WHG301_V3.00_EN_Manu..

Contents

1. [Screenshot residue: Policy 1 Permitted Login Hours grid (Enable / Disable), hourly rows 00:00-00:59 through 08:00-08:59 against columns SUN MON TUE WED THU FRI SAT.] 4ipnet User's Manual WHG301 Secure WLAN Controller ENGLISH. 6.3.4 Sessions Limit. To prevent ill-behaved clients or malicious software from using up the system's connection resources, the administrator can restrict the number of concurrent sessions that a user can establish. > The maximum number of concurrent sessions (TCP and UDP) for each user can be specified in the Global policy, which applies to authenticated users, users on a non-authenticated port, privileged users, and clients in DMZ zones. It can also be specified in the other policies, where it applies to the authenticated users. When the number of a user's sessions reaches the session limit (a choice of Unlimited, 10, 25, 50, 100, 200 and 300), the user will be implicitly suspended upon receipt of any new connection request. In this case, a record will be logged to a Syslog server. Since this basic protection mechanism may not be able to protect the system from all malicious DoS attacks, it is strongly recommended to build some immune capabilities, such as IDS or IPS solutions, into the network deployment to maintain network operation. 6.4 QoS Traffic Class a
2. [Screenshot residue: Authentication Options table with columns Auth Option, Auth Database, Postfix, Default, Enabled; rows Server 1 (LOCAL, local), Server 2 (POP3, pop3), Server 3 (RADIUS, radius), Server 4 (LDAP, ldap), On-demand User (ONDEMAND, ondemand), SIP (N/A).] > Authentication Required For the Zone: When it is disabled, users will not need to authenticate before they get access to the network within this Service Zone. 5 Managing Wireless Network. 5.1 WHG301 with Multiple Types of AP. Besides the LAN ports on WHG301, you can connect APs to WHG301 to extend network access wirelessly. EAP100 is one manageable AP for WHG301. Besides EAP100, WHG301 can manage multiple types of AP, such as EAP100 (versions 1.10, 1.11, 2.00, 2.10, 4.00), CPE100 and CPE110 (version 1.70), OWL500 and OWL510 (version 1.10) and EAP700 (version 1.10). Almost all the settings of an AP can be configured from WHG301. Apart from personal or home use, most environments, such as hotspots or large offices, need more than one AP to serve many people, and in these areas indoor APs alone are sufficient. On the other hand, many complicated environments combine indoor and outdoor areas: industrial sites combine office buildings and open-air factories, and campuses combine classrooms, labs, offices and many open-air playgrounds. Such environments need indoor APs and outdoor APs at the same time. For this reason the manage
3. Configure Mail Message go to System gt gt Service Zones Group Permission for this Service Zone Default Policy in this Service Zone Policy 1 Edit System Policies LS Enabled Email Message for Login Reminding i Edit Mail Message Disabled When enabled the system will automatically send an email to users if they attempt to send receive their emails using POP3 email program for example Microsoft Outlook before they are authenticated Click Edit Mail Message to edit the message in HTML format POPS Email Message Editing Service Zone S71 lt DOCTYPE HTML PUBLIC W3C DTD HTML 4 0 Transitional EN gt CS lt HIML gt lt HEAD gt lt META HTTP EQUIV Content Type CONTENT text html charset us ascii gt lt HEAD gt lt BODY gt ji W lt FONT face Times New Roman size 6 gt lt STRONG gt Welcome lt STRONG gt Kaazen lt DIV gt lt DIV gt FONT size 4 gt lt STRONG gt lt STRONG gt lt FONT gt lt DIV gt z 106 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 7 2 After User Login 7 2 1 Browse which Home Page after login success Configure Portal URL go to System gt gt General If enable this function enter the URL of a Web server as the homepage Once logged in successfully users will be directed to this homepage such as hito www google com regardless of the original homepage set in their computers Gener
4. Subnet mask Betault gateway Ce Obtain DNS server address automatically C Use the following DMS server addresses Advanced SES Prefered DHS server Alternate DAS szerver Cancel User s Manual WHG301 Secure WLAN Controller ENGLISH 4ipnet 5 Using Specific IP Address If you want to use a specific IP address acquire the following information from the network administrator the P Address Subnet Mask and DNS Server address provided by your ISP and the Gateway address of WHG301 d If your PC has been set up completely please inform the network administrator before proceeding to the following steps 5 1 Choose Use the following IP address and Internet Protocol TCP IP Properties l WK 2 x enter the P address Subnet mask If the DNS Bebe ep e Cou can get IP settings assigned automatically if your network supports Server field IS em pty select Using the this capability Othenwise you need to ask your network administrator for the appropriate IP settings following DNS server addresses and enter S Obtains ddies automatically the DNS Server address Then click OK 5 2 Click Advanced to enter the Advanced D TCP IP Settings window Subnet mask Default gateway Preferred DNS server Alternate DMS server Ok Cancel Advanced TCP IP Settings fe zi i 5 3 Click on the IP Settings tab and click Add below the Default gateways c
5. User s Manual WHG301 v3 00 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH Copyright The contents of this publication may not be reproduced in any part or as a whole stored transcribed in an information retrieval system translated into any language or transmitted in any form or by any means mechanical magnetic electronic optical photocopying manual or otherwise without the prior written permission of 4IPNET INC Disclaimer AIPNET INC does not assume any liability arising out the application or use of any products or software described herein Neither does it convey any license Under its parent rights not the parent rights of others AIPNET further reserves the right to make changes in any products described herein without notice The publication is subject to change without notice Trademarks AIPNET 4ipnet is a registered trademark of 4IPNET INC Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH FCC CAUTION This equipment has been tested and proven to comply with the limits for a class B digital device pursuant to part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This equipment generates uses and can radiate radio frequency energy and if not in
6. [Screenshot residue: notification settings form with Interval, Sender E-mail Address, SMTP Server and SMTP Auth Method fields; SYSLOG Server Settings (System Log, On-demand Users Log, Session Log, Hardware Log, each with IP Address and Port); FTP Server Settings (IP Address, Port, Server Folder, Send Log every ... Hours, Anonymous, FTP Setting Test). Note on the form: the FTP send interval is the same as the Interval of Session Log in the Notification E-mail.] 10.2.1 E-Mail Notification. E-mail Settings: > Receiver E-mail Address(es): Up to 3 e-mail addresses can be set up to receive the notification. These are the receivers' e-mail addresses. There are four kinds of notification to select from: Monitor IP Report, Users Log, On-demand Users Log and AP Status Change; check which type of notification is to be sent. > Interval: The time interval at which the e-mail report is sent. > SMTP Setting Test: Tests the settings immediately. > Sender E-mail Address: The e-mail address of the administrator in charge of the monitoring. This will show up as the sender's e-mail. > SMTP Server: The IP address of the sender's SMTP server. > SMTP Auth Method: The system provides four authentication methods: Plain, Login, CRAM-MD5 and
7. 103 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 7 1 5 Walled Garden AD List Configure Walled Garden AD List go to Network gt gt Walled Garden AD List This function provides advertisement web pages for users to access free advertisement websites listed before login and authentication Advertisement hyperlinks are displayed on the user s login page Clients who click on it will be redirected to the listed advertisement websites Walled Garden Ad List URL Topic Item Gre Edit Display Description 1 R 2 o S 4 Edit Cl e S e Edit Click Edit to add a new item or make changes Click Apply the items will be added and shown in the list e Display Choose Display to display advertisement hyperlinks on the login pages Walled Garden Ad List Item 1 URL bin www yecafe com Topic YK Cafe Description Welcome to YK Cafe Walled Garden Ad List Item 3 Topic Google CS Walled Garden Ad List Item 3 URL httpaww yahoo com Topic Yahoo Description 104 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH Item URL Topic Description httpivKcafe com YK Cafe Welcome to YK Cafe http vwww gooal e Com Google No 1 Search Engine bp Jangen yahoo com Yahoo User Login Username Password Remember Me wl YK Cafe Welcome YK Cafe Google No i Search Engine Yahoo 105 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 7 1 6 Mail Message
8. [Screenshot residue: Device List columns IP Address, Power Level (Highest) and Loading (Offline).] This function tries to prevent the managed APs from being overloaded. When the system detects that the number of clients associated with an AP exceeds the predefined threshold while other APs in the same group are still below the threshold, the balancing function is activated to decrease the transmit power of the overloaded APs and increase the transmit power of the other available APs. This gives the other available APs more chance to be associated. The system can divide the managed APs into groups and define the group threshold and a time interval which will trigger the AP load balancing. 1. Setup the Interval. Configure Interval: go to Access Points >> AP Load Balancing >> General Configuration. General Configuration: Interval (0-999; 0: Disable). Input an Interval; if you input 0, it means Disabled and the system will not enable the AP Load Balancing function. 2. Configure the Loading Threshold of each Group. Configure Group Confi
9. 4.1.2 POP3. Choose POP3 from the Authentication Database field. Except for Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database. [Screenshot residue: Authentication Option Server 2 form: Name, Postfix (pop3), Black List (None), Authentication Database (POP3), Group, Enable Local VPN.] Click the Configure button for further configuration. Enter the information for the primary server and/or the secondary server (the secondary server is not required). The fields with a red asterisk are required. These settings will become effective immediately after clicking the Apply button. [Screenshot residue: External POP3 Server Related Settings: Username Format (Complete, e.g. user1@companyname.com / Only ID, e.g. user1); Primary POP3 Server (Server, Port 110, SSL Connection); Secondary POP3 Server (SSL Connection).] • Username Format: When the Complete option is checked, both the username and postfix will be transferred to the server for authentication. When the Only ID option is checked, only the username will be transferred to the external server for authentication. • Server: The IP address of the external POP3 Server. • Port: The authentication port of the external POP3 Server. • SSL Connection: The system supports POP3S. Check the check box to enable SSL Connection to POP3
10. AP List IP Address Status AP Name No of Client Service Zone MAC Address Channel D E 192 168 0 2 Ee C NEWDEM OOT 34 0 Default SS 00 1F 04 00 0C CD ii 197 168 0 101 Offline L auto1o1 g Default 00 02 00 00 00 65 NA 197 168 0 102 Offline CI auto1o2 Default 00 02 00 00 00 66 NA 197 168 0 103 Offline D auto103 0 Default OO02 00 00 00 67 NA 197 168 0 104 Offline D autol 4 0 Default 00 02 00 00 00 68 NA 192 168 0 105 Offline D auto105 0 Default 00 02 00 00 00 69 NA wf Enable Disable Apply Template Apply Service Zone Total 11 e AP Name Click AP Name and enter the interface about related settings There are four kinds of settings General Settings LAN Interface Setting and Wireless Interface Setting Click the hyperlink to go on the configuration General Settings AP Name NEWDEV 00154 General Firmware 1 70 00 LAN Interface Settings IP Address 192 168 0 2 LAN Gateway 192 168 1 254 Wireless Interface Settings Channel Auto Wireless LAN Data Rate Auto 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH gt General Setting Click the link to enter the General Setting interface Firmware information also can be observed here Name Admin Password NTP SNMP SYSLOG Remark Firmware General Settings NEWDEv 00154 TEETE Time Zone e GMT 08 00 Taipei Taiwan Bi NTP Server 1 tick stdtime gov tw e NTP Ser
11. IP Address and enter DNS Server address Click Add and Disable DNS then click OK to complete the configuration Host Domain OWNS Serwer Search Order lt eg TD Hemare Domain Suffix Search Order oo Check the TCP IP Setup of Window 2000 J Control Panel s me zi 1 Select Start gt gt Control Panel gt gt Network and He Edt view Favorites Tools Help gem Back gt A Search L Folders E History AS LP Be XA IEE Dial up Connections Address aq Cortrdl end zl e e Date Time Display Folder Options Fonts a Ge S E d d Lem 5 D e o Game Internet Keyboard Mouse Controllers Options a S Phone and Power Options Printers Modem SI g Regional Scanners and Scheduled Sounds and Network and Dial up Connections Connects to other computers networks and the Internet Windows Update Windows 2000 Support Options Cameras Tasks Multimedia System Users and VMware Tools gt Connects to other computers networks and the Internet ka my Computer de 200 4ipnet 2 3 4 Right click on the Local Area Connection icon and select Properties Select Internet Protocol TCP IP and then click Properties Now you can choose to use DHCP or a specific IP address Using DHCP If you want to use DHCP choose Obtain an IP address automatically and then click OK This is also th
12. S Ed Certification Authority Opens property sheet For the current selection Command E 210 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 2 3 Step 3 Edit Profile Select the Advanced Tag Add a new attribute Add a new Vendor specific attribute Group3_Unlimited Properties Settings Specify the conditions that connection requests must match Policy conditions AIS BES EU KE Windowe Groups Gees 2 E Dial in Constraints IF bieti Authentication Encryption Advanced Specify addition PROP yer ties ACCESS Server Attributes To add an attribute to the Profile select the attribute and then click Add Add EE Generate Class Class Framed Protoce Service Type To add an attribute that is not listed select the Vendor Specific attribute IF connection req associated profile 5 Edit Profile Unless individual policy controls ace Attribute Gol angang y Ith CG r ALS ISTO PEC UG SUDDOTL OF DIODIIGLOaIV Mao PESIUes A P Allowed Certificate O1D Microsoft Species the certificate purpose or usage abject identifiers i Generate Class Athibute Microsoft Species whether AS automatically generates the class al If a connection re Generate Session Timeout Microsoft Species whether IAS automatically generates the session C Deny remote Ignore U ser Dialin Properties Microsoft Species that the user s dia
13. SZ5 SSID5 None Policy 1 Server 1 Disabled OD OD F SZ6 SSID6 None Policy 1 Server 1 Disabled QD OD F SZ7 SSID7 None Policy 1 Server 1 Disabled AIR JOJO A OD SZ8 SSID8 None Policy 1 Server 1 Disabled Port Base 27 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH Service Zone Settings Service Zone Name VLAN Tag SSID WLAN Encryption Applied Policy Default Authen Option Status Details Default N A SSIDO None Policy 1 Server 1 Enabled Configure SZ1 1 SSID1 None Policy 1 Server 1 Disabled 522 2 SSID2 None Policy 1 Server 1 Disabled Configure SES 3 SSID3 None Policy 1 Server 1 Disabled Configure SZ4 4 SsID4 None Policy 1 Server 1 Disabled SZ5 5 SSIDS None Policy 1 Server 1 Disabled SZ6 6 SSIDG None Policy 1 Server 1 Disabled S27 7 SSID7 None Policy 1 Server 1 Disabled 528 a SSIDs None Policy 1 Server 1 Disabled Configure Tag Base e Service Zone Name Mnemonic name of the Service Zone e LAN Port Mapping Port Base only Choose which port is mapped to which Service Zone e VLAN Tag Tag Base only The VLAN tag number that is mapped to the Service Zone e SSID The SSID that is associated with the Service Zone e WLAN Encryption Data encryption method for wireless networks within the Service Zone e Applied Policy The policy that is applied to the Service Zone e Default Authen Option Default authentication method server that is used within the Service Zone e Status Each Service Zone can be enab
14. The Remark field is not necessary but is useful to keep track. WHG301 allows privilege IP addresses at most. These settings will become effective immediately after clicking Apply. [Screenshot residue: Granted Access by IP Address table with columns No., IP Address, Remark; rows 1-10.] Permitting specific IP addresses to have network access rights without going through the standard authentication process under a service zone may cause security problems. 8.3.2 Privilege MAC. Privilege MAC Address List: In addition to the IP address, the MAC address of the workstations that need to access the network without authentication can also be set in the Granted Access by MAC Address list. WHG301 allows privilege MAC addresses. When manually creating the list, enter the MAC address (the format is xx:xx:xx:xx:xx:xx) as well as the remark (not necessary). These settings will become effective immediately after clicking Apply. [Screenshot residue: Granted Access by MAC Address table with columns No., MAC Address, Remark; rows 1-10.] Permitting specific MAC addresses to have network access rights without going through the standard authentication process under a service zone may cause security problems.
15. Ping host (IP): Sends an ICMP echo request to a specified host and waits for the response to test the network status. Trace routing path: Traces and inquires the routing path to a specific target. Display interface settings: Displays the information of each network interface setting, including the MAC address, IP address and Netmask. Display the routing table: The internal routing table of the system is displayed, which may help to confirm the Static Route settings. Display ARP table: The internal ARP table of the system is displayed. Display system up time: The system live time (the time the system has been turned on) is displayed. Check service status: Checks and displays the status of the system. Set device into safe mode: If the administrator is unable to use the Web Management Interface via a browser because the system has failed inexplicably, the administrator can choose this utility and set the device into safe mode, which makes it possible to manage the device with a browser again. Synchronize clock with NTP server: Immediately synchronizes the clock through the NTP protocol and the specified network time server. Since this interface does not support manual setup of its internal clock, the internal clock must be reset through NTP. Print the kernel ring buffer: Used to examine or control the kernel ring buffer. The program helps users to print out their boot-up messages instead of copying the messages
16. before proceeding further with the system configuration. Settings for the two VLAN modes are slightly different; for example, the VLAN Tag setting is required for Tag-Based mode. • Select Service Zone Mode: Select a VLAN mode, either Port-Based or Tag-Based. [Screenshot residue: LAN Ports and Service Zone Mapping: select the mode for Service Zone (Port-Based / Tag-Based); specify a desired Service Zone for each LAN port.] The switches deployed under WHG301 in Port-Based mode must be Layer 2 switches only. The switch deployed under WHG301 in Tag-Based mode must be a VLAN switch only. > Port-Based: When Port-Based mode is selected, traffic from different virtual Service Zones will be distinguished by physical LAN ports. Each LAN port can be mapped to one Service Zone, in the form of a many-to-one mapping between ports and Service Zones. o Specify a desired Service Zone for each LAN Port: For each LAN port, select from the drop-down list box the Service Zone to which the LAN port is to be mapped. By factory default, all LAN ports are mapped to the Default Service Zone; therefore, the administrator can enter the web management interface via any LAN port upon the first power-up of the system. In the drop-down list box, all disabled Service Zones are grayed out; to activate any desired Service Zone, please configure the desired Service Zone under the S
17. go to. WHG301 supports Remote VPN so that users can log in to the system from a remote area. After a user logs in to the system from the outside network on the WAN side, it appears to the user as if they had logged in to WHG301 locally under the service zone. Such users can also have a Policy applied and are controlled by the system when accessing the network. [Screenshot residue: Remote VPN for the Entire System: Remote VPN Status (Enable / Disable), Start IP Address 192.168.6.1 (supports up to 20 connections), SIP Configuration, WAN Interface, Authentication Options (Server 1 LOCAL/local, Server 2 POP3/pop3, Server 3 RADIUS/radius, Server 4 LDAP/ldap), Group Permission Configuration, Applied Policy to Remote Client, Remote VPN Login Page.] All settings resemble the settings in a Service Zone. You can also set up the SIP, WAN Interface, Authentication Options, Group Permission, Applied Policy and customizable Login Page. After Remote VPN is enabled, when you browse the home page with the WAN IP you will get the Remote VPN login page; input the username and password for an enabled authentication option and you will log in to the system successfully. After Remote VPN is enabled, the default home page will be the Remote VPN login page. If you want to access the WMI of WHG301, please input login.shtml after the WAN IP. For example, it may be http://10.2.3.4/login.shtml.
18. [Screenshot residue: WAN1 Interface Setting form: Static (use the following IP settings), Dynamic (IP settings assigned automatically), PPPoE, PPTP (Type: Static / DHCP; Preferred DNS Server, Alternate DNS Server, PPTP Server IP Address, Username, Password, PPTP Connection ID/Name, Dial on Demand: Enable / Disable).] 3.3 Configuring WAN Ports (optional). WHG301 also supports a second WAN port, called WAN2. The second port is for connecting to a second upstream feed. When WAN1 is connected to an ISP and WAN2 is connected to another ISP, the network is referred to as dual-ISP homing, or as having a dual-homed Internet feed. That is, when the first ISP via WAN1 is down, the second ISP via WAN2 will still be able to service the client devices downstream of WHG301. When WAN2 is enabled, the system can be set up to support more features such as WAN Failover and Load Balance, but these are not a necessity. These two features will be discussed in the next section. Other WAN traffic settings: By default, all Policies of WHG301 use WAN1 as the outgoing gateway; that is, all user groups' traffic will use WAN1 as the Internet feed. The administrator can change the Routing Profile of a Policy to use WAN2 as the default gateway; that way, the groups bounded by the Policy will use WAN2 as t
19. select a billing plan and click Create It will create On demand user account 111 User s Manual WHG301 Secure WLAN Controller ENGLISH Hello you are logged in via 1 local To log out please click the Logout button To create accounts for guest or Ondemand users select the usage type and click the button below Plan 1 5 hr s Ki 10 hrs 6 mings 10 Mbytes Until 11 30 100 Mbyte s Ls This function is not for On demand User On demand users can not create another On demand user 112 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 7 2 7 Proxy Server Configure Proxy Server go to Network gt gt Proxy Server Basically a proxy server can help clients access the network resources more quickly This section presents basic examples for configuring the proxy server settings of WHG301 Using Internet Proxy Server The first scenario is that a proxy server is placed outside the LAN environment or in the Internet For example the following diagram shows that a proxy server of an ISP will be used Areess Point ISP Proxy Server N Follow the following steps to complete the proxy configuration Step 1 Log into the system by using the admin account Step 2 Network gt gt Proxy Server gt gt External Proxy Servers page Add the IP address leaving it blank means any IP address and port number of the proxy servers into External Proxy Servers setting Enable the
20. [Screenshot residue: online user list row (user test, postfix local) with Logout and Refresh buttons.] 10.1.6 User Logs. View User Logs: go to Status >> User Logs. This page is used to check the traffic history of WHG301. The history of each day will be saved separately in the DRAM for at least 3 days (72 full hours). The system also keeps a cumulative record of the traffic data generated by each user in the latest 2 calendar months. [Screenshot residue: per-day entries (2009-07-28 to 2009-07-30) with size in bytes for Users Log, On-demand Users Log, Roaming Out User Log and Roaming In User Log; call count for SIP Call Usage Log; Monthly Network Usage of Local User by month.] Since the history is saved in the DRAM, if you need to restart the system and at the same time keep the history, please manually copy and save the traffic history information before restarting. If the Receiver E-mail Address(es) has been entered under the Notification Configuration page, the system will automatically send out the history information to that specified e-mail address.
21. this Interface Status page is visited The total accumulated bytes in through this WAN port since the gateway boots up The delta shows the difference between the numbers from last time this Interface Status page is visited The total accumulated packets out through this WAN port since the gateway boots up The delta shows the difference between the numbers from last time this Interface Status page is visited Service Zone DHCP Server Default SZ1 SZ8 Service Zone Default SZ1 SZ8 146 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 10 1 3 Hardware Information View Hardware Information go to Status gt gt Hardware It will show the current CPU and Memory usage of the system Hardware Information CPU 0 00 Mem ory 10 67 147 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 10 1 4 Routing Table View Routing Table go to Status gt gt Routing Table All the Policy Route rules and Global Policy Route rules will be listed here Also it will show the System Route rules specified by each interface Policy 1 Destination Subnet Mask Gateway Interface Policy 2 Destination Subnet Mask Gateway Interface Policy 3 Destination Subnet Mask Gateway Interface J e J Global Policy Destination Subnet Mask Gateway Interface System Destination Subnet Mask Gateway Interface 192 168 235 0 239 32 2 00 0 0 0 0 MGMT 192 168 0 0 253 255 254 0 0 0 0 0 Default 192 168 14 0 2
22. [Screenshot residue: firewall rule edit form: Rule Name; Source and Destination (Interface/Zone: ALL, IP Address: 0.0.0.0, Subnet Mask: 0.0.0.0 (/0), MAC Address); Service Protocol: ALL; Schedule (Always / Recurring / One Time); Action for Matched Packets (Block / Pass).] o Rule Number: This is the rule selected. Rule No. 1 has the highest priority, Rule No. 2 has the second priority, and so on. o Rule Name: The rule name can be changed here. o Source/Destination Interface/Zone: There are choices of ALL, WAN1, WAN2, Default and the named Service Zones to be applied for the traffic interface. o Source/Destination IP Address/Domain Name: Enter the source and destination IP addresses. Domain Host filtering is supported but Domain name filtering is not. o Source/Destination Subnet Mask: Select the source and destination subnet masks. o Source MAC Address: The MAC address of the source IP address. This is for filtering on a specific MAC address. o Service Protocol: Select from the defined protocols in the service protocols list. o Schedule: When a schedule is selected, the firewall rule is applied to clients assigned this policy only within the time checked. There are three options: Always, Recurring and One Time. Recurring is set with the hours within a week. o Action for Matched Packets: There are two options, Block and Pass. Block is to prevent packets from passing and Pass is to per
23. 12V power adapter to the power socket on the rear panel The Power LED should be on to indicate a proper connection 2 Connect an Ethernet cable to the WAN1 Port on the front panel Connect the other end of the Ethernet cable to an xDSL cable modem or a switch hub on the LAN of a company organization The LED of this port should be on to indicate a proper connection 3 Connect an Ethernet cable to one of the LAN1 LAN8 Ports on the front panel Per your needs connect the other end of the Ethernet cable to an administrator PC for configuring the WHG301 system an AP for extending wireless coverage a switch for connecting more wired clients or a client PC The LED of the connected port should be on to indicate a proper connection WHG301 supports Auto Sensing MDI MDIX You may use either a straight through or a cross over Ethernet 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH Figure 3 below is a simple network diagram for the initial installation and configuration Start with this simple network topology to set up WHG301 for the first time it helps to plan a more sophisticated network topology to suits your specific application needs later WHGOSO1 The system s WAN port connecting to a device upstream such as a modem to the ISP If the ISP issues dynamic address the system s wil use the obtained IP as its WAN address Em Modem to ISP PC connecting to the system s LAN port By defau
24. 2009 06 18 11 09 21 2009 06 18 11 09 21 2009 06 18 11 09 21 2009 06 18 11 09 21 If there are some APs that are trusted by administrator or these APs are just temporary usage So you can add these APs to the Trust List and then system will ignore these APs and will not show in the Rogue AP List again Also you can check which AP had added to trust list by the Trusted AP List 10 44 BSSID 0A14 A3 08 09 56 ET TAS 08 09 56 00 14 43 08 09 56 SEP E Se Dn Sa EE 06 17 43 08 09 56 Trusted AP List Remark oap E Cip psk Cip wep Cip Cherry 224 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH Appendix H AP Load Balancing Configure AP Load Balancing go to Access Points gt gt AP Load Balancing Interval Status AP Type CPE100 v C Group EI None None E None None EI Mone None None EI Mone EI None E None Device Name autoili auto1lo auto1o3 auto1o04 auto1ios auto 106 autolo autoigg auto1io9 aute110 General Configuration Disabled Group Configuration 1 3 Device List MAC Address 00 02 00 00 00 65 00 02 00 00 00 66 00 02 00 00 00 67 00 02 00 00 00 68 00 02 00 00 00 69 00 02 00 00 00 6A 00 02 00 00 00 65 00 02 00 00 00 6C 00 02 00 00 00 60 00 027 00 00 00 6E Add to None IP Address 192 192 192 192 192 192
25. 4.1.3 RADIUS
Choose RADIUS from the Authentication Database field. Except for Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database.
