button to delete this entry, or click on the Reset button if you want to reset the IP Address value to its blank state.

Adding and Deleting ARP Table Entries (8.2)

NSE 8.2 consolidates the ARP interface. You can add or delete table entries from a single screen.

1. From the Web Management Interface, click on System, then ARP. The ARP Tables screen appears. You can view, delete or add new ARP table entries from this screen.

ARP…
…rability possible. SNMP uses a standard set of definitions known as a MIB (Management Information Base), which can be supplemented with enterprise-specific extensions. See also: TCP/IP and MIB.

Socket: A communication path between two computer programs, not necessarily running on the same machine. Sockets are managed by a socket device driver that establishes network connections as needed. Programs that communicate through sockets need not know anything about how the network functions.

Solution Provider: Vendors are considered to be solution providers when they provide products and/or services that meet their customer's specific needs. Normally, a solution provider is offering a solution that isn't readily available on the open market. For example, NOMADIX is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).

SSID (Service Set Identifier): A 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the netw…
…rameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
2. The exchange of management traffic, either originating at the NOC or from the edge device, through the IPSec tunnel. Alternatively, AAA data (such as RADIUS Authentication and Accounting traffic) can be sent through the IPSec tunnel. See also: Defining Automatic Configuration Settings (Auto Configuration) on page 90.

(diagram: 802.11 Infrastructure, Access Gateway, VPN Termination, RADIUS Server, NMS, NOC)

This procedure allows system administrators to establish the peer-to-peer IPSec connection. Basic IPSec parameters must be entered by the system administrator to successfully establish the VPN session. We recommend that you create different private subnets behind the VPN termination device and the Access Gateway.

Network Info Menu

Displaying ARP Table Entries (ARP)

You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high-level IP address to a low-level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting. To view the ARP Table, go to the Web Management Interface, click on Network Info, then click on ARP. The ARP Table screen appears.

ARP Table (LINK LEVEL…
…ration Page.

(screen capture: Available NIS Services: Nomadix Support Services, software, hardware and call center support for your NSE Gateway; SMTP Relay, application prioritization service designed to limit SMTP SPAM abuse)

Enter a valid DHCP Server IP address for the DHCP server.
Enter the DHCP Server Netmask.
Enter the starting and ending IP addresses for the DHCP address pool you want to use:
- DHCP Pool Start IP
- DHCP Pool Stop IP
Enter the DHCP Lease Minutes.
Select Public Pool or Private Pool as required. A public IP address will not be translated by DAT.
If required, make this an IP Upsell Pool and/or the Default Pool by checking the appropriate boxes. Do not allow pools to overlap.

15. Optional: if the gateway router for the DHCP Pool is other than that of the DHCP Server IP, select Specify and enter the IP address of the gateway router of choice.
16. When finished establishing your DHCP Pools, click on the Back to Main DHCP Configuration Page to return to the previous page.
17. You must now reboot the system for the new settings to take effect. Click the check box for Reboot after changes are saved, then click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state. The existing lease pool and lease table are deleted and the Access Gateway reboots. The Ac…
…rd accounts, the ICC displays a dynamic time field to inform subscribers of the time remaining on their account.

(screen capture: Nomadix Subscriber Console, Information and Control Console (ICC), in Microsoft Internet Explorer, showing "Shop here", Plan A and a 256/128 bandwidth selector)

Additionally, the ICC contains multiple opportunities for an operator to display its branding or the branding of partners during the user's session, as well as display advertising banners and present a choice of redirection options to their subscribers.

See also:
- 5 Step Service Branding
- Logout Pop-Up Window
- Information and Control Console

Initial NSE Configuration (8.2)

See Installing the Access Gateway on page 37 for initial installation and configuration instructions.

Internal Web Server

The NSE offers an embedded Internal Web Server (IWS) to deliver Web pages stored in flash memory. These Web pages are configurable by the system administrator by selecting various parameters to be displayed on the internal pages. When providers or HotSpot owners do not want to develop their own content, the IWS is the answer. A banner at the top of each IWS page is configurable and contains the customer's company logo or any other image file they desire. To support PDAs and other hand-held devices, the NSE automatically formats the IWS pages to a screen size that is optimal for the particular device being used.

See also:
- 5 Step Se…
…re. Enter a secret key in the Accounting Secret Key field. Select the Default RADIUS Service Profile from the pull-down menu (see note). RADIUS requests originating from this Upstream NAS will be routed via the specified profile if they cannot be routed based on realm. Leave this field blank if default routing is not desired.

7. Place a check in the box of the Nomadix VSAs to be enforced by the Proxy for this entry:
- Enforce Bandwidth Up VSA: The Radius VSA for Bandwidth Up will be passed on to the Upstream NAS when enabled.
- Enforce Bandwidth Down VSA: The Radius VSA for Bandwidth Down will be passed on to the Upstream NAS when enabled.
- Enforce Redirect URL VSA: The Radius VSA for Redirect URL will be passed on to the Upstream NAS when enabled.
- Enforce IP Upsell VSA: The Radius VSA for IP Upsell will be passed on to the Upstream NAS when enabled.
- Enforce Subnet VSA: The Radius VSA for Subnet will be passed on to the Upstream NAS when enabled.
- Enforce QoS Policy VSA: The Radius VSA for QoS Policy will be passed on to the Upstream NAS when enabled.

8.2: The 8.2 NSE provides a Radius VSA that supports assigning specific users to a specific WAN interface:
- VSA ID: 24
- VSA Name: Nomadix Preferred WAN
- VSA Value: Either WAN, Eth1, Eth2, Eth3, Eth4 or Eth5, to identify what interface the user will try to send traffic on. The interface will internally select properly on the 5600 an…
…re allowed after authenticating their user name and password.
Disabled / Disabled: You will not use this combination unless you want to lock out all subscribers.

1. Select the Internal Web Server.

Enable or disable the SSL Support feature as required. If you enable SSL Support, you must provide a valid Certificate DNS Name. For more information about setting up SSL, go to Setting Up the SSL Feature on page 300. SSL support allows for the creation of an end-to-end encrypted link between the Access Gateway and its clients by enabling the Internal Web Server (IWS) to display pages under a secure link, important when transmitting AAA information in a network. Adding SSL support to the Access Gateway requires service providers to obtain digital certificates from VeriSign to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix. To enable SSL Support, your Access Gateway's flash must include the server.pem, cakey.pem and cacert.pem certificate files (the cacert.pem file is provided with your Access Gateway). For assistance, see Appendix A, Technical Support. You must reboot the Access Gateway every time you enable or disable SSL Support.

If you want to designate a portal page, you must enable the Portal Page feature; otherwise leave this feature disabled. The Portal Page IP or DNS address are added to the IP…
…re case-sensitive.
In the Port field, enter the port (the VLAN ID when using 802.1Q 2-way).
In the Description field, enter a meaningful description for this port location assignment.
Enter a Subnet for the port assignment you are adding.
You must now assign a State for this port location. Possible states are No Charge for using this port location, Charge for Use, and Blocked. If you do not assign a conditional state, the state is registered as No Charge by default.
If applicable, select the Default QoS Policy for the port assignment you are adding.
Select the conditional state you want to assign to this port location.
- If you choose Charge for Use, additional configurations are available. Note: Port-based Policies should be enabled from the Configuration > AAA page for these settings to take effect.
  - Choose Enable RADIUS Billing if you want RADIUS billing to be enabled on this port.
  - Choose Enable Tunneling if you want L2TP Tunneling-based billing to be enabled on this port.
  - Choose Enable PMS Billing if you want PMS-based room billing to be enabled on this port.
  - Choose Enable Credit Card Billing if you want Credit Card-based billing to be enabled on this port.
You can select any number of billing methods per port. A specific billing plan can be assigned to a port, or all the existing billing plans defined on the NSE can be enabled on the port. Please select the appropriate option from the dropdown list for B…
…re to view the archive.txt file.
2. Click on the OK button to replace the current system configuration settings with the settings contained in the archive.txt file (see notes above).

Establishing Login Access Levels (Login)

This procedure shows you how to assign differentiated access levels for operators and managers at login. The Access Gateway allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only. Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. Administrative Concurrency may be enabled to further restrict the amount of management sessions allowed at one time. When this feature is enabled, one manager and three operators can access the Access Gateway at any one time (the default is disabled). This feature supports the following interfaces:

- Telnet
- Command Line Interface (CLI, serial)
- Web Management Interface (WMI)
- FTP and SFTP (no operator access allowed)
- SSH Shell Access
- SSL

Only managers can assign a username and password for the remote RADIUS testing login option.

1. From the Web Management Interface, click on System, then Login. The Login Name and Password screen ap…
…redirects, as well as one at session termination.

Smart Client Support: The NSE supports authentication mechanisms used by Smart Clients by companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass.

SNMP (Nomadix Private MIB): Nomadix Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock). To take advantage of the functionality provided with Nomadix's private MIB (Management Information Base), simply import the nomadix.mib file from the Accessories CD supplied with the product to view and manage SNMP objects on your product. See also:
- Using an SNMP Manager
- Installing the Nomadix Private MIB

Static Port Mapping: This feature allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and misconfigured) and port number on the subscriber side of the NSE. The advantage for the network administrator is that free private IP addresses can be used to manage devices such as Access Points on the subscriber side of the NSE without setting them up with Public IP addresses.

Tri-Mode Authentication: The NSE enables multiple authentication models, providing the maximum amount of flexibility to the end user and to the operator by supporting any type of client entering their network and any type of business relationship on the back end. For example, in addition to suppo…
337. ributes

Authentication Request
• Username
• Password
• Service-Type
• NAS-Port (port number)
• NAS-Identifier
• Framed-IP-Address
• NAS-IP-Address
• NAS-Port-Type
• Acct-Session-ID
• Log Off URL
• EAP Packet (used for 802.1x)
• Message-Authenticator (used for 802.1x)
• State (used/tested for 802.1x)
• Called-Station-ID
• Calling-Station-ID

Authentication Reply (Accept)
• Reply-Message
• Reject Message
• State (used/tested for 802.1x)
• Class
• Session-Timeout
• Idle-Timeout
• EAP Packet (used for 802.1x)
• Message-Authenticator (used for 802.1x)
• Acct-Interim-Interval
• Nomadix VSAs: Nomadix-Bw-Up, Nomadix-Bw-Down, Nomadix-URL-Redirection, Nomadix-IP-Upsell, Nomadix-MaxBytesUp, Nomadix-MaxBytesDown, Nomadix-Net-VLAN, Nomadix-Session-Terminate-End-Of-Day, Nomadix-Subnet, Nomadix-Expiration

Accounting Request
• Username
• Acct-Status-Type (Start, Stop, Update)
• Acct-Session-ID
• Acct-Output-Octets
• Acct-Input-Octets
• Acct-Output-Packets
• Acct-Input-Packets
• Class
• Nomadix VSAs: Nomadix-Subnet, Nomadix-URL-Redirection, Nomadix-IP-Upsell
• Acct-Session-Time (Stop)
• Terminate-Cause (Stop)
• NAS-ID
• NAS-IP-Address
• NAS-Port-Type
• NAS-Port
• Framed-IP-Address
• Acct-Delay-Time
• Called-Station-ID
• Calling-Station-ID

Selected Detailed Descriptions

Acct-Session-ID: The Acct-Session-ID is created when the RADIUS authentic
338. rk

Item                        Description
History                     Displays a history log of the system's activity, including Access, Reboot and Uptime.
ICMP                        Sets up ICMP blocking for traffic from pending or non-authenticated users that is destined to addresses other than those defined in the pass-through (walled garden) list.
Import                      Imports previously exported system configuration settings from an archive file.
Login                       Sets up the login name and password.
MAC Filtering               Blocks malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. A MAC address is trivially changed by the user, so treat this as a nuisance control rather than an access-control boundary.
Reboot                      Reboots the Access Gateway.
Route Add                   Adds a route to the Access Gateway's routing table.
Route Delete                Deletes a route to a specific IP destination.
Session Limit               Limits the number of sessions any one user can open over a given time period and, if necessary, then blocks malicious users.
Static Port Mapping Add     Sets up static port mapping schemes.
Static Port Mapping Delete  Deletes static port mapping schemes.
Subscriber Interfaces       Blocks subscriber interfaces.
Syslog                      Displays syslog history.
System Utilization          Displays system utilization information.
Upgrade                     Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support.
User Settings               Blocks IPPROTO traffic from misconfigured subscribers.
339. rmation about SNMP, see Using an SNMP Manager on page 75.

If you want to use SNMP, you must turn it on manually.

1. From the Web Management Interface, click on Configuration, then SNMP. The SNMP Settings screen appears with the following fields: SNMP Daemon (Enable); System Contact; System Location; Get (Read) Community; Set (Write) Community; Trap Community; Trap Recipient IP; DAT Trap Interval (15-600 sec); Subscriber1 Link Traps (Enable); Subscriber2 Link Traps (Enable); Reboot after changes are saved (Yes); Submit; Reset. NOTE: You must reboot for setting changes to take effect.
2. Click on the check box for SNMP Daemon to enable this functionality.
3. Enter the SNMP parameters (communities and identifiers), including System Contact, System Location, Get (Read) Community, Set (Write) Community, Trap Community and Trap Recipient IP; specify the DAT Trap Interval (15-600 sec); check the box to enable Subscriber1 Link Traps; check the box to enable Subscriber2 Link Traps. Your SNMP manager needs this information to enable network management over the Internet.
4. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved to reboot the system after saving your changes.
5. Click on the Submit butt

In SNMPv1/v2c the community string is the only credential, and it travels in clear text with every request; the Set (Write) Community in particular permits configuration changes. Replace the well-known defaults (public/private) with distinct, long Get, Set and Trap communities, and restrict which management hosts can reach the agent.
340. rname and Password

Each default message is listed beside its editable value:
• Couldn't establish tunnel. Please check your Username and Password.
• Tunneling not enabled. Please see your system administrator.
• The promotional code you have entered is not correct. Please try again.
Revert (revert all fields to default values), Submit, Reset.
If you want to reset all field values to their default state, click on the Revert button.

Defining Subscriber Messages (Subscriber Messages)

This procedure allows you to define how other subscriber messages are displayed. There are three pages of subscriber messages available.

1. From the Web Management Interface, click on Subscriber Interface, then Subscriber Messages 1 of 3. The Subscriber Page Other Message Definitions (1 of 3) screen appears, listing each default message beside its editable value:
• Please select the Billing Mode
• Bill by Credit Card
• Bill by Hotel Room
• Choose a User ID (optional)
• Choose a Password (optional)
• Retype the Password (if entered above)
• Free access to the Inte
341. rnet
• Are you a new user? Click this button.
• Are you an existing user?
• Submitted data protected by SSL encryption
Revert (revert all fields to default values), Submit, Reset.
2. Enter the definitions you want for each subscriber message in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Revert button.
4. Repeat Steps 1 to 3 for page 2 of 3 (see the following screen). The Subscriber Page Other Message Definitions (2 of 3) screen lists:
• If this is not correct, please go back to the previous page and make the necessary changes.
• Please select purchase time
• Your request was declined
• Your request was successful
• Warning
• You are already logged in
• Credit card confirmation received although you are already logged in
• You may have been do
342. rom the Archive File (Import) .......... 261
Establishing Login Access Levels (Login) .......... 262
Defining the MAC Filtering Options (MAC Filtering) .......... 265
Capturing Packets (Packet Capture) .......... 266
Rebooting the System (Reboot) .......... 268
Adding a Route (Route Add) .......... 268
Deleting a Route (Route Delete) .......... 269
Establishing Session Rate Limiting (Session Limit) .......... 270
Adding Static Ports (Static Port Mapping Add) .......... 271
Deleting Static Ports (Static Port Mapping Delete) .......... 275
Blocking a Subscriber Interface (Subscriber Interfaces) .......... 274
Updating the Access Gateway Firmware (Upgrade) .......... 274
Chapter 4: The Subscriber Interface .......... 275
Overview .......... 275
Authorization and Billing .......... 276
The AAA Structure .......... 277
Process Flow .......... 280
Portal Page (External Web Server) .......... 281
[illegible entry] .......... 281
Home Page Redirection .......... 281
343. room with a plan (A) that is 9.99 for a day with PMS billing, and have a meeting room with a plan of 14.99 an hour with Credit Card billing. This new feature is called Port-based Policies. For port-based policies to work, the feature has to be enabled from the Configuration > AAA page.

The Authentication, Authorization and Accounting Settings screen contains the following:
• AAA Services: Enable
• XML Interface: Enable; XML Server 1 IP; XML Server 2 IP
• Print Billing Command: Enable
• AAA Passthrough Port: Enable; Port (the port must be different from 80, 2111, 1111 and 1112)
• 802.1X Authentication Support: Enable (Note: 802.1X requires that both AAA and RADIUS Authentication be enabled)
• Enable Origin Server (OS) parameter encoding for Portal Page and EWS: Enable
• Enable failover to Internal Web Server Authentication if Portal Page/External Web Server is not reachable: Enable
• Port-based billing policies: Enable

Adding and Updating Port Location Assignments (Add)

Port locations can be assigned at any level, for example a specific room in a hotel or apartment building, a floor number, a wing or a building. There may even be multiple ports assigned to a single room or location. The Access Gateway uses a port location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.

Adding a Port Location Assignment
344. rting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and the authentication mechanisms used by Smart Clients. MAC-based authentication is also available.
See also:
• Access Control and Authentication
• Smart Client Support

URL Filtering
The NSE can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator, using the following three methods:
• Host IP address, for example 1.2.3.4
• Host DNS name, for example www.yahoo.com
• DNS domain name, for example yahoo.com, meaning all sites under the yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.
The system administrator can dynamically add or remove up to 300 specific IP addresses and domain names to be filtered for each property. When blocking a site, list both its DNS name and its IP address(es): a request made to a literal IP address carries no host name for a name entry to match.

Walled Garden
The NSE provides up to 300 IP pass-through addresses and/or DNS entries, allowing you to create a Walled Garden within the Internet where unauthenticated users can be granted or denied access to sites of your choosing.

Web Management Interface
Nomadix Access Gateways can be managed remotely via the built-in Web Management Interface, where various levels of administration can be established. See also Using the Web Management
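The three URL-filter entry kinds described above, implemented as a lookup a practitioner can test against real URLs. This is an added illustrative example, not Nomadix's implementation: the class, its method names and the way it models the 300-entry cap are this example's own, and the sample entries are constructed. The one subtlety worth seeing in code is the domain-name entry: it must match on a label boundary, so that "yahoo.com" catches finance.yahoo.com but not notyahoo.com.

```python
"""URL filter with the three entry kinds the NSE accepts: host IP address,
host DNS name, and DNS domain name (the domain and everything under it).

Added illustrative example, not Nomadix's implementation. The class, its
method names and the 300-entry cap taken from the guide are this example's
own modelling; the sample entries used with it are constructed.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

MAX_ENTRIES = 300  # per-property limit stated in the guide


class UrlFilter:
    """Blocklist lookup for a requested URL."""

    def __init__(self):
        self._ips = set()      # ip_address objects, exact match
        self._hosts = set()    # exact host-name match, e.g. www.yahoo.com
        self._domains = set()  # label-aligned suffix match, e.g. yahoo.com

    def size(self):
        return len(self._ips) + len(self._hosts) + len(self._domains)

    def add(self, kind, value):
        """kind is 'ip', 'host' or 'domain'; value is the entry text."""
        if self.size() >= MAX_ENTRIES:
            raise ValueError(f"filter list is full ({MAX_ENTRIES} entries)")
        value = value.strip().lower().rstrip(".")
        if kind == "ip":
            self._ips.add(ip_address(value))   # raises on a malformed address
        elif kind == "host":
            self._hosts.add(value)
        elif kind == "domain":
            self._domains.add(value)
        else:
            raise ValueError(f"unknown entry kind {kind!r}")

    @staticmethod
    def _host_of(url):
        # Accept a bare host name as well as a full URL; urlsplit lower-cases
        # the host and strips IPv6 brackets for us.
        parts = urlsplit(url if "//" in url else "//" + url)
        return (parts.hostname or "").rstrip(".")

    def is_blocked(self, url):
        host = self._host_of(url)
        if not host:
            return False
        try:
            addr = ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            # A literal-IP request carries no name to match, so only IP
            # entries can block it: list a site's addresses as well as its name.
            return addr in self._ips
        if host in self._hosts:
            return True
        # A domain entry matches the domain itself and every name under it,
        # but only on a label boundary: "yahoo.com" must not match "notyahoo.com".
        labels = host.split(".")
        return any(".".join(labels[i:]) in self._domains for i in range(len(labels)))
```

Host entries are exact (www.example.com does not block example.com), domain entries cover the whole hierarchy, and the trailing dot and upper case a browser may send are normalised before comparison.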
345. rvice Branding
• International Language Support

International Language Support
The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use. See also Internal Web Server on page 14. NSE 8.2 also allows you to change the language of the Web Management Interface text; see Selecting the language of the Web Management Interface on page 74.
The available language options are:
• English
• Chinese (Big 5)
• French
• German
• Japanese (Shift_JIS)
• Spanish
• Other (with drop-down menu)

IP Upsell
System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the NSE associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs. The IP Upsell feature solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications. The 8.2 NSE provides additional flexibility for configuring upsell scenarios: users can be assigned WANs of different bandwidth capabilities, for example hotel
346. [illegible entry] .......... 203
Displaying the Port Location Mappings (List) .......... 205
Subscriber Administration Menu .......... 205
Adding Subscriber Profiles (Add) .......... 205
Displaying Current Subscriber Connections (Current) .......... 211
Deleting Subscriber Profiles by MAC Address (Delete by MAC) .......... 212
Deleting Subscriber Profiles by User Name (Delete by User) .......... 213
Displaying the Currently Allocated DHCP Leases (DHCP Leases) .......... 214
Deleting All Expired Subscriber Profiles (Expired) .......... 214
Finding Subscriber Profiles by MAC Address (Find by MAC) .......... 215
Finding Subscriber Profiles by User Name (Find by User) .......... 215
Listing Subscriber Profiles by MAC Address (List by MAC) .......... 216
Listing Subscriber Profiles by User Name (List by User) .......... 217
Viewing RADIUS Proxy Accounting Logs (RADIUS Session History) .......... 218
Displaying Current Profiles and Connections (Statistics) .......... 219
Subscriber Interface Menu .......... 219
Defining the Billing Options (Billing Options) .......... 219
Setting Up the Information and Control Console (ICC Setup) .......... 226
Defining Languages (Language Support)
347. s-Accept determines the current rates for the entire group.

The lifetime of a group policy record in the collection is determined by the session time of the authorized (i.e. VALID) subscribers participating in the group. Group policy records are removed from the collection when the last subscriber device belonging to the group is logged out of the NSE, regardless of the reason (e.g. session timeout, idle timeout, deletion of the subscriber by an administrator, etc.).

The NSE does not support enforcing both per-subscriber and group bandwidth rates simultaneously for the same subscribers. The RADIUS server must specify either per-subscriber or group bandwidth attributes. If a RADIUS Access-Accept nevertheless contains both individual and group bandwidth attributes, the NSE uses the group attributes and ignores the per-subscriber attributes. The NSE can concurrently support some subscribers as part of a group and others with limits set on a per-subscriber basis; however, a single subscriber cannot be assigned group membership and individual limits at the same time.

Group Bandwidth Limit Policy Enable
The Group Bandwidth feature is globally enabled via an option on the Bandwidth Management page.

[Screenshot: Bandwidth Management page of the Web Management Interface; no further text is recoverable.]
348. s Gateway's configuration screens.

1. From the Web Management Interface, click on Configuration, then Home Page Redirect. The Home Page Redirection Settings screen appears, with the fields Home Page Redirection (Enable), Home Page URL, Parameter Passing (Enable) and Redirection Frequency (minutes), plus the Submit and Reset buttons.
2. Click on the check box for Home Page Redirection to enable this feature. If you enable home page redirection, you must provide a URL for the redirected home page.
3. Enter the URL of the redirected home page in the Home Page URL field.
4. If required, click on the check box for Parameter Passing. Parameter passing allows the Access Gateway to track a subscriber's initial Web request (usually their home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily. Because this forwards the URL the subscriber asked for to a third party, treat it as subscriber data: enable it only for a provider you trust and point the Home Page URL at an HTTPS address.
5. In the Redirection Frequency field, specify the frequency in minutes for home page redirection. This is the interval at which the subscriber is automatically redirected to the solution provider's home page.
6. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.

Enabling Intelligent Address Translation (iNAT)
The Nomadix patented iNAT feature contains an advance
349. s/disables blocking of Web Management access from the subscriber side to the NSE (WMI). Default setting is enabled.
• Web Management Access (HTTPS): enables/disables blocking of secure Web Management access from the subscriber side to the NSE (WMI). Default setting is enabled.
• FTP Access: enables/disables blocking of FTP access from the subscriber side to the NSE. Default setting is enabled.
• SFTP Access: enables/disables blocking of SFTP access from the subscriber side to the NSE. Default setting is enabled.
• SSH Shell Access: enables/disables blocking of SSH shell access from the subscriber side to the NSE (CLI). Default setting is disabled.

5. Click the check box for Access Control if you want to enable this feature, then click on the Submit button to save your change. If you enabled Access Control, administrator access is restricted to the IP addresses shown under the "Currently Access is Permitted for IPs" listing. If you want to add to or remove IP addresses from the list, go to Step 6 through Step 8. The Access Control list can contain up to 50 (fifty) valid administrator IP addresses or ranges of IP addresses.

Before enabling Access Control, confirm that the address you are administering from is already in the permitted list and that you have an out-of-band path (the serial CLI, which is not subject to the IP list); otherwise submitting the change locks you out of the remote interfaces.

6. To add an IP address or range of IP addresses to the list, enter the starting IP address in the Access Control Start IP field. If you are adding a range of IP addresses to the access control list, you must now enter the ending IP address in the Access C
350. s from file    Port Location

Item                   Description                                                  Menu
iNAT                   Enable translation for transparent VPN access                Configuration
Interfaces             Display performance statistics for interfaces                Network Info
IP                     Display IP performance statistics                            Network Info
Language Support       Define different languages                                   Subscriber I/face
List                   Display the room file                                        Port Location
List by MAC            List the subscriber database sorted by MAC address           Subscriber Admin
List by User           List the subscriber database sorted by user name             Subscriber Admin
Location               Establish your location and network IP parameters            Configuration
Logging                Enable system and AAA logging options                        Configuration
Login                  Establish access for managers and operators                  System
Login UI               Establish the internal login screen settings                 Subscriber I/face
MAC Filtering          Block traffic based on MAC address                           System
Passthrough Addresses  Establish up to 100 IP pass-through addresses                Configuration
Port Location          Establish the access concentrator settings
Post Session UI        Set up the post-session Goodbye page
RADIUS Client          Set up RADIUS client options                                 Configuration
RADIUS Proxy           Establish RADIUS proxies                                     Configuration
RADIUS Routing         Set up service profiles and realm-based routing policies     Configuration
Reboot                 Reboot the operating system                                  System
351. s involved with the Internet and the Web. The organization's purpose is to develop open standards so that the Web evolves in a single direction rather than being splintered among competing factions. The W3C is the chief standards body for HTTP and HTML. See also HTML and HTTP.

WAN (Wide Area Network): Take two local area networks, hook them together, and you've got a WAN. Wide area networks can be made up of interconnected smaller networks spread throughout a building, a state, a country or the entire globe.

WEP (Wired Equivalent Privacy): A security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. WEP was designed to provide the same level of security as that of a wired LAN. LANs are inherently more secure than WLANs because LANs are somewhat protected by the physicalities of their structure, having some or all of the network inside a building that can be protected from unauthorized access. WLANs, which operate over radio waves, do not have the same physical structure and are therefore more vulnerable to tampering. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. WEP's RC4-based design has since been broken in practice: its key can be recovered from captured traffic in minutes, so it provides no real confidentiality and has been superseded by WPA2 and later.

Wi-Fi (Wireless Fidelity): Used generically when referring to any type of 802.11 network, whether 802.11b, 802.11a, dual-band, etc. The term is promulgated by the Wi-Fi Alliance. Any products tested and approved as Wi-Fi Certified
352. s subnet in the Subnet field. Enter the subnet mask for this subnet in the Subnet Mask field. Click on the Back to Main Subnet Configuration Page link to return to the previous screen (Public Subnets Settings).

To edit the Current Public DHCP Subnets table, go to Managing the DHCP service options (DHCP) on page 103. For additional information about the multiple subnet feature, go to Contact Information on page 323 for Nomadix Technical Support.

Displaying Your Configuration Settings (Summary)

You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on Configuration, then click on Summary. The Summary of Configuration Settings screen appears (partial screen shown). It lists the current time; the read-only values (Operating System Version, Operating System Installed, NSE ID, Network MAC Address, Subscriber MAC Address Interface 1, Subscriber MAC Address Interface 2, Dynamic Address Translation, DNS Redirection); and the Authentication and Authorization Settings (AAA Services, XML Interface, XML Server 1 IP, XML Server 2 IP, XML Server 3 IP, AAA Passthrough Port, Print Billing Command, Print Server URL, 802.1X, 802.1X Re-auth period (secs), OS Encoding, Logi
353. s with NAS (Network Access Server) devices to determine if access to the service network should be granted and, if so, with what privileges.

[Figure: a subscriber behind the aggregation equipment and the Access Gateway (the NAS); the ISP NOC hosts the RADIUS server and is reached across the public Internet through a router.]

All subscribers attempting to gain access to the network are validated by RADIUS. When a subscriber attempts to access the service provider's network, the Access Gateway delivers a Web page to the subscriber asking for a login name and password. The password is hidden (RADIUS "encryption") and sent across the network to the ISP's RADIUS server. The RADIUS server recovers the password and compares it against its list of valid users. If the subscriber can be authenticated, the RADIUS server replies to the Access Gateway with a message instructing it to grant access to the subscriber. Optionally, the RADIUS server can instruct the NAS to perform other functions; for example, the RADIUS server can tell the Access Gateway what upstream and downstream bandwidth the subscriber should receive. If RADIUS cannot authenticate the subscriber, it will instruct the NAS to deny access to the network.

Note that RADIUS does not encrypt the password with a cipher. Per RFC 2865, the User-Password attribute is XORed with MD5 digests derived from the shared secret and the request's 16-byte Request Authenticator, and the rest of the packet is clear text. Anyone who holds or guesses the shared secret and captures the exchange can recover the password, so use a long random secret, a distinct secret per NAS, and a protected path between the Access Gateway and the RADIUS server (a private management network or IPsec) rather than relying on the hiding alone.

The Nomadix Access Gateway RADIUS functionality can be broken down into the following categories:
• Authentication Request
• Authentication Reply (Accept)
• Accounting Request
• Selected Detailed Descriptions
• Nomadix Vendor Specific Att
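The password hiding the overview describes, written out so the dependence on the shared secret and on a fresh Request Authenticator is visible. This is an added illustrative example of the RFC 2865 section 5.2 scheme, not Nomadix code and not a RADIUS client; it models only the User-Password field, and the secret, authenticator and passwords used with it are constructed test values.

```python
"""How RADIUS hides the User-Password attribute (RFC 2865, section 5.2) and
why that hiding is only as strong as the shared secret.

Added illustrative example, not Nomadix code or a full RADIUS client. It
models just the password field; the secret, authenticator and passwords
used with it are constructed test values.
"""
import hashlib
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Return the hidden User-Password bytes for one Access-Request.

    The password is NUL-padded to a multiple of 16 bytes, then each block is
    XORed with MD5(secret + previous block), the first block using the
    16-byte Request Authenticator as its 'previous block'.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        out, prev = out + c, c          # later blocks are chained on ciphertext
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the RADIUS server computes, and equally
    what anyone holding the secret and a packet capture computes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out, prev = out + _xor(hidden[i:i + 16], b), hidden[i:i + 16]
    return out.rstrip(b"\0")   # strip padding; passwords cannot end in NUL


def keystream_reuse_leak(hidden1, hidden2):
    """If two requests reuse the same secret and Request Authenticator, their
    first 16-byte blocks were XORed with the same MD5 output; XORing the two
    captured fields cancels it and yields password1 XOR password2. That is
    why a NAS must draw a fresh random authenticator for every request."""
    return _xor(hidden1[:16], hidden2[:16])


if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed value
    ra = os.urandom(16)                     # a fresh authenticator per request
    field = hide_password(b"hunter2", secret, ra)
    print(field.hex())
    print(reveal_password(field, secret, ra))
```

reveal_password with the wrong secret returns garbage rather than failing, which is exactly what an attacker sees until the guessed secret is right: nothing in the field authenticates the secret, so a short or shared one is brute-forced offline from a single capture.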
354. sable it unless you want to lose all your DHCP services.

By default, the Access Gateway is configured to act as its own DHCP server and the relay feature is disabled. If you want the Access Gateway to act as its own DHCP server, do not enable the relay; go directly to Step 8.

4. To route DHCP through an external server, enable the DHCP Relay. If you enabled the DHCP Relay feature, you must assign a valid DHCP Server IP address (the default is 0.0.0.0) and a valid DHCP Relay Agent IP address. The DHCP Relay Agent allows the Access Gateway to request a specific range of IP addresses (from different IP pools) from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses on the same subnet as the Access Gateway. You must disable the DHCP server before enabling the DHCP relay; both features cannot be enabled concurrently. If the DHCP Relay Agent IP address is set to an address that is already in use, or to the IP address of the server, the other system will get an IP conflict and will not have Internet access.
5. If you want the Access Gateway to act as its own DHCP Server (you did not enable the DHCP Relay), enable it now.
6. If required, you can make the DHCP Server feature subnet-based by checking the appropriate box.
7. If required, enable the IP Upsell feature. System administrators can set two different DHCP pools for th
355. sed by the subscriber management module for user administration.

The XML interface allows the NSE to accept and process XML commands from an external source. XML commands are sent over the network to your NSE-powered product, which executes the commands and returns data to the system that initiated the command request. XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use the Nomadix XML API together with the built-in SSL certificate functionality in the NSE, so that parameters passed between the Gateway and the centralized Web server are secured via SSL. If you plan to implement XML for external billing, please contact technical support for the XML specification of your product. Refer to Contact Information on page 353. Because the XML interface executes administrative commands, treat the XML servers configured on the AAA page as privileged hosts and keep the interface on the SSL-protected path.

Session Rate Limiting (SRL)
Session Rate Limiting (SRL) significantly reduces the risk of Denial of Service attacks by allowing administrators to limit the number of sessions any one user can open over a given time period and, if necessary, then block malicious users.

Session Termination Redirect
Once connected to the public access network, the NSE will automatically redirect the customer to a Web site for local or personalized services if the customer logs out or the customer's account expires while online and the goodbye page is enabled. In addition, the NSE also provides pre- and post-authentication
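The Session Rate Limiting behaviour described above, as a sliding-window limiter with a block period, so the two policy knobs (sessions per window, block duration) and their interaction can be exercised. This is an added illustrative example of the technique, not NSE firmware: the parameter names, the use of the subscriber MAC address as the key, and the thresholds used in the demo are this example's own assumptions.

```python
"""Session Rate Limiting (SRL) model: cap how many new sessions one
subscriber may open inside a sliding time window and, once the cap is
exceeded, block that subscriber for a penalty period.

Added illustrative example of the technique the guide describes, not NSE
firmware. Parameter names, the MAC-address key and the thresholds in the
demo are this example's own assumptions.
"""
from collections import deque


class SessionRateLimiter:
    def __init__(self, max_sessions, window_seconds, block_seconds):
        self.max_sessions = max_sessions      # new sessions allowed per window
        self.window = window_seconds          # sliding window length
        self.block_for = block_seconds        # penalty once the cap is exceeded
        self._opens = {}                      # key -> deque of open timestamps
        self._blocked_until = {}              # key -> time the block lifts

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        return until is not None and now < until

    def allow(self, key, now):
        """Record an attempt to open a session for `key` (e.g. the subscriber
        MAC address) at time `now`; return True if it may proceed."""
        if self.is_blocked(key, now):
            return False
        if key in self._blocked_until:        # block has expired: start clean
            del self._blocked_until[key]
            self._opens.pop(key, None)
        opens = self._opens.setdefault(key, deque())
        while opens and now - opens[0] >= self.window:
            opens.popleft()                   # drop opens outside the window
        if len(opens) >= self.max_sessions:
            # Cap exceeded: block the subscriber and discard its history, so
            # the first attempt after the block lifts starts a fresh count.
            self._blocked_until[key] = now + self.block_for
            self._opens.pop(key, None)
            return False
        opens.append(now)
        return True

    def blocked_subscribers(self, now):
        """Keys currently blocked, e.g. for the administrator's block list."""
        return sorted(k for k, until in self._blocked_until.items() if now < until)


if __name__ == "__main__":
    srl = SessionRateLimiter(max_sessions=3, window_seconds=10, block_seconds=60)
    for t in (0, 1, 2, 3, 30, 63):           # one subscriber, constructed timeline
        print(t, srl.allow("00:90:27:78:81:00", t))
```

The limiter is keyed per subscriber, so one device scanning or flooding connections is blocked without affecting others; the window is sliding, so a subscriber whose earlier opens have aged out regains capacity without waiting for a fixed interval to roll over.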
356. sed on the interface being used. This feature allows administrators to block access from Telnet, Web Management and FTP sources. Administration can then be performed after unblocking the interfaces for the subscriber side of the NSE. The administrative ports are configurable as well. See Establishing Secure Administration Access Control on page 87.

Bandwidth Management
The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically on a per-device (MAC address/User) basis and manages the WAN link traffic to provide complete bandwidth management over the entire network. You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth. With the Nomadix ICC feature enabled, subscribers can increase or decrease their own bandwidth and pricing plans for their service dynamically.

[Figure: Subscriber Console Information and Control Console (ICC) showing the bandwidth selection pull-down (Plan A, 256/128) and a banner.]

Billing Records Mirroring
NSE-powered devices can send copies of credit card billing records (and optionally PMS records) to external servers that have been previously defined by system administrators. The NSE assumes control of billing transmissions and the
357. ses to traverse the NSE between subscribers and the NSE's configured DNS servers. The NSE itself does not participate in DNSSEC trust relationships with subscribers.

Item                 Description
Hosts                Displays the host table, including host names, associated IP addresses and any assigned aliases.
ICMP                 Displays the ICMP (Internet Control Message Protocol) performance statistics.
Interfaces           Displays statistics for the interfaces.
IP                   Displays the IP performance statistics.
IPSEC                IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). It can be used in transport mode or used to create a secure tunnel.
Login Page Failover  For installations that use an External Web Server or a Portal Server to provision their Login and Authentication Pages to subscribers, the Login Page Failover feature provides a way for administrators to configure secondary or tertiary Login Pages in case the primary Login Page becomes unavailable. This mechanism guarantees that subscribers will have some way of authenticating themselves and accessing the Internet if the External and Portal Servers fail.
NAT IP Interface     A new, separate iNAT interf
358. set button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Revert button.

Defining Subscriber UI Labels (Subscriber Labels)

This procedure allows you to define how the user interface (UI) field labels are displayed to subscribers.

1. From the Web Management Interface, click on Subscriber Interface, then Subscriber Labels. The Subscriber Page Field Label Definitions screen appears. It lists each input field label beside its editable value: Username, Password, Features, Plan Name, Price, Minute, Hour, Day, Week, Month, Price per Minute, Price per Hour, Price per Day, Price per Week, Price per Month, PMS Username, PMS Room Number, PMS Registration Number, CC Confirmation (4 digits), CC Expiration (MM/YY); plus Revert (revert all fields to default values), Submit and Reset.
2. Enter the definitions you want for each label in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Revert button.
359. sions

Interim Accounting Updates
The Access Gateway parses the attribute Acct-Interim-Interval in an Access-Accept. If this attribute is present, the Access Gateway tries every Acct-Interim-Interval seconds to send a RADIUS Accounting Interim message for the specific subscriber. If this attribute is not present or is equal to 0, no Interim message is sent. The precision is 2 minutes: the Access Gateway will not send Interim messages more frequently than every 2 minutes.

Called-Station-ID: This is the Media Access Control (MAC) address of the Access Gateway.
Calling-Station-ID: This is the Media Access Control (MAC) address of the client's computer.

New Attributes in Acct-Request
The Access Gateway sends the following attributes in an Accounting Stop:
• Acct-Output-Packets: number of packets sent by the subscriber
• Acct-Input-Packets: number of packets received by the subscriber
Upon a reboot, these two attributes are saved in currfile.dat, in the same way as Acct-Input-Octets and Acct-Output-Octets.

If you plan to implement RADIUS, go to Contact Information on page 353 for Nomadix Technical Support.

Nomadix Vendor Specific Attributes
Nomadix-Bw-Up: This attribute value (in Kbps) restricts the speed at which uploads are performed.
Nomadix-Bw-Down: This attribute value (in Kbps) restricts the speed at which downloads are performed.
Nomadix-URL-Redirection: This attribute allo
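How the attributes of one Access-Accept become the policy applied to a session, covering both the group-versus-per-subscriber bandwidth rule from the Group Bandwidth section (group attributes win when both are present; a group record lives until its last member logs out) and the Acct-Interim-Interval rule above (absent or 0 means no interim updates, never more often than every 2 minutes, 2-minute precision). This is an added illustrative example, not Nomadix firmware: attributes are modelled as a dict of name to value with the RADIUS wire format left out; the group attribute names GROUP_UP and GROUP_DOWN are placeholders, since the pages quoted here do not name them; and rounding the interval down to whole 2-minute steps is this example's reading of "precision".

```python
"""Turn the attributes of a RADIUS Access-Accept into the per-session policy
the NSE applies: bandwidth limits (group attributes win over per-subscriber
ones) and the Acct-Interim-Interval schedule (absent or 0 means no interim
updates; never more often than every 2 minutes; 2-minute precision).

Added illustrative example, not Nomadix firmware. Attributes are modelled
as a dict of name -> value, leaving the RADIUS wire format out. The group
attribute names GROUP_UP and GROUP_DOWN are placeholders (the guide's pages
quoted here do not name them), and rounding the interval down to a whole
number of 2-minute steps is this example's reading of 'precision'.
"""
from dataclasses import dataclass
from typing import Optional

INTERIM_FLOOR = 120   # seconds; the guide's hard minimum between interims
INTERIM_STEP = 120    # seconds; the guide's stated precision

GROUP_UP = "Nomadix-Group-Bw-Up"      # placeholder name (assumption)
GROUP_DOWN = "Nomadix-Group-Bw-Down"  # placeholder name (assumption)


@dataclass
class SessionPolicy:
    bw_up_kbps: Optional[int]
    bw_down_kbps: Optional[int]
    scope: str                       # "group", "subscriber" or "none"
    interim_seconds: Optional[int]   # None: send no Accounting Interim


def effective_interim(attrs):
    raw = attrs.get("Acct-Interim-Interval")
    if raw is None or int(raw) <= 0:
        return None
    return max(INTERIM_FLOOR, (int(raw) // INTERIM_STEP) * INTERIM_STEP)


def effective_policy(attrs):
    group = (attrs.get(GROUP_UP), attrs.get(GROUP_DOWN))
    single = (attrs.get("Nomadix-Bw-Up"), attrs.get("Nomadix-Bw-Down"))
    if any(v is not None for v in group):
        up, down, scope = group[0], group[1], "group"      # group wins
    elif any(v is not None for v in single):
        up, down, scope = single[0], single[1], "subscriber"
    else:
        up, down, scope = None, None, "none"
    return SessionPolicy(
        bw_up_kbps=None if up is None else int(up),
        bw_down_kbps=None if down is None else int(down),
        scope=scope,
        interim_seconds=effective_interim(attrs),
    )


class GroupPolicyTable:
    """Group records exist only while a VALID member is online; the most
    recent Access-Accept for any member sets the rates for the whole group."""

    def __init__(self):
        self._rates = {}     # group -> (up_kbps, down_kbps)
        self._members = {}   # group -> set of subscriber MAC addresses

    def on_accept(self, group, mac, up_kbps, down_kbps):
        self._rates[group] = (up_kbps, down_kbps)
        self._members.setdefault(group, set()).add(mac)

    def on_logout(self, group, mac):
        """Any logout reason: session timeout, idle timeout, admin deletion."""
        members = self._members.get(group)
        if not members:
            return
        members.discard(mac)
        if not members:                 # last device gone: drop the record
            del self._members[group]
            del self._rates[group]

    def rates(self, group):
        return self._rates.get(group)
```

When writing RADIUS policy for the gateway, the practical consequence is that a server profile should never emit both kinds of bandwidth attribute for one user: the per-subscriber values are silently discarded, so a misconfigured profile fails open to the group rate rather than to the tighter individual one.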
360. sk                   Your subnet mask
    Gateway IP                    Your gateway IP address
    WAN 802.1Q tagging            Disabled
    VLAN ID                       1
    DNS Domain Name               nomadix.com
    DNS Server 1                  Your primary DNS IP address
    DNS Server 2
    DNS Server 3                  0.0.0.0
    Additional NAT IP addresses   Disabled

    show all                      Show all WAN Interface configuration
    show interface <name>         Show a single WAN Interface configuration
    modify interface <name>       Modify a single WAN Interface configuration
    Type b to go back, <esc> to abort, for help
    Ethernet port WAN interface configuration>

Figure 3: WAN port static IP configuration summary page

If everything is correct in the summary, type b(ack) to return to the previous menu and proceed to Step 2 to enter the location information. Otherwise, select an option from the Ethernet port configuration menu to display or make changes to the WAN port settings. When finished with the settings, type b(ack) to return to the previous menu and go to Step 2.

Step 1b: DHCP Client Configuration
Type d(hcp) for the configuration mode, as shown in Figure 4.

    Configuring minimal WAN interface connectivity parameters
    Configuration Mode [static] (static, dhcp, pppoe): d
    WAN 802.1Q tagging            Disabled
    VLAN ID                       1
    DNS Server 3                  0.0.0.0

Figure 4: Selecting DHCP Client for WAN configuration

A WAN port summary page will then be displayed, as shown in Figure 5.

    Port Name
361. specific to the NSE system itself. System Report Log: these are periodic syslogs that report the status of the NSE and carry information about the NSE ID, NSE IP address and the current number of subscribers on the NSE. Example: INFO nse_product_name version SYSRPT ID 012345 IP 11.222.333.444 unresolved Subscribers 010. Additional Configuration: System Report Log Interval is the time interval, in minutes, between the system report syslogs. Subscriber Tracking Log: enabling this checkbox enables the Subscriber Tracking log. Use this to track the network usage of specific subscribers on the network by receiving a syslog of every session that is opened by each subscriber. Each new DAT session that is created for subscribers is logged in these syslogs. Proxy state, type of access and username are included besides the source and destination information of each session. There are IN and OUT messages for the beginning and ending of each session. Examples: INFO Access Gateway v2.4.113 LI IN > THU JUN 23 11:43:58 2007 testlab S 192.168.2.4 3444 D 66.163.175.128 80 X 67.130.149.4 5004 non-proxy 00 90 27 78 8 1 00 RADIUS IPASS OU0000; INFO Access Gateway v2.4.113 LI OUT > THU JUN 23 11:44:01 2007 testlab S 192.168.2.4 3444 D 66.163.175.128 80 X 67.130.149.4 5004 non-proxy 00 90 27 78 8 1 00 RADIUS IPASS OU0000. Field formats explained: LI IN
362. sshfUNP lucyeL3 dOndF3 Ow SBL8cJip nt Yt K4fnvUt n7 zDKpZChy19G zYME4NQu. Create a Public Key File (server.pem). VeriSign Purchasing Process: The signing process varies by Certificate Authority. Generally you will need to send a Certificate Signing Request to the Certificate Authority (CA), and the CA will create a public key based on the certificate request. This is the procedure to get a 40-bit encryption or 128-bit Public Key from VeriSign. With IE or Netscape, go to www.verisign.com/products/site/index.html. [Screenshot of the VeriSign products page: Commerce Site Services (128-bit or 40-bit SSL Server IDs and Payflow Pro online payment management service, plus other valuable services for e-merchants and online stores); Secure Site Services (128-bit or 40-bit SSL Server IDs plus unique benefits for intranets, extranets and any site that requires the leading Web site security and services); OnSite for Server IDs (secure all your Web sites, intranets and extranets by issuing multiple SSL Server IDs; select this option for load balancing, cluster environments or multiple servers); each entry with Try, Guide, Price, Renew and Learn More links.] Select Buy for Secure Site Service. Secure Site Services: For intranets, extranets or any security-focused Web site that requires the leading SSL certificates and Web site solutions, Secure Site Services provide you with
363. state of its own links, and it also sends the complete routing structure (topography). The advantage of shortest path first algorithms is that they result in smaller, more frequent updates everywhere. They converge quickly, thus preventing such problems as routing loops and count-to-infinity (when routers continuously increment the hop count to a particular network). This makes for a stable network. OSPF version 2 is defined in RFC 1583 and is rapidly replacing RIP on the Internet as the preferred routing protocol. See also RFC and Router. Packet: How data is distributed over the Internet. A packet contains the source and destination addresses as well as the data. An Ethernet packet is normally 1,518 bytes. In IP networks, packets are often called datagrams. See also Forwarding Rate, Packet Switching Network, pps and Throughput. Packet Switching Network: Refers to protocols in which messages are divided into packets before they are sent. Each packet is then transmitted individually and can even follow different routes to its destination. Once all the packets forming a message arrive at its destination, they are recompiled into the original message. Most modern Wide Area Network (WAN) protocols, including TCP/IP, X.25 and Frame Relay, are based on packet switching technologies. By contrast, normal telephone services use a circuit switching technology, in which a dedicated line is allocated for transmission between two pa
364. t currently support, and still be able to bill directly to the room. Nomadix has certified interoperability with a variety of Property Management Systems: Encore, FCS, Galaxy, GEAC, GuestView, Holidex, AutoClerk, Hilton 1, Hilton 2, Hotel Info Sys (HIS), Igets.net, Innquest, LanMark, LIBICA, Logistics, Maestro, Marriott, Megasys Hospitality Systems, Micros Fidelio (FIAS Serial, TCP/IP and Query/Post interface), MSI, NH Hotels, Protocol Technologies, Ramesys (ImagInn PMS), OnQ System 21, Xeta Virtual XL. For Micros Fidelio FIAS, Nomadix also supports a serial Redirector Service, which provides a means to send FIAS command messages through the NSE XML interface. Nomadix offers the following standards-based interfaces, generally used to establish an interface to any of the PMS systems that are not proprietary: HOBIC RSI, HOBIC TSPS, HOBIC 1BT2, HOBIC TEST, HOBIC OSPS. 1. From the Web Management Interface, click on Configuration, then PMS. The Property Management System Settings screen appears. [Screen: PMS services disabled; PMS Redirector (Configure); Type of PMS, with Pre-paid and Post-paid selection columns: ASCII Serial Printer, Micros Fidelio Query & Post, Holidex/AutoClerk, Micros Fidelio Post Onl..., HOBIC OSPS, HOBIC TSPS, Mi
365. t interface. The start-up configuration must be established before connecting the Access Gateway to a customer's network. The start-up configuration settings include: Assigning Login User Names and Passwords: You must assign a unique login user name and password that enables you to administer and manage the Access Gateway securely. User names and passwords are case-sensitive. Setting the SNMP Parameters (optional): The SNMP (Simple Network Management Protocol) parameters must be established before you can use an SNMP client (for example, HP OpenView) to manage and monitor the Access Gateway remotely. Enabling the Logging Options (recommended): Servers must be assigned and set up if you want to create system and AAA (billing) log files and retrieve error messages generated by the Access Gateway. Assigning the Location Information and IP Addresses. Assigning the Network Interface IP Address: This is the public IP address that allows administrators and subscribers to see the Access Gateway on the network. Use this address when you need to make a network connection with the Access Gateway. Assigning the Subnet Mask: The subnet mask defines the number of IP addresses that are available on the routed subnet where the Access Gateway is located. Assigning the Default Gateway IP Address: This is the IP address of the router that the Access Gatew
366. t name. If the Skip First Char in Last Name feature is enabled, the space is reserved for purposes other than the first character of the last name, so the Access Gateway will skip the first space in the last name field for name verification. 5. (Post-paid PMS only) If you selected a Post-paid PMS option, you can define an Idle Timeout (in minutes) and an Idle Data Threshold (in bytes). These selections determine the thresholds at which a post-paid hotel guest will be automatically disconnected from the service. Property Management Systems generally operate at different baud rates. You must now select an appropriate baud rate for your chosen PMS. 6. Select the Speed of PMS Interface and Serial Settings from the available list. If you are not sure which baud rate to choose, select Not Sure and the system will attempt to use the default. Speed of PMS Interface options: Not Sure (will try to use default), 300 BAUD, 600 BAUD, 1200 BAUD, 2400 BAUD, 4800 BAUD, 9600 BAUD, 19200 BAUD, 38400 BAUD. Serial Settings: Data Bits a, Stop Bits 1, Parity None. 7. You must now select the Type of Service Post Mappings you require, relative to the billing plans you established in Defining the Billing Options (Billing Options) on page 219. Because some Property Management Systems do not allow you to enter characters, you must enter these service descriptions as a numeric value only (no characters or delimiters).
367. tablish in the SNMP agent of a network device (for example, a router). Standard minimal MIBs have been defined, and vendors often have their own private enterprise MIBs. In theory, any SNMP manager can talk to any SNMP agent with a properly defined MIB. See also SNMP. Misconfigured User: A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user's IP address is 10.10.10.15, then this user is considered to be misconfigured. NAT (Network Address Translation): An Internet standard that enables a Local Area Network (LAN) to use one set of IP addresses for internal traffic and a second set of IP addresses for external traffic. A NAT box located where the LAN meets the Internet performs all the necessary IP address translations. NAT provides a type of firewall by hiding its internal IP addresses. Additionally, NAT enables companies to use more internal IP addresses, because the addresses are only used internally and there is no possibility of conflicting with IP addresses used by other companies. NAT also allows companies to combine multiple ISDN connections into a single Internet connection. See also ISDN. Node: An addressable point on a network. A node can connect a computer system, a terminal or various peripheral devices to the network. Each node on a network has a distinct n
368. te this route from the routing table, or click on the Reset button if you want to reset the Destination IP value to its blank state. Establishing Session Rate Limiting (Session Limit): Session Rate Limiting (SRL) significantly reduces the risk of Denial of Service attacks by allowing administrators to limit the number of DAT sessions any one user can take over a given time period and, if necessary, then block malicious users. 1. From the Web Management Interface, click on System, then Session Limit. The Session Rate Limiting screen appears. [Screen: Session Rate Limiting: Enable (checkbox); Mean Rate: 200 sessions per Time Interval defined below (Default 200); Burst Size: 400 sessions per Time Interval defined below (Default 400); Time Interval: 60 seconds (Default 60); Add offenders to MAC filtering: Enable (checkbox); Note: MAC filtering must be enabled.] 2. Click on the check box for Session Rate Limiting to enable or disable this feature, as required. 3. Enter values for the following session limiting parameters: Mean Rate, Burst Size, Time Interval (in seconds). 4. Click on the Submit button to save your changes. For advanced security, see also Defining the MAC Filtering Options (MAC Filtering) on page 265. Adding Static Ports (Static Port Mapping): Add Static Port Mapping allows the network administrator to set up a port mapping scheme th
369. tem will now try to contact the Nomadix License Key Server. Please wait... Received key from License Key Server. If the license key is successfully processed, the unit will reboot. Figure 9: License key retrieval. NOTE: The date and time Software License Subscription start date. Step 4: Configuring the System. Log in to the AG and use the graphical Web Management Interface (WMI) to configure the product's features. You have now established a basic configuration for the AG that enables internet connectivity. For additional information about the available AG features, refer to Chapter 2 of the User Guide specific to your AG. For example: to establish various billing and authentication methods, see Defining the AAA Services; to establish hotel billing, see Assigning a PMS Service. Step 5: Configuring AG DHCP Server Settings. DHCP Server is enabled by default. To configure the DHCP Server, go to DHCP under the Configuration menu. You can either modify the default DHCP pool or delete/add another DHCP pool. The total lease pool size recommendation is 75% more than the number of licensed subscribers. DHCP Services: Disable [no]. DHCP Relay (Yes/No) [no]; if No, skip to DHCP Server. DHCP Relay Server IP Address [blank]. DHCP Relay Agent IP Address [blank]. DHCP Server (Yes/No) [yes]; only if the DHCP Relay is disabled. DHCP Server IP Address: 10
370. ternet Control Message Protocol: A standard Internet protocol that delivers error and control messages from hosts to message requesters. An ICMP echo test can determine whether a target destination is reachable. An ICMP echo test is also called a ping. See also Ping. IEEE (Institute of Electrical and Electronics Engineers): Founded in 1884, the IEEE is an organization composed of engineers, scientists and students. The IEEE is best known for developing standards for the computer and electronics industry. In particular, the IEEE 802 standards for Local Area Networks are widely followed. iNAT (Intelligent Network Address Translation): The Nomadix iNAT feature creates an intelligent mapping of IP addresses and their associated VPN tunnels, allowing multiple tunnels to be established to the same VPN server and creating a seamless connection for all the users at the public access location. infrastructure mode: An 802.11X networking framework in which devices communicate with each other by first going through an Access Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. When one AP is connected to a wired network and a set of wireless stations, it is referred to as a Basic Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN i
371. the pull-down menu. 4. Enter a Local Authentication Port and a Local Accounting Port. 5. Select whether Later Login Supersedes Previous. This will allow a secondary form of authentication to override MAC authentication if necessary, and use the credentials of the last login to succeed. See Miscellaneous Options. Miscellaneous Options: 1. In the Miscellaneous Options category, enter a value for the time (in seconds) in the Default User Idle Timeout field. This value determines how much idle time elapses before the subscriber's session times out and they must log in again. 2. The Access Gateway can reauthenticate repeat subscribers who return to the system within 720 hours. To enable this feature, click on the check box for Enable Automatic Subscriber Reauthentication. 3. If you want to enable the URL redirection feature, click on the check box for Enable URL Redirection. 4. For a Network Access Server (NAS), if you want to send a NAS identifier with your account access request, click on the check box for Send NAS identifier, then define the NAS identifier in the NAS identifier field. 5. To send the NAS IP address with your account request, click on the check box for Send NAS IP. 6. To send a NAS port type with your account request, click on the check box for Send NAS Port type, then define the NAS port in the NAS Port Type field. 7. To send the Framed IP address with
372. they have their own unique server ID number, assigned between 0 and 7. When managing multiple properties, the properties are identified in the log files by their IP addresses. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the Access Gateway to the specified server. 1. Enter log (logging) at the Configuration menu. The system displays the current logging status (enabled or disabled). 2. Enable or disable the system and/or AAA logging options, as required. If you enable either option, go to Step 3; otherwise logging is disabled and you can terminate this procedure. Assign a valid ID number (0-7) to each server. Enter the IP addresses to identify the location of the system and AAA SYSLOG servers on the network (the default for both is 0.0.0.0). When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to Sample SYSLOG Report on page 321 and Sample AAA Log on page 320. Sample Screen Response: Configuration > log. Enable/disable System Log [disabled]: enable. Enter System Log Number (0-7) [0]: 132. Enter System Log Filter (Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug); select an option from above [7]: 7. Enter System Log Server IP [255.255.255.255]: 10.10.10.10. Enable/disable System Log
373. to save your changes, or click on the Reset button if you want to reset all the values to their previous state. See Adding an Upstream RADIUS NAS. Adding an Upstream RADIUS NAS: 1. If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the Access Gateway), click on the Add button. The Add Upstream RADIUS NAS screen appears. [Screen: Add Upstream RADIUS NAS: Entry Active (checkbox); IP Address; Authentication Secret Key; Accounting Secret Key; Default RADIUS Service Profile [none] (Note: RADIUS requests originating from this Upstream NAS will be routed via the specified profile if they cannot be routed based on realm; leave the field blank if default routing is not desired); Nomadix VSAs to be enforced by the Proxy for this entry (checkboxes): Enforce Bandwidth Up VSA, Enforce Bandwidth Down VSA, Enforce Redirect URL VSA, Enforce IP Upsell VSA, Enforce Subnet VSA, Enforce QoS Policy VSA; Back to Main RADIUS Proxy Settings page.] To make this entry the active NAS entry, click on the Entry Active check box. Enter an IP Address for the Upstream NAS. Enter a secret key in the Authentication Secret Key field. During the authentication process, the server and client exchange secret keys. The secret keys must match for communication between the server and the client to continue. The secret key is a valuable and necessary security measu
374. ts of options can be configured for different pools. A given DHCP option consists of an option code and a value. RFC 2132 details the various available options and the data type for each. The NSE will validate the data entered to ensure that it is type-correct for the option code in question; if it is incorrect, the option is not accepted. Numerical (integer) values can be entered in decimal format or in hex format using a 0x prefix. The following DHCP option codes are supported (description: option codes): Single IP address: 16, 28, 32. List of one or more IP addresses: 3, 5, 7, 11, 41, 42, 44, 45, 48, 49, 65, 69, 76. List of zero or more IP addresses: 68. List of one or more pairs of IP addresses or address/mask pairs: 21, 33. 32-bit unsigned integer value: 2, 24, 35, 38. 16-bit unsigned integer value: 13, 22, 26. 8-bit unsigned integer value: 23, 37, 46. List of 1 or more 16-bit unsigned integer values: 25. Single octet Boolean value (may be 1 or 0): 19, 20, 27, 29, 31, 34, 36, 39. Sequence of 1 or more octets: 43. ASCII string of 1 or more printable characters: 12, 14, 17, 18, 40, 47, 64, 66, 67. Disallowed options: Some option codes are not allowed for one of the following reasons: Items that are already configured elsewhere as a separate DHCP pool or NSE configuration parameter and/or are
375. tties. Circuit switching is ideal for fast data transmissions where the data must arrive in the same order in which it is sent. This is the case with most real-time data, such as live audio and video. Packet switching is more efficient and robust for data that can withstand some delays in transmission, such as e-mail messages and Web pages. See also Forwarding Rate, Packet, pps and Throughput. PDF (Portable Document Format): A type of file format, developed by Adobe Systems, that displays documents identically on any computer system. PDF files retain their original formatted design, unlike HTML documents, which adjust the format depending on the user's viewing medium (for example, monitor size). Ping (Packet INternet Groper): A program that transmits a signal to a host and expects a response within a predetermined time. This is useful when troubleshooting network transmission problems. See also ICMP. Portal: A portal is a Web site. The portal consists of a collection of links to the most popular Web services on the Internet. Generally speaking, a portal is a door to the Internet. See also Internet. PPP (Point-to-Point Protocol): PPP has superseded SLIP as the standard protocol for serial data communications over the Internet. See also SLIP. pps (packets per second): The rate at which packets are delivered to their destination. See also Forwarding Rate, Packet and Packet Switching Network. PPTP (Point-to-Point Tunneling Protocol): Develope
376. ttn Technical Support. Glossary of Terms. 802.11x: Refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station, or between two wireless clients. The IEEE accepted the specification in 1997. There are several specifications in the 802.11 family. 802.11: Applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS). 802.11a: An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. 802.11a uses an Orthogonal Frequency Division Multiplexing (OFDM) encoding scheme rather than FHSS or DSSS. 802.11b (also referred to as 802.11 High Rate or Wi-Fi): An extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet. 802.11g: Applies to wireless LANs and provides 20 Mbps in the 2.4 GHz band. 802.1Q: An IEEE standard for providing a virtual LAN capability within a campus network. 802.1Q establishes a standard format for frame tagging (Layer 2 VLAN markings)
377. uble charged. [Screen, end of page 2 of 3, shown as label / current value: You may have been double charged / You may have been double charged. Revert (Revert all fields to default values), Submit, Reset.] 5. Repeat Step 3 for page 3 of 3 (see following screen). [Screen: Subscriber Page Other Message Definitions (3 of 3), Other Messages 3 of 3, shown as label / current value: Thank you for your business / Thank you for your business; We are verifying your account, Please wait / We are verifying your account, Please wait; Tunnel being set up to your ISP, Please wait / Tunnel being set up to your ISP, Please wait; Please verify proxy setting compatibility with ISP proxy server / Pease verify proxy setting compatibility with ISP proxy server; You will be billed directly by your hotel / You will be billed directly by your hotel; You will be purchasing Internet access with these options / You will be purchasing Internet access with these options; You have been logged in via 802.1x / You have been logged in via 802.1x; You have been logged in via MAC authentication / You have been logged in via MAC authentication; Please point your browser to the site of your choice / Please point your browser to the site of your choice; Please wait, you are now being redirected / Please wait, you are now being redirected; Please Enter your promotional code / Please enter your promotional code; Forgot Your Password / ForgotYourPassword. Revert (Revert all fields to default values)]
378. umber broken up into four 8-bit groups, with each group separated by a period (for example, 198.43.7.85). To make it easier for the user, the IP address is mapped to a meaningful domain name. IP addresses can be static (permanent) or dynamic (assigned each time you connect). See also Domain Name, Dynamic IP Address, Internet Protocol and Static IP Address. IP Address Translation: Nomadix Gateways use adaptive configuration technology, which can accommodate all network configurations, including dynamic and static IP address assignments. This enables it to solve IP addressing problems in environments where the service provider does not have control over the subscriber's network settings. Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer's network settings to provide them with seamless access to the broadband network. Subscribers no longer need to alter their computer's settings. See also Dynamic IP Address, IP Address and Static IP Address. ISDN (Integrated Services Digital Network): An international communications standard for sending voice, video and data over digital telephone lines or normal telephone wires. ISDN supports data transfer rates of 64 Kbps (64,000 bits per second). ISP: See Internet Service Provider. LAWN (Local Area Wireless Network): A type of Local Area Network that uses high-frequency radio waves rather than wires to communicate between nodes. Also referred to as WLAN. See also No
379. umber in this box (S/N). Patent Information: Please see the Nomadix website for a list of US and foreign patents covering this product release. Disclaimer: Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental or consequential damages in connection with or arising from the use of Nomadix, Inc. products. WARNING: Risk of electric shock. Do not open. No user-serviceable parts inside. AVERTISSEMENT (French): Risk of electric shock; do not open; do not attempt to dismantle the device. WARNUNG (German): Do not open; electrical components. AVISO (Spanish): Risk of electric shock; do not open; no configurable parts inside. CAUTION: Read the instruction manual prior to operation. ATTENTION (French): Read the user manual before use. ACHTUNG (German): Read the manual before putting the device into operation. PRECAUCIÓN (Spanish): Read the instruction manual before starting the equipment. NOMADIX, 30851 Agoura Rd., Suite 102, Agoura Hills, CA 91301, USA (head office). ACCESS GATEWAY Table of Contents. Sections marked with D include new features of the 8.2 NSE. Chapter 1 ... About This Guide ...
380. ure, enter the URL for the link in the Hyper Text Link URL field. 5. Define the following Field Label Definitions for your Goodbye Page: Session Summary, IP Address, Authen Type, Start Time, Stop Time, Byte Sent, Byte Received, GoTo. If you enabled the Partner image for the Login UI, you will also see the same image in the IWS Post Session page. 6. Click on the Submit button to save your changes. Alternatively, you can click on the Reset button to reset all values to their previous state, or click on the Revert button to revert all values to their default state. Defining Subscriber UI Buttons (Subscriber Buttons): This procedure allows you to define how each of the control buttons is displayed to subscribers. 1. From the Web Management Interface, click on Subscriber Interface, then Subscriber Buttons. The Subscriber Page Control Button Definitions screen appears. [Screen: Control Buttons, shown as label / current value: Back / Back; Login / Login; New User / New User; OK / OK; Purchase / Purchase; Submit / Submit; Try Again / Try Again. Revert (Revert all fields to default values), Submit, Reset.] 2. Enter the definitions you want for each control button in the corresponding fields. Only the Login button should be named Login; do not assign this name to any other button. 3. Click on the Submit button to save your changes, or click on the Re
381. uring a server to support signing can be obtained by contacting Nomadix Technical Support. Establishing Secure Administration Access Control: The Access Gateway allows you to block administrator access to interfaces (Telnet, WMI and FTP, SSH and SFTP) and incorporates a master access control list that checks the source IP address of administrator logins. A login is permitted only to the interfaces that have not been blocked, and only if a match is made with the master Source IP list contained on the Access Gateway. If a match is not made with the Source IP list, the login is denied even if a correct login name and password are supplied. The access control list for source IPs supports up to 50 (fifty) entries, in the form of a specific IP address or a range of IP addresses. This procedure allows you to enable the Access Control feature, block administrator access to specific interfaces, and add or remove administrator Source IP addresses. The NSE supports secure (https) connections to the Web Management Interface (WMI). Correct certificates must be installed on the NSE flash memory for these connections to function properly. The same certificate set that is used to support SSL connections for subscribers is used for this purpose. For documentation about configuring the system to support secure connections, contact technical support (see Appendix A, Technical Support). In addition, corresponding options to block https connecti
382. using Port-based access. If you are using an access concentration device that cannot handle VLAN IDs, select one of the available Access Concentrator Query options. The devices in the following list must be assigned an IP address on the same subnet as the Access Gateway. You must remove old concentrator types before entering new ones: Tut Systems Expresso, Lucent DSL Terminator, Tut MDU Lite Systems, RFC1493 Compliant Systems, RiverDelta 1000B, Elastic Networks. These options enable an SNMP query to ask the access concentration device which card, slot or port the information is coming from. The information can then be sent to and billed by the PMS. You must enter the IP address (not name), SNMP community and SNMP query duration (maximum time it takes to detect subscriber migration) of all access concentrators connected to the site. You can also opt to Relogin after migration by checking the Relogin after migration Enable box. For cascading Tut and RFC1493 compliant systems, click on the associated Cascading button. The Cascading Support screen appears, allowing you to enter the IP address and SNMP community for the primary and all cascading devices connected to the site. For RFC1493 compliant systems, you have the additional option of defining the Uplink port. Port Location Settings: Cascading Support. Note: Up to
383. ust have a unique label, different from other plans. 3. Enter a description for this billing plan in the Description of Service field. 4. Enter the cost of the plan in the Plan Cost field. 5. Enter a duration value for this plan in the Plan Duration (X) field. 6. Define the time unit for the duration value you entered in Step 5. The time unit can be defined as either Minute, Hour or Day. 7. Enter a plan validity value for this plan in the Plan Validity (Y) field. 8. Define the time unit for the plan validity value you entered in Step 7. The time unit can be defined as either Day, Week or Month. 9. Define the Up (to network) and Down (to subscribers) bandwidth range for this billing plan. 10. Define the DHCP Pool (public or private; see following note). The public option requires IP Upsell to be turned on; otherwise subscribers will receive private IP addresses. 11. Click on the Submit this Plan button to save your changes and establish this billing plan. Alternatively, you can click on the Delete this Plan button if you want to delete this plan, or click on the Reset button if you want to reset all the values to their previous state. 12. Click on the Back button at any time to return to the Internal Billing Options Setup (previous) screen. Setting Up the Information and Control Console (ICC Setup): The Nomadix ICC is an HTML pop-up window that is presented to subscribers, allowing them
384. uting information when sending to RADIUS server. This box must always be unchecked in order to pass realm information to the RADIUS server(s) for matching of realm information to its defined tunnel profiles, which contain the needed tunnel parameters. The checkbox Strip off routing information when sending to tunnel server may or may not be checked, depending on the configuration of the tunnel server and how it will be authenticating subscribers. In this example it is checked, and so realm information will be stripped, leaving only the simple username and password to be passed to the tunnel server. The tunnel server in this case is configured to authenticate users via another RADIUS server that handles a single realm. Since it handles a single realm, no realm information is needed for users and so it must be stripped. In this case it is stripped by the NSE, but it could easily have been stripped by the tunnel server or by the tunnel server's RADIUS server. This is by design and for maximum flexibility. Also note that the Local hostname field is blank, which means that the NSE's default local hostname of usg_lac will be used by the NSE. This allows for setting the local hostname to any desired value other than the default. The L2TP peers exchange their local hostnames during tunnel negotiation. 1. To add a RADIUS Service Profile, click on the appropriate Add button on the Re
... previous state.

Subscriber Login Screen Sample

The following sample shows a subscriber login screen.

[Figure: sample subscriber login screen with NOMADIX branding]

Defining the Post Session User Interface (Post Session UI)

The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the Access Gateway's Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms, for example post-paid PMS, if your product license supports PMS. The IWS page displays the details of the user's connection, such as:

- IP address of the user
- Type of AAA
- Start/Stop time
- Bytes sent/received
- A freely configurable hypertext link, in case the ISP wants to link the user back to a sign-up/help page

[Figure: sample Goodbye Page served at http://logout.nomadix.com, shown in Internet Explorer. The page reads "Logged Out - Thank You" with the NOMADIX logo and a Session Summary table with the columns IP Address, Authen Type, Start Time, Stop Time, Byte Sent and Byte Received; the sample row shows 64.209.75.210, Radius, THU AUG 21 13:56:07 20...]
... way.
4. When finished, click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
5. To return to the previous screen, click on the Configure ICC link.

Pixel Sizes

Use the following parameters when defining images for buttons and banners:

- Banners: 373 pixels width x 32 pixels height
- ISP Button: 98 pixels width x 26 pixels height
- Small buttons: 45 pixels width x 26 pixels height

[Figure: ICC layout showing a 373 x 32 pixel banner ("Shop here", amazon.com), 45 x 26 pixel small buttons and a 98 x 26 pixel ISP button]

Time Formats

Use the following formats when defining times:

- Duration for Banners: 1 through 9999 (or more)
- Start or Stop times for Banners: hh:mm PM/AM, for example 2:35 PM

Defining Languages (Language Support)

The Access Gateway allows you to define the text displayed to your users by the Internal Web Server (IWS) without any HTML or ASP knowledge. The language you select here determines the language encoding that the Access Gateway's Internal Web Server instructs the browser to use. The available language options are:

- English
- Chinese (Big 5)
- French
- German
- Japanese (Shift_JIS)
- Spanish
- Other (with drop-down menu; see not
... shows the Web Management Interface (WMI) displayed with Asian language characters.

[Figure: WMI screenshot in Internet Explorer with the Subscriber Interface menu rendered in Japanese. The Subscriber Labels table lists entries 0 to 5 with Number, Active, Label and Show/Change columns; the left-hand menu shows Configuration, Network, Port Location, Subscriber Administration, Subscriber Interface, ICC and Language Setup, Login UI, Subscriber Buttons, Subscriber Labels, Subscriber Errors 1 of 2, Subscriber Errors 2 of 2, Subscriber Messages 1 to 3 and Close Subscriber Interface Menu]

Enable Serving of Local Web Pages (Local Web Server)

Here are the quick setup instructions to enable serving of local web pages:

1. Upload the required pages and images to the flash/web directory using FTP. The total file size of all pages and images cannot exceed 200 KB. File names should be labeled using the 8.3 format.
2. Go t
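Before pushing a set of pages to the gateway over FTP it is worth checking the two constraints the manual states (8.3 file names, 200 KB total) locally, since a silent failure on the box is harder to diagnose. The following pre-flight check is an added example and not part of the Nomadix manual or firmware; it assumes 200 KB means 204800 bytes and restricts 8.3 names to letters, digits and underscore, neither of which the manual specifies.

```shell
#!/bin/sh
# Added example (not from the Nomadix manual): pre-flight check of a directory
# before it is uploaded to the Access Gateway's flash/web directory over FTP.
# It enforces the two limits the manual states: every file name in 8.3 format,
# and the combined size of all pages and images at most 200 KB.
# Assumptions not in the manual: 200 KB is taken as 204800 bytes, and 8.3 names
# are restricted to letters, digits and underscore.

MAX_TOTAL_BYTES=204800

# is_8dot3 NAME -> exit 0 if NAME is a valid 8.3 file name, 1 otherwise
is_8dot3() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_]{1,8}(\.[A-Za-z0-9_]{1,3})?$'
}

# check_local_web_dir DIR -> exit 0 if every file name passes and the total
# size fits, 1 otherwise; each problem is reported on stderr.
check_local_web_dir() {
    dir=$1
    total=0
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! is_8dot3 "$name"; then
            echo "not 8.3: $name" >&2
            status=1
        fi
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    if [ "$total" -gt "$MAX_TOTAL_BYTES" ]; then
        echo "total size $total bytes exceeds $MAX_TOTAL_BYTES" >&2
        status=1
    fi
    return $status
}

# Usage: check_local_web_dir ./web && echo "ok to upload"
```

Run it against the staging directory and only start the FTP upload when it exits 0; a name such as welcome_page.html fails the 8.3 test, and a single oversized image fails the total.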
... allows the administrator to redirect the user to a page of the administrator's choice each time the user logs in.

Nomadix IP Upsell: This attribute allows the user to receive a public address from a DHCP pool when the Access Gateway has the IP Upsell feature enabled.

Nomadix Volume Based Session Timeout: This attribute allows you to terminate a session once a specified data volume has been reached.

Nomadix Session Terminate End Of Day: This attribute allows business policies to terminate the session at midnight of every day.

Nomadix Subnet: This attribute allows you to allocate a specific subnet to a user.

Nomadix Expiration: This attribute defines a fixed time and date at which a session will be terminated. This feature can be used to cut off access to a certain profile for a defined user group at a specified time.

Setting Up the SSL Feature

This section describes how to set up the Access Gateway's SSL feature.

Prerequisites

- You should be a business that is qualified to obtain an SSL secure server ID from one of the Certificate Authorities (CAs), such as VeriSign. The Certificate Authority sets this qualification criterion.
- You will need to generate your own Private Key and Certificate Signing Request (CSR); these instructions are provided below. The private key never leaves your control; only the CSR is sent to the CA.
- You must obtain your own Signed Public Key (the signed server certificate) from the Certificate Authority. The selected Certificate Authority should be commonly supported
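The manual's own key and CSR generation steps are not in this fragment. As an added example, not taken from the Nomadix manual or firmware, the following shows the same two artifacts produced with OpenSSL on an administrator workstation, plus the two checks worth running before the CSR goes to the CA: that the CSR's self-signature verifies with the expected CN, and that the CSR's public key actually belongs to the private key you will install. The off-box workflow, the subject fields, the host name login.example.net and the file layout are all assumptions.

```shell
#!/bin/sh
# Added example (not from the Nomadix manual): generating the private key and
# Certificate Signing Request named in the SSL prerequisites, using OpenSSL.
# Assumptions not in the manual: the key is generated off-box and installed on
# the gateway together with the CA-signed certificate; subject fields and file
# names are placeholders.

# gen_key_and_csr HOSTNAME OUTDIR -> writes OUTDIR/HOSTNAME.key and OUTDIR/HOSTNAME.csr
gen_key_and_csr() {
    host=$1
    out=$2
    mkdir -p "$out"
    # 2048-bit RSA, unencrypted (-nodes) so the gateway can load it without a
    # passphrase; the subshell's umask keeps the key file owner-readable only.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$out/$host.key" \
            -out "$out/$host.csr" \
            -subj "/C=US/ST=State/L=City/O=Example Hotspot/CN=$host" \
            2>/dev/null
    )
}

# verify_csr CSRFILE HOSTNAME -> exit 0 if the CSR's self-signature verifies
# and its subject CN is HOSTNAME
verify_csr() {
    csr=$1
    host=$2
    openssl req -in "$csr" -noout -verify 2>/dev/null || return 1
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$host\$"
}

# keys_match KEYFILE CSRFILE -> exit 0 if the CSR carries the public half of KEYFILE
keys_match() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage:
#   gen_key_and_csr login.example.net ./ssl
#   verify_csr ./ssl/login.example.net.csr login.example.net
#   keys_match ./ssl/login.example.net.key ./ssl/login.example.net.csr
# Submit only the .csr to the CA; the certificate it returns is the "Signed
# Public Key" installed on the gateway alongside the .key file.
```

The CN must be the host name subscribers are redirected to for login, otherwise browsers will warn on the gateway's portal page even with a valid certificate. Keep the .key file readable only by the administrator account and copy it to the gateway over a channel that is itself protected.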
... y code [US]: US
Please enter your phone country code [1]: 1
Please enter your calling area code [818]: 818
Please enter your network SSID (Zone): samplezonename
The system must be reset to function properly. Reboot? (yes/no): y

Your new settings are displayed and the Access Gateway reboots. When the system restarts, the Telnet interface is enabled based on your new configuration settings, which are saved to the Access Gateway's on-board flash memory. Note that Telnet carries the administrator login in cleartext, so management access over it should be limited to a trusted network.

Start-up configuration is now complete; however, before connecting the Access Gateway to the customer's network you must power down the system. Go to Logging Out and Powering Down the System on page 63.

Logging Out and Powering Down the System

Use this procedure to log out and power down the Access Gateway.

1. Enter 1 (logout) at the Access Gateway Menu. Your serial session closes automatically.
2. Turn off the Access Gateway and disconnect the power cord.
3. Disconnect the serial cable between the Access Gateway and your computer.

Connecting the Access Gateway to the Customer's Network

Use this procedure to connect the Access Gateway to the customer's network after the start-up configuration parameters have been established.

1. Choose an appropriate physical location that allows a minimum clearance of 4 cm on either side of the unit for adequate airflow.
2. Connect the Access Gateway to the router
... y over a network. If an error is detected, the data is transmitted again in its original form. See also TCP/IP.

TCP/IP (Transmission Control Protocol/Internet Protocol): A suite of protocols that regulates data communications for the Internet. See also Internet Protocol, Protocol and TCP.

Telnet: A software program and command utility used to connect between remote locations and services. Telnet connects you to the login prompt of another host that you have access rights to. The session, including the password typed at that prompt, is sent unencrypted. See also Host.

Throughput: The net data transfer rate between an information source and its destination using the maximum packet size without loss. Throughput is expressed in Megabits per second (Mbps), as defined by RFC 1242, Section 3.17. See also Forwarding Rate, Mbps, Packet, Packet Switching Network, pps and RFC.

TLS (Transport Layer Security): A protocol that provides privacy and data integrity between client/server applications communicating over the Internet. The TLS protocol is made up of two layers:

TLS Record Protocol: Layered on top of a reliable transport protocol such as TCP, it ensures that the connection is private by using symmetric data encryption, and ensures that the connection is reliable by protecting each record with a keyed message integrity check. The TLS Record Protocol is also used for encapsulation of higher-level protocols such as the TLS Handshake Protocol.

TLS Handshake Protocol: Allows authentication between the server and client and the negotiation of an encryption algorithm and cryptographic k
... you must reboot the Access Gateway for your changes to take effect.

Sample Screen Response

Configuration > loc
Please enter your company name: companyname
Please enter your site name: sitename
Please enter your address
  <Line 1>: line1address
  <Line 2>: line2address
  <City>: city
  <State>: state
  <Zip/Postal Code>: zip
  <Country>: country
Please enter your email address: em@em.com
Please select the venue type that most reflects your location:
  (numbered list) Apartment, Bar, Coffeeshop/Restaurant, Convention Center, Corporate Guest Access, Education, Hospitality, Marina/Camp Ground, Public Space, Public Transport/Airport, Truckstop/Rest Area, Car Rental Facility, Club/Health Club/Bar, Retail Business, Marina, Arena/Theatre, Metro Area/HotZone, Indoor Public Space, Hospital, Museum, Library, Gas Station, Resort, Lab/Test, Other
  (values entered in the sample: newname, Coffee House, newline1, newline2, newcity, newstate, newzip, newcountry, newmail@email.com)
Please enter a number from the above list: 1
Select Network Interface Configuration Mode
  0 Static
  1 DHCP Client
  2 PPPoE Client
Select the Network Interface Configuration Mode: 0
Enter network interface IP:
Enter subnet mask:
Enter default gateway IP:
Please enter your ISO countr
... type of data monopolizes the line. ATM can offer multi-gigabit bandwidth. See also Bandwidth and Packet.

Bandwidth: The maximum speed at which data can be transmitted between computers across a network, usually measured in bits per second (bps). If you think of the communication path as a water pipe, the bandwidth represents the width of the pipe, which consequently determines how many gallons of water can flow through it at any given time. See also Broadband.

Beacon Interval: The frequency interval of the beacon, which is a packet broadcast by a router to synchronize a wireless network.

Broadband: A high-speed data transmission medium capable of supporting a wide range of varying frequencies. Broadband can carry multiple signals at fast rates of speed by dividing the total capacity of the medium into multiple independent bandwidth channels, where each channel operates only on a specific range of frequencies. See also Bandwidth.

BSS (Basic Service Set): See infrastructure mode.

Carrier frequency: A frequency in a communications channel modulated to carry analog or digital signal information. For example, an FM radio transmitter modulates the frequency of a carrier signal, and the receiver processes the carrier signal to extract the analog information. An AM radio transmitter modulates the amplitude of a carrier signal.

CoS (Class of Service): A category based on the type of user, type of application or some oth