Click the Configure button for further configuration. The RADIUS server provides the external authentication for user accounts. Enter the information for the primary server and/or the secondary server (the secondary server is not required). The fields marked with a red asterisk are required. These settings take effect immediately after clicking the Apply button.
[Screenshot: External RADIUS Server Related Settings, with the fields 802.1X Authentication, Username Format (Complete or Only ID), NAS Identifier, NAS Port Type, Class-Group Mapping, and for the Primary and Secondary RADIUS Server: Server, IP Address, Authentication Port, Accounting Port, Secret Key, Accounting Service, Authentication Protocol]
26. Appendix G. Rogue AP Detection
Configure Rogue AP Detection: go to Access Points >> Rogue AP Detection.
This function is designed to detect non-managed or possibly malicious APs in the deployed environment. It uses the managed APs as sensors to find non-managed APs, even if such an AP uses the same SSID as the managed APs. You can set the Detection Interval, e.g. 5 minutes, and the system will then scan for rogue APs every 5 minutes. All detected rogue APs are listed in the Rogue AP List, which contains each AP's BSSID, ESSID, Type, Channel, Encryption and the detection time.
1. Set up the Detection Interval. Configure Detection Interval: go to Access Points >> Rogue AP Detection >> General Configuration. Enter a Detection Interval (range 0 to 999). If you enter 0, this function is disabled and the system will not perform Rogue AP Detection.
2. Let the managed AP be the sensor. Configure Rogue AP Sensor: go to Access Points >> Rogue AP Detection >> Sensor List Configuration. Befo
28. MAC ACL: Control list to manage which client devices are allowed to access the login page.
Multiple Login: When enabled, a user can log in from different computers with the same account. This function doesn't support On-demand users and RADIUS authentication.
7.2.4 DoS Attacker Denial Time
Configure DoS Attacker Denial Time: go to Users >> Additional Configuration.
This is the period for which a DoS attacker is denied. When the system detects that a user shows DoS behavior, it revokes that user's network access for this period. After the period ends, the user can access the network normally.
7.2.5 Local Users Change Password Privilege
Configure Local Users Change Password Privilege: go to >> Privilege
29. Search: Enter a keyword of a username to be searched in the text field and click this button to perform the search. All usernames matching the keyword will be listed.
Del All: Click this button to delete all the users at once, or click Delete to delete a user individually.
Edit User: If the content of an individual user account needs editing, click the username of the desired account to enter the User Profile Interface for that user, and then modify or add any desired information such as Username, Password, MAC Address (optional), Applied Group (optional), Enable Local VPN (optional) and Remark (optional). Click Apply to complete the modification.
30. External Proxy Servers setting. Click Apply to save the settings.
Step 3: Make sure that clients use the same proxy server settings. Also configure appropriate exceptions for any traffic that does not need to go through the proxy server; for example, there is no need to use the proxy server for the Default Gateway (192.168.1.254).
Caution: The proxy server setting of the clients must match the proxy server setting of the system. Otherwise users will not be able to get the Login page for authentication via browsers, and the browser will show an error page.
8 Networking Features of a Gateway
Configure DMZ: go to Network >> NAT >> DMZ (Demilitarized Zone). The system supports Internal IP addres
31. Figure 2, the administrator plans three logical Service Zones for an academic campus. The first Service Zone, with SSID Student and VLAN tag 1, is for students. The second, with SSID Faculty and VLAN tag 2, is for faculty. The third, with SSID Guest and VLAN tag 3, is for guests. A Service Zone may or may not require client authentication, depending on how the administrator sets it up. If a Service Zone requires user authentication, the client will be prompted to log in before using the network services, whether the client connects to its SSID wirelessly or to a switch port by wire.
A Group is a set of user accounts sharing the same access privileges, QoS properties and network policies. Each client account belongs to a Group. Each Group may or may not have the access privilege of a Service Zone, depending on how the administrator defines its policy. If the administrator does not assign a new account to any specific Group, the account belongs by default to a catch-all group named None.
A Policy defines rules, privileges or properties for managing users. Each user group is bound by a Policy within a given Service Zone. The same group may or may not be bound to the same policy in different Service Zones. There are two tiers of Policies. The first tier is a policy named Global Policy. The Global Policy is a base policy which will
32. Duration time with Absolute Expiration Time: The scenario for this type is a client who goes to an exhibition and purchases an on-demand account. The exhibition runs from 09:00 02 Jun 2009 to 18:00 07 Jun 2009. This account will be activated at 09:00 02 Jun 2009, can be used during the exhibition period, and will expire at a configured time such as 18:00 07 Jun 2009. Account Activation is the time at which the account will be activated for use. Expiration Time is the time at which the account expires and can no longer be used. Price is the unit price of this plan.
External Payment Gateway: This section is for merchants to set up an external payment gateway to accept payments, in order to provide wireless access service to end customers who wish to pay for the service online. The options are Authorize.Net, PayPal, SecurePay, WorldPay or Disable.
On-demand Account Creation: After at least one plan is enabled, the administrator c
33. IPSec tunnel. This problem can be fixed by installing patch KB889527. Before enabling the IPSec VPN function on client devices, obtain the patch from Microsoft's website at http://support.microsoft.com/default.aspx?scid=kb;en-us;889527. This patch also fixes the problem of supporting active-mode FTP inside the IPSec VPN tunnel on Windows XP SP2. Please UPDATE clients' Windows XP SP2 with this patch.
The Termination of ActiveX: The ActiveX component for IPSec VPN runs in parallel with the Login Success web page. To ensure that the built-in IPSec VPN tunnel stays alive until clients decide to close the session and disconnect from WHG301, avoid the following conditions or behaviors, which may cause Internet Explorer to stop the ActiveX component:
1. A crash of Internet Explorer while running ActiveX. If this happens, reboot the client computer. Once Windows service is resumed, go through the login process again.
2. Termination of the Internet Explorer task from Windows Task Manager. Do NOT terminate this VPN task of Internet Explorer.
3. Execution of instructions
34. Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database.
Click the Configuration button for further configuration. Enter the server IP address and enable or disable the transparent login function. These settings take effect immediately after clicking the Apply button.
Server: The IP address of the external NT Domain Server.
Transparent Login: This function refers to Windows NT Domain single sign-on. When Transparent Login is enabled, clients log in to the system automatically after they have logged in to the NT domain, which means that clients only need to log in once.
4.1.6 On-Demand Users
On-demand User Server Configuration: The administrator can enable and configure this authentication method to create on-demand user accounts. This function is designed for hotspot owners to provide temporary users with free or paid wireless Internet access in the hotspot environment. Major functions include account creation, the user monitoring list, billing plans and external payment gateway support.
35. NTLMv1, or None to use none of the above. Depending on which authentication method is selected, enter the Account Name, Password and Domain.
o NTLMv1 is not currently available for general use.
o Plain and CRAM-MD5 are standardized authentication mechanisms, while Login and NTLMv1 are Microsoft proprietary mechanisms. Only Plain and Login can use the UNIX login password. Netscape uses Plain. Outlook and Outlook Express use Login by default, although they can be set to use NTLMv1.
o Pegasus uses CRAM-MD5 or Login, but which method is used cannot be configured.
10.2.2 SYSLOG
SYSLOG Server Settings: There are 3 types of Syslog supported: System Log, On-demand User Log, Session Log and Hardware Log. Enter the IP address and port number to specify where the reports should be sent.
Note: When the number of a user's sessions (TCP and UDP) reaches the session limit specified in the policy, a record will be logged to this Syslog server.
10.2.3 FTP
FTP Server Settings. Session Log: Logs each connection created by users, tracking the source IP/port and destination IP/port. The Session Log is sent to the FTP server automatically at every interval defined in the Session Log email notification. Session Log allows the log file to be uploaded to an FTP server periodically. The maximum log file size is 256K. The log file also will be sent to the FTP
36. WorldPay Payment Page Configuration
Installation ID: The ID associated with the Business Account.
Payment Gateway URL: The default website to which all transaction data is posted.
Currency: The currency to be used for the payment transactions.
Service Disclaimer Content: View the service agreement and fees for the standard payment gateway services, and add or edit the service disclaimer content here.
SecurePay Payment Page Billing Configuration
37. Default Room State: The default state of the rooms; it may be Charge, Free or Block.
Service Zone: The service zone of these rooms.
VLAN ID Start: The first VLAN ID.
Number of VLAN: The total number of VLANs.
Start Room Number: The start room number.
Room Prefix: The prefix of the room number.
Room Postfix: The postfix of the room number.
After you have created the VLAN Tag and Room number mapping, you can change the Room State of all rooms in the same Service Zone.
Port Location Mapping Setup: Change All Room State
Default Room State: The default state of the rooms; it may be Charge, Free or Block.
Service Zone: The service zone of these rooms.
If the Room Mapping you want to create does not use contiguous VLAN Tags and Room numbers, you can create it one by one.
Port Location Mapping Setup: Create One
Room Default State: The default state of the rooms; it may be Charge, Free or Block.
Service Zone: The service
38. Users >> Authentication >> On-demand User >> On-demand Account List
Backup Current Accounts: Use this function to create a .txt file with all current user account information and save it on disk.
Restore Accounts: After the current user accounts have been backed up, you can restore all these accounts to another system. Click Restore Accounts to enter the Restore On-demand User Account interface. Click the Browse button to select the text file for restoring the user accounts, and then click Submit to complete the restore process.
39. account is cut off (made expired) by the system on that day. Unit is the number of days of this Cut-off billing plan. Please note that the Grace Period is an additional short period of time after the account is cut off, during which a user is allowed to continue to use the on-demand account to access the Internet without paying an additional fee. Unit Price is the daily price of this billing plan.
o Volume: Volume is the maximum amount of data, in Mbytes, that the on-demand account may use. Quota is the total Mbytes (1 to 2000) that On-demand users are allowed when accessing the network.
o Duration time with Relative Expiration Time: The scenario o
40. address for a special device with certain MAC address.
3.5.3 Tag Base and Port Base
Configure Tag Base or Port Base: go to System >> LAN Port Mapping.
WHG301 supports multiple Service Zones in either of two VLAN modes, Port-Based or Tag-Based, but not both concurrently. In Port-Based mode, each LAN port can only serve traffic from one Service Zone, as each Service Zone is identified by physical LAN ports. In Tag-Based mode, each LAN port can serve traffic from any Service Zone, as each Service Zone is identified by VLAN tags carried within message frames. By default, the system is in Port-Based mode with the Default Service Zone enabled, and all LAN ports are mapped to the Default Service Zone. Compare the two figures below to see the differences.
[Figures: Port-Based and Tag-Based deployments]
It is recommended that the administrator decides which mode is better for a multiple service zone deployment
43. authentication, a group can be chosen to govern SIP traffic. The policy's login schedule profile will be ignored for SIP authentication. Specific route and firewall rules of the chosen group will be applied to SIP traffic.
Appendix A. Network Configuration on PC & User Login
Network Configuration on PC: After WHG301 is installed, the following configurations must be set up on the PC: Internet Connection Setup and TCP/IP Network Setup.
Internet Connection Setup, Windows 9x/2000:
1. Choose Start >> Control Panel >> Internet Options.
2. Choose the Connections tab and then click
44. by hand.
Main menu: Go back to the main menu.
Change admin password: Besides supporting the console management interface through a null modem connection, the system also supports SSH online connection for setup. When using a null modem to connect to the system console, we do not need to enter the administrator's password to enter the console management interface. But when connecting to the system by SSH, we have to enter the username and password. The username is admin and the default password is also admin, which is the same as for the web management interface. The password can also be changed here. If administrators forget the password and are unable to log in to the management interface from the web or the remote end of the SSH, they can still use the null modem to connect to the console management interface and set the administrator's password again.
Although no username and password are required for the connection via the serial port, the same management interface can be accessed via SSH. Therefore we recommend that you change the WHG301 Admin username and password immediately after logging in to the system for the first time.
Reload factory default: Choosing this option will reset the system configuration to the factory defaults.
Restart WHG301: Choosing this option wi
45. demand account is created at 2009/6/30 18:00 and its quota is 4 hours. Thus it becomes usable at 2009/6/30 18:00 and expires at 2009/6/30 22:00. Quota is the total period of time (xx days yy hrs zz mins) during which On-demand users are allowed to access the network. The total maximum quota is 364 days 23 hrs 59 mins 59 secs, even after redeem. Account Activation is the time within which the first login must be done. If the first login of this account is later than this setting, the account will be expired. Valid Period is the valid time period for use. After this period the account expires even if the quota is not exhausted. Price is the unit price of this plan.
o Cut-off: Cut-off Time is the time of day at which the on-demand
46. fusar share freeradius dictionary 3 6 Step 6 Include dictionary 4ipnet in the dictionary of RADIUS server Insert it in an incremental position that easy to find it again INCLUDE dictionary ascend INCLUDE dictionary bhay INCLUDE dictionary binteg S INCLUDE dictionary cabletron INCLUDE dictionary 4ipnet INCLUDE dictionary cisco 2 altiga dictionary 5 INCLUDE dictionary cisco vpnso000 S INCLUDE dictionary cisco vpn5000 INCLUDE dictionary cisco bbsm S INCLUDE dictionary colubris INCLUDE dictionary GE 3 7 Step7 Open the radius database 214 User s Manual WHG301 Secure WLAN Controller ENGLISH vivian linux mysql u root p radius Enter pas Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with 4 SWOOP Welcome to the My50L monitor Commands end with Your My50L connection id is 96 to server wersion Type help or h for help Type ic mysql gt 3 8 Step 8 Insert VSA into RADIUS respond In this example the maximum download and upload in bytes for group03 users is 1MBytes mysql gt INSERT INTO radgqroupreply GroupNarme Attribute op Value VALUES qroupOs 4ipnet Byte a mount 1O4es7e Query OF 1 row affected CU sec mysql gt exit Eye 3 9 Step 9 Restart RADIUS Demand to get your settings activated starting R
47. go to Status >> System. This section provides an overview of the system for the administrator.
[Screenshot: System Setting Overview]
The items in the above table are described as follows:
Firmware Version: The present firmware version of WHG301.
System Name: The system name. The default is WHG301.
Homepage Redirect URL: The page the users are directed to after initial login success.
Syslog server, System Log: The IP address and port number of the external Syslog Server. N/A means that it is not configured.
Syslog server, On-demand Users Log: The IP address and port number of the external Syslog Server. N/A means that it is not configured.
Proxy Server: Enabled/disabled indicates whether the system is currently using the proxy server or not.
Enab
48. >> Discovery
Background AP Discovery: Click Configure to enter the Background AP Discovery interface and continue with the related configuration.
The configuration is the same as AP Discovery. When the Background AP Discovery function is enabled, the system scans once every 10 minutes, or at the interval set by the administrator. If any AP is discovered and Auto Add AP is enabled, it will be assigned an available IP from the starting IP address and the selected template will be applied. You can also set the channel the AP will use.
Note: The scanning process may take a long time if the IP range assigned to scan is too wide.
5.7.5 Manually add AP
Configure adding an AP manually: go to Access Points >> Adding. The AP also can be added man
49. is only applicable for the network environment where the DHCP server is available on the upstream network. Click the Renew button to get an IP address automatically. [Screenshot: WAN1 Interface Setting with the options Static (Use the following IP settings), Dynamic (IP settings assigned automatically), PPPoE and PPTP.] 3.2.3 PPPoE. If the ISP requires you to use a PPPoE dial-up connection, the ISP will issue you an account with a password. You need to enter the account credentials in the WAN configuration page to dial up to the ISP. If you are using ADSL/DSL Internet service, most likely your ISP will require a PPPoE connection. PPPoE: When selecting PPPoE to connect to the network, please set the Username and Password. > MTU: Short for Maximum Transmission Unit of a PPPoE frame. The PPPoE protocol allows an Ethernet frame's size to be up to 1492 bytes, but some ISPs' network equipment may only support a frame size smaller than 1492 bytes. In that case you have to enter a smaller MTU number to meet the ISP's networking requirement. > MSS: Short for Maximum Segment Size for a TCP connection. An end-to-end TCP connection over PPPoE will consume additional overhead out of each packet. At least 40 bytes are used for the address. Hence MSS must be smaller than MTU by at least 40. > Dial on demand function under PPPoE: If this function is enabled, a Maximum
50. ote customized logout page can be previewed by clicking Preview at the bottom of this page. If restoring the factory default setting is needed for the logout interface, click the Use Default Page button. <form action="userlogout.shtml" method="post" name="Enter"> <input type="text" name="myusername"> <input type="password" name="mypassword"> <input type="submit" name="submit" value="Logout"> <input type="reset" name="clear" value="Clear"> </form> 13 Payment Gateways. 13.1 Payments via Authorize.Net. Configure Payments via Authorize.Net, go to Users >> Authentication >> On-demand >> External Payment Gateway >> Authorize.Net. Before setting up Authorize.Net, it is required that the merchant owners have a valid Authorize.Net account. > Authorize.Net Payment Page Configuration [Screenshot: External Payment Gateway selection (Authorize.Net, PayPal, SecurePay, WorldPay, Disable) and Authorize.Net Payment Page Configuration with the fields Merchant Login ID, Merchant Transaction Key, Verify SSL Certificate (Enable / Disable, Trusted CA Management), Test Mode (Enable / Disable, Try Test) and MD5 Hash (Enable / Disable).] Merchant ID: This is the Login ID that comes with the Authorize.Net account. Merchant Transaction Key: The merchant transaction key is similar to a password and is used b
51. [Screenshot, continued: On-demand User Log rows showing Create_OD_User, OD_User_Login and OD_User_Logout records.] Roaming Out User Log: As shown in the following figure, each line is a roaming out traffic history record consisting of 14 fields: Date, Type, Name, NASID, NASIP, NASPort, UserMAC, SessionID, SessionTime, Bytes In, Bytes Out, Pkts In, Pkts Out and Message of user activities. [Screenshot: Roaming Out Traffic History 2005-03-22, with the columns Date, Type, Name, NASID, NASIP, NASPort, UserMAC, SessionID, SessionTime, Bytes In, Bytes Out, Pkts In, Pkts Out, Message.] Roaming In User Log: As shown in the following figure, each line is a roaming in traffic history record consisting of 15 fields: Date, Type, Name, NASID, NASIP, NASPort, UserMAC, UserIP, SessionID, SessionTime, Bytes In, Bytes Out, Pkts In, Pkts Out and Message of user activities. [Screenshot: Roaming In Traffic History 2005-03-22, with the columns Date, Type, Name, NASID, NASIP, NASPort, UserMAC, UserIP, SessionID, SessionTime, Bytes In, Bytes Out, Pkts In, Pkts Out, Message.] SIP Call Usage Log: The log provides the log
52. 3 Discovery AP. Configure Discovery AP, go to Access Points >> Discovery. After the AP template configuration is finished, use this function to detect and manage all of the APs in the network segments. Note that WHG301 can only manage APs that are connected to its LAN ports. Therefore the AP discovery function is for adding locally connected APs to its management list. The administrator must know the local IP addresses of the APs he/she wishes to discover. Alternatively, the better way is to reset the AP to its default settings for discovery. [Screenshot: Discovery Settings. AP Type: CPE100; Interface: Default; Admin Settings Used to Discover: Factory Default (IP Address 192.168.10.1, Login ID root, Password admin) or Manual; Background AP Discovery Status: Disabled; Discovery Results columns: IP Address, AP Name, Template, AP Type, Service Zone, Add, MAC Address, Password, Channel; Total: 0.] • To discover AP: > AP Type: Choose the type of AP you wish to discover. > Interface: Set to default. > Admin Settings Used to Discover: Choose Factory Default, or Manual if the AP is not using the default IP. Then click the Scan Now button and the APs that match the given settings will show in the list below. If one of the intended IP addresses is already in use, a warning message will show up. In this case please change the IP range and then click Scan Now again. • Discovery Results: The discovered new APs will be listed here. When the system s Serv
53. [Screenshot, continued: routing table rows for the Service Zones and WAN1, with the columns Destination, Subnet Mask, Gateway and Interface.] Policy 1~24: Shows the information of the individual Policy from 1 to 24. Global Policy: Shows the information of the Global Policy. System: Shows the information of the system administration. > Destination: The destination IP address of the device. > Subnet Mask: The Subnet Mask IP address of the port. > Gateway: The Gateway IP address of the port. > Interface: The choice of interface network, including WAN1, WAN2, Default or the named Service Zones, to be applied for the traffic interface. 10.1.5 Online Users. View Online Users, go to Status >> Online Users. In this page, each online user's information, including Username, IP Address, MAC Address, Pkts In, Bytes In, Pkts Out, Bytes Out, Idle, Access From and Kick Out, will be shown. Administrators can force out a specific online user by clicking the hyperlink of Kick Out, and check the status of the AP the user accesses from by clicking the hyperlink of the AP name under Access From. Click Refresh to update the current users list. [Screenshot: Online Users List, with the columns No, Username, IP Address, MAC Address, Pkts In, Bytes In, Pkts Out, Bytes Out, Idle (Sec), Access From and Kick Out.]
54. [Screenshot: Users history for 2005-02-17 shown in Microsoft Internet Explorer, with the columns Date, Type, Name, IP, MAC, Packets In, Bytes In, Packets Out, Bytes Out and one LOGIN record.] On-demand History [Screenshot: On-demand history for 2005-02-17 shown in Microsoft Internet Explorer, with the columns Date, System Name, Type, Name, IP, MAC, Packets In, Bytes In, Packets Out, Bytes Out, Expiretime, Valid and the records Create_OD_User, OD_User_Login and OD_User_Logout.] 9.4 SNMP. Configure SNMP, go to If this function is enabled, the SNMP Management IP and the Community can be assigned to access the SNMP Configuration List of the system. [Screenshot: General Settings for the Entire System. System Name: Wireless Hotspot Gateway; Use the name on the security certificate.] Inte
55. ADIUS serv Thu Oct 30 14:26:41 2008 Info Starting reading configuration files. Appendix F. Net Retriever and Port Mapping. This section introduces the configuration of Net Retriever with VLAN Port Mapping. Net Retriever is a middleware that communicates with the popular High Speed Internet Access (HSIA) hardware and Front Office System (FOS) software to provide a seamless integration of the two. It can fill the void created by the hospitality industry's rapid adoption of High Speed Internet Access (HSIA) for their guest rooms and public areas. Besides the communication between WHG301 and Net Retriever, it also needs the VLAN Port-Room Mapping to identify the fee in each room. Each room will map to a unique VLAN Tag. In addition, at least one On-demand Billing Plan needs to be created so that the user can choose a satisfactory one for the Internet access right. Note: For more detail of On-demand Billing Plan configuration, please refer to the section of On-demand Users. 1 Net Retriever. Now let us begin to configure the Net Retriever connection. Configure Net Retriever, go to Users >> Net Retriever >> Connection Setup. > Net Retriever Configuration [Screenshot: Net Retriever Connection Setup, with the fields Secret, Net Retriever Server, Port, NR ID, GSDID and Link Test Interval.]
56. AP Not all AP types support this option. 5.5 AP Security. Configure AP Security, go to [Screenshot: Wireless Settings. SSID: SSID0; Authentication: Open System; Enable 802.1X Authentication; RADIUS Server Settings for 802.1X Authentication: IP Address, Secret Key; Security: Encryption.] > Security: For each service zone, administrators can set up the wireless security profile, including Authentication and Encryption. > Authentication: Including Open System, Share Key, WPA, WPA2 or WPA/WPA2 Mixed. > Encryption: WEP: When Authentication is Open System or Share Key, WEP will be enabled. WPA: When Authentication is WPA, WPA-PSK or WPA-RADIUS will be the options of WPA. For WPA-PSK, Passphrase or HEX can also be selected. WPA2: When Authentication is WPA, WPA-PSK or WPA-RADIUS will be the options of WPA. For WPA-PSK, Passphrase or HEX can also be selected. WPA/WPA2 Mixed: When Authentication is WPA, WPA-PSK or WPA-RADIUS will be the options of WPA. For WPA-PSK, Passphrase or HEX can also be selected. 5.6 Change managed AP settings. Configure AP settings in AP List, go to All of the APs under the management of WHG301 will be shown in the list. The AP can be edited by clicking the hyperlink of AP Name, and the AP status can be obtained by clicking the hyperlink of Status. [Screenshot: AP List.]
57. Blocked. [Screenshot: browser certificate warning. "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended). More information."] The administrator login page will appear. Enter admin, the default username, and admin, the default password, in the Username and Password fields. Click LOGIN to log in. [Screenshot: login page with Username, Password and Login.] If your PC is connected to the Mgmt port and you can't get the Administrator's login screen, the reasons may be: 1. The PC is set incorrectly so that the PC can't obtain the IP address automatically from the Mgmt port. 2. The IP address and the default gateway are not under the same network segment. Please use a default IP address such as 192.168.1.xx in your network and then try again. For the configuration on the PC, please refer to Appendix A, Network Configuration on PC. After a successful login, a Home page will appear on the screen. [Screenshot: Home page with Logout, Help, System Overview and Main Menu.] 3 Placing WHG301 in a Network Env
58. Built-in Proxy Server. Click Apply to save the settings. [Screenshot: External Proxy Servers list with the columns No, IP Address and Port, and Redirect Outgoing Proxy Traffic to Built-in Proxy Server with Built-in Proxy Server set to Disable.] Step 3: Make sure that the proxy server settings match with at least one of the proxy server settings of the system; for example, in this case 203.125.142.1:3128 matches with blank:3128. [Screenshot: Internet Explorer Local Area Network (LAN) Settings dialog, with Automatic configuration (Automatically detect settings, Use automatic configuration script) and Proxy server (Use a proxy server for your LAN, Bypass proxy server for local addresses).] [Screenshot: Proxy Settings dialog, with Servers (Type: HTTP, Secure, FTP, Socks; Proxy address to use; Port; Use the same proxy server for all protocols) and Exceptions (Do not use proxy server for addresses beginning with).] Caution: It is required that the proxy server setting of the clients match with the proxy server setting of the system. Otherwise users will not be able to
59. 2.5 Step 5: Confirm the Vendor-specific Attribute has been added successfully. [Screenshot: Edit Dial-in Profile, Advanced tab, listing the additional connection attributes to be returned to the Remote Access Server.] Max download/upload traffic is 1 M Bytes. 2.6 Step 6: Follow the same steps to create other Vendor-specific Attributes as you need. 3 VSA configuration in RADIUS server (FreeRADIUS). This section will guide you through a VSA configuration using the operating system Fedora and FreeRADIUS version 1.0.5. Before getting started, open the shell of the RADIUS server; for example, use PuTTY to access the Linux host. [Screenshot: PuTTY Configuration dialog, Session category.]
60. 8.4 IP Plug and Play. Configure IP Plug and Play, go to WHG301 supports the IP PNP function. Users can log in and access the network with any IP address setting. [Screenshot: Client Mobility, IP PNP: Enable / Disable.] At the user end, a static IP address can be used to connect to the system. Regardless of what IP address the user end is using, authentication can still be performed through WHG301. 8.5 Dynamic Domain Name Service. Configure Dynamic Domain Name Service, go to Network >> DDNS. Before activating this function, you must have your Dynamic DNS hostname registered with a Dynamic DNS provider. WHG301 supports DNS function to alias the dynamic IP address for the WAN port to a static domain name, allowing the administrator to easily access WHG301's WAN. If the dynamic DHCP is activated at the WAN port, it will update the IP address of the DNS server periodically. These settings will become effective immediately after clicking Apply. [Screenshot: Dynamic DNS. DDNS: Enable / Disable; Provider: DynDNS.org (Dynamic); Host Name; Username/E-mail; Password/Key.] • DDNS: Enable or disable this function. • Provider: Select the DNS provider. • Host name: The IP address/domain name of the WAN port. • Username/E-mail: The register ID (Username or e-mail) for the DNS provider. • Password/Key: The register password for the DNS provider. To apply for free Dynam
61. Group is None too. For example, a Local user user01 is assigned to Group None and the Local Authentication is also assigned to Group None. If the Default Policy of Service Zone1 is None, then when user01 logs in to the Service Zone, the Global Policy will be applied. So the Global Policy has the lowest policy priority; on the other hand, the User Policy will be the highest one. Appendix C. AP WDS Management. Configure AP WDS, go to Access Points >> WDS Management. WDS Management: Wireless Distribution System (WDS) is a function used to connect APs (Access Points) wirelessly. The WDS management function of the system can help administrators to set up a Tree structure of WDS network. [Screenshot: Default Settings for Newly Added WDS Tree (Security: None; Channel; Edit), WDS Status (WDS Tree, Security, Channel, Edit; Refresh Interval: Disable Auto Refresh; "No WDS operation has been done") and WDS Update.] WDS Update legend: the Parent AP of this new connection; the Child AP of this new connection; the Parent AP of this updated connection; the Child AP of this updated connection, where the connection to the previous Parent AP will be deleted; the AP selected, including all of its Child APs, will be deleted. • WDS Status: Status shows the added APs in the WDS Tree with the Security and Channel settings. More than one WDS tree can be set up. Click Edit to change the WDS connection settings for the
62. • Users Log: All activities that occur on the system within the nearest 72 hours are recorded in date and time order. As shown in the following figure, each line is a traffic history record consisting of 9 fields: Date, Type, Name, IP, MAC, Pkts In, Bytes In, Pkts Out and Bytes Out of the user activities. [Screenshot: Users Log 2008-04-14, with the columns Date, Type, Name, IP, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out and sample LOGIN and logout records.] • On-demand User Log: As shown in the following figure, each line is an on-demand user log record consisting of 13 fields: Date, System Name, Type, Name, IP, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out, 1st Login Expiration Time, Account Valid Through and Remark of user activities. [Screenshot: On-demand User Log 2007-11-26, with the columns Date, System Name, Type, Name, IP, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out, 1st Login Expiration Time, Account Valid Through, Remark and a series of Create_OD_User records for Plans 1 to 4.]
63. Idle Time will be available for inputting a value. When the idle time is reached, the system will automatically disconnect itself. [Screenshot: WAN1 Interface Setting with the options Static (Use the following IP settings), Dynamic (IP settings assigned automatically), PPPoE and PPTP; PPPoE fields: Username; Password; MTU: 1492 bytes (Range: 1000~1492); Clamp MSS: 1350 bytes (Range: 380~1400); Dial on Demand: Enable / Disable.] 3.2.4 PPTP. Although not a popular method, the PPTP protocol for dial-up connections is adopted by some ISPs in European countries. WHG301 offers the PPTP dial-up feature for these rare cases. Your PPTP ISP will issue you an account with a password as well as the PPTP server address. PPTP: When selecting PPTP to connect to the network, please specify the given PPTP Server IP Address and enter the Username and Password. > Static or DHCP: Select Static to specify the IP address of the PPTP Client manually, or select DHCP to get the IP address automatically. > Dial on demand function under PPTP: If this function is enabled, a Maximum Idle Time will be available for inputting a value. When the idle time is reached, the system will automatically disconnect itself. [Screenshot: WAN1 Interface Setting with the options Static, Dynamic, PPPoE and PPTP; PPTP fields: Type (Static / DHCP), PPTP Server IP Address.]
64. [Screenshot: Internet Protocol (TCP/IP) Properties, General tab ("You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings."), with the fields Subnet mask, Default gateway, Preferred DNS server and Alternate DNS server.] [Screenshot: Advanced TCP/IP Settings, with the tabs IP Settings, DNS, WINS and Options, the IP addresses list (IP address, Subnet mask, DHCP Enabled), Default gateways (Gateway, Metric) and Automatic metric.] Appendix B. Policy Priority. Global Policy, Service Zone Policy, Authentication Policy and User Policy: WHG301 supports multiple Policies, including one Global Policy and 24 individual Policies that can be assigned to different Groups. The Global Policy is the system's universal policy and is applied to all clients, while the other individual Policies can be selected and defined to be applied to any Service Zone. On the other hand, a Service Zone also has a Default Policy. For some authentication types, such as Local, RADIUS and LDAP, users can be assigned to different Groups individually. The clients belonging to a Service Zone will be bound by an applied Policy. In addition, a Policy can be applied on a Group basis; a Group of users can be bound by a Policy. So one user may have different policies applied at the same time. Which policy is actually applied to this user? The Policy Priority mus
65. LAN devices such as AP and switch. [Screenshot label: 802.1X Authentication.] Local User List: It lets the administrator view, add or delete local user accounts. The Upload User button is for importing a list of user accounts from a text file. The Download User button is for exporting all local user accounts into a text file. Clicking on each user account leads to a page for configuring the individual local account. A local user account can be assigned a Group and have Local VPN applied individually. [Screenshot: Local User List with the buttons Add User, Upload User and Download User, the columns Applied Group, Username, Password, MAC Address, Local VPN Enabled and Remark, and one sample account (Applied Group: None; Username: test; Password: 1234; Local VPN Enabled: Yes); Total: 1.] o Add User: Click this button to enter the Adding User(s) to the List interface. Fill in the necessary information such as Username, Password, MAC Address and Remark. Select a desired Group to classify local users. Check to enable Local VPN in the Enable Local VPN column. Click Apply to complete adding the user(s). The MAC address of a networking device can be bound to a local user as well. This means the user must log in to the system with a networking device (PC) that has this MAC address, so the user cannot log in with any other networking device. [Screenshot: Adding User(s) to the List, with the columns No, Username, Password, MAC Address, Group, Remark and Enable Local VPN.]
66. [Screenshot: WorldPay merchant administration page, TEST environment.] STEP: Select the Save Changes button. STEP: Input the Installation ID and Payment Gateway URL in the gateway UI. > Installation ID: 2009test > URL: https://select.wp3.rbsworldpay.com/wcc/purchase [Screenshot: External Payment Gateway selection (Authorize.Net, PayPal, SecurePay, WorldPay, Disable) and WorldPay Payment Page Configuration with the fields Installation ID, Payment Gateway URL and Currency (GBP, Pound Sterling).] Note: The WAN IP of the gateway must be a real IP. 14 Additional Applications. 14.1 Upload/Download Local Users Accounts. Configure Upload/Download Local Users Accounts, go to Users >> Authentication >> Local Server1~4 >> Configure >> Local User List. [Screenshot: Local User List with the Add User button and the columns Applied Group, Username, Password, MAC Address, Local VPN Enabled, Del All and Remark.] Upload User: Click Upload User to enter the Upload User from File interface. Click the Browse button to select the text file for uploading user accounts, then click Upload to complete the upload process. Note: 1. The format of each line in the file is Username Password MAC Address Applied Group Remark L
67. Local User List >> Roaming Out & 802.1X Client Device Settings. In some cases, WHG301 can act as a RADIUS server for Roaming Out from another system. The Local User database will act as the RADIUS user database. • Account Roaming Out & 802.1X Authentication: When Account Roaming Out is enabled, the link of this function will be available to define the authorized device with IP address, Subnet Mask and Secret Key. [Screenshot: Local User Database Settings. Local User List; Account Roaming Out: Enable / Disable ("Local user database will be used as authentication database for roaming out users"); 802.1X Authentication: Enable / Disable ("Local user database will be used as internal RADIUS database for 802.1X enabled LAN devices such as AP and switch"); link Roaming Out & 802.1X Client Device Settings.] [Screenshot: Roaming Out & 802.1X Client Device Settings table with the columns Type, IP Address, Subnet Mask and Secret Key; the first row is set to Roaming Out and the remaining rows to Disable.] Click the hyperlink Roaming Out & 802.1X Client Device Settings to enter the Roaming Out & 802.1X Client Device Settings interface. Choose Roaming Out and key in the Roaming Out client's IP address and network mask, and then click Apply to complete the settings. In the other system, such as another WHG301, set its RADIUS server to this WHG301
68. [Diagram: Modem, WHG301 and a VLAN Switch, with one VLAN/SSID for Guests and another VLAN/SSID for Employees.] The switch deployed under WHG301 in Tag-Based mode must be a VLAN switch only. 3.5.2 Configure Service Zone network. Configure Service Zone, go to System >> Service Zones. [Screenshot: Basic Settings. Service Zone Status: Enabled; Service Zone Name: Default; Network Interface: Operation Mode NAT / Router, IP Address 192.168.1.254, Subnet Mask 255.255.254.0; DHCP Server: Disable DHCP Server / Enable DHCP Server (Start IP Address 192.168.1.1, End IP Address 192.168.1.100, Preferred DNS Server 192.168.1.254, Alternate DNS Server, Domain Name domain.com, WINS Server, Lease Time 1 Day, Reserved IP Address List) / Enable DHCP Relay.] > Service Zone Status: Each service zone can be enabled or disabled except for the default service zone. > Service Zone Name: The name of the service zone can be input here. > Network Interface: o VLAN Tag (Tag-Based only): The VLAN tag of this service zone. o Operation Mode: Contains NAT mode and Router mode. When NAT mode is chosen, the service zone runs in NAT mode. When Router mode is chosen, this service zone runs in Router mode. o IP Address: The IP Address of this service zone. o Subnet Mask: The subnet Mask of this service zone. > DHCP Server: Related information ne
69. [Screenshot, continued: billing plan list in which the remaining plans show N/A for Type, Quota and Price, and Status Disabled.] • Plan: The number of a specific plan. • Type: Show one type of the plan in Usage time, Duration time or Cut off. • Quota: The total time amount or period on how On-demand users are allowed to access the network. • Price: The unit price of each plan. • Status: Show the status in enabled or disabled. • Function: Press the Create button for the desired plan and the Creating an On-demand Account page will appear for creation. [Screenshot: On-demand Account Creation, with the columns Plan, Type, Quota, Price, Status and Function. Plan 1: Usage time, 2 hr(s), 20, Enabled. Plan 2: Cut-off, Until 13:00, 20, Enabled. Plan 3: Volume, 1000 Mbyte(s), 40, Enabled. Plan 4: Duration time, From 2009/11/01 00:05:00 till 2009/11/05 13:05:00, 100, Enabled. Plan 5: Duration time, 5 day(s) 2 hour(s), 40, Enabled.] [Screenshot: Creating an On-demand Account. Quota: Until 13:00; Grace Period: Account remains usable for 30 minute(s) after cut-off; Unit Price: 10 per day; Unit; Reference: Add a reference related to this account, for example the customer's name; External ID: an external ID such as Library ID No. "Please confirm the information and press Create button to create an account." Printer Interface.] 6 On-demand Account Batch Creation: After at least one plan is enabled, the administrator can generate multiple
70. [Screenshot: Windows Network Connections window showing Local Area Connection under LAN or High-Speed Internet, with the Network Tasks pane and the right-click menu.] 3. Click on the General tab and choose Internet Protocol (TCP/IP), and then click Properties. Now you can choose to use DHCP or a specific IP address. [Screenshot: Local Area Connection Properties, General tab, with the items Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks and Internet Protocol (TCP/IP).] 4. Using DHCP: If you want to use DHCP, choose Obtain an IP address automatically an
71. Service Zone. 4. In each authentication option, you can assign a Group to that authentication option. All users who log in with the same authentication server will belong to the same Group. [Screenshot: Authentication Option, Server 1. Name: Server 1; Postfix: local; Black List: None; Authentication Database: Local (Configure); Group.] But there are some exceptions: • In Local Authentication, each user can be assigned to a different Group one by one. • In RADIUS Authentication, the users can be assigned to different Groups by Class-Group Mapping. • In LDAP Authentication, the users can be assigned to different Groups by Attribute-Group Mapping. 4.2.2 Permission in Service Zone. Configure Permission in Service Zone, go to A Group can be allowed to access one Service Zone or multiple Service Zones. Moreover, a Group can have different Policies applied within different Service Zones. Remote VPN is considered as a zone where clients log into the system via remote VPN. [Screenshot: Group Configuration, Group 1. Select Group: Group 1; QoS Profile; Privilege Profile; Remark; Zone Permission Configuration & Policy Assignment for Group 1, with the columns Zone Name, Enabled and Policy, listing the Default Service Zone and Service Zones SZ1 to SZ5, each set to Policy 1.]
72. Web page, you can decide which of the four connection options (Static, Dynamic, PPPoE and PPTP) to choose from. 3.2.1 Static IP. When the ISP assigns you a static IP address, or for other reasons your network requires you to use a fixed IP address, then you as the administrator of WHG301 will manually enter the fixed IP address as WHG301's WAN address. Static: Manually specifying the IP address of the WAN Port. The fields with red asterisks are required to be filled in. > IP Address: The IP address of the WAN1 port. > Subnet Mask: The subnet mask of the WAN1 port. > Default Gateway: The gateway of the WAN1 port. > Preferred DNS Server: The primary DNS server used by the system. > Alternate DNS Server: The substitute DNS server used by the system. This is an optional field. [Screenshot: WAN1 Interface Setting with Static selected (IP Address, Subnet Mask, Default Gateway, Preferred DNS Server, Alternate DNS Server) and the other options Dynamic, PPPoE and PPTP.] 3.2.2 DHCP (Dynamic IP). When the ISP issues dynamic IP addresses, or there is a DHCP server upstream for issuing dynamic IP addresses, then you as the administrator of WHG301 can configure WHG301 to receive an IP address dynamically as WHG301's WAN1 address. Dynamic: It
73. XX XX XX 6.3 Policy. Configure Policy, go to: WHG301 supports multiple Policies, including one Global Policy and 12 individual Policies. Each Policy consists of access control profiles that can be configured respectively and applied to a certain Group of users. Global Policy is the system's universal policy and is applied to all clients, while the other individual Policies can be selected and defined to be applied to any Service Zone. The clients belonging to a Service Zone will be bound by an applied Policy. In addition, a Policy can be applied on a Group basis: a Group of users can be bound by a Policy. The same Group can be applied with different Policies within different Service Zones. When the type of authentication database is RADIUS, the Class Group Mapping function will be available to allow the administrator to assign a Group for a RADIUS class attribute; therefore, a Policy applied to this Group will be mapped to a user Group of a RADIUS class attribute. When the type of authentication database is LDAP, the Attribute Group Mapping function will be available to allow the administrator to assign a Group for an LDAP attribute; therefore, a Policy applied to this Group will be mapped to a user Group of an LDAP attribute. When the type of database is Local, the Group selection function will be available to allow the administrator to assign a Group to each user one by one. When the
74. (Screenshot: billing plan list and Client's Purchasing Record settings.) Service Disclaimer Content: View service agreements and fees for the standard payment gateway services here, as well as adding new or editing service disclaimers. Choose Billing Plan for Authorize.Net Payment Page: These 10 plans are the plans configured in the Billing Plans page, and all previously enabled plans can be further enabled or disabled here as needed. Client's Purchasing Record: Starting Invoice Number: An invoice number may be provided as additional information with a transaction. The number will be incremented automatically for each following transaction. Click the Change the Number checkbox to change it. Description (Item Name): This is the item information to describe the product, for example, Internet Access. Email Header: Enter the information that should appear in the header of the invoice. Authorize.Net Payment Page Fields Configuration. (Screenshot: Authorize.Net Payment Page Fields Configuration, with columns Item, Displayed Text and Required.)
75. administrator. 3.4.1 WAN Failover. Configure WAN Failover, go to: System >> WAN Traffic. (Screenshot: WAN Traffic Settings.) Enable WAN Failover: Normally, WHG301 uses WAN1 as its primary WAN interface. When WAN Failover is enabled and WAN2 is available, WAN1's traffic will be routed to WAN2 when the WAN1 connection is down. On the other hand, a Service Zone's policy could also use WAN2 as its interface; in that case, if WAN2 is down, the WAN2 traffic under its policy will also be routed to WAN. Fall back to WAN1 when WAN1 is available again: If WAN Failover is enabled, the traffic will be routed to WAN2 automatically when the WAN1 connection fails. When fall back to WAN1 is enabled, the routed traffic will be connected back to WAN1 when the WAN1 connection is recovered. 3.4.2 Load Balance. Configure Load Balance, go to: System >> WAN Traffic. (Screenshot: WAN Traffic Settings.)
76. aining time or volume, or the cut-off time, that the account can continue to use to access the network. Status: The status of the account. Normal: the account is not currently in use and also does not exceed the quota limit. Online: the account is currently in use. Expired: the account is not valid any more, even if there is remaining quota to be used. Out of Quota: the account has exceeded the quota limit. Redeemed: the account has been applied for account renewal. External ID: This is an additional information field for combined with a unique account only. Delete All: This will delete all the users at once. Delete: This will delete the users individually. Redeem On-demand Accounts. (Screenshot: login success page showing the login time and remaining time.) For Usage-time accounts, when the remaining quota is insufficient or if they are almost out of quota, they can use the redeem function to extend their quota. After the user has got or bought a new account, they just need to click the Redeem button in the login success page to enter the Redeem Page, input the new account Username and Password, and then click Submit. This new account's quota will be extended to the original account. Howe
77. (Screenshot: General Settings for the Entire System.) If this function is disabled, after users have logged in successfully they will be directed to the original homepage. 7.2.2 Idle Timer. Configure Idle Timer, go to: Users >> Additional Configuration. (Screenshot: Additional Control, User Session Control.) If a user has idled with no network activities, the system will automatically kick out the user. The logout timer can be set between 1 and 1440 minutes, and the default idle time is 10 minutes. 7.2.3 Multiple Login. Configure Multiple Login, go to: Users >> Additional Configuration. (Screenshot: Additional Control, User Session Control, with the note that authentication options using On-demand and RADIUS databases will not support this function.)
78. all Profile: Click Setting for Firewall Profile. The Firewall Configuration will appear. Click Predefined and Custom Service Protocols to edit the protocol list. Click Firewall Rules to edit the rules. (Screenshot: Global Policy, Firewall Configuration.) Predefined and Custom Service Protocols: There are predefined service protocols available for firewall rules editing. Global Policy Service Protocols List (No., Name, Description; first 10 entries of a total of 27): 1. ALL: ALL; 2. ALL TCP: TCP, Source Port 0-65535, Destination Port 0-65535; 3. ALL UDP: UDP, Source Port 0-65535, Destination Port 0-65535; 4. ALL ICMP: ICMP, Type Any, Code Any; 5. FTP: TCP/UDP, Destination Port 20-21; 6. HTTP: TCP/UDP, Destination Port 80; 7. HTTPS: TCP/UDP, Destination Port 443; 8. POP3: TCP, Destination Port 110; 9. SMTP: TCP, Destination Port 25; 10. DHCP: UDP, Destination Port 67-68. The administrator is able to add new custom service protocols by clicking Add, and delete the added protocols with the Select All and Delete operations. The Predefined Service Protocols cannot be deleted. Click Add to add a custom service protocol. The Protocol Type can be defined from a list of service by protocols (TCP/UDP/ICMP/IP); then define the Source Port range and Destination Port range, and click Apply to save this protocol.
79. an be restored to the factory default settings here. (Screenshot: Backup System Settings, Restore System Settings, Reset to the Factory Default.) Backup System Settings: Click Backup to create a .db database backup file and save it on disk. (Screenshot: File Download dialog for the .db backup file.) Restore System Settings: Click Browse to search for a .db database backup file created by WHG301 and click Restore to restore to the same settings at the time when the backup file was saved. Reset to Factory Default: Click Reset to load the factory default settings of WHG301. 9.8 Firmware Upgrade. Configure Firmware Upgrade, go to: The administrator can download the latest firmware from the website and upgrade the system here. Click Browse to search for the firmware file and click Apply for the firmware upgrade. It might take a few minutes before the upgrade process completes, and the system needs to be restarted afterwards to activate the new firmware. (Screenshot: System Firmware Upgrade.)
80. an generate single on-demand user accounts here. Click this to enter the On-demand Account Creation page. Click on the Create button of the desired enabled plan to create an on-demand account. The username and password of the on-demand account to be created are configurable. Select Manual created in Username/Password Creation, and then the administrator can enter the desired username and password for the on-demand account. In addition, an External ID, such as a student's school ID, can be entered together with account creation. After the account is created, you can click Printout to print a receipt, which will contain the on-demand user's information, including the username and password, to a network printer. Moreover, you can click Send to POS to print a receipt to a POS device. If no Billing plan is enabled, accounts cannot be created by clicking the Create button. Please go back to Billing Plans to activate at least one Billing plan by clicking the Edit button, and Apply the setting to activate the plan. The printer used by Print is a pre-configured printer connected to the administrator's computer. (Screenshot: On-demand Account Creation, with columns Plan, Type, Quota, Price, Status and Function.)
81. (Screenshot: WAN Traffic Settings, including the Warning of Internet Disconnection option: when the Internet connection is down, the system will display the message "Sorry, the service is temporarily unavailable".) Enable Load Balancing: Outbound load balancing is supported by the system. When enabled, the system will allocate traffic between WAN1 and WAN2 dynamically according to designed algorithms based on the weight ratio. WAN1 Weight: The percentage of traffic through WAN1. Range: 1 to 99; by default it is 50. Base: The weight ratio between WAN1 and WAN2 can be based on Sessions, Packets or Bytes. Packets and Bytes are based on historic data. New connection sessions will be distributed between WAN1 and WAN2 by a weight ratio using a random number. 3.4.3 Internet Connection Detection: The system will periodically check to see if the Internet uplink connection is down by seeing if it can get responses from three target sites. The administrator can specify the three target sites. Go to: System >> WAN Traffic. (Screenshot: WAN Traffic Settings.)
82. aracter abbreviation or the full text name of the state. Zip: The ZIP code represents the five or nine digit postal code associated with the billing or shipping address of a transaction. This may be entered as five digits, nine digits, or five digits and four digits. Country: The country is associated with both the billing and shipping address of a transaction. This may be entered as either an abbreviation or full value. Phone: A phone number is associated with both a billing and shipping address of a transaction. Phone number information may be entered as all numbers, or it may include parentheses or dashes to separate the area code and number. Fax: A fax number may be associated with the billing information of a transaction. This number may be entered as all numbers or contain parentheses and dashes to separate the area code and number. Authorize.Net Payment Page Remark Content: Enter additional details for the transaction, such as Tax, Freight and Duty Amounts, Tax Exempt status, and a Purchase Order Number, if applicable. 13.2 Payments via PayPal. Configure Payments via PayPal, go to: User >> Authentication >> On-demand >> External Payment Gateway >> PayPal. Before setting up PayPal, it is required that the hotspot owners have a valid PayPal Business Account. After opening a PayPal Business Account, the hotspot owners should
83. (Screenshot: Authorize.Net Payment Page Fields Configuration, listing the items Card Type, Card Code, E-mail, Customer ID, Company, Address, City, State, Zip, Country, Phone and Fax, and the Authorize.Net Payment Page Remark Content: "You must fill in the correct credit card number and expiration date. Card code is the last 3 digits of the security code located on the back of your credit card.") Authorize.Net Payment Page Fields Configuration: Item: Check the box to show this item on the customer's payment interface. Displayed Text: Enter what needs to be shown for this field. Required: Check the box to indicate this item as a required field. Credit Card Number: Credit card number of the customer. The Payment Gateway will only accept card numbers that correspond to the listed card types. Credit Card Expiration Date: Month and year expiration date of the credit card. This should be entered in the format of MMYY. For example, an expiration date of July September 2009 should be entered as 0709. Card Type: This value indicates the level of match between the Card Code entered on a transaction and the value that is on file with a customer's credit card company. A code and narrative description are provided indicating the results returned by the processor. Card Code: The three or four dig
84. ask and Default Gateway here if desired. Configure the NTP Servers and Time Zone. Besides, it can enable a SYSLOG server to receive the log from the AP and enable SNMP read/write ability. (Screenshot: Wireless settings of the template CPE100 TEMPLATE1, with the fields SSID Broadcast, Band, Data Rate, Preamble, IAPP, Wireless Client Isolation, Transmit Power, Wireless QoS (WMM), Fragment Threshold, RTS Threshold and Beacon Interval.) Wireless: SSID Broadcast: Select this option to enable the SSID to broadcast in your network. When configuring the network, it is suggested to enable this function, but disable it when the configuration is complete. With this enabled, someone could easily obtain the SSID information with site survey software and get unauthorized access to a private network. With this disabled, network security is enhanced and can prevent the SSID from being seen on networked. Band: There are 3 modes to select: 802.11b (2.4G, 1 to 11 Mbps), 802.11g (2.4G, 54 Mbps) and Mix mode (b and g). Data Rate: The default is Auto. Available range is from 1 to 54 Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speeds or keep the default setting, Auto, to make the Access Point aut
85. ass through. Without the patch, ICMP (Ping) and the PORT command of FTP cannot work in Windows XP SP2. The forced termination (through CTRL+ALT+DEL, Task Manager) of Internet Explorer will stop the running of ActiveX. It causes that the IPSec tunnel cannot be cleared properly at the client device. A reboot of the client device is needed to clear the IPSec tunnel. The crash of Windows Internet Explorer may cause the same result. Internet Connection Firewall: In Windows XP and Windows XP SP1, the Internet Connection Firewall is not compatible with IPSec. Internet Connection Firewall will drop packets from tunneling of IPSec VPN. Please TURN OFF the Internet Connection Firewall feature or upgrade the Windows OS into Windows XP SP2. (Screenshot: Ethernet Properties, Internet Connection Firewall setting.) ICMP and Active Mode FTP: In Windows XP SP2, without patching by KB889527, it will drop ICMP packets from
86. associated WDS Tree. WDS Update: Update the WDS connection with the following operations. Add: Add a new WDS connection with a Child AP not in the WDS and a Parent AP from the AP List. A new WDS Tree will be added if the selected Parent AP is not in any of the current WDS Trees. Click Edit to change the WDS connection settings for the newly added WDS Tree. Move: Update a WDS connection with a Child AP from WDS and a Parent AP which could be anymore from WDS, and the previous WDS connection of the Child AP to the previous Parent AP will be deleted. Delete: All the WDS connections of the selected AP will be deleted, including the WDS connections to its Child APs, and the Child APs without a wired connection will become unreachable. Appendix D: Monitoring 3rd Party AP. Configure Monitoring 3rd Party AP, go to: Network >> Monitor IP. If you are using a 3rd party AP, you can use the Monitor IP function to monitor the AP connection status. Because WHG301 cannot manage these APs, Monitor IP is a better way to monitor the AP connection status. WHG301 will send out a packet periodically to monitor the connection status of the IP addresses on the list. If the monitored IP address does not respond, the system will send an e-mail to notify the administrator that such destination is not reachable. After entering the necessary information, click Apply to save the settings. M
87. ault and SZ1 Z8 (Screenshot: Interface Status page, showing WAN1 and WAN2 packet and byte counters, the Service Zone settings and the DHCP Server settings.) The description of the above-mentioned table is as follows (Item: Description). WAN1: MAC Address: The MAC address of the WAN1 port. IP Address: The IP address of the WAN1 port. Subnet Mask: The Subnet Mask of the WAN1 port. WAN2: MAC Address: The MAC address of the WAN2 port. IP Address: The IP address of the WAN2 port. Subnet Mask: The Subnet Mask of the WAN2 port. Packets In: The total accumulated packets in through this WAN port since the gateway boots up. The delta shows the difference between the numbers from last time this Interface Status page is visited. Packets Out: The total accumulated packets out through this WAN port since the gateway boots up. The delta shows the difference between the numbers from last time
88. bandwidth allowed for an individual client belonging to this Group. The Individual Maximum Uplink cannot exceed the value of Group Total Uplink. Individual Request Uplink: Defines the guaranteed minimum bandwidth allowed for an individual client belonging to this Group. The Individual Request Uplink cannot exceed the value of Group Total Uplink and Individual Maximum Uplink. 7 Users' Login and Logout. 7.1 Before User Login. 7.1.1 Login with SSL. Configure HTTPS, go to: System >> General. HTTPS (HTTP over SSL, or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. This function will let the clients log in with https for more security. Enable to activate the https (encryption) login page, or disable to activate the http (non-encryption) login page. (Screenshot: General Settings for the Entire System.)
89. (Screenshot: Control Panel.) 2. Choose the Connections tab, and then click Setup. (Screenshot: Internet Properties, Connections tab.) 3. When the Welcome to the New Connection Wizard window appears, click Next. (Screenshot: New Connection Wizard, welcome page.) 4. Choose Connect to the Internet, and then click Next. (Screenshot: New Connection Wizard, Network Connection Type.)
90. be applied all users. The second tier is called Group Policy, or simply Policy, which can be chosen to bound the network behaviors of a Group. The administrator can define the Firewall Profile, Route Profile, Schedule Profile and Max Sessions in a Policy. The following Figure 1 depicts an example relationship of Service Zone, Group and Policy. In this example, students and faculties logging into Service Zone 1 will be governed by Policy A. Guests only have access to Service Zone 3 and will be bound by Policy C. Faculties have access to both Service Zone 1 and Service Zone 2 under two different policies. Figure 2: An example relationship of Service Zone, Group and Policy. The following Figure 2 depicts an example using WHG301 in managing network/internet access in an academic campus environment. Imagine the network administrator may wish to set different privileges and bandwidth limits for staff, students and guests; he could use several Service Zones of WHG301: one for staff, one for students and one for the guests. He also uses one zone for some shared servers in the diagram. The access points at a physical location like the administration building may only allow the access of faculties; hence the access points there are added only to the second Service Zone, enabling only the Faculty SSID. On the other hand, the access points in the Cafeteria may allow the access of all groups; hence the APs a
91. bets (a-z or A-Z), dash (-), underline (_) and dot (.) within a maximum of 40 characters. All other characters are not allowed. Black List: There are 8 sets of black lists provided by the system. A user account listed in the black list is not allowed to log into the system; the client's access will be denied. The administrator may select one or None black list from the drop-down menu, and this black list will be applied to this specific authentication option. Authentication Database: Click the Configure button to enter the configuration page. For example, select Local from the drop-down list box and then click the Configure button to enter the Local User Database Settings. Then click the hyperlink of Local User List. Group: Select one Group from the drop-down list box for this specific authentication option. 4.1.1 Local: Choose Local from the Authentication Database field. (Screenshot: Authentication Option, Server 1.) Click the button Configure for further configuration. (Screenshot: Local User Database Settings, with the options Local User List, Account Roaming Out (the local user database will be used as the authentication database for roaming out users) and use of the local user database as the internal RADIUS database for 802.1x enabled)
92. bnet for mapping to the remote site. (Screenshot: Local Site Information and Remote Site settings, including Local Subnet, Remote Subnet, Encryption, Authentication, Key's Life Time, Rekey and PFS Group.) Such as 192.168.11.0/24 of WHG301_A >> 192.168.111.0/24 of WHG301_B: after the tunnel is created, the users within these two subnets can reach each other. You can create more than one VPN tunnel, but the IP segment mappings cannot overlap, that is, the same IP segment having more than one routing rule. 12 Customization of Portal Pages. 12.1 Customizable Pages. Configure Customizable Pages, go to: System >> Service Zones. There are several user login and logout pages for each service zone that can be customized by administrators. Go to System Configuration >> Service Zone >> Authentication Settings >> Custom Pages. Click the Configure button, and the setup page will appear. Click the radio button of page selections to have further configurat
93. c IP address, acquire the following information from the network administrator: the IP Address, Subnet Mask and DNS Server address provided by your ISP, and the Gateway address of WHG301. If your PC has been set up completely, please inform the network administrator before proceeding to the following steps. 4.1 Click on the IP Address tab and choose Specify an IP address. Enter the IP Address and Subnet Mask, and then click OK. (Screenshot: TCP/IP Properties, IP Address tab.) 4.2 Click on the Gateway tab. Enter the gateway address of WHG301 in the New gateway field and click Add. Then click OK. (Screenshot: TCP/IP Properties, Gateway tab.) 4.3 Click on the DNS Configuration tab. If the DNS Server field is empty, select Enable DNS
94. (Screenshot: Internet Connection Wizard, choice between connecting through a phone line and a modem or through a local area network (LAN).) 5. DO NOT choose any option in the following LAN window for Internet configuration, and just click Next. (Screenshot: Local area network Internet configuration.) 6. Choose No, and then click Next. 7. Finally, click Finish to exit the Internet Connection Wizard. Now the setup is completed. Windows XP: 1. Choose Start >> Control Panel >> Internet Option. (Screenshot: Internet Connection Wizard, Set Up Your Internet Mail Account.)
95. (Table of contents excerpt.) 12.1 Customizable Pages; 12.2 Loading a Customized Login Page; 12.3 Load a Customized Logout Page; 13 Payment (title garbled in source); 13.1 Payments via Authorize.Net; 13.2 Payment via PayPal; 13.3 Payments via SecurePay; 13.4 Payments via WorldPay; 14 Additional Applications; 14.1 Upload/Download Local Users Accounts; 14.2 Backup and Restore New On-demand Users Accounts; 14.3 POP3 login with complete name format; 14.4 RADIUS (title garbled in source); 14.5 LDAP Advance settings: Attribute Group Mapping; 14.6 to 14.8 (titles garbled in source); Appendix A: Network Configuration on PC & User Login; Appendix B: Policy Priority: Global Policy, Service Zone Policy, Authentication Policy and User (title ends garbled in source); Appendix C: AP WDS Management
96. ctions are provided in Built-in RADIUS Server Settings, such as session timeout. In Customization, the administrator can upload a certificate to the system. Remaining Time Reminder provides remaining time information to clients on the screen. The administrator can manage the access control to the system via clients' MAC addresses in the MAC ACL (Access Control List). Operator: The operator can only access the configuration page of Create On-demand User to create new on-demand user accounts and print out the on-demand user account receipts. User Name: operator. Password: operator. (Screenshot: Main Menu > Users > Authentication > On-demand User Server Configuration > Create On-demand User, with columns Plan, Type, Quota, Price, Status and Function.) 9.6 Change Password. Configure Change Password, go to: There are three levels of authori
97. 4.2.1 Assign users to a Group. Configure users to a Group, go to: Users >> Authentication. This section shows how to group users and how to rule each grouped user with a different policy as he moves to a different service zone. The following examples will help you better understand this section. [Figure: Group Configuration, Group 1, Zone Permission Configuration & Policy Assignment. Service Zone Default: Policy 1; SZ1: Policy 3; SZ2: Policy 1; SZ3: Policy 1; SZ4: Policy 8; SZ5: Policy 1; SZ6: Policy 1; SZ7: Policy 1; SZ8: Policy 1; Remote VPN: Policy 1.] In this example, Group 1 users are allowed to access the internet in 5 places: Service Zone 0, 1, 4, 6 and 8. They must follow Policy 1 at Service Zone 1, 6 and 8. They are ruled by Policy 3 at Service Zone 1 and by Policy 8 at
98. d click OK. This is also the default setting of Windows. Then reboot the PC to make sure an IP address is obtained from WHG301. 5. Using Specific IP Address: If you want to use a specific IP address, acquire the following information from the network administrator: the IP Address, Subnet Mask and DNS Server address provided by your ISP, and the Gateway address of WHG301. If your PC has been set up completely, please inform the network administrator before proceeding to the following steps. 5.1 Choose Use the following IP address and enter the IP address and Subnet mask. If the DNS Server field is empty, select Use the following DNS server addresses and enter the DNS Server address. Then click OK. 5.2 Click Advanced to enter the Advanced TCP/IP Settings window. 5.3 Click on the IP Settings tab and click Add below the Default gateways column, and the TCP/IP Gateway Address window will appear. 5.4 Enter the gateway address of WHG301 in the Gateway field and then click Add. After returning to the IP Settings tab, click OK to finish the configuration.
99. d on the screen. [Figure: Ticket Customization form, with fields Receipt Header 1 (Welcome), Receipt Header 2, Receipt Header 3, Receipt Footer 1 (Thank You), Receipt Footer 2, Receipt Footer 3, Remark, Background Image (None, Default Image or Uploaded Image) and Number of Tickets (1 or 2).] Receipt Header: There are 3 receipt headers supported by the system. The entered content will be printed on the receipt. These headers are optional. Receipt Footer: The entered content will be printed on the receipt. These footers are optional. Background Image: You can choose to customize the ticket by uploading your own background image for the ticket, or choose none. Click Edit to select the image file and then click Upload. The background image file size limit is 100 Kbytes. No limit for the dimensions of the image is set, but a 460x480 image is recommended. Remark: Enter any additional information that will appear at the bottom of the receipt. Number of Tickets: Enable this function to print duplicate receipts. Another Remark field will appear when Number of Tickets is set to 2, and its content will appear at the bottom of the 2nd duplicate receipt. Preview: Click the Preview button and the ticket will be shown, including the username and password, with the selected background. Print the ticket here. 3. Billing Plans: Administrators can configure several billing plans. Click Edit button to
100. d to allow clients of the enabled Groups to log in to this Service Zone under constraints of the selected Policies. Check Enabled of each individual Group to assign it to the Service Zone listed. For example, the above figure shows clients in Group 1 8 can access Service Zone 1, where they are governed by the individual Policy respectively. Policy: Select a Policy that the Group will be applied with when accessing this Service Zone. To Zone Permission Configuration: Click the hyperlink in the To Zone Permission Configuration column to enter the Zone Permission Configuration & Policy Assignment interface, which is based on the role of Group, to configure the relation between Group and Zone. At Service Zone 1, Group 1 user is ruled by Policy 3, Group 2 is by Policy 9 and Group 3 is by Policy 11. Other Groups are not enabled to access Service Zone 1. 4.3 User Login. An Example of User Login: Normally, users will be authenticated before they get network access through WHG301. This section presents the basic authentication flow for end users. Please make sure that the WHG301 is configured properly and network-related settings are done. 1. Open an Internet browser and try to connect to any website, in this exa
101. d upgrade all managed Access Points (APs) from a single centralized AP management interface. 2.1.1 Key Features. Like other 4ipnet WLAN Controller products, WHG301 is designed to be a multi-service network access controller for enterprise or campus environments; it is also often deployed as a hotspot subscriber gateway. It is a pre-integrated multi-function network appliance providing the following key features: standard-based user authentications including Web-based login and 802.1X RADIUS; customizable login portal pages and walled gardens to simplify branding; user groups, roles and user management; support for multiple authentication databases (Local, On-demand, RADIUS, POP3, LDAP, NTDS); virtual service zones and policy management; simple visitor account provisioning and billing plans by time or traffic volume; payment gateway support including PayPal, Authorize.net and SecurePay; account roaming across multiple sites and branches; AP management and wireless roaming across APs; Virtual Private Network (VPN) tunnels (note: WHG301's VPN only supports Windows clients); converged network for data, voice and video traffic; dual uplinks (WAN) for better reliability and load balancing; firewall and Denial of Service (DoS) attack prevention; monitoring, notification and reporting; network gateway features including NAT, DHCP, DMZ, firewall and port forwarding.
102. desired numbers to be created of the plan. 7. On-demand Account List: All created On-demand accounts are listed and related information is also provided. [Figure: On-demand Account List, with columns Username, Password, Remaining Quota, Status, Group, Reference, External ID and Delete, and the buttons Backup Current Accounts and Restore Accounts.] Search: Enter a keyword of a username, External ID or reference to be searched in the text field and click this button to perform the search. All usernames, External IDs or references matching the keyword will be listed. Username: The login name of the account. Password: The login password of the account. Remaining Quota: The rem
103. [Figure: Windows New Connection Wizard dialogs.] 5. Choose Set up my connection manually and then click Next. 6. Choose Connect using a broadband connection that is always on, and then click Next. 7. Finally, click Finish to exit the Connection Wizard.
104. dwidth come from your ISP. Uplink: It specifies the maximum uplink bandwidth that can be shared by clients of the system. Downlink: It specifies the maximum downlink bandwidth that can be shared by clients of the system. 3.5 LAN Partition: Service Zone. Configure Service Zone, go to: A Service Zone is a logical network area to cover certain wired and wireless networks in an organization such as SMB or branch offices. By associating a unique VLAN Tag and SSID with a Service Zone, administrators can separate the wired network and wireless network into different logical zones. Users attempting to access the resources within the Service Zone will be controlled based on the access control profile of the Service Zone, such as authentication, security feature, wireless encryption method, traffic control, etc. There are up to nine Service Zones to be utilized; by default, they are named Default, SZ1 to SZ8, as shown in the table below. Service Zone Settings (columns: Service Zone Name, LAN Port Mapping, WLAN SSID, WLAN Encryption, Applied Policy, Default Authen Option, Status, Details): Default: SSID0, None, Policy 1, Server 1, Enabled; SZ1: SSID1, None, Policy 1, Server 1, Disabled; SZ2: SSID2, None, Policy 1, Server 1, Disabled; SZ3: SSID3, None, Policy 1, Server 1, Disabled; SZ4: SSID4, None, Policy 1, Server 1, Disabled
105. e default setting of Windows. Then reboot the PC to make sure an IP address is obtained from WHG301. [Figure: Windows Network and Dial-up Connections, Local Area Connection Properties and Internet Protocol (TCP/IP) Properties dialogs.]
106. ecked by the following windows. [Figure: Internet Explorer Manage Add-ons window, listing installed ActiveX controls, browser helper objects and browser extensions with their Publisher, Status, Type and File, and the Enable, Disable and Delete ActiveX controls.]
107. econds. Secret: The secret key between Guest Service Device and Net Retriever for the challenge and response (MD5 hash) used to test the link. It should contain one or more lowercase letters, uppercase letters, numbers and symbols. It also should be between 8 and 16 characters. Net Retriever Server Port: The port used by Net Retriever; the default is 8324. NR ID: The ID of the Net Retriever. GSD ID: The ID of the Guest Service Device. Link Test Interval: The time interval of the Link Test; the default is 300 seconds. Now the Net Retriever connection is finished on the Guest Service Device side. On the Net Retriever side, it has to know the IP address of the Guest Service Device, and then they can communicate with each other. 2. VLAN Port Room Mapping. Configure VLAN Port Mapping, go to: System >> Port Location Mapping. [Figure: Port Location Mapping Configuration, with Port Location Mapping Status (Enable or Disable) and Port Location Mapping Setup.] Port Location Mapping Status: Enable or Disable the Port Location Mapping, clicking Configure to enter its setup. After the Net Retriever connection is finished, you must set up the Room mapping. Each Room is mapped to one VLAN Tag, and each Room can be assigned to a different Service Zone to get a different policy. Furthermore, you can configure the Room to a different state: Charge, Free or Block. If the state is Charge, it is
108. eded on setting up the DHCP Server is listed here. Please note that when Enable DHCP Relay is enabled, the IP address of clients will be assigned by an external DHCP server. The system will only relay DHCP information from the external DHCP server to downstream clients of this service zone. Start IP Address / End IP Address: A range of IP addresses that the built-in DHCP server will assign to clients. Note: please change the Management IP Address List accordingly at System Configuration >> System Information >> Management IP Address List to permit the administrator to access the WHG301 admin page after the default IP address of the network interface is changed. Preferred DNS Server: The primary DNS server that is used by this Service Zone. Alternate DNS Server: The substitute DNS server that is used by this Service Zone. Domain Name: Enter the domain name for this service zone. WINS Server: The IP address of the WINS (Windows Internet Naming Service) server, if a WINS server is applicable to this service zone. Lease Time: This is the time period that the IP addresses issued from the DHCP server are valid and available. Reserved IP Address List: Each service zone can reserve up to 40 IP addresses from the predefined DHCP range to prevent the system from issuing these IP addresses to downstream clients. The administrator can reserve a specific IP
109. 7.1.3 Administrator Contact Information; 7.1.4 Walled Garden; 7.1.5 Walled Garden AD List; Browse which Home Page after login success; 7.2.4 DoS; 7.2.5 Local Users Change Password Privilege; 7.2.6 On-demand Account Creation Privilege; 8 Networking Features of a Gateway; 8.3.1 Privilege IP; 8.3.2 Privilege MAC; Dynamic Domain Name Service; 9 System Management and Utilities; 9.3 Access History IP
110. en the AP is added, it will show up in the list below and be given a new IP address set here (ex. 192.168.0.1). Check the Add box to add the AP and it will be listed in the AP list. [Figure: AP List, with columns IP Address, Status, AP Name, No. of Client, Service Zone, MAC Address and Channel.] 5.4 AP with Service Zone. Configure AP with Service Zone, go to: System >> Service Zones. Service Zone Settings, Assigned IP Address for AP Management: [Figure: Assigned IP Address for AP Management, Start IP Address 192.168.0.1, End IP Address 192.168.0.190.] Under port-based service zone, each service zone can designate an IP segment for IP address assignment to the managed AP when the newly discovered AP is added into the service zone. Under tag-based service zone, only the default service zone will designate an IP segment for IP address assignment to the managed AP when the newly discovered AP is added into the selected service zones. Service Zone Settings, Managed AP in this Service Zone: All managed APs that belong to this service zone are listed here for reference. [Figure: Managed APs in this Service Zone, with columns IP Address, AP Type, AP Name, Status and MAC Address.] Service Zone Settings, SSID for Service Zone: All managed APs that belong to this ser
111. ence roomN 101. 4. View the Event Login. After all of the configuration has been completed, the user may try to log in from the Charge room. Connect the user's notebook or laptop to the Ethernet port of this room. Enable the DHCP client on this notebook or laptop. Open a browser and try to access the Internet. The browser will show the Login page; the user may choose a billing plan and click the Confirm button. Then the user can access the Internet. [Figure: Login page, "Welcome to Broadband Internet Service", listing the billing plans with their prices, a Service Agreement, the CONFIRM and CANCEL buttons, and a link to log in with an existing user account.] If you already have a user account, you can click the "here" link to log in with the user account that you have. After the user selects a billing plan and buys it to access the Internet, you can check the Net Retriever Event Log. View Net Retriever Event Log, go to: Users >> Net Retriever >> Event Log. [Figure: Net Retriever Event Log, with columns Date and Size (Byte).]
112. enter the page of Editing Billing Plan. Click Apply to save the plan. Go back to the screen of Billing Plans, check the Enable checkbox or click the Select all button, and then click Apply; the plan(s) will be activated. [Figure: Billing Plans table, with columns Plan, Type, Quota, Price, Enable, Group and Function.] Plan: The number of the specific plan. Type: This is the type of the plan, based on which it defines how the account can be used, including Usage time, Cut-off and Duration time. Quota: The limit on how On-demand users are allowed to access the network. Enable: Check the checkbox to activate the plan. Function: Click the button Edit to add one billing plan. Usage time: The scenario of this type is that a client goes to a cyber cafe and purchases an on-demand account. This account will be activated and OK to use once created; the quota will start to count down upon creation and will not stop when the user logs out, and the account will expire after a configured time, such as 4 hours, or at 22:00 that day. For example, an on
113. [Figure: Add Service Protocol form, with fields Name, Protocol Type (TCP), Source Port and Destination Port, each with range 1 to 65535.] If the Protocol Type is ICMP, the Type and Code need to be defined. If the Protocol Type is IP, the Protocol Number needs to be defined. Rules: After the custom protocol is defined, or if you just use the Predefined Service Protocols, you will need to enable the Firewall Rule to apply these protocols. Firewall Rules: Click the number of Filter Rule No. to edit individual rules and click Apply to save the settings. The rule status will show on the list. Check the Active checkbox and click Apply to enable that rule. This link leads to the Firewall Rules page. Rule No. 1 has the highest priority, Rule No. 2 has the second priority, and so on. Each firewall rule is defined by Source, Destination and Pass/Block action. Optionally, a Firewall Rule Schedule can be set to specify when the firewall rule is enforced. It can be set to Always, Recurring or One Time. [Figure: Global Policy Firewall Rules list, with columns No., Active, Action, Rule Name, Source, Destination, Service and Schedule; rules 1 and 2 are shown as Pass, source ANY, destination ANY, service ALL, schedule Always.] Selecting the Filter Rule Number 1 as an example: Global Policy, Edit Filter Rule, Rule Number
114. er device can be used as an external RADIUS database. External Authentication Database is useful for implementing account roaming; for example, multiple WHG301 devices in multiple campuses can share one common external database. A user needs only one account in the common database to access the network from different campuses. Service Zone is a logical partition of WHG301's LAN network. The concept of Service Zone is similar to the concept of virtual LAN (VLAN), which can be used to group the network traffic or network services for clients on the same VLAN segment regardless of the clients' physical locations. That is, several VLAN segments may be in service at one physical network location, while devices belonging to one VLAN segment may appear in multiple physical locations. Each Service Zone can also be viewed as a virtual machine of WHG301, because each Service Zone can define its own customized login portal page and its own gateway properties such as LAN IP address, DHCP on/off and address range. The feature of Multiple Service Zone is also useful to service multiple hotspot franchises in shopping malls or airport terminals by a single WHG301. A Service Zone is uniquely defined by a VLAN tag ID and an associated SSID attribute. When a managed access point (MAP) is added to a Service Zone through WHG301 by the administrator, the associated SSID will be activated in the MAP along with the VLAN tag of the Service Zone. For example, in the following
115. ervers within the managed network. Different virtual servers can be configured for different sets of physical services, such as TCP and UDP services in general. Enter the External Service Port, Local Server IP Address and Local Server Port. Select TCP or UDP for the service's type. In the Enable column, check the desired server to enable. These settings will become effective immediately after clicking the Apply button. [Figure: Public Accessible Server table with 10 entries, with columns No., External Service Port, Local Server IP Address, Local Server Port, Type (TCP or UDP), Enable and Remark.] 8.3 Privilege List. Configure Privilege List, go to: Set up the Privilege IP Address List and Privilege MAC Address List. The clients in the list can access the network without any login. [Figure: Privilege List, with links IP Address List and MAC Address List.] 8.3.1 Privilege IP. Privilege IP Address List: If there are workstations inside the managed network that need to access the network without authentication, enter the IP addresses of these workstations in the Granted Access by IP Address
116. ervice Zone tab and enable its Service Zone Status. [Figure: LAN Ports and Service Zone Mapping, Port Based mode selected, with a Service Zone specified for each LAN port.] Tag Based: When the Tag Based mode is selected, traffic from different virtual Service Zones will be distinguished by VLAN tagging instead of by physical LAN ports. Select Tag Based and then click Apply to activate the Tag Based VLAN function. When a restart message screen appears, do NOT restart the system until you have completed the configuration under the Service Zones tab first. [Figure: LAN Ports and Service Zone Mapping, Tag Based mode selected. Notice: Under Tag Based mode, Service Zones will be distinguished by VLAN tagging instead of physical LAN ports.] 4 User Authentication and Grouping. 4.1 Type of Users. Configure Authentication, go to: This section is for administrators to pre-configure authentication servers for the entire system. Concurrently, up to four servers can be selected in the meantime and pre-configured here by administrators from the five types of authentication databases (LOCAL, POP3, RADIUS, LDAP and NTDOMAIN). In addit
117. 14.3 POP3 login with complete name format. Configure POP3 login with complete name format, go to: Users >> Authentication >> POP3 (Server 1 to 4) >> Configure. For POP3 authentication, there is an option to send the complete username with postfix, or the username only. Username Format: When the Complete option is checked, both the username and postfix will be transferred to the POP3 server for authentication. When the Only ID option is checked, only the username will be transferred to the external server for authentication. [Figure: External POP3 Server Related Settings, with Username Format (Complete or Only ID) and, for the Primary and Secondary POP3 Server, the fields Server, Port (default 110) and SSL Connection (Enable).] 14.4 RADIUS Advance settings. Configure RADIUS Advance settings, go to: Users >> Authentication >> RADIUS (Server 1 to 4) >> Configure. Complete Name vs. Only ID: For RADIUS authentication, there is an option to send the complete username with postfix, or the username only. Username Format: When the Complete option is checked, both the username and postfix will be transferred to the RADIUS server for authentication. On t
118. [Figure: General Settings for the Entire System, with fields System Name, Portal URL and User Log Access IP Address.] Management IP Address List: Set up the Management IP Address List. The default value is 0.0.0.0/0.0.0.0. It means that the WMI can be accessed from any IP address. For security considerations, please change this value before the system provides service. [Figure: Management IP Address List with 20 IP Address/Segment entries; entry 1 is 0.0.0.0/0.0.0.0.] 9.3 Access History IP. Configure Access History IP, go to: System >> General. [Figure: General Settings for the Entire System, User Log Access IP Address field.] Specify an IP address of the administrator's computer or a billing system to get billing history information of WHG301 with the predefined URLs. The file name format is yyyy-mm-dd. An example is provided as follows: Traffic History: https://10.2.3.213/status/history/200
119. f this type is that a client purchases an on-demand account (a pre-paid card or a gift coupon) with a certain quota. This account must be activated before a configured activation time; it will be activated and OK to use from the first login, its quota will be cut down only while in use, and it will not expire unless its quota is used up. For example, an on-demand account is created at 2009/6/30 09:30 and must be activated before 2009/7/1 09:30; its quota is 24 hours and there is no expiration time unless its quota is used up. Thus its first login must be done before 2009/7/1 09:30; the account becomes usable once activated at first login, for example at 2009/7/01 08:00, and will not expire unless its quota is used up. Account Activation is the time that the account will be activated for use. It is set to account creation time of this type. Relative Expiration Time is the total usage time (xx hrs yy mins) during which On-demand users are allowed to access the network. The usage time will be cut down only while in use. The account will expire when the usage time runs out. Price is the unit price of this plan. [Figure: Editing Billing Plan, Plan 5, Type Duration time, with fields Expiration Time (Relative or Absolute), Activation Time (Account Creation Time), Relative Expiration Time in day(s), hour(s) and min(s), Price and Group.]
120. fault certificate and key. Click restart to validate the changes. [Figure: confirmation message stating that the setting was overwritten with the default KEY and default CA file and that the system should be restarted to activate this, with a link to restart.] 7.1.3 Administrator Contact Information. Configure Administrator Contact Information, go to: System >> General. Administrator Contact Information will appear in the user Login Fail window. When a user's login fails with a duplicate IP address or MAC address, the system will show this contact information to the user in the Login Fail window. [Figure: General Settings for the Entire System, with fields System Name and Administrator Contact Information.] 7.1.4 Walled Garden. Configure Walled Garden, go to: Network >> Walled Garden. This function provides certain free services for users to access the websites listed here before login and authentication. Up to 20 addresses or domain names of the websites can be defined in this list. Users without the network access right can still have a chance to experience the actual network service free of charge. Enter the website IP Address or Domain Name in the list and click Apply to save the settings. [Figure: Walled Garden List with 20 Domain Name/IP Address entries.]
121. figures network hardware and sol EI My Computer Microsoft Home Technical Support 2 Click on the Configuration tab and select Network setz TCP IP gt gt AMD PCNET Family Ethernet Configuration Identification Access Contro Adapter PCI ISA and then click Properties The following network components are installed Client Tor Pirre atl Hetwork zs Now you can choose to use DHCP or a specific D 2 AMD PONET Family Ethernet Adapter PEISA IP address Frima Hetwork Logon Client tor Microsoft Metwork s Eile and Print Sharing Description TCPvIP ts the protocol pou use to connect to the Internet and wide area networks OF Cancel 198 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 3 Using DHCP If you want to use DHCP click on the IP Address tab and choose Obtain an IP Bindings Advanced NetBIOS OAS Configuration Gateway WINS Configuration IP Address address automatically and then click OK This An IF address can be automatically assigned to this computer is also the default setting of Windows Then IF Your pebauork does not automatically assign IP addresses ask your network administrator for an address and then type it in the space below reboot the PC to make sure an IP address is obtained from WHG301 IP eddfess Subnet Mask 4 Using Specific IP Address If you want to use a specifi
122. find the Identity Token of this PayPal account to continue. PayPal Payment Page Configuration > External Payment Gateway. [Screenshot: External Payment Gateway, PayPal Payment Page Configuration] Business Account: The Login ID (an email address) that is associated with the PayPal Business Account. Payment Gateway URL: The default website address to post all transaction data. Identity Token: This is the key used by PayPal to validate all the transactions. Verify SSL Certificate: This is to help protect the system from accessing a website other than PayPal. Currency: The currency to be used for the payment transactions. > Service Disclaimer Content. [Screenshot: Billing Configuration for Payment Page, Service Disclaimer Content, with text beginning "We may collect and store the following personal information: email address, physical contact information, credit card numbers and transactional information based on your activities on the Internet service provided by us. If the information you provide cannot be verified we may"]
123. formation that will appear in the header of the PayPal payment page. PayPal Payment Page Remark Content: The message content will be displayed as a special notice to end customers in the page of Rate Plan. For example, it can describe the cautions for making a payment via PayPal. 13.3 Payments via SecurePay. Configure Payments via SecurePay, go to Users >> Authentication >> On-demand >> External Payment Gateway >> SecurePay. Before setting up SecurePay, it is required that the hotspot owners have a valid SecurePay Merchant Account from its official website. [Screenshot: External Payment Gateway, SecurePay Payment Page Configuration, with fields Merchant ID, Merchant Password, Payment Gateway URL, Verify SSL Certificate, Currency, Service Disclaimer Content and Choose Billing Plan for SecurePay Payment Page]
124. g boxes Please use arrow keys on the keyboard to browse the menu and press the Enter key to make selection or confirm what you enter 3 Once the console port of WHG301 is connected properly the console main screen will appear automatically If the screen does not appear in the terminal simulation program automatically please try to press the arrow keys so that the terminal simulation program will send some messages to the system where the welcome screen or main menu should appear If the welcome screen or main menu of the console still does not pop up please check the connection of the cables and the settings of the terminal simulation program Please select functions lagqaqqagqaqqaqaqadc qaqgqqqqagqqqqqqqqaqqqqqqqqqqq qq qaqqqqqqqaq qq qqa qad qaqa qqk Utilities for network debugging Hassword Change admin password Heset Reload factory default Mestar t Restart 139 4ipnet Utilities for network debugging The console interface provides several utilities to assist the Administrator to check the system conditions and to debug any problems The utilities are described as follows VW V WV Please Re qqgqqaqqaqaqaqqaqqaqaqaqqaaqaac aqaqk Xi Trace routing path Display interface settings Display routing table Display ARP table Display system up time Check service status W Set device into safe mode W Synchronize clock with NIP server W Print the kernel ring buffer W W W J Hain menu x 2
125. get the Login page for authentication via browsers and it will show an error page in the browser. When the Built-in Proxy Server is enabled, all the outgoing proxy traffic will be automatically redirected to the built-in proxy server. Using Extranet Proxy Server: The second scenario is that a proxy server is placed in the Extranet, such as DMZ, which all users from the Intranet or the Internet are able to access. For example, the following diagram shows that a proxy server of an organization in the DMZ will be used. [Diagram: desktop and notebooks behind access points, and a proxy server] Caution: A special scenario is that a proxy server is placed in a zone like Intranet, where users can reach each other without going through the system. In this case, whenever any one of the users in the Intranet has been authenticated and connects to the network via the proxy server, other users using the same proxy setting in their browsers will be able to access the network without any authentication. Therefore, to avoid this risk, it is strongly recommended to put all proxy servers outside the Intranet. Follow these steps to complete the proxy configuration. Step 1: Log in to the system by using the admin account. Step 2: Network >> Proxy Server >> External Proxy Servers page: Add the IP address and port number of the Proxy server into
126. given by the following Windows messages: > Close the Windows Internet Explorer. > Click Logout on Login Success page. > Click Back or Refresh of the same Internet Explorer browser page. > Enter a new URL in the same Internet Explorer browser page. > Open a URL from the other application (e.g. email of Outlook) that occupies this existing Internet Explorer. Click Cancel if you do not intend to stop the IPSec VPN connection. Non-supported OS and Browser: Currently Windows Internet Explorer is the only browser supported by the system. Windows XP and Windows 2000 are the only two supported OS along with this release. 6 FAQ. 1. How to clean the IPSec client? ANS: Open a command prompt window and type the commands as follows: C:\> cd %windir%\system32 then C:\> Clean_IPSEC.bat. Or: C:\> cd %windir%\system32 then C:\> ipsec2k.exe stop. 2. How to remove the ActiveX component in the client's computer? ANS: Uninstall and delete the ActiveX component. Close all Internet Explorer windows. Open a command prompt window and type the commands as follows: C:\> cd %windir%\system32 then C:\> regsvr32 /u VPNClient_1_5.ocx then C:\> del VPNClient_1_5.ocx. 3. What can be done if unable to establish an IPSec connection for Windows XP SP1? ANS: Disable Windows XP firewall. 11.2 Remote VPN. Configure Remote VPN
127. guration Ondemand Account Privilege Enable Disable Change Password Privilege gt Enable Disable o Change Password Privilege When Change Password Privilege is enabled the authenticated local users within this Group are allowed to change their password via the Login Success Page AA This function is only for Local User 110 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 7 2 6 On demand Account Creation Privilege Configure On demand Account Creation Privilege go to gt Privilege Profile On demand Account Creation Group 1 Privilege Configuration Ondemand Account Privilege Enable Disable Change Password Privilege Enable Disable o When On demand Account Creation Privilege is enabled the authenticated users within this Group are allowed to create On demand account via the Login Success Page gt Privilege Profile On demand Billing Plans Configure On demand Billing Plans go to Users gt gt Authentication gt gt On demand User gt gt Billing Plan Billing Plans Enable Privilege Plan Type Quota Price C E Group Function 1 Usage time 2 hris 20 R 2 Cut off Until 13 00 20 SE 3 Volume 1000 Mbyte s 40 EE 4 fee From 2009 1 REECH till 2009 11 05 ER GE 5 eae 5 day s 2 hour s 40 SC 6 N A None 7 N A None B N A None 9 N A None o N A None o Enable the On demand Account Creation Privilege of the plans After the user login success in the Login Success Page
128. guration go to Access Points gt gt AP Load Balancing gt gt Group Configuration Group Configuration Group Status Loading Threshold 1 Enabled es gt Disabled ES 3 Enabled v 10 You can choose the Loading Threshold of each group Also you can disable the AP group if the group is disabled this group of AP will not enable the Load Balancing function 226 4ipnet 3 Add the AP to the Group Configure AP to the Group go to Access Points gt gt AP Load Balancing gt gt Device List Before setup the AP Load Balancing you must discovery the APs and apply template first gt gt Note Group None E None None None None EI None None EI None None Device Name NEWDEV 00154 autoilo1 auto1l0 autol0os auto104 autoio5 auto106 autoloy auto108 autoio9 Device List MAC Address OO 1F D4 00 0C CD 00 02 00 00 00 65 00 02 00 00 00 06 00 02 00 00 00 67 00 02 00 00 00 508 00 02 00 00 00 59 00 02 00 00 00 5A 00 02 00 00 00 6B 00 02 00 00 00 07 00 02 00 00 00 6D Add to None User s Manual WHG301 Secure WLAN Controller ENGLISH IP Address 192 168 0 2 192 168 0101 192 168 0 102 192 168 0 103 192 168 0 104 192 168 0 1035 192 168 0 106 192 168 0 107 192 168 0 108 192 168 0 109 Power Level Highest Highest Highest Highest Highest Highest Highest Highest Highest Highest Loading Offline Offline Offli
129. he WAN side network is called WAN ports. The Ethernet ports leading to the LAN side network are called LAN ports. Local User is a type of user with its account credential stored in a database named Local within WHG301. The Local database of WHG301 allows local user accounts. A local user account does not have an expiration date once it is created. If the administrator wishes to terminate the account, he must remove it. A local database can be used as an external RADIUS database to another WLAN Controller product for account roaming. On-demand User is a type of user with its account credential stored in a database named On-demand within WHG301. The On-demand database of WHG301 allows on-demand account records. On-demand User is used for short-term usage purposes; it has an expiration period. An on-demand account record will be recycled for creating a new on-demand account if it has expired for over certain days or has been modified by the Administrator/Manager manually. External Authentication Database is a user account database that is not built inside WHG301. Besides the Local database and the On-demand database, WHG301 allows up to three additional External Authentication databases simultaneously. The types of external Authentication databases supported are RADIUS, POP3, LDAP including ActiveDirectory, and NTDomain (Win2K's NTDS). The database of another WLAN Controll
130. he other hand, when the Only ID option is checked, only the username will be transferred to the external RADIUS server for authentication. NAS Identifier: The system will send this value to the external RADIUS server if the external RADIUS server needs this. NAS Port Type: The system will send this value to the external RADIUS server if the external RADIUS server needs this. Class-Group Mapping: This function is to assign a Group to a RADIUS class attribute sent from the RADIUS server. When the clients classified by RADIUS class attributes log into the system via the RADIUS server, each client will be mapped to its assigned Group. [Screenshot: RADIUS Group Mapping, Server 1, with columns No, Class Attribute Value, Group, Remark] 14.5 LDAP Advance settings: Attribute-Group Mapping. Configure LDAP Attribute-Group Mapping, go to: This function is to assign a Group to an LDAP attribute sent from the LDAP server. When the clients classified by LDAP attributes log into the system via the LDAP server, each client will be mapped to its assigned Group. To get and show the attribute name and value from the configured LDAP server, enter Username and Password and click Show Attribute. Then the table of attributes will be displayed. Enter the Attribute Name and Attribute Value chosen from the attrib
131. heir Internet feed. If the dynamic WAN Load Balancing feature is not turned on, using the Policy's Routing Profile to route some users' traffic to WAN2 is considered a way of doing static Load Balancing. The configuration of WAN2 is similar to WAN1's, except that the WAN2 connection can be disabled and WAN2's connection type does not have the PPTP choice. If you only have one Internet feed from one ISP, please leave WAN2 at its default option, None, so the WAN interface remains disabled. If you want to use a second Internet feed from an ISP or from your corporate headquarters, select one of the three connection types for your WAN2 port: Static, Dynamic and PPPoE. Now let us enable and configure the WAN2 port (optional). Go to System >> WAN2. None: The WAN2 Port is disabled. [Screenshot: WAN Interface Setting] Static: Manually specifying the IP address of the WAN port. The red asterisks indicate required fields to be filled in. [Screenshot: WAN Interface Setting, Static, with fields IP Address, Subnet Mask, Default Gateway, Preferred DNS Server, Alternate DNS Server] > IP Address: the IP address of the WAN2 port. > Subnet Mask
132. hentication in Service Zone 67 Managing Wireless NCL Oger ege egen 68 WHG30L With M lipl e Type O1 AP essaies 68 Con we Ee 69 DEET AI e E S E E ee eee eee 12 AP WIth SEEVICE LONE serpere re AP N E A IEEE EIAI E AP Tan pE ean 74 Re eee ee ee ee ee eee eee eee ere tee ee ere ee eee ere ee eee een see ee er ee ee Seer eee ere 76 Change Managed AP Sees ee 77 4ipnet 57 6 1 6 2 6 3 6 4 7 1 1 2 8 1 8 2 8 3 8 4 8 5 8 6 9 1 9 2 9 3 9 4 9 5 9 6 9 7 9 8 9 9 9 10 User s Manual WHG301 Secure WLAN Controller ENGLISH AP Operations OMAP Ae 80 5 7 1 Reboot Enable Disable and Delete the Ab o oo eee cecncoecececccccccecevccececscscsescesavacaecenecscvenes 80 5 7 2 EEN L MAM NU a E E ae auto E E E E E be otncausncees 81 5 7 3 Caan e e E 82 5 7 4 AP SACK SOMO Eege 83 5 7 5 E Tee A en a E E A E A E E te onceaenceee 84 5 7 6 Firmware management and e EE 85 POUCIES and Access Coni e TE 86 B EE 86 MAC Address Control msni herides npsnnp e o E pI IARR EP IESI EIENEN DNE NENE DESE DESETE T ENEDES AIND 88 Eeer 89 6 3 1 MH Sy edel 91 6 3 2 SERA 94 6 3 3 RCTS UOT beten 96 6 3 4 NCS S LORS MAN EE 97 QoS Trathic Class and Bandwidth Control eege 98 Users Logom and LOGON ox sic csavstac cacesavcasessaccsuecsaccezevsareaasvsavesacsiasesstevavcatestacesuesess 99 Beroe U er E Mepa eane IE IET eA e II eE T n TE Eee ae pi 99 7 1 1 Login WiN E 99 dek Internal Domain Name with Cerpfcate ccccccccccseecccseeeccneceeeeeeeeeeeeee
133. ic DNS service you may go to http://www.dyndns.com/services/dns/dyndns/howto.html 8.6 Port and IP Redirect. Configure Port and IP Redirect, go to: This function allows the administrator to set the IP addresses for redirection purposes. When the user attempts to connect to a destination IP address listed here, the connection packet will be converted and redirected to the corresponding destination. Please enter the IP Address and Port of Destination, and the IP Address and Port of Translated to Destination. Select TCP or UDP for the service's type. These settings will become effective immediately after clicking Apply. [Screenshot: Port and IP Forwarding table, with columns No, Destination (IP Address, Port), Translated to Destination (IP Address, Port), Type (TCP/UDP), Remark] 9 System Management and Utilities. 9.1 System Time. Configure System Time, go to System >> General. 9.1.1 NTP. The NTP (Network Time Protocol) communication protocol can be used to synchronize the system time with a remote time server. Please specify the local time zone and the IP address of at least one NTP server for adjusting the time automat
134. ically. Universal Time is Greenwich Mean Time (GMT). [Screenshot: System Time, Time Zone and NTP Server settings] 9.1.2 Manual Settings. The time can also be manually configured by selecting Manually set up and then selecting the date and time in these fields. [Screenshot: System Time, Manually set up, with fields Year, Month, Day, Hour, Minute, Second] 9.2 Management IP. Configure Management IP, go to System >> General. Only PCs within the IP ranges on the list are allowed to access the system's web management interface. For example, 10.2.3.0/24 means that as long as an administrator is using a computer with an IP address in the range 10.2.3.0/24, he or she can access the web management page. Another example is 10.0.0.3: if an administrator is using a computer with the IP address 10.0.0.3, he or she can access the web management page. [Screenshot: General Settings for the Entire System]
135. ice: Enable / Disable; Authentication Protocol: CHAP. 4.1.4 LDAP. Choose LDAP from the Authentication Database field. Except for Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database. [Screenshot: Authentication Option, Server 4, with Authentication Database set to LDAP] Click the button Configure for further configuration. Enter the information for the primary server and/or the secondary server (the secondary server is not required). The blanks with a red asterisk are necessary information which should be filled in. These settings will become effective immediately after clicking the Apply button. [Screenshot: Primary LDAP Server and Secondary LDAP Server settings, with fields Server (Domain Name / IP Address), Port (e.g. 389 for LDAP, 636 for LDAPS), Service Protocol (LDAP, LDAPS, LDAP StartTLS), Base DN (e.g. cn=users,dc=domain,dc=com), Binding Type (User Account), Account Attribute (UID, CN) and Attribute-Group Mapping] Server: The IP add
136. ice Zone is set to Tag based mode service zones also can be assigned here After clicking Add the current management page is directed to AP List where the newly added APs will show up with a status of configuring It may take a couple 72 4qipne User s Manual WHG301 Secure WLAN Controller ENGLISH of minutes to see the status of the newly added AP to change from configuring to online or offline Discovery Results IP Address AP Name Template AP Type Service Zone Add MAC Address Password Channel 192 168 0 2 NEWDEV 00154 TEMDLATEZ ze SE dee Ee E ZE e 00 1F D4 00 0C CD admin Auto Total 1 First Prey Next Last AP Type This is the supported type of APs for centralized management IP Address IP address of the specified AP MAC Address MAC address of the specific AP AP Name Mnemonic name of the specific AP Admin Password Password required for this AP Template The template which will be applied to the added AP Channel The selected channel will be applied to the added AP Y Y WWW VV WV Service Zone The item is only shown when Tag Based mode is selected Select the name of Service Zone such as Service Zone 1 Guest or Employee gt Add The administrator can click Add button to register the APs to the List for management Input the desired name and password for the AP Select one template one channel check the Add checkbox and then click Add to add it under the managed list Wh
137. ick Upload. [Screenshot: Firmware Upload, with File Name, Browse, Upload and a list with columns File Name, AP Type, Version, Size, Actions, Checksum] Configure Firmware upgrade, go to Access Points >> Upgrade. AP Upgrade: Select the APs which need to be upgraded, select the upgrade version of firmware, and click Apply to upgrade firmware. [Screenshot: AP upgrade list] 6 Policies and Access Control. 6.1 Black List. Configure Black List, go to: The administrator can add, delete or edit the black list for user access control. Each black list can include up to 40 users. User accounts that appear in the black list will be denied network access. The administrator can use the pull-down menu to select the desired black list. [Screenshot: Black List Settings] Select Black List: There are 5 lists to select from for the desired black list. Name: Set the black list name; it will show on the pull-down menu above. Add User(s): Click the hyperlink to add users to the selected black list. [Screenshot: Adding User(s) to Blacklist1] After entering the usernames in the Username blanks and the related information in the Remark blank (not required), click Apply to add the users. If rem
138. in Name P Domain Name i O 1P Domain Name WAN Failover amp Connection Detection Enable Load Balancing WANI Weight Range 1 99 Base Warning of Internet Disconnection When Internet connection is down the system will display the message as Sorry The service is temporarily unavailable Administrator can further specification a warning text which will be displayed to the client Login Success Page e Warning of Internet Disconnection When enabled there is a text box available for the administrator to enter a reminding message This reminding message will appear on clients screens when Internet connection is down 29 4ipnet User s Manual WHG301 Secure WLAN Controller ENGLISH 3 4 4 WAN Bandwidth Control The section is for administrators to configure the control over the entire system s traffic though the WAN interface WAN1 and WAN2 ports To configure WAN Bandwidth Limit Go to System gt gt WAN Traffic WAN Traffic Settings Available Bandwidth Uplink 100000 Kbps Range 10 100000 on WAN Interface Downlink 100000 Kbps Range 10 100000 Target for detecting Internet connection IP Domain Name Cid IP Domain Name sd WAN Failover amp l Connection Detection IP Domain Name O Enable Load Balancing LC Enable WAN Failover LJ Warning of Internet Disconnection These parameters in the raw of Available Bandwidth on WAN Interface are used for matching to the real ban
139. in and logout activities of SIP clients (device and soft clients), such as Start Time, Caller, Callee and Duration (seconds). [Screenshot: SIP Call Usage Log] 10.1.7 Local User Monthly Network Usage. View Local User Monthly Network Usage, go to Status >> User Logs. Monthly Network Usage of Local User: The system keeps a cumulated record of the traffic data generated by each Local user in the latest 2 calendar months. As shown in the following figure, each line in a monthly network usage of local user record consists of 6 fields: System Name, Connection Time Usage, Packets In, Bytes In, Packets Out and Bytes Out of user activities. [Screenshot: Monthly Report 2007-11] Username: Username of the local user account. Connection Time Usage: The total time used by the user. Pkts In / Pkts Out: The total number of packets received and sent by the user. Bytes In / Bytes Out: The total number of bytes received and sent by the user. Download Monthly Network Usage of Local User: Click on the Download button for outputting the report manually to a local database. [Screenshot: Monthly Network Usage of Local User, with columns Month, No. of Entries, Usage Data]
140. ing the Web Management Interface. Identify an upstream device to plug in WHG301 in your network, such as an ADSL/CABLE modem or other edge devices. Collect the DNS server address provided by your ISP. The recommended general steps for the configuration are: Set up the system's Time Zone, NTP server, DNS server and WAN address. Configure the LAN address range for at least one Service Zone and enable its authentication; the Default Service Zone is enabled by the factory default. Create user accounts to test the login page via wire line in the enabled Service Zone. Try to generate an on-demand user and test the account. Configure the Wireless environment of the Service Zone, then add in APs. Configure more Service Zones based on your application. Set up Group and Policy, including Firewall rules and Session Limit. Customize the portal login page and add walled garden / Advertisement links if needed. Set up a Payment gateway if you want to use credit cards for the on-demand accounts. Load the SSL certificate for the Web Server before operation. Monitor the status pages and reports generated. Perform other advanced settings for your specific application. 2.5 Hardware Installation. Please follow the steps below to install the hardware of WHG301. [Figure: WHG301 front panel] 1. Connect the
141. ion Login Page Port Location Mapping Free Login Page Port Location Mapping Charge Login Page Configure Logout Page Custom Pages Login Success Page Configure Login Failed Page Configure _ Login Success Page for On demand User Logout Success Page Logout Failed Page Now let us discus two examples Login Page and Logout Page 165 WHG301 Secure WLAN Controller ENGLISH 12 2 Loading a Customized Login Page The administrator can use the default login page or get the customized login page by setting the template page uploading the page or downloading from a designated website After finishing the setting click Preview to see the login page e Custom Pages gt gt Login Page gt gt Default Page Choose Default Page to use the default login page Login Page Selection for Users Service Zone Default Default Page Template Page Uploaded Page External Page Default Page Setting Service Zone Default This is the default login page for users You could click Preview to preview the default login page Preview e Custom Pages gt gt Login Page gt gt Template Page Choose Template Page to make a customized login page Click Select to pick up a color and then fill in all of the blanks You can also upload a background image file for your template Click Preview to see the result first 166 4ipnet Color for Title Background Color for Tithe Text Color for Page Background Color for Page Te
142. ion there are two optional servers, On-demand User and SIP, which can also be selected by the system. Authentication Settings (Auth Option / Auth Database / Postfix / Group): Server 1 / LOCAL / local / Group 1; Server 2 / POP3 / pop3 / Group 1; Server 3 / RADIUS / radius / Group 1; Server 4 / LDAP / ldap / Group 1; On-demand User / ONDEMAND / ondemand / Group 1; SIP / SIP / N/A / Group 1. Auth Option: There are several authentication options supported by WHG301: Server 1 to Server 4, On-demand User and SIP. Click the hyperlink of the respective Server Name to configure the authentication server. Auth Database: There are different authentication databases in WHG301: LOCAL, POP3, RADIUS, LDAP and NTDOMAIN. ONDEMAND and SIP do not depend on Server 1 to Server 4, so these two authentication options can always be enabled in each service zone. Postfix: A postfix represents the authentication server in a complete username. For example, user1@local means that this user, user1, will be authenticated against the LOCAL authentication database. Group: An authentication option, such as POP3 or NT Domain, can be set as a Group with the same QoS or Privilege Profile setting. Note: Concurrently, only one server is allowed to be set as the Local or NTDOMAIN authentication method. For example, you can set two RADIUS authentication servers simultaneously. Authentication Option Configuration: Click o
143. ironment. 3.1 Network Requirement. Typically in a network environment, WHG301 plays the role of a gateway. On a gateway device, a network port leading upstream to the Internet or the backbone network is called a WAN port or an uplink port, while a network port used for branching out to serve the clients downstream is referred to as a LAN port. WHG301 has two gigabit WAN ports, which normally link up to other routers or modems leading to the ISP. A gateway needs only one WAN port, but if you want dual homing or dual uplink to add reliability and throughput, the second WAN port lets you achieve that goal. WHG301 has two gigabit LAN ports. There could be other network bridge devices, such as Layer 2 switches or VLAN switches, between WHG301's LAN ports and the client devices. 3.2 Setting up WAN1 Ports. WHG301's two WAN ports are marked as WAN1 and WAN2 on the front panel. The WAN1 port supports four connection types: Static, Dynamic, PPPoE and PPTP. The WAN2 port supports 3 connection types: Static, Dynamic and PPPoE. These connection types are enough to support most ISPs. Depending on the ISP or the upstream device the WAN port connects to, you only need to select one connection type for the port. For example, if your ISP is a cable modem issuing a Dynamic address, then you would select the Dynamic connection when setting up the WAN ports. Now let us begin to configure the WAN1 port. Go to System >> WAN1. On the WAN1 Configuration
144. isconnect itself. [Screenshot: WAN Interface Setting, PPPoE, with fields Username, Password, MTU 1492 bytes (range 1000-1492), Clamp MSS 1350 bytes (range 980-1400) and Dial on Demand (Enabled / Disabled)] 3.4 Other WAN Traffic Settings. It is a good idea to have two Internet feeds to the system, especially from two different ISPs; turning on the WAN Failover feature adds service reliability for your clients. When one feed is out of service, the other feed automatically picks up the responsibility of serving the clients under the feed that has the outage. By default, the system assumes there is only one feed, to WAN1. All the Policies by default route all clients' Internet traffic via WAN1, using the Internet pipe at WAN1. When you have two pipes, you will want to set some Policies to utilize the bandwidth of the second pipe at WAN2, rather than only when the WAN1 pipe fails. Besides static load balancing by setting a Policy route, you can alternatively use the system's dynamic Load Balancing feature. When the feature is turned on, the system can distribute the load of the outgoing traffic to the two WAN pipes according to the weight percentage assigned by the
145. ist: Enable / Disable. SNMP: Setup SNMP Management IP and Community List. HTTPS Protected Login: Enable / Disable. 7.1.2 Internal Domain Name with Certificate. Configure Internal Domain Name, go to: System >> General. Internal Domain Name is the domain name of the WHG301 as seen on client machines connected under a service zone. It must conform to the FQDN (Fully Qualified Domain Name) standard. A user on a client machine can use this domain name to access WHG301 instead of its IP address. In addition, when the "Use the name on the security certificate" option is checked, the system will use the CN (Common Name) value of the uploaded SSL certificate as the domain name. [Screenshot: General Settings for the Entire System, with System Name "Wireless Hotspot Gateway" and the "Use the name on the security certificate" option (FQDN of this device for internal use)] Configure Certificate, go to: Users >> Additional Configuration >> Certificate. Certificate: A data record used for authenticating network entities such as a server or a client. A certificate contains X.509 information pieces about its owner (called the subject) and the signing Certificate Authority (called the issuer), plus the owner's public key and the signature made by the CA. Network entities verify these signatures using CA certificates. You can ap
146. it code assigned to a customer's credit card number, found either on the front of the card at the end of the credit card number or on the back of the card. o E-mail: An email address may be provided along with the billing information of a transaction. This is the customer's email address and should contain an @ symbol. o Customer ID: This is an internal identifier for a customer that may be associated with the billing information of a transaction. This field may contain any format of information. o First Name: The first name of a customer associated with the billing or shipping address of a transaction. In the case when John Doe places an order, enter John in the First Name field, indicating this customer's name. o Last Name: The last name of a customer associated with the billing or shipping address of a transaction. In the case when John Doe places an order, enter Doe in the Last Name field, indicating this customer's name. o Company: The name of the company associated with the billing or shipping information entered on a given transaction. o Address: The address entered either in the billing or shipping information of a given transaction. o City: The city is associated with either the billing address or shipping address of a transaction. o State: A state is associated with both the billing and shipping address of a transaction. This may be entered as either a two ch
147. k the checkbox and then click Apply Template; select one template to apply to the AP. [Screenshot: template selection showing TEMPLATE1 with its Band, Subnet Mask and Gateway] Note: If the Band of the template cannot match the current Channel, the Channel will be changed to Auto. 5.7.3 Change Service Zone. Select any AP by checking the checkbox and then click Apply Service Zone to select which Service Zones this AP associates to. For example, if SZ3 and SZ5 are selected for this AP, then these two Service Zones will be available under this AP. This AP will have two VAPs with two SSIDs, according to the two Service Zones, for clients to associate with. If a user connected to one SSID of this AP (for example, SSID3) wishes to access the Internet, this user must first log into the corresponding Service Zone (SZ3). [Table: Service Zone, Name, SSID, WLAN Encryption] Check the checkbox to select the available Service Zones from the list. Click Apply to finish the settings. Notes: 1. This function is only supported in Tag-Based mode. 2. Not all AP types support this feature; only Multi-VAP APs can Apply Service Zone in Tag-Based mode. 5.7.4 AP Background Discovery. Configure AP Background Discovery, go to: AP Management
148. l in properties are ignored. [Screenshot: list of vendor-specific RADIUS attributes (Microsoft and U.S. Robotics entries)] 2.4 Step 4: Add a new attribute under Vendor-specific. Set Vendor Code: 31932. Set that it conforms to the RADIUS RFC. Configure Attribute. Set Vendor-assigned attribute number: 10. Set Attribute format: Hexadecimal. Set Attribute Value: 1000000.
149. le the image file path in the HTML code must be the image file to be uploaded. Remote VPN: <img src="images/xx.jpg">. Default Service Zone: <img src="images0/xx.jpg">. Service Zone 1: <img src="images1/xx.jpg">. Service Zone 2: <img src="images2/xx.jpg">. Service Zone 3: <img src="images3/xx.jpg">. Service Zone 4: <img src="images4/xx.jpg">. Click the Browse button to select the file to upload. Then click Submit to complete the upload process. Next, enter or browse the filename of the images to upload in the Upload Images field on the Upload Images Files page, and then click Submit. The system will show the used space and the maximum size of the image file of 512K. If the administrator wishes to restore the factory default of the login page, click the Use Default Page button to restore it to default. After the image file is uploaded, the file name will show in the Existing Image Files field. Check the file and click Delete to delete the file. After the upload process is completed and applied, the new login page can be previewed by clicking the Preview button at the bottom. Custom Pages >> Login Pages >> External Page. [Screenshot: Login Page Selection for Users, Service Zone: Default, with the options Default Page, Template Page, Uploaded Page and External Page] External Page Setting: Ex
150. led/Disabled stands for the connection at WAN being normal or abnormal (Internet Connection Detection), and all online users being allowed/disallowed to log in to the network (Warning of Internet Disconnection). WAN Failover: Enabled/Disabled stands for the function currently being used or not. Load Balancing: Enabled/Disabled stands for the function currently being used or not. Enabled/disabled stands for the current status of the SNMP management function. User Logs, Retained Days: The maximum number of days for the system to retain the users' information. User Logs, Receiver Email Address(es): The email address to which the traffic history or user's traffic history information will be sent. NTP Server: The network time server that the system is set to align with. System Time: The system time is shown as the local time. User Session Control, Idle Time Out: The minutes allowed for the users to be inactive before their account expires automatically. User Session Control, Multiple Login: Enabled/disabled stands for the current setting to allow/disallow multiple logins from the same account. Preferred DNS Server: IP address of the preferred DNS Server. Alternate DNS Server: IP address of the alternate DNS Server. 10.1.2 Interface Status. View Interface Status, go to: Status >> Interface. This section provides an overview of the interface for the administrator, including WAN1, WAN2, SZ Def
151. led or disabled. Details: Configurable detailed settings for each Service Zone. Click the Configure button to configure each Service Zone: Basic Settings, SIP Interface Configuration, Authentication Settings, Wireless Settings and Managed APs in this Service Zone. 3.5.1 Planning your internal network. 1. Simple network environment: For most simple internal networks, such as those with only two subnets, using Port-Based mode is the easier and better way. In Port-Based mode, each LAN port can only serve traffic from one Service Zone. An example network application diagram is shown below: one Service Zone for Employees and one for Guests. [Figure: network diagram with xDSL/Cable Modem and L2 Switches] The switches deployed under WHG301 in Port-Based mode must be Layer 2 switches only. 2. Multi-subnet network environment: On the other hand, if the internal network is a multi-subnet network environment, Tag-Based mode will suit your conditions. In Tag-Based mode, each LAN port will only serve traffic from the Default Service Zone. So you need a VLAN switch or VLAN AP to take care of the VLAN tags carried within the message frames. An example network application diagram is shown below: more than two Service Zones for different departments. xDSL Cable
152. les that can be configured respectively and applied to a certain Group of users. The clients belonging to a Service Zone will also be bound by an applied Policy. In addition, a Policy can be applied on a Group basis; a Group of users can be bound by a Policy. The same Group can be applied with different Policies within different Service Zones. [Screenshot: Policy Configuration for Policy 1, with Select Policy, Firewall Profile, Specific Route Profile, Schedule Profile and Maximum Concurrent Sessions (300 sessions per user)] Select Policy: Select Policy 1 to Policy 12 to set the Firewall Profile, Specific Route Profile, Schedule Profile and Maximum Concurrent Sessions. Firewall Profile: Each Policy has a firewall service list and a set of firewall profiles consisting of firewall rules. Specific Route Profile: The default gateway of WAN1, WAN2 or a desired IP address can be defined in a policy. When Specific Default Route is enabled, all clients to whom this policy is applied will access the Internet through this gateway; settings include the default gateway. Schedule Profile: The Schedule table, in a 7x24 format, is used to control the clients' login time. When Schedule is enabled, clients to whom the policy is applied are only allowed to log in to the system at the times checked in the applied policy. Maximum Concurrent Sessions: Set the maximum concurrent sessions for each client. 6.3.1 Firewall. Firew
153. lick the following link. [Screenshot: wizard page "Now the setup is completed. To close this wizard, click Finish."] TCP/IP Network Setup. If the operating system of the PC in use is Windows 95/98/ME/2000/XP, keep the default settings without any changes to directly start/restart the system. With the factory default settings, during the process of starting the system, WHG301 with DHCP function will automatically assign an appropriate IP address and related information for each PC. If the Windows operating system is not a server version, the default settings of TCP/IP will regard the PC as a DHCP client, and this function is called "Obtain an IP address automatically". If checking the TCP/IP setup or using a static IP in the LAN1/LAN2 or LAN3/LAN4 section is desired, please follow these steps. Check the TCP/IP Setup of Windows 9x/ME: 1. Choose Start >> Control Panel >> Network. [Screenshot: Windows Control Panel with the Network icon]
154. licy 1 [Table: Zone Name, Enabled, Policy, To Group Permission Configuration; rows for the Service Zones and Remote VPN, each with Policy 1] Zone Name: The name of Service Zones and Remote VPN. Enabled: Select Enabled to allow clients of this Group to log into the selected Service Zones. For example, the above figure shows that users in Group 1 can access network services via every Service Zone, as well as Remote VPN, under the constraints of Policy 1. Policy: Select a Policy that the Group will be applied with when accessing respective Service Zones. To Group Permission Configuration: The relation between Group and Service Zone is many-to-many; every Group can access network services via more than one Service Zone, and meanwhile each Service Zone can serve more than one Group. Click the hyperlink in the To Group Permission Configuration column to enter the Group Configuration interface, which is based on the role of Service Zone, to configure the relation between Group and Service Zone. [Screenshot: Group Permission Configuration & Policy Assignment for a Service Zone, with columns Group Option, Enabled and Policy; rows Group 1 to Group 8] o Group Option: The name of Group options available for selection. o Enabled: Select Enable
155. ll be kicked out from the system. For example, if the administrator sets 4ipnet Byte Amount 1048576, 4ipnet MaxByteIn 1048576 and 4ipnet MaxByteOut 1048576, it means that whenever the downlink, uplink or total traffic exceeds the limit, the user will be kicked out from the system. 2. VSA configuration in RADIUS server (IAS Server). This section will guide you through a VSA configuration in your external RADIUS server. Before getting started, please access your external RADIUS server's desktop directly or remotely from another PC. 2.1 Step 1: Assume there are already users in the RADIUS Server. Assume there are already Groups, with users assigned to these Groups, in the RADIUS Server. Assume there are already Policies, with Groups assigned to these Policies, in the RADIUS Server. 2.2 Step 2: Run Internet Authentication Server. Open Remote Access Policies. Select a Policy, right-click and scroll down to its properties page. [Screenshot: RADIUS server desktop with the Internet Authentication Service console and its Remote Access Policies list]
156. ll restart WHG301. 10 System Status and Reports. 10.1 View the status. This section includes System, Interface, Hardware, Routing Table, Online Users, User Logs and E-mail & SYSLOG, to provide system status information and online user status. System: Display current settings of the system. Interface: Display the current settings of all network interfaces. Hardware: Display current CPU and memory usage. Routing Table: List all Policy Route rules and Global Policy Route rules. The System Route rules are shown here as well. The Policy Route rule has higher priority than the Global Policy Route rule. The System Route rule has the lowest priority. Online Users: Display the information of the online users. Content of the information includes Username, IP Address, MAC Address, Packet Count (In/Out), Byte Count (In/Out) and idle time. The administrator can remove an online user by clicking the Logout button in each record. User Logs: Display detailed user access records on a daily basis. History records of up to 3 days are kept in the system. E-mail & SYSLOG: The system can send various reports via up to 3 email accounts, such as Monitor IP report, Users log and Session Log. The external SYSLOG server and FTP server are configured here. 10.1.1 System Status. View System Status
157. lso revise some settings on demand. If copy is not desired, please select NONE. Input the Name and Remark if you want to change these to make them easier to remember. If not, click the Configure button to go on with configuration. [Screenshot: Template Editing (CPE100), with Name: TEMPLATE1, Copy Settings From: None, Remark: Template 1] Template Editing: Here is the section where administrators can configure the template name, template source and template remark. Name: The name shown for this particular template; it will change according to what is given by administrators. Copy Settings From: Select an existing AP and click Apply to save its settings as the template settings. Remark: The remark of this template profile. Template Configuration: The administrator can set the template configuration manually. Click the Configure button for detailed configurations. [Screenshot: General (CPE100, TEMPLATE1): Subnet Mask 255.255.254.0; Default Gateway 192.168.1.254; Time Zone GMT+08:00 Taipei, Taiwan; NTP Server 1 tick.stdtime.gov.tw; NTP Server 2 tock.stdtime.gov.tw; Enabled; Community String: Read public, Write private; Trap Enabled; Trap Server IP 0.0.0.0; SYSLOG Server IP Address 0.0.0.0; SYSLOG Server Port 314; Log Level Emergency] General Setting: In this section, revise the Subnet M
158. lt the system will issue an IP address in the range of 192.168.1 to the PC at the LAN port. Figure 3: A simple network diagram for the initial setup. 2.6 Accessing Web Management Interface. WHG301 supports web-based configuration. Upon the completion of hardware installation, WHG301 can be configured via web browsers with JavaScript enabled, such as Internet Explorer version 6.0 and above, or Firefox. To access the web management interface, connect a PC to one of the LAN ports and then launch a browser. Make sure you have set DHCP in the TCP/IP settings of your PC to get an IP address dynamically. Next, enter the gateway IP address of WHG301 in the address field. The default gateway IP address from the LAN port is https://192.168.1.254 (https is used for a secured connection). [Screenshot: Internet Explorer open at https://192.168.1.254] For the first time, if WHG301 is not using a trusted SSL certificate, there will be a Certificate Error, because the browser treats WHG301 as an illegal website. Please press "Continue to this website" to continue. The default user login page will then appear in the browser. [Screenshot: Internet Explorer "Certificate Error: Navigation Blocked" page]
159. ment of multiple types of AP is very important. Let us introduce the management of multiple types of AP. View AP Overview, go to: Access Points >> Overview. In the Overview page, all of the supported AP types are listed. [Table: AP Type List, with columns AP Type, No. of AP, OnLine, OffLine and No. of Client; rows CPE100, CPE110, EAP100, EAP700, OWL500, OWL510] Because WHG301 can manage up to 12 Single RF access points and 50 Wall Jack access points, the best and easiest way to configure a lot of APs is by AP Template. You can configure one template and then apply this template to all or a lot of APs in a simple way. Or, when you are adding discovered APs to your network with the same configurations, you can also apply this template to the discovered APs very easily. 5.2 Configure AP Template. Configure AP Template, go to: A template is a model that can be copied to every AP, so that it is not necessary to configure each AP individually. There are three templates provided for each type of AP. Select an AP Type and click Edit to go on with configuration. [Screenshot: Template Selection, with an AP Type list (CPE100, CPE110, EAP100, EAP700, OWL500, OWL510) and Template Name] Another easy way to configure the template is to copy the configuration from an existing AP to the template. Select a Source AP and, without configuring the template from the beginning, administrators can a
160. mit packets passing. 6.3.2 Routing. Specific Route Profile: Click the Setting button for Specific Route Profile, and the Specific Route Profile list will appear. 1. Specific Route. Specific Route Profile: The Specific Route is used to control clients' access to some specific IP segment via the specified gateway. [Table: Global Policy Specific Routes, with columns Route No., Destination IP Address, Destination Subnet Netmask and Gateway IP Address; rows 1 to 10, each with netmask 255.255.255.255 (/32)] o Destination, IP Address: The destination network address or IP address of the destination host. Please note that, if applicable, the system will calculate and display the appropriate value based on the combination of Network IP Address and Subnet Mask that are just entered and applied. o Destination, Subnet Netmask: The subnet mask of the destination network. Select 255.255.255.255 (/32) if the destination is a single host. o Gateway, IP Address: The IP address of the gateway or next router to the destination. 2. Default Gateway. Default Gateway: The default gateway
161. mple we try to connect to www.google.com. a. For the first time, if the WHG301 is not using a trusted SSL certificate (for more information, please see 4.2.5 Additional Configuration), there will be a Certificate Error, because the browser treats WHG301 as an illegal website. [Screenshot: Internet Explorer "Certificate Error: Navigation Blocked" page, reading: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." Links: Click here to close this webpage; Continue to this website (not recommended); More information] b. Please press "Continue to this website" to continue. c. The default user login page will appear in the browser. [Screenshot: User Login page with Username, Password, Login and Remember Me] 2. Enter the username and password (for example, we use a local user account test@local here) and then click the Submit button. If the Remember Me check box is checked, the browser will remember this user's name and
162. n the server name to set the configuration for that particular server. After completing and clicking Apply to save the settings, go back to the previous page to select a server to be the default server, and enable or disable any server in each service zone. Users can log into the default server without the postfix, to allow a faster login process. Server 1 to 4: There are 5 authentication methods, Local User, POP3, RADIUS, LDAP and NT Domain, to select from. [Screenshot: Authentication Option for Server 1, with Name, Postfix, Black List, Authentication Database and Group fields] Name: Set a name for the authentication option by using numbers (0-9), alphabets (a-z or A-Z), dash, underline (_), space and dot only. The length of this field is up to 40 characters. This name is used for the administrator to identify the authentication options easily, such as HQ RADIUS. Postfix: A postfix is used to inform the system which authentication option to be used for authenticating an account (e.g. bob@BostonLdap or tin@TaipeiRadius) when multiple options are concurrently in use. One of the authentication options can be assigned as default. For the authentication option assigned as default, the postfix can be omitted. For example, if BostonLdap is the postfix of the default option, Bob can log in as bob without having to type in bob@BostonLdap. Set a postfix that is easy to distinguish (e.g. Local) and the server numbers 0-9 alpha
163. nable / Disable. SecurePay Payment Page Remark Content: You must fill in the correct credit card number and expiration date. Card code is the last 3 digits of the security code located on the back of your credit card. Payment Page Configuration. Merchant ID: The ID that is associated with the Business Account. Password: This is the key used by Secure Pay to validate all the transactions. Payment Gateway URL: The default website address to post all transaction data. Verify SSL Certificate: This is to help protect the system from accessing a website other than Secure Pay. Currency: The currency to be used for the payment transactions. Service Disclaimer Content: View the service agreement and fees for the standard payment gateway services, as well as add or edit the service disclaimer content here. SecurePay Payment Page Billing Configuration: These 10 plans are the plans in Billing Configuration, and the desired plan(s) can be enabled. SecurePay Payment Page Remark Content: The message content will be displayed as a special notice to end customers. 13.4 Payments via WorldPay. Configure Payments via WorldPay, go to: Users >> Authentication >> On-demand User >> External Payment Gateway >> WorldPay. External Payment Gateway: Authorize.Net, PayPal
164. nd Bandwidth Control. Configure QoS, go to: >> QoS Profile. Set parameters for traffic classification. [Screenshot: Group 1 Traffic Configuration, with Traffic Class: Best Effort; Group Total Downlink: Unlimited; Individual Maximum Downlink: Unlimited; Individual Request Downlink: None; Group Total Uplink: Unlimited; Individual Maximum Uplink: Unlimited; Individual Request Uplink: None] o Traffic Class: A Traffic Class can be chosen for a Group of users. There are four traffic classes: Voice, Video, Best Effort and Background. Voice and Video traffic will be placed in the high-priority queue. When Best Effort or Background is selected, more bandwidth management options, such as Downlink and Uplink Bandwidth, will appear. o Group Total Downlink: Defines the maximum bandwidth allowed to be shared by clients within this Group. o Individual Maximum Downlink: Defines the maximum downlink bandwidth allowed for an individual client belonging to this Group. The Individual Maximum Downlink cannot exceed the value of Group Total Downlink. o Individual Request Downlink: Defines the guaranteed minimum downlink bandwidth allowed for an individual client belonging to this Group. The Individual Request Downlink cannot exceed the value of Group Total Downlink and Individual Maximum Downlink. o Group Total Uplink: Defines the maximum uplink bandwidth allowed to be shared by clients within this Group. o Individual Maximum Uplink: Defines the maximum uplink
165. ne [Table: Device List with Status (Offline) and View columns] For more detail of AP Management, please refer to the section Managing Wireless Network. All of the managed APs can join any of the Load Balancing Groups, so the Device List will list all of the managed APs. Select the APs, choose a Group and click Apply. The APs will join this group. If overloading happens, you can check the Power Level from this List. It records the changing process, such as Highest to High, or Low to Medium. Note: It is strongly recommended not to choose different types of AP to create the Load Balance. Note: It is strongly recommended not to choose Multi-SSID APs to create the Load Balance. P/N: V30020091104
166. nections [Screenshot: Internet Options, Connections tab, with Dial-up settings and Local Area Network (LAN) settings] 3. Choose "I want to set up my Internet connection manually, or I want to connect through a local area network (LAN)" and then click Next. [Screenshot: Internet Connection Wizard, "Welcome to the Internet Connection Wizard" page] 4. Choose "I connect through a local area network (LAN)" and then click Next. [Screenshot: Internet Connection Wizard, "Setting up your Internet connection" page]
167. nt gateway, WHG301 allows users to easily pay the fee and enjoy the Internet service using credit cards through Authorize.net, PayPal, SecurePay or WorldPay. With the centralized AP management feature, the administrator does not need to worry about how to manage multiple wireless access point devices. Furthermore, WHG301 introduces the concept of Service Zones: multiple virtual networks, each with its own definable access control profiles. This is very useful for hotspot owners seeking to provide different customers or staff with different levels of network services. The following portion of this section explains the basic concepts of WHG301; the same concepts also apply to the other WLAN Controller products. With an understanding of these concepts, the administrator will be able to do more advanced network planning and to adjust the configurations of WHG301 to suit a specific application. For most administrators, it is sufficient to use the default configuration with minor WAN/DNS address changes for simple deployments. A gateway is a network node where a small network attaches to a bigger network. WHG301 is a kind of gateway in a network environment; hence it has the features a typical gateway has, such as NAT, DHCP, DMZ, Firewall, etc. Conventionally, the bigger network is referred to as the gateway's WAN side or upstream network, while the small network is referred to as the gateway's LAN side. The Ethernet ports leading to t
168. oad. A warning message will then appear. Click Save to download the record in .txt format. [Screenshot: File Download dialog asking whether to open the file or save it to the computer] 10.2 Notification. Configure Notification, go to: Status >> E-mail & SYSLOG. WHG301 can automatically send notifications of Monitor IP Report, Users Log, On-demand Users Log, Session Log and AP Status Change to up to 3 particular e-mail addresses. The notification of AP Status is triggered by the event when a managed AP becomes unreachable, while the other types of emails are sent periodically at given intervals, such as 1 hour. A trial email is provided by the system for validation. In addition, the system supports recording of System Log, On-demand Users Log, Session Log and Hardware Log via external SYSLOG servers. In addition, the Session Log can be sent to a specified FTP server. Enter the related information, select the desired items and then apply the settings. [Screenshot: Notification E-mail Settings, with Receiver E-mail Address(es) and checkboxes for Monitor IP Report, Users Log, On-demand Users Log, Session Log and AP Status Change]
169. ocal Log Status. (Screenshot: AP Status Summary with fields AP Name, AP Type, LAN Interface MAC Address, Wireless Interface MAC Address, Report Time, SSID, and Number of Associated Clients; AP Status Details with tabs System, LAN Interface, Wireless Interface, Associated Clients, and Local Log Status.) 5 AP Operations from AP List. Configure AP List, go to: Access Points >> List. 5.7.1 Reboot, Enable, Disable and Delete the AP. Select any AP by checking its checkbox, and then click the button below to Reboot, Enable, Disable or Delete the selected AP if desired. (Screenshot: AP List with columns AP Type, AP Name, IP Address, MAC Address, Status, Service Zone, Channel, and No. of Client.) 5.7.2 Apply Template. Select any AP by chec
170. ocal VPN Enabled (without quotes). There must be no space between the fields and commas. The MAC Address field could be omitted, but the trailing comma must be retained. When adding user accounts by uploading a file, existing accounts in the embedded database that are also defined in the data file will not be replaced by the new ones. Note 2: If users need to use Local VPN, please set the Local VPN Enabled field to 1. Note 3: Only 0v9 Av aez xv and _ are acceptable for password field. (Screenshot: Upload User from File form with File Name and Browse.) When uploading a file, any format error or duplicated username will terminate the uploading process and no account will be uploaded. Please correct the format in the uploading file or delete the duplicated user account in the database, and then try again. (Screenshot: user list with columns Username, Password, MAC Address, Applied Group, Remark, and Local VPN Enabled, where 1 is enabled and 0 is disabled.) Download User: Use this function to create a txt file with all built-in user account information and then save it on disk. (Screenshot: Download User to File list with columns Username, Password, MAC, Applied Group, Local VPN Enabled, and Remark, and a Download button.) 14.2 Backup and Restore On-demand Users Accounts. Configure Backup/Restore On-demand Users Accounts, go to
171. of WAN1, WAN2, or a desired IP address can be defined in each Policy except Global Policy. When Specific Default Route is enabled, all clients applied with this Policy will access the Internet through this default gateway. (Screenshot: Policy 1 Specific Default Route with Enable checkbox and Default Gateway selector; Policy 1 Specific Routes table, Route No. 1 to 10, with columns Destination IP Address, Subnet Netmask, and Gateway IP Address.) Enable: Check the Enable box to activate this function or uncheck it to deactivate it. Default Gateway: It may be the WAN1 Default Gateway, the WAN2 Default Gateway, or a specific IP Address; if you select IP Address, you may need to fill in the IP address of the gateway. 6.3.3 Schedule. Schedule Profile: Click Setting of Schedule Profile to enter the configuration page. Select Enable to show the Permitted Login Hours list. This function is used to limit the time when clients can log in. Check the checkboxes of the desired time slots and click Apply to save the settings. These settings will become effective immediately after clicking Apply.
172. 2.1.2 Who Uses WHG301. Because of its well-integrated, rich access management features and high performance, academic campuses, government agencies, or enterprise IT departments will find WHG301 a money and time saver, sparing them from having to integrate multiple applications and multiple pieces of equipment on their own in order to manage and secure Internet/network access for both wired and wireless clients. With its billing plan and payment features, WISPs and hospitality venues such as hotels and conventions will find WHG301 an instant revenue generator that requires no hefty equipment investment or long-term outsourced service support. WLAN Controller products are the most affordable, best price-performance appliances compared to similar equipment in the fields of Network Access Controllers, Wireless Controllers, Clientless VPN Gateways, or Hotspot Subscriber Gateways. 2.2 System Concept. If you have used other 4ipnet WLAN Controller products before and are familiar with their system concept, you may skip the concept description below. Please proceed to the next section on Hardware Description. WHG301 is capable of managing user authentication, authorization and accounting (AAA). The user account information is stored in the local database or a specified external database server. Featured with user authentication and integrated with external payme
173. olumn and the TCP/IP Gateway Address window will appear. (Screenshot: Advanced TCP/IP Settings dialog, IP Settings tab, with Add, Edit, and Remove buttons under Default gateways.) 5 4 Enter the gateway address of WHG301 in the Gateway field of the TCP/IP Gateway Address window, and then click Add. After returning to the IP Settings tab, click OK to complete the configuration. Check the TCP/IP Setup of Windows XP: 1. Select Start >> Control Panel >> Network Connection. (Screenshot: Windows XP Control Panel.) 2. Right-click on the Local Area Connection icon
174. omain Name, ARP Table. (Screenshot: Network Utilities page showing the output of a ping to 209.131.36.158, with 4 packets transmitted and 4 received.) 9.10.1 Wake on LAN: It allows the system to remotely boot up a powered-down computer that has the Wake-on-LAN feature enabled in its BIOS and is connected to any service zone. Enter the MAC Address of the desired device and click the Wake Up button. 9.10.2 Ping: It allows the administrator to detect a device using its IP address or host domain name to see if it is alive or not. 9.10.3 Trace Route: It allows the administrator to find out the real path of packets from the gateway to a destination using an IP address or host domain name. 9.10.4 Show ARP Table: It allows the administrator to view the IP-to-physical address translation tables used by the Address Resolution Protocol (ARP). 9.11 Monitor IP Link. Configure Monitor IP Link, go to: Network >> Monitor IP. WHG301
175. omatically use the fastest rate possible. Preamble: The length of the CRC (Cyclic Redundancy Check) block for communication between the Access Point and roaming wireless adapters. Select either Short Preamble or Long Preamble. IAPP: Inter Access Point Protocol is designed for the enforcement of unique association throughout an ESS (Extended Service Set) and for secure exchange of a station's security context between the current access point (AP) and the new AP during the handoff period. Wireless Client Isolation: The default value is Disabled. When Enabled is selected, all the wireless clients will be isolated from each other. Transmit Power: The default is Auto. Select from the range, or keep the default setting Auto to make the Access Point use different transmit power as you wish. Wireless QoS (WMM): When Enabled is selected, packets with QoS WMM will have higher priority. Fragment Threshold: Breaking a packet into smaller units when transmitting over a network medium that cannot support the original size of the packet. RTS Threshold: Request To Send. A packet sent when a computer has data to transmit. The computer will wait for a CTS (Clear To Send) message before sending data. Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered time means how often the beacon signal is transmitted between the access point and the wireless network. 5
176. on Service Zone. 2.3.2 Rear Panel. 1. Reset: Press this button to restart the system. 2. Console: The system can be configured via a serial console port. The administrator can use a terminal emulation program such as Microsoft HyperTerminal to log in to the configuration console interface to change the admin password or monitor system status, etc. 3. Power Socket: The power adapter attaches here. 2.4 Preparation before the Installation. Before you start the installation by following either this User Manual or the Quick Installation Guide, below is a short preparation list. 1. If you use a WLAN Controller product for the first time, it is recommended that you follow the Quick Installation Guide to start up the WHG301 in a near-default state with minimum configuration changes, such as WAN settings and admin password, then refer to this manual later when you want to configure the system for a specific application. 2. Unpack the WHG301 and go through the package checklist. 3. Review the front panel and the back panel, and identify each control and network interface that is described in the previous Hardware Description section. 4. Prepare a couple of CAT5 Ethernet cables with RJ-45 connectors. The cables are for connecting IP devices, including this WHG301, IP switches and your PC. 5. Prepare a PC with a Web browser for access
177. on-demand user accounts at once by batch creation. Click this to enter the On-demand Account Batch Creation page. Enter the desired number of accounts of enabled plans to create a batch of on-demand accounts together. The Number of Accounts field of disabled plans will not accept any number. The sum of all Number of Accounts will be constrained not to exceed the available account limit in the database. Click the Create button to start batch creation. The next page will show a Success or Failed message to indicate the batch creation status. Once creation is successful, all created accounts can be exported to a text file for extended usage. Moreover, you can click Send to POS to print a receipt on a POS device via Serial or Ethernet network. Please note that creating lots of on-demand accounts by batch creation takes time. (Screenshot: On-demand Account Batch Creation table with columns Plan, Type, Quota, Price, and Number of Accounts, followed by the message "Users have been successfully created" and the Download to File and Send to POS buttons.) Plan: The number of a specific plan. Type: Shows the type of the plan: Usage time, Duration time, or Cut-off. Quota: The total time amount or period for which On-demand users are allowed to access the network. Price: The unit price of each plan. Number of Accounts: The
178. onitor IP List. (Screenshot: Monitor IP List table, entries No. 1 to 20, with columns Protocol, IP Address, Hyperlink, and Remark.) Click Monitor Now to check the current status of all the monitored IP addresses. The system supports monitoring of the IP addresses listed in the Monitor IP List. (Screenshot: Monitor IP result.) Appendix E. RADIUS Accounting. This section organizes the basic configuration for a RADIUS server to work with the VSA. The aim is to control the maximum usage (upload, download, or upload plus download traffic) of clients in each session. This VSA is sent from the RADIUS server to the gateway along with an Access-Accept packet. In other words, when the external RADIUS server accepts the request, it will not only reply with an Access-Accept but will also carry a maximum value, in bytes, that each user is allowed to transfer. This value may be the maximum upload traffic, the maximum download traffic, or the sum of each user's download plus upload traffic, in bytes. Gateway will check this value every min
179. oose Billing Plan for PayPal Payment Page. (Screenshot: list of Plans 1 to 10, each with Enable/Disable, Quota, and Price.) Service Disclaimer Content: View the service agreement and fees for the standard payment gateway services, as well as add or edit the service disclaimer content here. Choose Billing Plan for PayPal Payment Page: These 10 plans are the plans in Billing Configuration, and the desired plan(s) can be enabled. Client's Purchasing Record and PayPal Payment Page Remark Content. (Screenshot: Client's Purchasing Record form with Starting Invoice Number, Description (Item Name), and Title for Message to Seller; PayPal Payment Page Remark Content text box.) Client's Purchasing Record: Invoice Number: An invoice number may be provided as additional information against a transaction. This is a reference field that may contain any kind of information. Description: Enter the product/service description, e.g. wireless access service. Title for Message to Seller: Enter the in
180. oving a user from the black list is desired, click the user's Delete link, or click the Del All button to remove all users from the black list. (Screenshot: Black List Settings page with Select Black List, Name, a user list with User and Remark columns, Del All and Delete links, and an Add User(s) button.) After the Black List setup is completed, you can select the Black List in each Authentication Server to make it effective. (Screenshot: Authentication Option for Server 1 with a Black List drop-down listing Blacklist1 to Blacklist5.) 6.2 MAC Address Control. Configure MAC Address Control, go to: MAC ACL. With this function, only the users with their MAC addresses in this list can log in to WHG301. A maximum of 200 users is allowed in this MAC address list. User authentication is still required for these users. Click Edit to enter the MAC Address Control list. Fill in the MAC addresses, select Enable, and then click Apply. (Screenshot: Access Control List with Enable/Disable option and numbered MAC Address fields.) The format of the MAC address is XX XX XX XX XX XX or XX XX XX
181. password so that he/she can just click Submit next time he/she wants to log in. Check the Remember Me box to store the username and password on the current computer in order to automatically log in to the system at next login. Then click the Submit button. The Remaining button on the User Login Page is for on-demand users only, where they can check their remaining quota. (Screenshot: User Login page with Username, Password, and Remember Me.) 3. Successful: The Login Successful page appearing means you are connected to the network and Internet now. (Screenshot: Login Successful page showing the account logged in, the login time, and the Logout button.) Note: When On-demand accounts are used, the system will display more information, as shown below. (Screenshot: Login Successful page for an on-demand account, additionally showing Remaining Time.) 4.3.1 Default Authentication. In each Service Zone, there are different types of authentication database (LOCAL, POP3, RADIUS, LDAP, NTDOMAIN, ONDEMAND, and SIP) that are supported by the entire s
182. ply for an SSL certificate at CAs such as VeriSign. If you already have an SSL Certificate, please click Browse to select the file and upload it. Click Apply to complete the upload process. (Screenshot: Upload Certificate form with Private Key, Customer Certificate, Certification Path Verification Enable/Disable, and Use Default Certificate.) Without a valid certificate, users may encounter the following problem in IE7 when they try to open the login page. (Screenshot: Internet Explorer "Certificate Error: Navigation Blocked" page, stating that the security certificate presented by this website was not issued by a trusted certificate authority and was issued for a different website's address, and that security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.) Click Continue to this website to access the user login page. To Use Default Certificate: Click Use Default Certificate to use the de
183. re setting up the AP sensor, you must discover the APs and apply a template first. Note: For more details on AP Management, please refer to the section Managing Wireless Network. Basically, every managed AP can become a Rogue AP sensor, but some earlier-version APs do not support this function; they will be listed in the Sensor List but will not be available for selection, so the Sensor List will list all of the managed APs. Select the APs and click Apply. (Screenshot: Sensor List for AP Type CPE100 with columns Name, MAC Address, IP Address, and Log.) 3. Add the non-managed AP to the Trust List. Configure Trust AP List, go to: Access Points >> Rogue AP Detection >> Trusted AP Configuration. After the AP detection is finished, all of the non-managed APs will be shown in the list. (Screenshot: Rogue AP List with columns No., Rogue AP BSSID, ESSID, Type, Channel, Encryption, and Report Time, and the Add to Trusted AP List button.)
184. responds to a topic. Indicates that clicking this button will apply all of your settings. Cancel: Indicates that clicking this button will clear what you have set before the settings are applied. The red asterisk indicates that information in this field is compulsory. 1.3 Package Checklist. The standard package of WHG301 includes: 4ipnet WHG301 x 1; CD-ROM (with User's Manual and QIG) x 1; Quick Installation Guide (QIG) x 1; Console Cable x 1; Ethernet Cable x 1; Power Adaptor x 1. It is highly recommended to use all the supplies in the package instead of substituting any components by other suppliers to guarantee best performance. 2 System Overview and Getting Started. 2.1 Introduction of WHG301. WHG301 is an all-in-one product specially designed for wired and wireless data network environments in middle-scaled WLAN deployments. WHG301 is a high-performance, industrial-grade network appliance capable of supporting the network access management for a larger user base. WLAN Controller products feature integrated management, secured data transmission, and enhanced accounting and billing. System administrators can effectively monitor wired or wireless users, including employees and guest users, via its user management interface. Moreover, administrators can discover, configure, monitor an
185. ress of the external LDAP server. Port: The authentication port of the external LDAP server. Service Protocol: The transferring type of service protocol for LDAP authentication, with 3 types available: LDAP, LDAPS, and LDAP StartTLS. Base DN: The Base DN (Distinguished Name) is the LDAP search base, telling which part of the external directory tree to search from. Think of the Base DN as the top of the directory for your LDAP users, although it may not always be the top of the directory itself. The search base may be something equivalent to the organization, group, or domain name (AD) of the external directory. Binding Type: This specifies the binding type and search scope for LDAP authentication, with 4 binding types available: User Account, Anonymous, Specified DN, and Windows AD. User Account: Use the user account with base DN to authenticate the user account and password. Anonymous: Use anonymous to log in to the LDAP server, and use the user account with base DN to authenticate the user account and password. Specified DN: Use the Admin DN and Bind password to log in to the LDAP server, and use the user's account with base DN to authenticate the user's account and password. Windows AD: Add a domain after the user account with base DN to authenticate the user's account and password. Account Attribute: The attribute of LDAP accounts. 4.1.5 NT Domain. Choose NT Domain from the Authentication Database field. Except
186. rnal Domain Name. (Screenshot: system settings form with an internal domain name (FQDN of this device for internal use), Portal URL, User Log Access IP Address, Management IP Address List, and SNMP with Manager IP Address and Community.) 9.5 Three-Level Administration. WHG301 supports three kinds of account interface. You can log in as admin, manager or operator. The default usernames and passwords are as follows. Admin: The administrator can access all configuration pages of WHG301. User Name: admin. Password: admin. (Screenshot: login page.) After a successful login to WHG301, a web management interface will appear. (Screenshot: web management interface with Setup Wizard, Quick Links, and System Overview.) Manager: The manager can only access the configuration pages under User Authentication to manage the user accounts, but without the permission to change the settings of the profiles of Firewall, Specific Route and Schedule. User Name: manager. Password: manager. (Screenshot: login page and the manager's menu with Authentication, Black List, Group, Policy, and Additional Control.)
187. rnet Explorer. From the Tools menu, click on Internet Options. Select the Programs tab and click the Manage add-ons button to enter the Manage add-ons dialog box, where you can see VPNClient ipsec is enabled. During the first login to WHG301 with Local VPN, Internet Explorer will ask clients to download an ActiveX component of IPSec VPN. Once this ActiveX component is downloaded, it will run in parallel with the Login Success Page after the page has been brought up successfully. The ActiveX component helps set up individual IPSec VPN tunnels between clients and WHG301 and checks the validity of the IPSec VPN tunnels between them. If the connection is down, the ActiveX component will detect the broken link and tear down the IPSec tunnel. Once the IPSec VPN tunnel is built, all sent packets will be encrypted. Without connecting to the original IPSec VPN tunnel, a client has no alternative way to gain network connection beyond this. The IPSec VPN feature supported by WHG301 directly solves the possible data security leak problem between clients and the system via either wireless or wired connections, without extra hardware or client software installed. Limitations: The limitations on the client side due to ActiveX and Windows OS include: Internet Connection Firewall of Windows XP or Windows XP SP1 is not compatible with the IPSec protocol. It shall be turned off to allow IPSec packets to p
188. rs The internal or external account databases include Local, POP3, RADIUS, LDAP, NT Domain, On-demand and SIP. The administrator needs to activate and configure at least one of these authentication databases. Authentication: Postfix is used for the system to identify which authentication option will be used for the specific user account when multiple options are concurrently in use. One of the authentication options can be set as default so that end users can choose NOT to type the complete account name (id and postfix) when logging in. Black List: 8 sets of black list profiles can be defined. Each active authentication option may be configured with one of these 8 black list profiles. 16 sets of group profiles, including QoS Configurations, Instant Account Privilege Change, Group Password Privilege, and Zone Permission Configuration & Policy Assignment, can be defined for each group option to enforce the access management for different groups of users. A policy can be selected to apply to a group of users within a zone. Policy: 24 sets of policy profiles, including Firewall Profile, Specific Route Profile, Schedule Profile and Session Limit Management, can be defined. Additional configurations are in this section. They are User Session Control, Built-in RADIUS Server Settings, Customization, Remaining Time Reminder and MAC ACL. The administrator can control user sessions, such as idle timeout, in User Session Control. Three fu
189. s (LAN) to External IP address (WAN) mapping in the Static Assignments. The External IP Address of the Automatic WAN IP Assignment is the IP address of the External Interface (WAN), which will change dynamically if the WAN1 Interface is Dynamic. When Automatic WAN IP Assignment is enabled, the entered Internal IP Address of Automatic WAN IP Assignment will be bound to the WAN1 interface. Each Static Assignment can be bound to the chosen External Interface, WAN1 or WAN2. There are static Internal IP Address and External IP Address fields available. Enter Internal and External IP Addresses as a set. After the setup, accessing the WAN will be mapped to access the Internal IP Address. These settings will become effective immediately after clicking the Apply button. (Screenshot: Automatic WAN IP Assignment and Static Assignments tables with columns No., External IP Address, External Interface, Internal IP Address, and Remark; Total 40.) 8.2 Virtual Server. Configure Virtual Server, go to: Network >> NAT >> Public Accessible Server. This function allows the administrator to set virtual servers so that client devices outside the managed network can access these s
190. server once the file size reaches its maximum size. IP Address / Port: IP address and port number of the FTP server. Server Folder: The folder directory on the FTP server for upload. Send Log every hour: The time interval for sending the log report. FTP Setting Test: To test whether the FTP settings are correct or not. 11 Virtual Private Network (VPN). 11.1 Local VPN. Configure Local VPN, go to. The system is equipped with an IPSec VPN feature. To utilize the IPSec VPN supported by Microsoft Windows XP SP2 (with patch) and Windows 2000 operating systems, the system implements IPSec VPN tunneling technology between the client's Windows devices and the system itself, regardless of wired or wireless network. By pushing down ActiveX to the client's Windows device from the system, no extra client software is required to be installed except ActiveX, in which a so-called clientless IPSec VPN setting is then configured automatically. At the end of this setup, a built-in IPSec VPN feature will be enabled and ready to serve once it is launched for setup. The goal of this design is to eliminate the configuration difficulty for IPSec VPN users. At the client side, the IPSec VPN implementation of the system is based on ActiveX and the built-in IPSec VPN client of Windows OS. ActiveX Component: The ActiveX is a software component running inside Internet Explorer. The ActiveX component can be ch
191. ssion. (Screenshot: PuTTY configuration window.) 3.1 Step 1: Assume there are already users in the RADIUS server. Assume there are already Groups, with users assigned to these Groups, in the RADIUS server. 3.2 Step 2: Log in to the Linux host of the RADIUS server. (Screenshot: SSH login session on the Linux host.) 3.3 Step 3: Create a file dictionary.4ipnet under the freeradius folder. (Screenshot: shell prompt opening /usr/share/freeradius/dictionary.4ipnet.) 3.4 Step 4: Edit and save the content of the file dictionary.4ipnet as follows. (Screenshot: dictionary.4ipnet content, a VENDOR 4ipnet entry followed by ATTRIBUTE entries.) 3.5 Step 5: Edit the file dictionary under the folder freeradius.
192. Appendix D. Monitoring 3rd Party AP. Appendix E. RADIUS Accounting. Appendix F. Net Retriever and Port Mapping. Appendix G. Rogue AP Detection. Appendix H. AP Load Balancing. 1 Before You Start. 1.1 Preface. This WHG301 User Manual is for WLAN service providers or network administrators to set up a network environment using the WHG301 system. It contains step-by-step procedures and graphic examples to guide MIS staff or individuals with basic network system knowledge to complete the installation. Besides this document, there is a Quick Installation Guide (QIG), which is for starting up WHG301 quickly. It is recommended to start with the QIG and then refer to this manual for further details. Some special topics are addressed separately in the Appendixes. 1.2 Document Conventions. Represents essential steps, actions, or messages that should not be ignored. Contains related information that cor
193. stalled and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Table of Contents: Document Conventions; Package Checklist; System Overview and Getting Started; System Concept; Hardware Description; Front Panel; Preparation Before the
194. 11.3 Site-to-Site VPN. Configure Site-to-Site VPN, go to: WHG301 supports Site-to-Site VPN, allowing more than 2 WHG301 to create VPN tunnels to each other over the WAN network. For example, if there are 2 WHG301, you can create a VPN tunnel to let a subnet of one WHG301 access the subnet of another WHG301. [Screenshot: Remote Site Configuration list (Name, IP Address, Pre-shared Key, Edit, Delete, Add A Remote Site) and Local Site Configuration list (Local Subnet, Local Interface, Remote VPN Gateway, Remote Subnet, Edit, Delete, Add A Local Site)] First you need to add a Remote Site with a remote subnet. [Screenshot: Remote VPN Gateway settings: Name; IP Address; Authentication Method: Pre-shared Key; Pre-shared Key; Phase 1 Proposal: Encryption AES256, Authentication SHA-1, Diffie-Hellman Group (Group 1, Group 2, Group 5); IKE Life Time (the time is a 5 digit number, e.g. 36h stands for 1 day and 12 hours); Dead Peer Detection: DPD Delay 10 seconds, DPD Timeout 15 seconds; Remote Subnet table with Network and Mask columns, 5 entries] The IPSec settings in both sites must be the same. And then create a Local Site with su
195. t login automatically and all SIP traffic can pass through. Configure SIP Trusted Registrar, go to: Users >> Authentication >> SIP. [Screenshot: Authentication Server SIP page with Trusted Registrar IP Address, Remark, and the Group selection applied to clients logging in with SIP authentication] SIP: SIP authentication supports 4 Trusted SIP Registrars. IP Address: The IP address of the Trusted SIP Registrar. Remark: The administrator can enter extra information in this field as a remark. Group: A Group option can be applied to the clients who log in with SIP Authentication. Note that the specific route of the applied Policy for the selected Group cannot conflict with the assigned WAN interface for SIP authentication. SIP Interface Configuration: Configure SIP WAN Interface, go to: System Configuration >> Service Zones. [Screenshot: SIP Interface Configuration with Enabled checkbox and WAN Interface WAN1] The system provides SIP proxy functionality, which allows SIP clients to pass through NAT. When enabled, all SIP traffic can pass through NAT via a fixed WAN interface. The policy route setting of SIP Authentication must be configured carefully because it must cooperate with the fixed WAN interface for SIP authentication. SIP Transparent Proxy can be activated in both NAT and Router mode. SIP Authentication must be supported in either mode. For users logging in through SIP
196. t Cafeteria are added to all Service Zones, enabling SSID Student, SSID Faculty, and SSID Guest. The traffic of students, faculty, and guests will be segregated by the three VLAN segments. [Figure 2: An example of managed network, showing the Internet, managed APs with SSID1 Student, SSID2 Faculty and SSID3 Guest, a DMZ zone with Mail, Web and App servers, and the Admin Building, Library, and Cafeteria & Union Center] 2.3 Hardware Description 2.3.1 Front Panel [Figure: WHG301 front panel] 1. LED: There are four kinds of LED (Power, Status, WAN and LAN) to indicate different status of the system. Power: LED ON indicates power on. Status: While system power is on, status OFF indicates BIOS is running, BLINKING indicates that data is being sent and received, and ON indicates the system is ready. WAN: LED ON indicates connection to the WAN port. LAN: LED ON indicates connection to the LAN port. 2. WAN1/WAN2: Two WAN ports (10Base-T/100Base-TX RJ-45) are available on the system. 3. LAN: Client machines connect to WHG301 via LAN ports (10Base-T/100Base-TX RJ-45). By default, all LAN ports are set with Port-based Default Service Zone. Note: for Service Zone configuration, please refer to 3.5 LAN Partiti
197. t be User Policy >> Authentication Policy >> Service Zone Policy >> Global Policy. Now let us discuss the different user policy types. 1. For Local, RADIUS and LDAP, if these users are assigned to different Groups individually, these users can be assigned to their Group. For example, a Local user user01 is assigned to Group1 and the Local Authentication is assigned to Group2. If Group1 in the Service Zone is applied Policy1, then user01 logging in to the Service Zone will get Policy1. This is a common case for users that can be assigned a Group individually. 2. For Local, RADIUS and LDAP, if these users are not assigned any Group individually, they are the same as users of other authentication servers, who cannot be assigned to a Group individually. For example, for a POP3 user pop01, the POP3 Authentication is assigned to Group1. If Group1 in Service Zone1 is applied Policy1, then pop01 logging in to the Service Zone will get Policy1. This is another common case, for users that are assigned a Group by authentication server. 3. If the Authentication server is also not assigned to a Group, then the user will be applied the Service Zone Default Policy. For example, a Local user user01 is assigned to Group None and the Local Authentication is also assigned to Group None. If the Default Policy of the Service Zone is Policy1, then user01 logging in to the Service Zone will get Policy1. 4. If the Default Service Zone Policy is None, Authentication server does not assign to a Group and user
198. ternal URL http Preview. Choose the External Page selection and get the login page from a designated website. In the External Page Setting, enter the URL of the external login page and then click Apply. After applying the setting, the new login page can be previewed by clicking the Preview button at the bottom of this page. The user-defined logout page must include the following HTML codes to provide the necessary fields for username and password: <form action="userlogin.shtml" method="post" name="Enter"> <input type="text" name="myusername"> <input type="password" name="mypassword"> <input type="submit" name="submit" value="Enter"> <input type="reset" name="clear" value="Clear"> </form> 12.3 Load a Customized Logout Page. Custom Pages >> Logout Page: The administrator can apply their own logout page in the menu. As the process is similar to that of the Login Page, please refer to the Login Page >> Uploaded Page instructions for more details. [Screenshot: Uploaded Page Setting with File Name, Existing Image Files, Total Capacity 512 K, Now Used, Upload Image Files, Browse and Preview] Note: The difference is that the HTML code of the user-defined logout interface must include the following HTML code so that the user can enter the username and password. After the upload is completed the
199. the most normally usage to charge the user. If the user opens a browser and tries to access the Internet, a Login page with a disclaimer will pop up; the user can select a satisfactory billing plan and begin to access the Internet until the quota has run out. If the state is Free, the user can access the Internet in this room without any charge. If you do not want to provide any Internet access right in the rooms, you may change the state of the rooms to Block. If the user opens a browser and tries to access the Internet, a Blocking message will pop up to notify the user. [Screenshot: Port Location Mapping Setup. Create Batch: Default Room State (Charge, Free, Block), Service Zone, VLAN ID Start, Number of VLAN, Start Room Number, Room Number Prefix, Room Number Postfix. Change All Room State: Default Room State (Charge, Free, Block), Service Zone. Create One: Default Room State (Charge, Free, Block), Service Zone, VLAN ID (1 to 4094), Room Number, Room Description] Now let us begin to configure the Port Mapping. There are three main groups of settings: Create Batch, Change All Room State and Create One. You can create the Room Mapping by batch processing if you want to create contiguous VLAN Tags and Room numbers. Port Location Mapping Setup: Create Batch. Port Location Mapping Setup Default Room
200. the subnet mask of the network WAN2 port connects to. Default Gateway: a gateway of the network WAN port connects to. Preferred DNS Server: The primary DNS server used by the system. Alternate DNS Server: The substitute DNS server used by the system. This is an optional field. Dynamic: It is only applicable for the network environment where a DHCP server is available. Click the Renew button to get an IP address. [Screenshot: WAN Interface Setting options: None, Static (Use the following IP settings), Dynamic (IP settings assigned automatically), PPPoE] PPPoE: When selecting PPPoE to connect to the network, please set the User Name and Password. MTU: Short for Maximum Transmission Unit of a PPPoE frame. The PPPoE protocol allows an Ethernet frame's size to be up to 1492 bytes, but some ISPs' network equipment may support a frame size smaller than 1492 bytes. In that case, you have to enter a smaller MTU number to meet the ISP's networking requirement. MSS: Short for Maximum Segment Size for a TCP connection. An end-to-end TCP connection over PPPoE will consume additional overhead out of each packet. At least 40 bytes are used for the address. Hence MSS must be smaller than MTU by at least 40. Dial on demand function under PPPoE: If this function is enabled, a Maximum Idle Time will be available for input. When the idle time is reached, the system will automatically d
201. ties: admin, manager or operator. The default usernames and passwords are as follows. Admin: The administrator can access all configuration pages of WHG301. User Name: admin, Password: admin. Manager: The manager can only access the configuration pages under User Authentication to manage the user accounts, but without permission to change the settings of the profiles of Firewall, Specific Route and Schedule. User Name: manager, Password: manager. Operator: The operator can only access the configuration page of Create On-demand User to create new on-demand user accounts and print out the on-demand user account receipts. User Name: operator, Password: operator. The administrator can change the passwords here. Please enter the current password and then enter the new password twice to verify. Click Apply to activate this new password. Note: Only login with admin can change password. [Screenshot: Admin Password (Original, New, Verify, Apply), Change Manager Password (Verify, Apply), Change Operator Password (New, Verify)] If the administrator's password is lost, the administrator's password still can be changed through the text mode management interface at the serial console port. 9.7 Backup/Restore and Reset to Factory Default. Configure Backup/Restore and Reset to Factory Default, go to: This function is used to backup/restore the WHG301 settings. Also WHG301 c
202. tion Server On-demand User: General Settings, Ticket Customization, Billing Plans, External Payment Gateway, On-demand Account Creation, On-demand Account Batch Creation, On-demand Account List. 1. General Settings: This is the common setting for the On-demand User authentication option. [Screenshot: General Settings with Postfix, Currency, Group Name, WLAN ESSID, Wireless Key, Remaining Volume Sync Interval, Terminal Server, Expired Accounts Remain Days and Delete All Expired Accounts] Currency: Select the desired specified unit. WLAN ESSID: It will show the ESSID of Public Zone. Wireless Key: It will show the wireless key that is configured in Public Zone. Remaining Volume Sync Interval: Enable it and input the count-down minutes; the system will remind users that their quota will run out soon when their quota reaches this time. The reminding message will not show up if the Remaining Reminder time is configured longer than the quota of billing plans. Expired Accounts Remain Days: It will delete the expired accounts after the certain days. Delete All Expired Accounts: It will delete all expired accounts immediately. 2. Ticket Customization: On-demand account ticket can be customized here and previewe
203. These 10 plans are the plans in Billing Configuration, and the desired plan(s) can be enabled. SecurePay Payment Page Remark Content: The message content will be displayed as a special notice to end customers. Before setting up WorldPay, it is required that the hotspot owners have a valid WorldPay Merchant Account from its official website: RBS WorldPay Merchant Services & Payment Processing, going to rbsworldpay.com >> support center >> account login. STEP: Log in to the Merchant Interface. Login url: www.rbsworldpay.com/support/index.php?page=login&c=WW. Select Business Gateway (Formerly WorldPay). Click Merchant Interface. Username: user2009. Password: user2009. STEP: Select Installations from the left hand navigation. STEP: Choose an installation and select the Integration Setup button for the specific environment. Installation ID: 239xxx. STEP: Check the Enable Payment Response checkbox. STEP: Enter the Payment Response URL. URL: <wpdisplay item=MC_callback>. STEP: Check the Enable the Shopper Response [Screenshot: WorldPay Merchant Interface installation page] Installation ID 239TEST Risk Management Administration Code TEST
204. type of database is On-demand, the Group selection function will be available in each Billing Plan to allow the administrator to assign a Group to each Billing Plan; a Group can also be assigned to each user one by one when the On-demand user is created. Global Policy: Global is the system's universal policy, including Firewall Rules, Specific Routes Profile and Maximum Concurrent Session, which will be applied to all users unless the user has been regulated and applied with another Policy. [Screenshot: Policy Configuration, Global Policy: Select Policy Global, Firewall Profile Setting, Specific Route Profile, Maximum Concurrent Sessions 300 sessions per user] Select Policy: Select Global to set the Firewall Profile, Specific Route Profile and Maximum Concurrent Session. Firewall Profile: Global policy and each policy have a firewall service list and a set of firewall profile, which is composed of firewall rules. Specific Route Profile: The default gateway of WAN1, WAN2 or a desired IP address can be defined in a policy. When Specific Default Route is enabled, all clients applied this policy will access the Internet through this gateway; settings include default gateway. Maximum Concurrent Sessions: Set the maximum concurrent sessions for each client. Policy: Besides Global Policy, there are Policy 1 to Policy 12; each Policy consists of access control profi
205. ually even though when it is offline. Input the related data of the AP and select a Template. After clicking Add, the AP will be added to the managed list. [Screenshot: Adding An AP to the List: AP Type EAP100, AP Name, Admin Password admin, IP Address, MAC Address, Remark, Service Zone, Template Applied TEMPLATE1, Channel 1] AP Type: This is the supported type of APs for centralized management. AP Name: Mnemonic name of the specific AP. Admin Password: Password required for this AP. IP Address: IP address of the specified AP. MAC Address: MAC address of the specific AP. Remark: Some extra information to be filled in for this AP if desired. Service Zone (Tag-Based only): This item is only shown when Tag-Based mode is selected in System Configuration >> LAN Port Mapping. Select the name of the Service Zone, such as Service Zone 1, Guest or Employee. It is for Multi-VAP APs only. Template Applied: The template which will be applied to the added AP. Channel: The selected channel will be applied to the added AP. 5.7.6 Firmware management and upgrade. Configure Firmware management, go to: Access Points >> Firmware. Firmware Upload displays the current version of the AP's firmware. New firmware can be uploaded here to update the current firmware. To upload, click Browse to select the file and then cl
206. ute: if the user reaches this value, the gateway will stop the session of this user and send a Stop to the RADIUS server. 1. Description: This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage. It MUST not affect the operation of the RADIUS protocol. The standard Attribute Type of VSA is 26. Also we need to know the Vendor ID; in this example the Vendor ID of 4ipnet is 31932. There must be other attributes to define the amount of traffic, with Attribute Number and Attribute Value. Attribute Name (Attribute Number): 4ipnet-Byte-Amount (10), 4ipnet-MaxByteIn (11), 4ipnet-MaxByteOut (12), 4ipnet-Byte-Amount-4GB (20), 4ipnet-MaxByteIn-4GB (21), 4ipnet-MaxByteOut-4GB (22); the Attribute Value of each is to be defined by administrator. If the amount of traffic is larger than 4 GB, then the attribute of XXXX-4GB is for the carry. For example, if the amount is 5 GB, you must set 4ipnet-Byte-Amount = 1048576 and 4ipnet-Byte-Amount-4GB = 1. On the other hand, if administrator fills in all attributes, it means that if any condition is reached the user wi
207. ute table and select a Group from the drop-down list box. [Screenshot: LDAP Group Mapping for Server 4 with Enable/Disable, LDAP Attribute Name, LDAP Attribute Value, Group and Remark columns] 14.6 NT Transparent Login. Configure NT Transparent Login, go to: Users >> Authentication >> NT Domain Server1-4 >> Configure. This function refers to Windows NT Domain single sign-on. In a Windows NT or AD environment, users must log in to the Domain first, and then they will be assigned the access right in this domain. On the other hand, users also need to log in to WHG301 to get the network access right. So users must log in twice, for the network access right and the domain resource access right. This function is used to combine these into a single user login. Users only need to log in once, and then they will be assigned the access right in this domain and the network access right from WHG301. When Transparent Login is enabled, clients will log into the system automatically after they have logged into the NT domain. [Screenshot: Domain Controller, Server, Transparent Login Enable/Disable (Windows 2000/2003 or above)] 14.7 Roaming Out. Configure Roaming Out, go to: Users >> Authentication >> Local Server1-4 >> Configure >>
208. ver Redeem function must redeem to same billing type account only. [Screenshot: Redeem page: Welcome to Redeem Page, please enter the username and password to redeem; Username, Password] The total maximum quota is 364 Days 23 hrs 59 mins 59 secs even after redeem. If the redeem amount exceeds this number, the system will automatically reject the redeem process. Duration time and Cut-off type support the redeem function. 4.2 Users Group. Configure Users Group, go to: There are 8 groups for dividing users. A Group can be allowed to access a Service Zone or not, and it can also be applied with a Policy within a Service Zone. The same Group within different Service Zones can be applied with different Policies as well as different Authentication Options. [Screenshot: Group Configuration for Group 1 (Select Group, QoS Profile, Privilege Profile, Remark) and Zone Permission Configuration & Policy Assignment, listing the Default Service Zone and Service Zones SZ1 to SZ8 with Enabled and Policy columns]
209. [Screenshot: AP settings including Server 2 tock.stdtime.gov.tw] LAN Setting: Click the link to enter the LAN Setting interface. Input the data of LAN, including IP Address, Subnet Mask and Default Gateway of the AP. [Screenshot: LAN settings: IP Address 192.168.0.2, Subnet Mask 255.255.254.0, Default Gateway 192.168.1.254, Primary DNS 192.168.1.254, Secondary DNS] Wireless LAN: Click the link to enter the Wireless interface. [Screenshot: Wireless settings: SSID Broadcast, Channel, Band (802.11b + 802.11g), Data Rate (Auto), Fragment Threshold 2346 (Default 2346, Range from 256 to 2346), RTS Threshold 2346 (Default 2346, Range from 1 to 2346), Beacon Interval in ms (Default 100), Preamble (Long Only), Transmit Power (Highest), Wireless QoS (WMM), Wireless Client Isolation, IAPP] Status: After clicking the hyperlink in the Status column, there are two areas of information shown: AP Status Summary and AP Status Details. AP Status Summary includes AP Name, AP Type, LAN Interface MAC address, Wireless Interface MAC address, Report Time, SSID and Number of Associated Clients. AP Status Details include System Status, LAN Status, Wireless LAN Status, Associated Client Status and L
210. vice zone have same SSID. [Screenshot: Wireless Settings: SSID sz0, Authentication Open System, Security Enable 802.1X Authentication, Encryption None, Access Control Status Disabled, User Limit (Range from 1 to 32), MAC address entries 1 to 10] Service Zone Settings, Access Control for Service Zone: All managed APs (VAP) that belong to this service zone have the same ACL table. When the status is Allowed, only those clients whose MAC addresses are listed in this list are allowed to connect to the AP; on the other hand, when the status is Denied, the clients whose MAC addresses are listed in the list will be denied to connect to the AP. When Disabled is selected, any clients can connect to the AP. The default is Disabled. [Screenshot: Wireless Settings with the Access Control list] User Limit: Limit the number of users connected to that
211. will send out a packet periodically to monitor the connection status of the IP addresses on the list. On each monitored item with a WEB server running, administrators may add a link for easy access by entering the IP, selecting the Protocol (http or https) and then clicking Create. After clicking the Create button, the IP address will become a hyperlink, and administrators can easily access the host remotely by clicking the hyperlink. Click the Delete button to remove the setting. [Screenshot: Monitor IP List with No., Protocol, IP Address, Hyperlink and Remark columns] 9.12 Console Interface. Via this port, enter the console interface for the administrator to handle the problems and situations that occur during operation. 1. In order to connect to the console port of WHG301, a console modem cable and a terminal simulation program, such as the Hyper Terminal, are needed. 2. If a Hyper Terminal is used, please set the parameters as 9600, 8, None, 1, None. [Screenshot: Port Settings: 9600, Data bits 8, Parity None, Stop bits, Flow control None, Restore Defaults] 3. The main console is a menu-driven text interface with dialo
212. with same postfix, then the local user in this WHG301 can log in successfully from another WHG301 by RADIUS authentication. 14.8 SIP Proxy. SIP (Session Initiation Protocol) is a protocol for making real-time calls over IP network. Currently most of the SIP extensions address audio communication. WHG301 can act like a SIP Proxy Server; it forwards end-point requests and responses. In other words, the SIP Proxy server needs to log in to the trusted registrar to verify the identities of 2 clients. After enabling SIP proxy server, all SIP traffic passes through NAT with a selective but fixed WAN interface. In this example, client extension 301 is trying to call 303. WHG301 asks an external trusted SIP registrar to verify both identities. After the SIP registrar responds with a YES, the call is established through WHG301. [Figure: SIP Proxy example with a Trusted SIP Proxy Authentication Server, the wireless and wired networks, WiFi Phone 301 and SIP Softphone 303: 1. Making a call 301 -> 303; 2. Get authenticated; 3. Call established] The system provides SIP proxy for SIP clients (devices or soft clients) to pass through NAT. After enabling SIP proxy server, all SIP traffic can pass through NAT with a selective but fixed WAN interface. If the SIP Registrar setting in the SIP client is the same as the system setting, when the client tries to access the SIP Registrar, the system will let this clien
213. wse Note: For better maintenance, we strongly recommend you back up system settings before upgrading firmware. 1. Firmware upgrade may cause the loss of some data. Please refer to the release notes for the limitation before upgrading. 2. Please restart the system after upgrading the firmware. Do not power on/off the system during the upgrade or restart process. It may damage the system and cause malfunction. 9.9 Restart. Configure Restart, go to: This function allows the administrator to safely restart WHG301, and the process might take approximately three minutes. Click YES to restart WHG301; click NO to go back to the previous screen. If the power needs to be turned off, it is highly recommended to restart WHG301 first and then turn off the power after completing the restart process. [Screenshot: Do you want to RESTART the system?] The connection of all online users of the system will be disconnected when the system is in the process of restarting. 9.10 Network Utility. Configure Network Utility, go to: The system provides some network utilities to allow administrators to use functions including Wake on LAN, Ping, Trace Route by entering IP or Domain Name, and showing the ARP Table. [Screenshot: Network Utilities with Wake on LAN (MAC), Ping (www.yahoo.com), IP or Domain name
214. [Screenshot: Template Page Setting with color fields (select RGB values in hex mode), text fields Title, Welcome, Information, Username, Password, Submit, Cancel, Remaining, Copyright and Remember Me, Logo Image File and Background Image File, and a preview of the User Login Page] Custom Pages >> Login Page >> Uploaded Page: Choose Uploaded Page and upload a login page. [Screenshot: Uploaded Page Setting with File Name, Existing Image Files, Total Capacity 512 K, Now Used 0, Upload Image Files, Browse and Preview] The user-defined login page must include the following HTML codes to provide the necessary fields for user name and password: <form action="userlogin.shtml" method="post" name="Enter"> <input type="text" name="myusername"> <input type="password" name="mypassword"> <input type="submit" name="submit" value="Enter"> <input type="reset" name="clear" value="Clear"> </form> And if the user-defined login page includes an image fi
215. y Authorize.Net to authenticate transactions. Payment Gateway URL: This is the default website address to post all transaction data. Verify SSL Certificate: This is to help protect the system from accessing a website other than Authorize.Net. Test Mode: In this mode, merchants can post test transactions for free to check if the payment function works properly. MD5 Hash: If transaction responses need to be encrypted by the Payment Gateway, enter and confirm a MD5 Hash Value and select a reactive mode. The MD5 Hash security feature enables merchants to verify that the results of a transaction, or transaction response, received by their server were actually sent from Authorize.Net. Service Disclaimer Content, Choose Billing Plan for Authorize.Net Payment Page, Client's Purchasing Record: [Screenshot: Service Disclaimer Content text ("We may collect and store the following personal information: email address, physical contact information, credit card numbers and transactional information based on your activities on the Internet service provided by us") and the Choose Billing Plan for Authorize.Net Payment Page table with Plan, Enable/Disable, Quota and Price columns]
216. ystem. There are up to six authentication options that can be enabled, and one of them can be set as the Default Authentication so that users do not have to type in the postfix string while entering username during login. A postfix is used to inform the system which authentication option is to be used for authenticating an account (e.g. bob@BostonLdap or tim@TaipeiRadius) when multiple options are concurrently in use. One of the authentication options can be assigned as default. For the authentication option assigned as default, the postfix can be omitted. For example, if BostonLdap is the postfix of the default option, Bob can log in as bob without having to type in bob@BostonLdap. 4.3.2 Login with postfix. Set a postfix that is easy to distinguish (e.g. Local), showing which authentication server the user logs in with. The acceptable characters are numbers (0-9), alphabets (a-z or A-Z), dash (-), underline (_) and dot (.), within a maximum of 40 characters. All other characters are not allowed. Besides the Default Authentication, when users of all other authentication servers log in to the system, the username must contain the postfix to identify which authentication server the user belongs to. 4.3.3 Disable Authentication in Service Zone. Configure Authentication in Service Zone, go to: System >> Service Zones. [Screenshot: Authentication Settings, Authentication Required For the Zone: Enabled / Disabled]
217. zone of these rooms. VLAN ID: The VLAN ID to be added. Room Number: The room number mapping to this VLAN ID. Room Description: The reference or remark information of this room. Note: The VLAN Tag used here (VLAN Port/Room Mapping) must not conflict with the VLAN Tag that has been assigned to each Service Zone. 3. Check or modify the VLAN Port/Room Mapping: If you want to check the room mapping information or change any setting of the room mapping: Configure Port Location Mapping List, go to: System >> Port Location Mapping. [Screenshot: Port Location Mapping List with VLAN ID, Room Num, State, Description and Service Zone columns: rooms 101 to 105 Charge, 106 to 108 Free, 109 and 110 Block, each with a Delete button] Click the VLAN ID link to go to the Port Mapping Profile page. You can change the Room State or Service Zone of this room. You can also check the current user account information. [Screenshot: Port Mapping Profile for VLAN ID 101, Room Number 101, with Room State (Free, Charge, Block), Room Description, Service Zone and the room's user account details: User Name, Password, Plan Type TIME, Plan Quota 5 hrs, Remaining Quota 5 hrs, User Account Status Online]
