LevelOne WHG-505 User Manual

LevelOne
WHG-505
Secure WLAN Controller

User Manual

V1.00

Summary of Contents for LevelOne WHG-505

  • Page 1: User Manual

    LevelOne WHG-505 Secure WLAN Controller User Manual V1.00...
  • Page 2: Table Of Contents

    3.4.3 System Overview; 3.4.4 Main Menu; 3.4.5 Online Help; Placing WHG-505 in a Network Environment; Network Requirement; Setting up WAN1 Ports; 4.2.1 Static IP; 4.2.2 DHCP (Dynamic IP); 4.2.3...
  • Page 3 The Controller with Multiple Types of APs; Configure AP Template; AP Discovery; 6.3.1 AP Background Discovery; Manually add AP; AP with Service Zone; AP Security; Change managed AP settings; AP Operations from AP List...
  • Page 4 11.1.1 NTP; 11.1.2 Manual Settings; 11.2 Management IP; 11.3 Access History IP; 11.4 SNMP; 11.5 Three-Level Administration; 11.6 Change Password; 11.7 Backup / Restore and Reset to Factory Default; 11.8 Firmware Upgrade...
  • Page 5 About 4ipnet The LevelOne Secure WLAN Controller series is powered by 4ipnet. LevelOne has partnered with 4ipnet to deliver the most feature-rich products with simple deployment in wireless networking infrastructure solutions. 4ipnet is a leading provider of wireless networking solutions for manageable, reliable, and secure wireless access. In...
  • Page 6: Before You Start

    Besides this document, there is a “Quick Installation Guide” (QIG), which is for starting up WHG-505 quickly. It is recommended to start with the QIG, and then refer to this manual for further details. Some special topics are addressed separately in the Appendixes.
  • Page 7: Package Checklist

    1.4 Package Checklist The standard package of WHG-505 includes: WHG-505 x 1 CD-ROM (with User’s Manual and QIG) x 1 Quick Installation Guide (QIG) x 1 Console Cable x 1 Ethernet Cable x 1 Straight-through Ethernet Cable x 1 Power Cord x 1...
  • Page 8: System Overview And Getting Started

    2 System Overview and Getting Started 2.2 Introduction of WHG-505 WHG-505 is an all-in-one product specially designed for wired and wireless data network environments in medium-scale WLAN deployments. WHG-505 is a high-performance industrial grade network appliance with all Gigabit network interfaces, capable of supporting the network access management for a larger user base.
  • Page 9: Who Uses Whg-505

    Because of its well integrated rich access management features and high performance, academic campuses, government agencies or enterprises’ IT departments will find WHG-505 is a money and time saver, sparing them from having to integrate multiple applications and multiple pieces of equipment on their own in order to manage and secure the internet/network access for both wired and wireless clients.
  • Page 10: System Concept

    A gateway is a network node where a small network attaches to a bigger network. WHG-505 is a kind of gateway in a network environment; hence it has the features a typical gateway has, such as NAT, DHCP, DMZ, Firewall, etc.
  • Page 11 Service Zone is a logical partition of WHG-505’s LAN network. The concept of Service Zone is similar to the concept of virtual LAN (VLAN), which can be used to group the network traffic or network services for clients on the same VLAN segment, regardless of the clients’...
  • Page 12 Imagine the network administrator may wish to set different privileges and bandwidth limits for staff, students, and guests; he could use several Service Zones of WHG-505 – one for staff, one for students, and one for the guests. He also uses one zone for some shared servers in the diagram.
  • Page 13: Hardware Description

    WAN1/WAN2: Two WAN ports (10/100/1000 Base-T RJ-45) are connected to the external network, such as the ADSL Router from your ISP (Internet Service Provider). LAN1/LAN2: Client machines connect to WHG-505 via these LAN ports (10/100/1000 Base-T RJ-45). Reset: Press and hold the Reset button for about 5 seconds and the status LED on the front panel will start to blink before restarting the system.
  • Page 14: Rear Panel

    5.2.2 Rear Panel Power Supply Socket: Connect the power cord to the built-in open-frame power supply (Input: 100~240 VAC, 50/60 Hz). Power Switch: Power-On (|) & Power-Off (O). Device Cooling Fan: Don’t block the cooling fans. Leave enough open space for ventilation.
  • Page 15: Getting Started

    4. Prepare a PC with Web browser for accessing the Web Management Interface. 5. Identify an upstream device to plug in WHG-505 in your network, such as ADSL, CABLE modem or other edge devices. Collect the DNS server address provided by your ISP.
  • Page 16: Hardware Installation

    Figure 3 below is a simple network diagram for the initial installation and configuration. Start with this simple network topology to set up WHG-505 for the first time; it helps to plan a more sophisticated network topology to suit your specific application needs later.
  • Page 17: Accessing Web Management Interface

    Mgmt port, the IP address will be the default gateway IP address of Default Service Zone. Next, enter the gateway IP address of WHG-505 at the address field. The default gateway IP address from Mgmt Port is “https://172.30.0.1” (“https” is used for a secured connection).
  • Page 18: Home Page

    After a successful login, a “Home” page will appear on the screen. For the first time, if WHG-505 is not using a trusted SSL certificate, there will be a “Certificate Error”, because the browser treats WHG-505 as an untrusted website. Please press “Continue to this website” to continue. The default user login page will then appear in the browser.
  • Page 20: Setup Wizard

    5.2.2 Setup Wizard The administrator can configure the WHG305 via its web management interface as specified. In order to connect to the Internet, System’s outbound TCP/IP related information such as IP address, subnet mask, and gateway address, must first be obtained from your ISP. The Configuration Wizard uses four simple steps to provide easy setup of the WHG305.
  • Page 21: Quick Links

    5.2.2 Quick Links The Quick Links provide the shortcut to eight links for administrators to directly access frequently used functions of the web management interface. The eight functional links are: System Status, Local User Management, Policy Management, AP Management, Online User List, On-demand Account Management, Authentication Configuration and Firmware Management.
  • Page 22 On-demand Account Management links to the On-demand User Configuration page under 4.3.1 Authentication in Users. Please refer to the section on On-demand Account Configuration for details. Link 5. Policy Management Policy provides information from the Policy Configuration, a shortcut to 4.3.4 Policy in Users sections. It lets the administrator select one of the defined policies to apply to specific authentication option.
  • Page 23: System Overview

    5.2.2 System Overview This page displays important system related information that the administrator might need to be aware of at a glance, which includes General System settings, Network Interface and Online Users etc. A drop-down menu is available for selecting the information refresh rate for this page.
  • Page 24: Main Menu

    5.2.2 Main Menu This feature leads to all the detailed configuration pages on the Web Management Interface, allowing you to set various networking parameters, enable and customize network services, manage user accounts and monitor user status. Administration functions are separated into 6 categories: System, Users, Access Points, Network, Utilities and Status.
  • Page 25: Online Help

    5.2.2 Online Help The Help button is at the upper right corner of the WHG305 display screen. Click Help for the Online Help window, and then click the hyperlink of the relevant information required. Online Help Corner...
  • Page 26: Placing Whg-505 In A Network Environment

    4.2 Network Requirement Typically, in a network environment, WHG-505 plays the role of a gateway. On a gateway device, a network port leading upstream to the Internet or the backbone network is called a ‘WAN port’ or an uplink port, while a network port used for branching out to serve the clients downstream is referred to as a ‘LAN port’.
  • Page 27: Static Ip

    When the ISP assigns you a static IP address, or your network for some other reason requires you to use a fixed IP address, then you (as the administrator of WHG-505) will manually enter the fixed IP address as WHG-505’s WAN address.
  • Page 28: Dhcp (Dynamic Ip)

    5.2.2 DHCP (Dynamic IP) When the ISP issues dynamic IP addresses or there is a DHCP server upstream for issuing dynamic IP addresses, then you (as the administrator of WHG-505) can configure WHG-505 to receive an IP address dynamically as WHG-505’s WAN1 address.
  • Page 29: Pppoe

    5.2.2 PPPoE If the ISP requires you to use a PPPoE dial-up connection, then the ISP will issue you an account with a password. You would need to enter the account credential in the WAN configuration page for dialing up to the ISP. If you are using ADSL/DSL Internet service, most likely, your ISP will require a PPPoE connection.
  • Page 30: Pptp

    Although not a popular method, the PPTP protocol for dial-up connections is adopted by some ISPs (in European Countries). WHG-505 offers the PPTP dial-up feature for these rare cases. Your PPTP ISP will issue you an account with a password as well as the PPTP server address.
  • Page 31: Configuring Wan2 Ports (Optional)

    4.4 Configuring WAN2 Ports (optional) WHG-505 also supports a second WAN port, called WAN2. The second port is for connecting to a second feeding pipe upstream. When WAN1 is connected to an ISP and WAN2 is connected to another ISP, the network is referred to as ‘dual ISP homing’, or ‘having dual homed Internet feed’.
  • Page 32 IP Address: the IP address of the WAN2 port. Subnet Mask: the subnet mask of the network WAN2 port connects to. Default Gateway: a gateway of the network WAN2 port connects to. Preferred DNS Server: The primary DNS server used by the system. Alternate DNS Server: The substitute DNS server used by the system.
  • Page 34: Other Wan Traffic Settings

    Go to: System >> WAN Traffic. Enable WAN Failover: Normally WHG-505 uses WAN1 as its primary WAN interface. When WAN Failover is enabled and WAN2 is available, WAN1's traffic will be routed to WAN2 when the WAN1 connection is down. On the other hand, a Service Zone’s policy could also use WAN2 as its interface;...
  • Page 35 Enable Load Balancing: Outbound load balancing is supported by the system. When enabled, the system will allocate traffic between WAN1 and WAN2 dynamically according to designed algorithms based on the weight ratio. WAN1 Weight: The percentage of traffic through WAN1. (Range: 1~99; by default, it is 50) Base: The weight ratio between WAN1 and WAN2 can be based on Sessions, Packets or Bytes.
  • Page 36: Internet Connection Detection

    5.2.2 Internet Connection Detection The system will periodically check to see if the Internet (uplink) connection is down by seeing if it can get responses from three target sites. The administrator can specify the three target sites: Go to: System >> WAN Traffic. The administrator can further specify a warning text, which will be displayed on the client’s “Login Success Page”.
  • Page 37: Wan Bandwidth Control

    5.2.2 WAN Bandwidth Control This section is for administrators to configure the control over the entire system’s traffic through the WAN interface (WAN1 and WAN2 ports). To configure WAN Bandwidth Limit Go to: System >> WAN Traffic. The parameters in the row of Available Bandwidth on WAN Interface are used for matching the real bandwidth provided by your ISP.
  • Page 38: Lan Partition - Service Zone

    4.6 LAN Partition - Service Zone To configure Service Zone, go to: System >> Service Zones. A Service Zone is a logical network area to cover certain wired and wireless networks in an organization such as SMB or branch offices. By associating a unique VLAN Tag and SSID with a Service Zone, administrators can separate wired network and wireless network into different logical zones.
  • Page 39 Tag-Base Service Zone Name: Mnemonic name of the Service Zone. LAN Port Mapping (Port Base only): Choose which port is mapped to which Service Zone. VLAN Tag (Tag Base only): The VLAN tag number that is mapped to the Service Zone. SSID: The SSID that is associated with the Service Zone.
  • Page 40: Planning Your Internal Network

    In Port-Based mode, each LAN port can only serve traffic from one Service Zone. An example of network application diagram is shown as below: one Service Zone for Employees and one for Guests. The switches deployed under WHG-505 in Port-Based mode must be Layer 2 switches only.
  • Page 41 VLAN switch or VLAN AP to take care of the VLAN tags carried within the message frames. An example network application diagram is shown below: more than two Service Zones for different departments. The switch deployed under WHG-505 in Tag-Based mode must be a VLAN switch only.
  • Page 42: Configure Service Zone Network

    5.2.2 Configure Service Zone network To configure Service Zone, go to: System >> Service Zones. Service Zone Status: Each service zone can be enabled or disabled except for the default service zone. Service Zone Name: The name of service zone could be input here. Network Interface: VLAN Tag: The VLAN tag number that is mapped to the Service Zone.
  • Page 43 Management IP Address List accordingly (at System Configuration >> System Information >> Management IP Address List) to permit the administrator to access the WHG-505 admin page after the default IP address of the network interface is changed. Preferred DNS Server The primary DNS server that is used by this Service Zone.
  • Page 44 Lease Time This is the time period that the IP addresses issued from the DHCP server are valid and available. Ignore Client Name When enabled, the system will not record the name of the device requesting an IP address. On the other hand, when disabled is selected, the system will record the device’s name when issuing IP addresses.
  • Page 45: Tag Base And Port Base

    To configure Tag Base or Port Base, go to: System >> LAN Port Mapping. WHG-505 supports multiple Service Zones in either of the two VLAN modes, Port-Based or Tag-Based, but not concurrently. In Port-Base mode, each LAN port can only serve traffic from one Service Zone as each Service Zone is identified by physical LAN ports.
  • Page 46 VLAN Tag setting is required for Tag-Based mode. Select Service Zone Mode: Select a VLAN mode, either Port-Based or Tag-Based. The switches deployed under WHG-505 in Port-Based mode must be Layer2 Switches only. The switch deployed under WHG-505 in Tag-Based mode must be a VLAN switch only.
  • Page 47 distinguished by VLAN tagging, instead of by physical LAN ports. Select Tag-Based and then click Apply to activate the Tag-Based VLAN function. When a restart message screen appears, do NOT restart the system until you have completed the configuration under the Service Zones tab first.
  • Page 48: Ipv6

    4.7 IPv6 To configure Service Zone, go to: System >> IPv6. The system implements IPv6 and supports operation in an IPv6 networking environment. When IPv6 is enabled, the administrator may assign an IPv4 address as well as an IPv6 address to each interface such as WAN1, WAN2, Default Service Zone, Service Zone1, etc.
  • Page 49 6to4: 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 internet) without the need to configure explicit tunnels. 6to4 option can only be chosen when the selected WAN interface was set with a static IPv4 address.
  • Page 50: User Authentication And Grouping

    On-demand User and SIP, which also can be selected by the system. Auth Option: There are several authentication options supported by WHG-505: Server 1 to Server 4, On-demand User, and SIP. Click the hyperlink of the respective Server Name to configure the authentication server.
  • Page 51 Authentication Option Configuration Click on the server name to set the configuration for that particular server. After completing and clicking Apply to save the settings, go back to the previous page to select a server to be the default server and enable or disable any server in each service zone.
  • Page 52: Local

    5.2.2 Local Choose “Local” from the Authentication Database field. Click the Configure button for further configuration. Local User List: It lets the administrator view, add or delete local user accounts. The Upload User button is for importing a list of user accounts from a text file. The Download User button is for exporting all local user accounts into a text file.
  • Page 53 Add User: Click this button to enter into the Adding User(s) to the List interface. Fill in the necessary information such as “Username”, “Password”, “MAC Address”, and “Remark”. Select a desired Group to classify local users. Check to enable Local VPN in the Enable Local VPN column. Click Apply to complete adding the user(s).
  • Page 54 Edit User: If editing the content of individual user account is needed, click the username of the desired user account to enter the User Profile Interface for that particular user, and then modify or add any desired information such as Username, Password, MAC Address (optional), Applied Group (optional), Enable Local VPN (optional) and Remark (optional).
  • Page 55: Pop3

    5.2.2 POP3 Choose “POP3” from the Authentication Database field. Except for Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database. Click the Configure button for further configuration. Enter the information for the primary server and/or the secondary server (the secondary server is not required).
  • Page 56: Radius

    5.2.2 RADIUS Choose “RADIUS” from the Authentication Database field. Click the Configure button for further configuration. The RADIUS server sets the external authentication for user accounts. Enter the information for the primary server and/or the secondary server (the secondary server is not required).
  • Page 58 External RADIUS Server Related Settings. Item: 802.1X Authentication. Description: Enable/Disable 802.1X authentication for users authenticating through this Server. To support EAP-SIM authentication, please enable this feature and enter 802.1X Settings to configure the APs that support associated clients to authenticate by EAP-SIM.
  • Page 59 RADIUS Standard Attributes Session Time Out: Forced logout once timeout period reached. Idle Time Out: Implicitly logout when inactivity timeout period reached. Acct Interim Interval: The time interval to send accounting updates. WISPr Vendor Specific Attributes Default from the drop-down menu is to follow external Server settings.
  • Page 60: Ldap

    5.2.2 LDAP Choose “LDAP” from the Authentication Database field. Except for Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database. Click the Configure button for further configuration. Enter the information for the primary server and/or the secondary server (the secondary server is not required).
  • Page 61: Nt Domain

    5.2.2 NT Domain Choose “NT Domain” from the Authentication Database field. Except for Local authentication, the Local VPN option in the other authentication options can only be enabled or disabled for the entire Authentication Database. Click the Configuration button for further configuration. Enter the server IP address and enable/disable the transparent login function.
  • Page 62: On-Demand Users

    5.2.2 On-Demand Users On-demand User Server Configuration: The administrator can enable and configure this authentication method to create on-demand user accounts. This function is designed for hotspot owners to provide temporary users with free or paid wireless Internet access in the hotspot environment. Major functions include accounts creation, users monitoring list, billing plan and external payment gateway support.
  • Page 63 Terminal Server: Terminal Configuration is a list of serial-to-Ethernet devices that communicate with the system only; they never go online and do not need to go through authentication. Ticket Customization On-demand account ticket can be customized here and previewed on the screen.
  • Page 64 Receipt Header: There are 3 receipt headers supported by the system. The entered content will be printed on the receipt. These headers are optional. Receipt Footer: The entered content will be printed on the receipt. This footer is optional. Background Image: You can choose to customize the ticket by uploading your own background image for the ticket, or choose the default image or none.
  • Page 65 Billing Plans Administrators can configure several billing plans. Click Edit button to enter the page of Editing Billing Plan. Click Apply to save the plan. Go back to the screen of Billing Plans, check the Enable checkbox or click Select all button, and then click Apply, the plan(s) will be activated. Plan: The number of the specific plan.
  • Page 67 Usage-time with No Expiration Time: Can access internet as long as account has remaining quota (usable time). Need to activate the purchased account within a given time period by logging in for the first time. Ideal for short term usage. For example in coffee shops, airport terminals etc. Only deducts quota while using.
  • Page 68 Hotel Cut-off-time: Hotel Cut-off-time is the clock time (normally check-out time) at which the on-demand account is cut off (made expired) by the system on the following day or many days later. On the account creation UI of this plan, operator can enter a Unit value which is the number of days to Cut-off-time according to customer stay time.
  • Page 69 Volume: Can access internet as long as account valid with remaining quota (traffic volume). Account expires when Valid Period has been used up or quota depleted. Ideal for small quantity applications such as sending/receiving mail, transferring a file etc. Count down of Valid Period is continuous regardless of logging in or out.
  • Page 70 Duration-time with Elapsed Time: Account activated upon the account creation time. Count down begins immediately after account created and is continuous regardless of logging in or out. Account expires once the Elapsed Time has been reached. Ideal for providing internet service immediately after account creation throughout a specific period of time.
  • Page 71 Duration-time with Cut-off Time: Cut-off Time is the clock time at which the on-demand account is cut off (made expired) by the system on that day. For example, a shopping mall's closing hour is 23:00; operators selling on-demand tickets can use this plan to create tickets set to be cut off at 23:00. If an account of this kind is created after the Cut-off Time, the account will automatically expire.
  • Page 72 Duration-time with Begin-and End Time: Define explicitly the Begin Time and End Time of the account. Count down begins immediately after account activation and expires when the End Time has been reached. Ideal for providing internet service throughout a specific period of time. For example during exhibition events or large conventions such as Computex where each registered participant will get an internet account valid from 8:00 AM Jun 1 to 5:00 PM Jun 5 created in batch like coupons.
  • Page 73 External Payment Gateway This section is for merchants to set up an external payment gateway to accept payments in order to provide wireless access service to end customers who wish to pay for the service on-line. The three options are Authorize.Net, PayPal, SecurePay and Disable.
  • Page 74 On-demand Account Creation On-demand accounts are listed and related. After at least one plan is enabled, the administrator can generate on-demand user accounts here. Click this to enter the On-demand Account Creation screen. Click on the Create button of the desired plan and an on-demand user account will be created. After the account is created, you can click Print in the ticket to print a receipt which will contain the on-demand user’s information, including the username and password.
  • Page 75 On-demand Account Batch Creation After at least one plan is enabled, the administrator can generate more than one on-demand user account...
  • Page 76 here. Enter the number of accounts in the desired plan, and press the Create button for the desired plan; the on-demand user accounts will be created. After the accounts are created successfully, you can download the created accounts as a text file or click Send to POS and select a POS printer to print the receipts which will contain these on-demand users’...
  • Page 77 Search: Enter a keyword of a username, or reference, to be searched in the text field and click this button to perform the search. All usernames, or references, matching the keyword will be listed. Username: The login name of the account. Password: The login password of the account.
  • Page 78 Redeem On-demand Accounts: For Time and Volume accounts, if they are almost out of quota, users can use the redeem function to extend their quota. After the user has obtained, or bought, a new account, they just need to click the Redeem button in the login success page, input the new account Name and Password and then click Enter.
  • Page 79: Users Group

    5.3 Users Group To configure Users Group, go to: Users >> Group. There are 16 groups for dividing users. A Group can be allowed to access a Service Zone or not, and a Policy can also be applied to it within a Service Zone. The same Group within different Service Zones can be applied with different Policies as well as different Authentication Options.
  • Page 80: Assign Users To A Group

    5.2.2 Assign users to a Group To assign users to a Group, go to: Users >> Authentication. This section shows how to group users and how to govern each grouped user with a different policy as the user moves to a different service zone. The following examples will help you better understand this section.
  • Page 81 In this example, Group 1 users are allowed to access the internet in 5 places; Service Zone 0,1,4,6, and 8. They must follow policy 1 at Service Zone 1, 6 and 8. They are ruled by Policy 3 at Service Zone 1 and by Policy 8 at Service Zone 4.
  • Page 82 In RADIUS Authentication, users can be assigned to different Groups by Class-Group Mapping. In LDAP Authentication, users can be assigned to different Groups by Attribute-Group Mapping.
  • Page 83: Permission In Service Zone

    5.2.2 Permission in Service Zone To configure Permission in Service Zone, go to: Users >> Group. A Group can be allowed to access one Service Zone or multiple Service Zones. Moreover, different Policies can be applied to a Group within different Service Zones. Remote VPN is considered as a zone, where clients log into the system via remote VPN.
  • Page 84 At Service Zone 1, Group 1 user is ruled by Policy 3. Group 2 is by Policy 9 and Group 3 is by Policy 11. Other Groups are not enabled to access Service Zone 1.
  • Page 85 Group Option: The name of Group options available for selection. Enabled: Select Enabled to allow clients of the enabled Groups to log in to this Service Zone under constraints of the selected Policies. Check Enabled of each individual Group to assign it to the Service Zone listed. For example, the above figure shows, clients in Group 1~16 can access Service Zone 1, where they are governed by Policy 1~16 respectively.
  • Page 86: User Login

    1. Open an Internet browser and try to connect to any website (in this example, we try to connect to www.google.com). For the first time, if the WHG-505 is not using a trusted SSL certificate (for more information, please see 4.2.5 Additional Configuration), there will be a “Certificate Error”, because the browser treats WHG-505 as an untrusted website.
  • Page 87: Default Authentication

    3. Successful! The Login Successful page appearing means you are connected to the network and Internet now! Note: When On-demand accounts are used, the system will display more information, as shown below. 5.2.2 Default Authentication In each Service Zone, there are different types of authentication database (LOCAL, POP3, RADIUS, LDAP, NTDOMAIN, ONDEMAND, and SIP) that are supported by the entire system.
  • Page 88: Login With Postfix

    A postfix is used to inform the system which authentication option is to be used for authenticating an account (e.g. bob@BostonLdap or tim@TaipeiRadius) when multiple options are concurrently in use. One of the authentication options can be assigned as default. For the authentication option assigned as default, the postfix can be omitted.
  • Page 89: Disable Authentication In Service Zone

    5.2.2 Disable Authentication in Service Zone To configure Authentication in Service Zone, go to: System >> Service Zones. Authentication Required For the Zone: When it is disabled, users will not need to authenticate before they get access to the network within this Service Zone.
  • Page 90: Wispr Attributes In Service Zone

    5.2.2 WISPr attributes in Service Zone To configure WISPr attributes in Service Zone, go to: System >> Service Zones >> WISPr Configuration. If a RADIUS server has been configured, the WISPr attributes used during RADIUS authentication can be defined here in this Service Zone. WISPr Smart Client: Select Enable if you wish to allow customers with a roaming account from a WISPr agent (iPass, WiFi Skype, Boingo, etc.) to access your internet.
  • Page 91: Local Area Ap Management

    6 Local Area AP Management...
  • Page 92: The Controller With Multiple Types Of Aps

    6.2 The Controller with Multiple Types of APs Besides letting users connect to the Controller via wired Ethernet cable, you can connect APs to the Controller to extend network access wirelessly. The Controller can manage multiple types of AP, such as EAP100, EAP200, EAP300, EAP700, OWL400, OWL410, OWL500 and OWL510.
  • Page 93: Configure Ap Template

    6.3 Configure AP Template To configure AP Template, go to: Access Points >> Enter Local Area AP Management >> Templates. Templates are configuration profiles for AP models that can be copied to managed APs, thereby avoiding the task of having to configure each managed AP individually. There are three templates provided for each AP model. Select an AP Type, and click Edit to proceed with its template configuration.
  • Page 94 General: In this section, revise the Subnet Mask and Default Gateway here if desired. Configure the NTP Servers and Time Zone. In addition, administrator can enable SYSLOG server to receive the log from AP and enable SNMP read/write ability. Wireless: SSID Broadcast: Select this option to enable the AP’s SSID to broadcast in your network.
  • Page 95 throughout an ESS (Extended Service Set) and for secure exchange of a station’s security context between the current access point (AP) and the new AP during the handoff period. Wireless Client Isolation: The default value is Disabled. When “Enabled” is selected, all the wireless clients will be isolated from each other. Transmit Power: The default is Auto.
  • Page 96: Ap Discovery

    6.4 AP Discovery Configure Discovery AP, go to: Access Points >> Enter Local Area AP Management >> Discovery. After AP template configuration is complete, use this function to detect and scan for all of the APs connected under the managed network. Note that in Local Area AP Management the Controller can only manage APs that are connected to its LAN ports.
  • Page 97 take a couple of minutes to see that the status of the newly added AP change from “configuring” to “online” or “offline”. AP Type: The model type of the discovered APs. IP Address: IP address of the specified AP. MAC Address: MAC address of the specific AP. AP Name: Mnemonic name of the specific AP, configurable.
  • Page 98: Ap Background Discovery

    5.2.2 AP Background Discovery Configure AP Background Discovery, go to: AP Management >> Enter Local Area AP Management >> Discovery. Background AP Discovery: Click Configure to enter Background AP Discovery interface and proceed with related configuration. The configuration is the same as AP Discovery. When Background AP Discovery function is enabled, the system will scan once every 10 minutes or according to the time set by the administrator.
  • Page 99: Manually Add Ap

    6.5 Manually add AP To add an AP Manually, go to: Access Points >> Enter Local Area AP Management >> Adding. The AP can also be added manually without being online. Input the related data of the AP and select a Template. After clicking Add, the AP will be added to the managed list.
  • Page 100: Ap With Service Zone

    6.6 AP with Service Zone Configure AP with Service Zone, go to: System >> Service Zones. Service Zone Settings – Assigned IP Address range for AP Management Under port-based service zone, each service zone can designate an IP segment for IP address assignment to the managed AP when the newly discovered AP is added into the service zone.
  • Page 101 All managed APs (VAP) that belong to this service zone have the same ACL table. When the status is Allowed, only clients whose MAC addresses are in this list are allowed to connect to the AP; when the status is Denied, clients whose MAC addresses are in the list are denied connection to the AP.
  • Page 102: Ap Security

    6.7 AP Security Configure AP Security, go to: System >> Service Zones. Security: For each service zone, administrators can set up the wireless security profile, including Authentication and Encryption. Authentication: Including Open System, Share Key, WPA, WPA2 or WPA/WPA2 Mixed. Encryption: WEP: When Authentication is Open System or Share Key, WEP will be enabled.
  • Page 103: Change Managed Ap Settings

    6.8 Change managed AP settings Configure AP settings in AP List, go to: Access Points >> Enter Local Area AP Management >> List. All of the APs under the management of the Controller will be shown in the list. The AP can be edited by clicking the hyperlink of AP Name and the AP status can be reviewed by clicking the hyperlink of Status.
  • Page 104 General Setting: Click the link to enter the General Setting interface. Firmware information also can be observed here. LAN Setting: Click the link to enter the LAN Setting interface. Administrator can revise the AP’s LAN IP settings including IP address, Subnet Mask and Default Gateway of AP. Wireless LAN: Click the link to enter the Wireless interface.
  • Page 105 AP Status Summary includes AP Name, AP Type, LAN Interface MAC address, Wireless Interface MAC address, Report Time, SSID, and Number of Associated Clients. AP Status Details include System Status, LAN Status, Wireless LAN Status, Associated Client Status and Local Log Status.
  • Page 106: Ap Operations From Ap List

    6.9 AP Operations from AP List Configure AP List, go to: Access Points >> Enter Local Area AP Management >> List. 5.2.2 Reboot, Enable, Disable and Delete the AP Select any AP by checking the checkbox and then click the button below to Reboot, Enable, Disable, Delete, Apply Template and Apply Service Zone (Tag-Based) the selected AP if desired.
  • Page 107: Apply Template

    5.2.2 Apply Template Select any AP by checking the checkbox and then click Apply Template; select one template to apply to the AP.
  • Page 108: Apply Service Zone (Tag-Based Only)

    5.2.2 Apply Service Zone (Tag-Based Only) Select any AP by checking the checkbox and then click Apply Service Zone to select which Service Zones this AP is associated with. For example, if SZ3 and SZ5 are selected for this AP, then these two Service Zones will be available under this AP.
  • Page 109: Firmware Management And Upgrade

    6.10 Firmware management and upgrade Configure Firmware management, go to: Access Points >> Enter Local Area AP Management >> Firmware. Firmware Upload displays the current version of the AP’s firmware. New firmware can be uploaded here to update the current firmware. To upload, click Browse to select the file and then click Upload. Configure Firmware upgrade, go to: Access Points >>...
  • Page 110: Wide Area Ap Management

    7 Wide Area AP Management The Controller supports the planning and monitoring of Access Points deployed over complicated network structures such as the internet. Integrated with Google Map API, Wide Area AP Management provides intuitive graphical tools for mapping APs at various physical locations and keeping track of these devices. Under Wide Area AP management, you can choose to simply monitor AP’s (OWL800 and EAP200) status via SNMP or logically incorporate the APs (EAP200) into the Controller’s managed network via tunnels.
  • Page 111: Ap Discovery

    7.2 AP Discovery To discover connected APs, go to: Access Points >> Enter Wide Area AP Management >> Discovery. With the Discovery feature, administrator can scan for APs regardless of their physical location as long as their IP address can be reached. After the discovery process, newly found AP’s will be listed under Device Results allowing administrators to add it to the managed AP List.
  • Page 112: Manually Add Ap

    7.3 Manually add AP To add an individual Access Points to the managed list, go to: Access Points >> Enter Wide Area AP Management >> Adding. Besides Discovery feature that can search and list multiple APs for adding to the management list, Adding page allows administrator to directly add a single Access Point to the management list.
  • Page 113: Eap200 With Tunnel Management

    7.4 EAP200 with Tunnel Management When an EAP200 is discovered or added to the AP list, it can be logically deployed into the Controller’s managed network regardless of its physical location by tunnels. Initially when an AP has been successfully added to the List, its “Tunnel Status” will show a red light indicating that no tunnel is established and that this AP is only being monitored via SNMP.
  • Page 114 AP’s tunnel settings can be checked at “System >> Management” page. On the Controller side, the AP’s Tunnel status will show green light indicating an active tunnel has been set up between controller and AP. Now the administrator can click “Edit” and re-enter the Tunnel Status page to assign a Service Zone to this tunnel managed AP.
  • Page 116: Map

    7.5 Map To configure maps, go to: Access Points >> Enter Wide Area AP Management >> Map. The Map tab page is implemented with Google Map API version 2, which allows administrators to view at a glance the whereabouts of all of the APs under Wide Area AP Management. This feature is helpful when it comes to network planning and management.
  • Page 117: Register Key From Google

    5.2.2 Register key from Google Before configuring your maps, you will need to register the Controller’s IP address at Google Maps and get a key from Google. Go to http://code.google.com/intl/en/apis/maps/documentation/javascript/v2/ or search for “Google Map API”, to enter the Google code page. Click on “Sign up for a Google Maps API key”.
  • Page 118: Create A Map

    5.2.2 Create a Map Now, return to the Map tab page in Controller’s WMI and Scroll down to the bottom of the page, click on the Add a New Map button. An editing page will open for configuration, please fill in a Map Name for this map and its geographical location as defined by Longitude and Latitude, remember to also fill in the Key issued by Google.
  • Page 119 can be marked on a particular map. Firstly, go to the List tab page and click on the Edit button of the AP’s that you wish to mark in the map. In the AP configuration page, set the coordinates (Latitude and Longitude) of this AP and the radius of signal coverage. Fill in the coordinates where you wish to mark this particular AP.
  • Page 120 The selected APs will show up as marker images on the map at the physical coordinates configured, as shown below. You can click on the AP icon to see the dialogue box for additional information or links that you have configured. Click the more info link for information on AP status, Client List, WDS List and Links related to this AP.
  • Page 121 AP status, Client List and WDS List information listed are collected from the remote AP via SNMP.
  • Page 122: Operations From Map Page

    5.2.2 Operations from Map page Goto Map: When you have configured multiple map profiles, this function allows switching between different maps. Goto AP: This function is for administrator to select an AP on the list, and the map will shift to show the selected AP in the center of the map.
  • Page 123: Ap Operations From Ap List

    7.6 AP Operations from AP List To perform operations on managed OWL800 APs, go to: Access Points >> Enter Wide Area AP Management >> List. After adding OWL800 APs to the managed List, the List page provides some operations for managing the listed AP’s.
  • Page 124 chosen AP’s configuration settings using a .db file stored locally on the administrator’s PC or in the Controller’s memory. Upgrade: Clicking this button will open a popup window where the administrator can upgrade the chosen AP’s firmware using a firmware file stored locally on the administrator’s PC or in the Controller’s memory (under Firmware tab page).
  • Page 125: Wds List

    7.7 WDS List To view the WDS link information established between APs in Wide Area AP Management, go to Access Points >> Enter Wide Area AP Management >> WDS List. The WDS link if established between APs listed in List will be listed here with related information such as the Band and Channel of the link, Security settings if any and the Transmit Power, Byte, Packets etc.
  • Page 126: Backup Config

    7.8 Backup Config To view previously saved backup files for Wide Area APs, go to: Access Points >> Enter Wide Area AP Management >> Backup Config. Backed up Config files can be used to restore an AP’s settings in List. When an administrator backs up an AP’s configuration settings, all the backup files are listed at the Backup Config tab page and can be downloaded to a local storage device or deleted from the controller’s memory.
  • Page 127: Firmware Management And Upgrade

    7.9 Firmware management and upgrade To upload or view the details of previously uploaded firmware for upgrading OWL800 APs, go to: Access Points >> Enter Wide Area AP Management >> Firmware. The Controller can store OWL800’s firmware in its built-in memory. Under the Firmware tab page the administrator can upload new OWL800 firmware to the Controller’s memory, allowing for easy remote OWL800 upgrade and restore operations from the AP List page.
  • Page 128: Policies And Access Control

    8 Policies and Access Control 8.2 Black List Configure Black List, go to: Users >> Black List. The administrator can add, delete, or edit the black list for user access control. Each black list can include up to 40 users. Users’ accounts that appear in the black list will be denied network access. The administrator can use the pull-down menu to select the desired black list.
  • Page 130: Mac Address Control

    Configure MAC Address Control, go to: Users >> Additional Control >> MAC ACL. MAC ACL: With this function, only the users with their MAC addresses in this list can login to WHG-505. There are 200 users maximum allowed in this MAC address list. User authentication is still required for these users. Click Edit to enter the MAC Address Control list.
  • Page 131: Policy

    8.4 Policy Configure Policy, go to: Users >> Policy. WHG-505 supports multiple Policies, including one Global Policy and multiple individual Policy. Each Policy consists of access control profiles that can be configured respectively and applied to a certain Group of users.
  • Page 132 Maximum Concurrent Sessions: Set the maximum concurrent sessions for each client. Policy Beside Global Policy, there have Policy, each Policy consists of access control profiles that can be configured respectively and applied to a certain Group of users. The clients belonging to a Service Zone will also be bound by an applied Policy.
  • Page 133: Firewall

    5.2.2 Firewall Firewall Profile: Click Setting for Firewall Profile. The Firewall Configuration will appear. Click Predefined and Custom Service Protocols to edit the protocol list. Click Firewall Rules to edit the rules. 8.4..1 Predefined Protocols Predefined and Custom Service Protocols: There are predefined service protocols available for firewall rules editing.
  • Page 134 If the Protocol Type is IP, it will need to define Protocol Number. 8.4..2 Rules After the custom protocol is defined or just use the Predefined Service Protocols, you will need to enable the Firewall Rule to apply these protocols. Firewall Rules: Click the number of Filter Rule No.
  • Page 135 Rule Number: This is the rule selected “1”. Rule No. 1 has the highest priority; rule No. 2 has the second priority, and so on. Rule Name: The rule name can be changed here. Source/Destination – Interface/Zone: There are choices of ALL, WAN1, WAN2, Default, and the named Service Zones to be applied for the traffic interface.
  • Page 136: Routing

    5.2.2 Routing Specific Route Profile: Click the button of Setting for Specific Route Profile, the Specific Route Profile list will appear. 8.4..1 Specific Route Specific Route Profile: The Specific Route is used to control clients’ access to specific IP segments through the specified gateway.
  • Page 137 Enable: Check the Enable box to activate this function or uncheck it to deactivate it. Default Gateway: It may be WAN1 Default Gateway, WAN2 Default Gateway or a specific IP Address; if you select IP Address, you may need to fill in the IP address of the gateway.
  • Page 138: Schedule

    5.2.2 Schedule Schedule Profile: Click Setting of Schedule Profile to enter the configuration page. Select Enable to show the Permitted Login Hours list. This function is used to limit the time when clients can log in. Check the desired time slots checkbox and click Apply to save the settings. These settings will become effective immediately after clicking Apply.
  • Page 139: Sessions Limit

    5.2.2 Sessions Limit To prevent ill-behaved clients or malicious software from using up the system’s connection resources, the administrator can restrict the number of concurrent sessions that a user can establish. The maximum number of concurrent sessions (TCP and UDP) for each user can be specified in the Global policy, which applies to authenticated users, users on a non-authenticated port, privileged users, and clients in DMZ zones.
  • Page 140: Qos Traffic Class And Bandwidth Control

    8.5 QoS Traffic Class and Bandwidth Control Configure QoS, go to: Users >> Group. QoS Profile: Set parameters for traffic classification. Traffic Class: A Traffic Class can be chosen for a Group of users. There are four traffic classes: Voice, Video, Best-Effort and Background. Voice and Video traffic will be placed in the high priority queue.
  • Page 141: Users' Login And Logout

    9 Users’ Login and Logout 9.2 Before User Login 5.2.2 Login with SSL Configure HTTPS, go to: System >> General. HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering.
  • Page 142: Internal Domain Name With Certificate

    Configure Internal Domain Name, go to: System >> General. Internal Domain Name is the domain name of the WHG-505 as seen on client machines connected under service zone. It must conform to FQDN (Fully-Qualified Domain Name) standard. A user on client machine can use this domain name to access WHG-505 instead of its IP address.
  • Page 143 Click “Continue to this website” to access the user login page. To Use Default Certificate: Click Use Default Certificate to use the default certificate and key. Click restart to validate the changes.
  • Page 144: Administrator Contact Information

    5.2.2 Administrator Contact Information Configure Administrator Contact Information, go to: System >> General. Administrator Contact Information will appear in the user Login Fail window. When a user login fails because of a duplicate IP address or MAC address, the system will show this contact information to the user in the Login Fail window.
  • Page 145: Walled Garden

    5.2.2 Walled Garden Configure Walled Garden, go to: Network >> Walled Garden. This function provides certain free services for users to access the websites listed here before login and authentication. Up to 40 addresses or domain names of the websites can be defined in this list. Users without the network access right can still have a chance to experience the actual network service free of charge.
  • Page 146: Walled Garden Ad List

    5.2.2 Walled Garden AD List Configure Walled Garden AD List, go to: Network >> Walled Garden AD List. This function provides advertisement web pages for users to access free advertisement websites listed before login and authentication. Advertisement hyperlinks are displayed on the user’s login page. Clients who click on it will be redirected to the listed advertisement websites.
  • Page 148: Mail Message

    5.2.2 Mail Message Configure Mail Message, go to: System >> Service Zones. When enabled, the system will automatically send an email to users if they attempt to send/receive their emails using POP3 email program (for example, Microsoft Outlook) before they are authenticated. Click Edit Mail Message to edit the message in HTML format.
  • Page 149: After User Login

    9.3 After User Login 5.2.2 Browse which Home Page after login success To configure Portal URL, go to: System >> General. If this function is enabled, enter the URL of a Web server as the homepage. Once logged in successfully, users will be directed to this homepage, such as http://www.google.com, regardless of the original homepage set in their computers.
  • Page 150: Idle Timer

    5.2.2 Idle Timer To configure Idle Timer, go to: Users >> Additional Configuration. If a user has idled with no network activities, the system will automatically kick out the user. The logout timer can be set between 1~1440 minutes, and the default idle time is 10 minutes.
  • Page 151: Multiple Login

    5.2.2 Multiple Login To configure Multiple Login, go to: Users >> Additional Configuration. When enabled, a user can log in from different computers with the same account. (This function doesn’t support On-demand users and RADIUS authentication.) 5.2.2 Local Users Change Password Privilege Configure Local Users Change Password Privilege, go to: Users >>...
  • Page 152: Proxy Server

    Configure Proxy Server, go to: Network >> Proxy Server. Basically, a proxy server can help clients access the network resources more quickly. This section presents basic examples for configuring the proxy server settings of WHG-505. Using Internet Proxy Server The first scenario is that a proxy server is placed outside the LAN environment or in the Internet. For example, the following diagram shows that a proxy server of an ISP will be used.
  • Page 153 Step 3. Make sure that the proxy server settings match with at least one of the proxy server setting of the system – for example, in this case, 203.125.142.1:3128 matches with blank:3128.
  • Page 154 Caution: It is required that the proxy server setting of the clients match with the proxy server setting of the system. Otherwise, users will not be able to get the Login page for authentication via browsers and it will show an error page in the browser.
  • Page 155 Using Extranet Proxy Server The second scenario is that a proxy server is placed in the Extranet (such as DMZ), which all users from the Intranet or the Internet are able to access. For example, the following diagram shows that a proxy server of an organization in the DMZ will be used.
  • Page 156 Caution: It is required that the proxy server setting of the clients match with the proxy server setting of the system. Otherwise, users will not be able to get the Login page for authentication via browsers and it will show an error page in the browser.
  • Page 157: Networking Features Of A Gateway

    10 Networking Features of a Gateway 10.2 DMZ Configure DMZ, go to: Network >> NAT >> DMZ (Demilitarized Zone). The system supports up to 80 sets of Internal IP address (LAN) to External IP address (WAN) mapping in the Static Assignments. The External IP Address of the Automatic WAN IP Assignment is the IP address of External Interface (WAN1) that will change dynamically if WAN1 Interface is Dynamic.
  • Page 158: Virtual Server

    10.3 Virtual Server Configure Virtual Server, go to: Network >> NAT >> Public Accessible Server. This function allows the administrator to set 80 virtual servers at most, so that client devices outside the managed network can access these servers within the managed network. Different virtual servers can be configured for different sets of physical services, such as TCP and UDP services in general.
  • Page 159: Privilege List

    10.4 Privilege List Configure Privilege List, go to: Network >> Privilege. Setup the Privilege IP Address List and Privilege MAC Address List. The clients in the list can access the network without any login.
  • Page 160: Privilege Ip

    IP addresses of these workstations in the “Granted Access by IP Address”. The “Remark” field is not necessary but is useful to keep track. WHG-505 allows 200 privilege IP addresses at most. These settings will become effective immediately after clicking Apply.
  • Page 161: Privilege Mac

    In addition to the IP address, the MAC address of the workstations that need to access the network without authentication can also be set in the “Granted Access by MAC Address”. WHG-505 allows 200 privilege MAC addresses at most. When manually creating the list, enter the MAC address (the format is xx:xx:xx:xx:xx:xx) as well as the remark (not necessary).
  • Page 162: Ip Plug And Play

    Configure IP Plug and Play, go to: Network >> Client Mobility. WHG-505 supports the IP PNP function. Users can log in and access the network with any IP address setting. At the user end, a static IP address can be used to connect to the system. Regardless of what the IP address at the...
  • Page 163: Dynamic Domain Name Service

    Before activating this function, you must have your Dynamic DNS hostname registered with a Dynamic DNS provider. WHG-505 supports DNS function to alias the dynamic IP address for the WAN port to a static domain name, allowing the administrator to easily access WHG-505’s WAN. If the dynamic DHCP is activated at the WAN port, it will update the IP address of the DNS server periodically.
  • Page 164: Port And Ip Redirect

    10.7 Port and IP Redirect Configure Port and IP Redirect, go to: Network >> NAT >> Port and IP Forwarding. This function allows the administrator to set 80 sets of the IP addresses at most for redirection purpose. When the user attempts to connect to a destination IP address listed here, the connection packet will be converted and redirected to the corresponding destination.
  • Page 165: System Management And Utilities

    11 System Management and Utilities 11.2 System Time Configure System Time, go to: System >> General. 5.2.2 NTP NTP (Network Time Protocol) communication protocol can be used to synchronize the system time with remote time server. Please specify the local time zone and the IP address of at least one NTP server for adjusting the time automatically (Universal Time is Greenwich Mean Time, GMT).
  • Page 166: Manual Settings

    5.2.2 Manual Settings The time can also be manually configured by selecting Manually set up and then select the date and time in these fields.
  • Page 167: Management Ip

    11.3 Management IP Configure Management IP, go to: System >> General. Only PCs within this IP range on the list are allowed to access the system's web management interface. For example, 10.2.3.0/24 means that as long as an administrator is using a computer with the IP address range of 10.2.3.0/24, he or she can access the web management page.
  • Page 168: Access History Ip

    Configure Access History IP, go to: System >> General. Specify an IP address of the administrator’s computer or a billing system to get billing history information of WHG-505 with the predefined URLs. The file name format is “yyyy-mm-dd”. An example is provided as follows: Traffic History: https://10.2.3.213/status/history/2005-02-17...
  • Page 169: Snmp

    11.5 SNMP Configure SNMP, go to: System >> General. If this function is enabled, the SNMP Management IP and the Community can be assigned to access the SNMP Configuration List of the system.
  • Page 170: Three-Level Administration

    11.6 Three-Level Administration WHG-505 supports three kinds of account interface. You can log in as admin, manager or operator. The default usernames and passwords show as follows: Admin: The administrator can access all configuration pages of WHG-505. User Name: admin Password: admin After a successful login to WHG-505, a web management interface will appear.
  • Page 171 Operator: The operator can only access the configuration page of Create On-demand User to create new on-demand user accounts and print out the on-demand user account receipts. User Name: operator Password: operator Note: To log out, simply click the Logout icon on the upper right corner of the interface to return to the login screen.
  • Page 173: Change Password

    Configure Change Password, go to: Utilities >> Password Change. There are three levels of authorities: admin, manager or operator. The default usernames and passwords are as follows: Admin: The administrator can access all configuration pages of WHG-505. User Name: admin Password: admin Manager: The manager can only access the configuration pages under User Authentication to manage the user accounts, but without permission to change the settings of the profiles of Firewall, Specific Route and Schedule.
  • Page 174: Backup / Restore And Reset To Factory Default

    11.8 Backup / Restore and Reset to Factory Default Configure Backup / Restore and Reset to Factory Default, go to: Utilities >> Back & Restore. This function is used to backup/restore the WHG-505 settings. Also, WHG-505 can be restored to the factory default settings here.
  • Page 175: Firmware Upgrade

    11.9 Firmware Upgrade Configure Firmware Upgrade, go to: Utilities >> System Upgrade. The administrator can download the latest firmware from website and upgrade the system here. Click Browse to search for the firmware file and click Apply for the firmware upgrade. It might take a few minutes before the upgrade process completes and the system needs to be restarted afterwards to activate the new firmware.
  • Page 176: Restart

    This function allows the administrator to safely restart WHG-505, and the process might take approximately three minutes. Click YES to restart WHG-505; click NO to go back to the previous screen. If the power needs to be turned off, it is highly recommended to restart WHG-505 first and then turn off the power after completing the restart process.
  • Page 177: Network Utility

    11.11 Network Utility To configure Network Utility, go to: Utilities >> Network Utilities. The system provides some network utilities to help administrators manage the network easily.
  • Page 178 Wake-on-LAN: It allows the system to remotely boot up a powered-down computer that has the Wake-On-LAN feature enabled in its BIOS and is connected to any service zone. Enter the MAC Address of the desired device and click the Wake Up button to execute this function. IPv4 Ping: It allows the administrator to detect a device using its IP address or host domain name to see if it is alive or not.
  • Page 179: Monitor Ip Link

    Configure Monitor IP Link, go to: Network >> Monitor IP. WHG-505 will send out a packet periodically to monitor the connection status of the IP addresses on the list. On each monitored item with a WEB server running, administrators may add a link for the easy access by entering the IP, select the Protocol to http or https and then click Create.
  • Page 180: Console Interface

    Enter key to make selection or confirm what you enter. 3. Once the console port of WHG-505 is connected properly, the console main screen will appear automatically. If the screen does not appear in the terminal simulation program automatically, please try to press the arrow keys, so that the terminal simulation program will send some messages to the system, where the welcome screen or main menu should appear.
  • Page 181 Utilities for network debugging The console interface provides several utilities to assist the Administrator in checking the system conditions and debugging any problems. The utilities are described as follows: Ping host (IP): Sends an ICMP echo request to a specified host and waits for the response to test the network status.
  • Page 182 Although a connection via the serial port does not require a username and password, the same management interface can be accessed via SSH. Therefore, we recommend that you immediately change the WHG-505 Admin username and password after logging in to the system for the first time. Reload factory default: Choosing this option will reset the system configuration to the factory defaults.
  • Page 183: System Status And Reports

    12 System Status and Reports 12.2 View the status This section includes System Status, Interface Status, Hardware, Routing Table, Online Users, Session List, User Logs, Logs, DHCP Lease, and Report & Notification to provide system status information and online user status.
  • Page 184: System Status

    5.2.2 System Status To view System Status, go to: Status >> System. This section provides an overview of the system for the administrator.
  • Page 185 Firmware Version: The present firmware version of WHG-505. Build: The current build number. System Name: The system name. The default is WHG-505. Portal URL: The page the users are directed to after initial login success. Syslog server - System Log: The IP address and port number of the external Syslog Server. N/A means that it is not configured.
  • Page 186: Interface Status

    5.2.2 Interface Status To view Interface Status, go to: Status >> Interface. This section provides an overview of the interface for the administrator including WAN1, WAN2, SZ Default, SZ1 ~ SZ8.
  • Page 187 The description of the above-mentioned table is as follows: Select Interface: From the drop-down menu, administrators can select which interface status to display. Mode: Operating mode of this interface. MAC Address: The MAC address of the WAN2 port. IP Address: The IPv4 address of the WAN2 port.
  • Page 188 5.2.2 HW To view Hardware Status, go to: Status >> HW. This tab page displays the system’s hardware usage information.
  • Page 189: Routing Table

    5.2.2 Routing Table To view Routing Table, go to: Status >> Routing Table >> IPv4/IPv6 Table. All the Policy Route rules and Global Policy Route rules will be listed here. Also it will show the System Route rules specified by each interface. •...
  • Page 190: Online Users

    5.2.2 Online Users To view Online Users, go to: Status >> Online Users. In this page, all online users’ information is displayed. Administrators can force out a specific online user by clicking the hyperlink of Kick Out and check the user access AP status by clicking the hyperlink of the AP name for Access From.
  • Page 191: Non-Login Users

    5.2.2 Non-Login Users To view Non-Login Users, go to: Status >> Non-Login Users. This page shows users that have acquired an IP address from the system’s DHCP server but have not yet been authenticated. This feature is designed to help administrators keep system resources from being exhausted. The list shows the client’s MAC Address, IP Address and associated VLAN ID, Service Zone as well as Associated AP if the client uses a wireless connection.
  • Page 192: Session List

    5.2.2 Session List To view Session List, go to: Status >> Session List. This page allows the administrator to inspect sessions currently established between a client and the system. Each result displays the IP and Port values of the Source and Destination. You may define the filter conditions and display only the results you desire.
  • Page 193 This page is used to check the traffic history of WHG-505. The history of each day will be saved separately in the DRAM for at least 3 days (72 full hours). The system also keeps a cumulated record of the traffic data generated by each user in the latest 2 calendar months.
  • Page 194 Roaming Out User Log As shown in the following figure, each line is a roaming out traffic history record consisting of 14 fields, Date, Type, Name, NSID, NASIP, NASPort, UserMAC, SessionID, SessionTime, Bytes in, Bytes Out, Pkts In, Pkts Out and Message, of user activities. Roaming In User Log As shown in the following figure, each line is a roaming in traffic history record consisting of 15 fields, Date, Type, Name, NSID, NASIP, NASPort, UserMAC, UserIP, SessionID, SessionTime, Bytes in, Bytes Out,...
  • Page 195: Local User Monthly Network Usage

    5.2.2 Local User Monthly Network Usage To view Local User Monthly Network Usage, go to: Status >> User Logs >> Month. Monthly Network Usage of Local User: The system keeps a cumulated record of the traffic data generated by each Local user in the latest 2 calendar months.
  • Page 196: Logs

    5.2.2 Logs To view Logs, please go to: Status >> Logs. This page displays the system’s local log information since system boot up. Administrators can examine the log entries of various events. However, since all this information is stored in volatile memory, it will be lost during a restart/reboot operation.
  • Page 197: Dhcp Lease

    5.2.2 DHCP Lease To view DHCP Lease, go to: Status >> DHCP Lease. The DHCP IP lease statistics can be viewed after clicking on [Show] Statistics List in this page. Statistics of offered list: Valid lease counts of the Last 10 Minutes, Hours and Days are shown here. The headers 1 ~ 10 are unit multipliers; for instance, the number under column 2 indicates the lease count in the last 20 minutes/hours/days, the number under column 3 indicates the lease count in the last 30 minutes/hours/days and so on.
  • Page 199: Notification

    12.3 Notification To configure Notification, go to: Status >> Report & Notification. WHG-505 can automatically send various kinds of user and/or system related reports to configured E-mail addresses, SYSLOG Servers, or FTP Server. SMTP Settings: Allows the configuration of 5 recipient E-mail addresses and the necessary mail server settings to which various user related logs will be sent.
  • Page 200: Smtp Settings

    5.2.2 SMTP Settings Receiver E-mail Address (1 ~ 5): Up to 5 E-mail addresses can be set up here to receive notifications. Sender E-mail Address: The e-mail address of the administrator in charge of the monitoring. This will show up as the sender’s e-mail. SMTP Server: Enter the IP address of the sender’s SMTP server.
  • Page 201: Syslog Settings

    5.2.2 SYSLOG Settings SYSLOG Destinations: Up to two external SYSLOG servers may be configured. Please enter the IP address and port number of the external SYSLOG server. System Log: This controls the enabling/disabling of the SYSLOG logging feature. When enabled, the selected logs from “Notification Settings”...
  • Page 202: Ftp Settings

    5.2.2 FTP Settings FTP Destination: Specify the IP address and port number of your FTP server. If your FTP needs authentication, enter the Username and Password. The “Send Test Log” radio button can be used to send a test log for testing your current FTP destination settings.
  • Page 203: Notification Settings

    5.2.2 Notification Settings This configuration page allows the selection of log types to send, either to preconfigured E-mail, SYSLOG Servers or FTP Server based on the chosen time Interval.
  • Page 204 Sending Logs to E-mail The following log types can be sent to E-mail addresses configured in “SMTP Settings”: Monitor IP Report, Users Log, On-demand Users Log, Session Log. The numbers 1 to 5 represent the corresponding E-mail addresses configured in “SMTP Settings”. Click the desired E-mail address profile (1 ~ 5) and select the time interval for sending the report or log.
  • Page 205 Sending Logs to SYSLOG The following log types can be sent to external SYSLOG servers configured in “SYSLOG Settings”: Users Log, On-demand Users Log, Session Log, Hardware Log, HTTP Web Log, and DHCP Server Log. Click the desired log type and select the time interval for sending the log. Detail: Clicking this radio button allows the configuration of SYSLOG attributes such as Tag, Severity and Facility which will be assigned to the corresponding log to meet the filtering requirements on the SYSLOG Server.
  • Page 206 Detail: Clicking this radio button allows the specification of the FTP server folder where the logs sent will be stored on the FTP server. Note: The outputted log files to the FTP server will be named according to the format $Topic_$ExtraDesc_$SystemName_$Date_Time.txt.
  • Page 207: System Report

    5.2.2 System Report This page displays system statuses and resource usages in a plotted graph. Item: Select the type of report you wish to see. Available report types are: CPU Loading, CPU Temperature, Memory Usage, Network Traffic, Online User, Successful Login, Session, DHCP Lease, and DNS Query. Time: For selecting the time scale of the displayed graph.
  • Page 208: Virtual Private Network (Vpn)

    Manage add-ons button to enter the Manage add-ons dialogue box, where you can see VPNClient.ipsec is enabled. During the first-time login to WHG-505 with Local VPN, Internet Explorer will ask clients to download an ActiveX component of IPSec VPN. Once this ActiveX component is downloaded, it will run in parallel with the “Login...
  • Page 209 Success Page” after the page has been brought up successfully. The ActiveX component helps set up individual IPSec VPN tunnels between clients and WHG-505 and checks the validity of the IPSec VPN tunnels between them. If the connection is down, the ActiveX component will detect the broken link and decompose the IPSec tunnel.
  • Page 210 The ActiveX component for IPSec VPN is running in parallel with the web page of “Login Success”. To ensure that the built-in IPSec VPN tunnel is always alive, unless clients decide to close the session and to disconnect from WHG-505, the following conditions or behaviors, which may cause the Internet Explorer to stop the ActiveX, should be avoided.
  • Page 212 • FAQ (1) How to clean IPSec client? ANS: Open a command prompt window and type the commands as follows.

        C:\> cd %windir%\system32
        C:\> Clean_IPSEC.bat
        C:\> cd %windir%\system32
        C:\> ipsec2k.exe stop

    (2) How to remove ActiveX component in client’s computer? ANS: ①...
  • Page 213: Remote Vpn

    WHG-505 supports Remote VPN so that users can log in to the system from a remote location. After a user logs in to the system from a network outside the WAN, the experience is the same as logging in to WHG-505 locally under the service zone. Policies can also be applied to these users, and the system controls their access to the network.
  • Page 214: Site-To-Site Vpn

    WHG-505 supports Site-to-Site VPN, which lets more than 2 WHG-505 units create VPN tunnels to each other over the WAN network. For example, if there are 2 WHG-505 units, you can create a VPN tunnel to let a subnet of one WHG-505 access the subnet of another WHG-505.
  • Page 215 For example, with “172.30.11.0/24” of WHG-505_A >> “172.30.111.0/24” of WHG-505_B, after the tunnel is created, the users within these two subnets can reach each other. You can create more than one VPN tunnel, but the IP segment mappings cannot overlap such that the same IP segment has more than one routing rule.
  • Page 216: Customization Of Portal

    14 Customization of Portal Pages 14.2 Customizable Pages To configure Customizable Pages, go to: System >> Service Zones. There are several user login and logout pages for each service zone that can be customized by administrators. Go to System Configuration >> Service Zone >> Configure >> Authentication Settings / Custom Pages. Click the Configure button and the setup page will appear.
  • Page 217: Loading A Customized Login Page

    14.3 Loading a Customized Login Page Custom Pages >> Login Page The administrator can use the default login page or get the customized login page by setting the template page, uploading the page or downloading from a designated website. After finishing the setting, click Preview to see the login page.
  • Page 218 Custom Pages >> Login Page >> Uploaded Page Choose Uploaded Page and upload a login page to the built-in HTTP server. The user-defined login page must include the following HTML codes to provide the necessary fields for user name and password.
  • Page 219 If the user-defined login page includes an image file, the image file path in the HTML code must point to the image file to be uploaded. Default Service Zone: <img src="images0/xx.jpg"> Service Zone 1 : <img src="images1/xx.jpg"> Service Zone 2 : <img src="images2/xx.jpg">...
  • Page 220: Using An External Login Page

    14.4 Using an External Login Page Custom Pages >> Login Pages >> External Page Choose the External Page selection and get the login page from a designated website. In the External Page Setting, enter the URL of the external login page and then click Apply. After applying the setting, the new login page can be previewed by clicking Preview button at the bottom of this page.
  • Page 221: Load A Customized Logout Page

    14.5 Load a Customized Logout Page Custom Pages >> Logout Page The administrator can apply their own logout page in the menu. As the process is similar to that of the Login Page, please refer to the “Login Page >> Uploaded Page” instructions for more details. The difference is that the HTML of the user-defined logout interface must include the following HTML code so that the user can enter the username and password.
  • Page 222: How External

    14.6 How External Page Operates Choose External Page if you desire to use an external web page for your custom pages. Simply enter the URL of your external webpage, click Preview button to check if it is reachable, take a look at how your external webpage will be displayed, then click Apply button.
  • Page 223 The URL parameters sent by the Gateway to the external login page are as follows:

    Field | Value | Description
    loginurl | String (URL encoded) | The URL which shall be submitted when the user logs in.
    remainingurl | String (URL encoded) | The URL which shall be submitted when the user wants to get the remaining quota....
  • Page 224

        <FORM action="" method="post" name="form">
        <script language="Javascript">
        form.action = getVarFromURL(window.location.href, 'loginurl');
        </script>
        <INPUT type="text" name="myusername" size="25">
        <INPUT type="password" name="mypassword" size="25">
        <INPUT name="button_submit" type="submit" value="Enter">
        <INPUT name="button_clear" type="button" value="Clear">
        </FORM>

    The following shows the corresponding self-defined javascript function used to parse the loginurl parameter:

        function getVarFromURL(url, name) { if(name == ""...
  • Page 225 URL Variables from Gateway This section displays all the URL parameters that are sent from the Gateway to the various external pages. • External Login Page: Variables:

    Field | Value | Description
    loginurl | String (URL encoded) | The URL which shall be submitted when the user logs in....
  • Page 226 Integer Service Zone ID Group Integer Group index Policy Integer Policy index max_uplink Integer (b/s) Maximum up-link rate max_downlink Integer (b/s) Maximum down-link rate req_uplink Integer (b/s) Minimum up-link rate req_downlink Integer (b/s) Minimum down-link rate next_page String Client redirection URL CLASS String RADIUS CLASS attribute (Only...
  • Page 227 Sorry, your account is not usable, because the authentication option (associated with the postfix) is not found.<BR>Please contact your network administrator. Sorry, you are not allowed to log in, because your account is currently on the Black List. Sorry, you are not allowed to log in, because it is currently not the service hour for your account.
  • Page 228 • External Logout Successful Page: Variables: Field Value Description String User ID (postfix is included) Vlanid Integer (1~4094) VLAN ID Gwip IP format Gateway activated IP address • External On-demand login successful page: Variables: Field Value Description String User ID (postfix is included) Utype String (LOCAL, RADIUS, Authentication server name...
  • Page 229 • External Logout Fail Page: Variables: Field Value Description String User ID Gwip IP format Gateway activated WAN IP address Vlanid Integer (1~4094) VLAN ID • External Port Location Mapping Free Login Page: • External Port Location Mapping Charge Login Page: The URL and variables are the same as Login page.
  • Page 230 URL Variables to Gateway This section presents the parameters that need to be sent back to the Gateway for the various external pages. Path: is the URL destination; Input: the parameters required to send back; Output: the feedback from system. •...
  • Page 231 If command is not set and no ret_url is presented, the client is redirected to the pop_reminder.shtml page, which shows the remaining quota in our UI style. If ret_url is presented, the client is redirected to ret_url, and the gateway adds these four variables to the URL. Field Value Description...
  • Page 232 Change password successfully User password is incorrect Invalid password format • Redeem (On-demand user): Path: (LAN IP address or Internal Domain Name) /loginpages/redeemuserlogin.shtml Input: Field Required Value Description Optional String Current user ID (If not presented, user name stored in cookie is the default value) upassword Optional...
  • Page 233 User run out of quota. Maximum allowable time is exceeded. Maximum allowable memory space is exceeded. Wrong postfix please check it. This account is expired. • On-demand account creation (Local User) Path: (LAN IP address or Internal Domain Name) /loginpages/UserAuthentication/OnDemandRecept.shtml Input: Field Required...
  • Page 234: Payment Gateways

    15 Payment Gateways 15.2 Payments via Authorize.Net To configure Payments via Authorize.Net, go to: User >> Authentication >> On-demand User >> External Payment Gateway >> Authorize.Net. Before setting up “Authorize.Net”, it is required that the merchant owners have a valid Authorize.Net account. Authorize.Net Payment Page Configuration Merchant ID: This is the “Login ID”...
  • Page 235 Service Disclaimer Content/ Choose Billing Plan for Authorize.Net Payment Page/Client’s Purchasing Record Service Disclaimer Content View service agreements and fees for the standard payment gateway services here as well as adding new or editing services disclaimer. Choose Billing Plan for Authorize.Net Payment Page These 10 plans are the plans configured in Billing Plans page, and all previously enabled plans can be further enabled or disabled here, as needed.
  • Page 236 Authorize.Net Payment Page Fields Configuration/ Authorize.Net Payment Page Remark Content Authorize.Net Payment Page Fields Configuration Item: Check the box to show this item on the customer’s payment interface. Displayed Text: Enter what needs to be shown for this field. Required: Check the box to indicate this item as a required field. Credit Card Number: Credit card number of the customer.
  • Page 237 this customer’s name. Last Name: The last name of a customer associated with the billing or shipping address of a transaction. In the case when John Doe places an order, enter Doe in the Last Name field indicating this customer’s name. Company: The name of the company associated with the billing or shipping information entered on a given transaction.
  • Page 238: Payments Via Paypal

    15.3 Payments via PayPal To configure Payments via PayPal, go to: User >> Authentication >> On-demand User >> External Payment Gateway >> PayPal. Before setting up “PayPal”, it is required that the hotspot owners have a valid PayPal “Business Account”. After opening a PayPal Business Account, the hotspot owners should find the “Identity Token”...
  • Page 239: Payments Via Securepay

    Service Disclaimer Content / Billing Configuration for Payment Page Service Disclaimer Content: View the service agreement and fees for the standard payment gateway services as well as add or edit the service disclaimer content here. Choose Billing Plan for PayPal Payment Page: These 10 plans are the plans in Billing Configuration, and the desired plan(s) can be enabled.
  • Page 240 Before setting up “SecurePay”, it is required that the hotspot owners have a valid SecurePay “Merchant Account” from its official website.
  • Page 241 Payment Page Configuration Merchant ID: The ID that is associated with the Business Account. Password: This is the key used by Secure Pay to validate all the transactions. Payment Gateway URL: The default website address to post all transaction data. Verify SSL Certificate: This is to help protect the system from accessing a website other than Secure Pay.
  • Page 242: Payments Via Worldpay

    15.5 Payments via WorldPay To configure Payments via WorldPay, go to: User >> Authentication >> On-demand Users >> External Payment Gateway >> WorldPay. WorldPay Payment Page Configuration Installation ID: The ID of the associated Merchant Account. Payment Gateway URL: The default website for posting all transaction data. Currency: The currency to be used for the payment transactions.
  • Page 243 Before setting up “WorldPay”, it is required that the hotspot owners have a valid WorldPay “Merchant Account” from its official website: RBS WorldPay: Merchant Services & Payment Processing, going to rbsworldpay.com >> support center >> account login. STEP ① . Log in to the Merchant Interface. Login url: www.rbsworldpay.com/support/index.php?page=login&c=WW Select Business Gateway - Formerly WorldPay...
  • Page 244 STEP ⑦ . Select the Save Changes button STEP ⑧ . Input Installation ID and Payment Gateway URL in gateway UI. Installation ID: 2009test URL : https://select.wp3.rbsworldpay.com/wcc/purchase Note: The WAN IP of gateway must be real IP.
  • Page 245: Additional Applications

    16 Additional Applications 16.2 Upload / Download Local Users Accounts To configure Upload / Download Local Users Accounts, go to: Users >> Authentication. Upload User: Click Upload User to enter the Upload User from File interface. Click the Browse button to select the text file for uploading user accounts, then click Upload to complete the upload process.
  • Page 246: Backup / Restore And Upload New On-Demand Users Accounts

    16.3 Backup / Restore and Upload New On-demand Users Accounts To configure Backup / Restore On-demand Users Accounts, go to: Users >> Authentication. Backup Current Accounts: Use this function to create a .txt file with all current user account information and then save it on disk.
  • Page 247 Example Format: Cut-Off The upload result will be as follows: Note: The main difference between Upload New Account and Backup/Restore Accounts is that Upload New Account is for creating new accounts. The upload file therefore does not need any hidden columns; just input the required information in each column.
  • Page 248: Pop3 Login With Complete Name Format

    16.4 POP3 login with complete name format To configure POP3 login with complete name format, go to: Users >> Authentication. For POP3 authentication, there is an option to send the complete username with postfix or the username only. Username Format: When the Complete option is checked, both the username and postfix will be transferred to the POP3 server for authentication.
  • Page 249: Radius Advance Settings

    16.5 RADIUS Advance settings To configure RADIUS Advance settings, go to: Users >> Authentication >> Option >> RADIUS >> RADIUS Configure. 5.2.2 Complete Name vs. Only ID For RADIUS authentication, there is an option to send the complete username with postfix or the username only. Username Format: When the Complete option is checked, both the username and postfix will be transferred to the RADIUS server for authentication.
  • Page 250 5.2.2 External RADIUS Server Related Settings 802.1X Authentication: Enable/Disable 802.1X authentication for users authenticating through this server. To support EAP-SIM authentication, please enable this feature and enter 802.1X Settings to configure the APs that support associated clients to authenticate by EAP-SIM.
  • Page 251 5.2.2 RADIUS Server Attributes Item Description The drop down selection list allows 3 options: Follow Server’s Setting, Overwrite Server’s Setting and Set if not presented. If Follow Server’s Setting is selected, system will use the RADIUS attributes set in the remote RADIUS server. If Overwrite Server’s Setting is selected, system will use the RADIUS attributes set below.
  • Page 252 Session Terminate on Billing Time: When enabled, the session will terminate in the Billing Time set. Bandwidth Setting: It will follow the Bandwidth settings of the Group profile set for this authentication server.
  • Page 253 5.2.2 RADIUS Authentication Servers and Accounting Servers Primary / Secondary RADIUS Server Authentication Server: Enter the domain name or IP address of your RADIUS Server. Authentication Port: Enter the port number used for authentication. Authentication Secret Key: Secret Key used for authentication. Authentication Protocol: Select Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).
  • Page 254: Ldap Advance Settings - Attribute-Group Mapping

    16.6 LDAP Advance settings - Attribute-Group Mapping To configure LDAP - Attribute-Group Mapping, go to: Users >> Authentication. This function assigns a Group to an LDAP attribute sent from the LDAP server. When the clients classified by LDAP attributes log into the system via the LDAP server, each client will be mapped to its assigned Group. To get and show the attribute name and value from the configured LDAP server, enter Username and Password and click Show Attribute.
  • Page 255: Nt Transparent Login

    Domain first, and then they will be assigned the access right in this domain. On the other hand, users also need to log in to WHG-505 to get the network access right. So users must log in twice: once for the network access right and once for the domain resource access right.
  • Page 256: Roaming Out

    16.8 Roaming Out To configure Roaming Out, go to: Users >> Authentication. In some cases, WHG-505 can act as a RADIUS server for Roaming Out from other systems. The Local User database will act as the RADIUS user database. Account Roaming Out & 802.1X Authentication: When Account Roaming Out is enabled, the link of this function will be available to define the authorized device with IP address, Subnet Mask, and Secret Key.
  • Page 257: Sip Proxy

    After enabling the SIP proxy server, all SIP traffic passes through NAT with a selective but fixed WAN interface. In this example, client extension #301 is trying to call #303. WHG-505 asks an external trusted SIP registrar to verify both identities. After the SIP registrar responds with a YES, the call is established through WHG-505.
  • Page 258 Remark: The administrator can enter extra information in this field for remark. Group: A Group option can be applied to the clients who log in with SIP Authentication. Note that the specific route of the applied Policy for the selected Group cannot conflict with the assigned WAN interface for SIP authentication.
  • Page 259: Appendix A. Proxy Configuration

    Proxy Configuration Basically, a proxy server can help clients access the network resources more quickly. This section presents basic examples for configuring the proxy server settings of the WHG-505. Using Internet Proxy Server The first scenario is that a proxy server is placed outside the LAN environment or in the Internet.
  • Page 260 1. It is required that the proxy server setting of the clients match at least one of the proxy server settings of the WHG-505. Otherwise, users will not be able to get the Login page for authentication via browsers and it will show an error page in the browser.
  • Page 261 Note: A special scenario is that a proxy server is placed in a zone like Intranet – where users can reach each other without going through the WHG-505. In this case, whenever any one of the users in the Intranet has been authenticated and connects to the network via the proxy server, other users using the same proxy setting in their browsers will be able to access the network without any authentication.
  • Page 262 Note: It is required that the proxy server setting of the clients match with the proxy server setting of the WHG-505. Otherwise, users will not be able to get the Login page for authentication via browsers and it will show an error page...
  • Page 263: Appendix B. Certificate Settings For Ie6 And Ie7

    As long as the SSL function is enabled in the WHG-505, there must be a public SSL certificate signed by an established certificate authority. To avoid the error message in the browser, a company should have its own Certificate Authority (CA).
  • Page 264 Certificate setting for Internet Explorer 7 For IE7, regarding certificate issues caused by certificate publisher not being trusted by IE7, the following steps may be taken to provide a workaround or to bypass the issue. (1) Open the IE7 browser, and you will be redirected to the default login page. If the certificate is not trusted, the following page will appear.
  • Page 265 For installing a trusted certificate to solve the IE7 certificate issue, please follow the instructions stated below. (1) When the User Login page appears, click “Certificate Error” at the top. (2) Click “View Certificate”. (3) Click “Certification path”. (4) Select root certification, and then click “View Certificate”.
  • Page 266 (5) Click “Install Certificate”. (6) Click “Next”.
  • Page 267 (7) Select “Automatically select the certificate store based on the type of certificate”, and then click “Next”. (8) Click “Finish”.
  • Page 268 (9) Click “Yes”. (10) Click “OK”. (11) Launch a new IE7 browser. The certificate is now trusted via IE7 according to the key symbol shown at top next to the address field.
  • Page 269 Certificate setting for Internet Explorer 6 For issues relating to IE6 certificate errors, the following information provides the steps to take when the certificate publisher is not trusted by IE6. (1) Open an IE6 browser; the Security Alert message will appear if the certificate is not trusted. Click “Yes” to proceed.
  • Page 270: Appendix C. Service Zones - Deployment Examples

    Appendix C. Service Zones – Deployment Examples Typical Application Scenario: Employee vs. Guest Typical service zone settings will separate user groups into Employee and Guest for the purpose of different authentication levels. Application Network: As shown in the diagram, assign service zone 1 to Employee and service zone 2 to Guest.
  • Page 271 4. Apply different access control policies to separated groups Employee and Guest. Solution and Configuration in WHG-505 Configure two service zones to map to the two groups Step 1: Select “Tag-Based mode” for all “service zones”...
  • Page 272 Step 3: Configure the “service zone” accordingly Configure the SSID Choose the authentication option and configure the login page Choose the appropriate policy for this “service zone”...
  • Page 273 Finished Configuration – Service Zone Settings: Once the settings of two service zones are completed, the configured result will be displayed on screen in the Service Zone Settings. The name of the service zone and the enabled status should appear in the display.
  • Page 274: Appendix D. Dhcp Relay

    WHG-505, the DHCP server will receive a DHCP REQUEST packet with Option 82 (a code defined in RFC 3046). A Circuit ID will be sent by the WHG-505 when the DHCP relay is enabled to define where the packet is sent from, and this Circuit ID will have a format of MAC_IP, such as 00:E0:22:DF:AC:DF_172.30.1.254.
  • Page 275 Based on the above example, the client that connects to the WHG-505 sends out a DHCP request. The DHCP relay function being enabled in the WHG-505 sends a Circuit ID 00:90:0B:07:60:91_172.30.1.254 to the external DHCP server. When the DHCP server gets the Circuit ID, it recognizes that the request is sent from g1_public_lan and thus assigns the client a DNS server of 169.95.1.1, an IP that is in the range of 172.30.1.30 and 172.30.1.50, a...
  • Page 276: Appendix E. Session Limit And Session Log

    Appendix E. Session Limit and Session Log Session Limit To prevent ill-behaved clients or malicious software from using up system’s connection resources, administrators will have to restrict the number of concurrent sessions that a user can establish. The maximum number of concurrent sessions (TCP and UDP) for each user can be specified in the Global policy, which applies to authenticated users, users on a non-authenticated port, privileged users, and clients in DMZ zones.
  • Page 277 The following table shows an example of the session log data.

        Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1626 DIP=203.125.164.132 DPort=80
        Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1627 DIP=203.125.164.132 DPort=80
        Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1628 DIP=203.125.164.142 DPort=80
        Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1629 DIP=203.125.164.142 DPort=80
        Jul 20 12:35:07 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1630 DIP=67.18.163.154 DPort=80
        Jul 20 12:35:09 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1631 DIP=202.43.195.52 DPort=80
        ...
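The session log rows shown in Appendix E can be checked off-box for the behaviour the Session Limit is meant to contain: one user opening new sessions faster than expected. The following is an added example, not code from the manual or the vendor; the function names, the 5-second window, the threshold of 8 and the `user2`/`user3` rows are assumptions constructed for illustration, and only the `[New]` event shown on the page is counted.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Row layout taken from the sample rows in Appendix E of the manual.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<event>[^\]]+)\](?P<user>\S+) (?P<proto>\S+) "
    r"MAC=(?P<mac>[0-9A-Fa-f:]{17}) SIP=(?P<sip>\S+) SPort=(?P<sport>\d+) "
    r"DIP=(?P<dip>\S+) DPort=(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Return one session-log row as a dict, or None if the row is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
            "event": m["event"],
            "user": m["user"],
            "proto": m["proto"],
            "mac": m["mac"].lower(),
            "sip": str(ipaddress.ip_address(m["sip"])),
            "sport": int(m["sport"]),
            "dip": str(ipaddress.ip_address(m["dip"])),
            "dport": int(m["dport"]),
        }
    except ValueError:  # bad date or bad IP address
        return None
    if not (0 <= rec["sport"] <= 65535 and 0 <= rec["dport"] <= 65535):
        return None
    return rec


def peak_new_sessions(records, window_seconds=5):
    """Per user: peak count of [New] rows inside any sliding window, plus destinations seen."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    stats = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["event"] != "New":
            continue
        q = recent[rec["user"]]
        q.append(rec["time"])
        while q[0] <= rec["time"] - window:  # drop rows that fell out of the window
            q.popleft()
        s = stats.setdefault(rec["user"], {"peak": 0, "destinations": set()})
        s["peak"] = max(s["peak"], len(q))
        s["destinations"].add(rec["dip"])
    return stats


def flag_users(lines, window_seconds=5, max_new=8):
    """Return (users whose peak exceeds max_new, number of rejected rows).

    window_seconds and max_new are assumed review thresholds, not device settings.
    """
    records, rejected = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    stats = peak_new_sessions(records, window_seconds)
    return {u: s for u, s in stats.items() if s["peak"] > max_new}, rejected


# The six rows printed in the manual.
PAGE_ROWS = [
    "Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1626 DIP=203.125.164.132 DPort=80",
    "Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1627 DIP=203.125.164.132 DPort=80",
    "Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1628 DIP=203.125.164.142 DPort=80",
    "Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1629 DIP=203.125.164.142 DPort=80",
    "Jul 20 12:35:07 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1630 DIP=67.18.163.154 DPort=80",
    "Jul 20 12:35:09 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1631 DIP=202.43.195.52 DPort=80",
]
# Constructed rows: a second user opening 12 sessions in 3 seconds, then two malformed rows.
CONSTRUCTED_ROWS = [
    f"Jul 20 12:35:{10 + i // 4:02d} 2009 [New]user2@local TCP MAC=02:00:00:00:00:02 "
    f"SIP=10.1.1.99 SPort={40000 + i} DIP=198.51.100.{i + 1} DPort=80"
    for i in range(12)
] + [
    "Jul 20 12:35:13 2009 [New]user3@local TCP MAC=02:00:00:00:00:03 SIP=10.1.1.40 SPort=70000 DIP=198.51.100.1 DPort=80",
    "Jul 20 12:35:13 2009 [New]user3@local TCP MAC=02:00:00:00:00:03 SIP=10.1.1.40 SPort=1700",
]
SAMPLE_LINES = PAGE_ROWS + CONSTRUCTED_ROWS

if __name__ == "__main__":
    flagged, rejected = flag_users(SAMPLE_LINES)
    for user, s in flagged.items():
        print(f"{user}: peak {s['peak']} new sessions in 5 s, {len(s['destinations'])} destinations")
    print(f"rejected rows: {rejected}")
```

Rejected rows are counted rather than silently dropped, so a truncated or tampered export shows up in the result.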
  • Page 278: Appendix F. Network Configuration On Pc & User Login

    Appendix F. Network Configuration on PC & User Login Network Configuration on PC After WHG-505 is installed, the following configurations must be set up on the PC: Internet Connection Setup and TCP/IP Network Setup. Internet Connection Setup Windows 9x/2000 1) Choose Start >> Control Panel >> Internet Options.
  • Page 279 3) Choose “I want to set up my Internet connection manually, or I want to connect through a local Area network (LAN)”, and then click Next. 4) Choose “I connect through a local area network (LAN)” and then click Next. 5) DO NOT choose any option in the following LAN window for Internet configuration, and just click Next.
  • Page 280 6) Choose “No” and then click Next 7) Finally, click Finish to exit the Internet Connection Wizard. Now, the set up is completed. Windows XP 1) Choose Start >> Control Panel >> Internet Option.
  • Page 281 2) Choose the Connections tab, and then click Setup. 3) When the Welcome to the New Connection Wizard window appears, click Next. 4) Choose “Connect to the Internet” and then click Next.
  • Page 282 5) Choose “Set up my connection manually” and then click Next. 6) Choose “Connect using a broadband connection that is always on” and then click Next. 7) Finally, click Finish to exit the Connection Wizard. The setup is now complete.
  • Page 283 With the factory default settings, during the process of starting the system, WHG-505 with DHCP function will automatically assign an appropriate IP address and related information for each PC. If the Windows operating system is not a server version, the default settings of the TCP/IP will regard the PC as a DHCP client, and this function is called “Obtain an IP address automatically”.
  • Page 284 IP Address, Subnet Mask and DNS Server address provided by your ISP and the Gateway address of WHG-505. If your PC has been set up completely, please inform the network administrator before proceeding to the following steps.
  • Page 285 4.2) Click on the Gateway tab. Enter the gateway address of WHG-505 in the “New gateway” field and click Add. Then, click OK. 4.3) Click on DNS Configuration tab. If the DNS Server field is empty, select “Enable DNS” and enter DNS Server address. Click Add, and then click OK to complete the configuration.
  • Page 286 4) Using DHCP: If you want to use DHCP, choose “Obtain an IP address automatically”, and then click OK. This is also the default setting of Windows. Then, reboot the PC to make sure an IP address is obtained from WHG-505.
  • Page 287 IP Address, Subnet Mask and DNS Server address provided by your ISP and the Gateway address of WHG-505. If your PC has been set up completely, please inform the network administrator before proceeding to the following steps.
  • Page 288 5.4) Enter the gateway address of WHG-505 in the “Gateway” field, and then click Add. After returning to the IP Settings tab, click OK to complete the configuration. Check the TCP/IP Setup of Windows XP 1) Select Start >> Control Panel >> Network Connection.
  • Page 289 OK. This is also the default setting of Windows. Then, reboot the PC to make sure an IP address is obtained from WHG-505. 5) Using Specific IP Address: If you want to use a specific IP address, acquire the following...
  • Page 290 5.3) Click on the IP Settings tab and click Add below the “Default gateways” column and the TCP/IP Gateway Address window will appear. 5.4) Enter the gateway address of WHG-505 in the “Gateway” field, and then click Add. After returning to the IP Settings tab, click OK to finish the...
  • Page 291: Appendix G. Policy Priority

    Global Policy, Service Zone Policy, Authentication Policy and User Policy. WHG-505 supports multiple Policies: one Global Policy and 40 individual Policies that can be assigned to different Groups. The Global Policy is the system’s universal policy and is applied to all clients, while the other individual Policies can be selected and defined to be applied to any Service Zone.
  • Page 292: Appendix H. Radius Accounting

    The standard Attribute Type of a VSA is “26”. The “Vendor ID” is also required; in this example, the Vendor ID of LevelOne is “31932”. Further attributes, each with an “Attribute Number” and an “Attribute Value”, are needed to define the amount of traffic:...
  • Page 293 2. VSA configuration in RADIUS server (IAS Server) This section will guide you through a VSA configuration in your external RADIUS server. Before getting started, access your external RADIUS server’s desktop directly or remotely from another PC. 2.1. Step 1 Assume that users already exist in the RADIUS server. Assume that Groups already exist and that users have been assigned to these Groups in the RADIUS server. Assume that Policies already exist and that Groups have been assigned to these Policies in RADIUS...
  • Page 294 2.3. Step 3 Edit Profile Select the Advanced tab Add a new attribute Add a new Vendor-specific attribute 2.4. Step 4 Add a new attribute under Vendor-specific Set “Vendor Code = 31932” Set it to conform to the RADIUS RFC Configure Attribute Set “Vendor-assigned attribute number = 10”...
  • Page 295 2.5. Step 5 Confirm that the Vendor-specific Attribute has been added successfully. 2.6. Step 6 Follow the same steps to create other Vendor-specific Attributes as needed.
  • Page 296 3. VSA configuration in RADIUS server (FreeRADIUS) This section will guide you through a VSA configuration using FreeRADIUS version 1.0.5 on the “Fedora” operating system. Before getting started, open the shell of the RADIUS server; for example, use PuTTY to access the Linux host: 3.1.
  • Page 297 The administrator can also add the other attributes listed in the table in Section 2, using the same format. 3.5. Step 5 Edit the file “dictionary” under the folder “freeradius”. 3.6. Step 6 Include “dictionary.4ipnet” in the dictionary of the RADIUS server. Insert it at an incremental position where it is easy to find again.
  • Page 298 Insert the VSA into the RADIUS response. In this example, the maximum download and upload in bytes for group03 users is 1MBytes. 3.9. Step 9 Restart RADIUS to activate your settings.
  • Page 299: Appendix I. Vlan Port Location Mapping And Pms Middleware

    Appendix I. VLAN Port Location Mapping and PMS Middleware This section introduces the Port Location Mapping feature. This feature is designed for creating multiple VLAN divisions (as if they were separate LAN ports) under a Service Zone and mapping these VLANs to different locations individually.
  • Page 300 2. Port Location Mapping To configure Port Location Mapping, go to: System >>Port Location Mapping>> Configure.
  • Page 301 The administrator can use the Port Location Mapping feature to map a location (such as a hotel room) to a VLAN port of a VLAN switch or a DSLAM device. Each Room is mapped to a VLAN Tag, and each Room can be assigned to a different Service Zone to get a different policy.
  • Page 302 VLAN ID Start: The starting VLAN ID. Number of VLAN: The total number of VLANs. Start Room Number / Location ID: The starting room number. Room NUM / Location ID Prefix: The prefix of the room number. Room NUM / Location ID Postfix: The postfix of the room number. After you have created the VLAN Tag and Room number mapping, you can change the Port Type for all entries in a particular Service Zone.
  • Page 303 The VLAN Tags configured in Port Location Mapping must not conflict with any of the VLAN Tags that have been assigned to each Service Zone. When you have finished creating Port Location Mapping profiles, go back to the Port Location Mapping page; the Port Location Mapping List displays all the profile entries with information such as its...
  • Page 304 To configure the Port Location Mapping List, go to: System >> Port Location Mapping. The Port Location Mapping List displays all the profile entries with information such as VLAN ID, Room Num/Location ID, Port Type and Service Zone. Clicking the Delete link erases an individual Port Location Mapping profile.
  • Page 305 When a user tries to access the Internet from a “Single User” room, the browser will show the Login page with a list of available plans and the service agreement. The Service Agreement body can be configured in the applied Service Zone’s Custom Pages settings. The user may choose a billing plan and click the Confirm button, and the system will display the generated account name and password.
  • Page 306 When a user tries to access the Internet from a “Free” room, the browser will show the service agreement page; by simply clicking CONFIRM, the user can access the Internet. The Service Agreement body can be configured in the applied Service Zone’s Custom Pages settings. When a user tries to access the Internet from a “Block”...
  • Page 308: Appendix J. Ap Wds Management

    Appendix J. AP WDS Management. To configure AP WDS, go to: Access Points >> WDS Management. WDS Management (Wireless Distribution System) is a function used to connect APs (Access Points) wirelessly. The WDS management function of the system can help administrators set up a “Tree” structure of the WDS network. WDS Status: Status shows the added APs in the WDS Tree with the Security and Channel settings.
  • Page 309: Appendix K. Rogue Ap Detection

    Appendix K. Rogue AP Detection. To configure Rogue AP Detection, go to: Access Points >> Rogue AP Detection. This function is designed to detect non-managed or possibly malicious APs in the deployed environment. It uses the managed APs as sensors to find non-managed APs, even if such an AP uses the same SSID as the managed APs.
  • Page 310 1. Set up the Detection Interval. To configure the Detection Interval, go to: Access Points >> Rogue AP Detection >> General Configuration. Input a Detection Interval. If you input “0”, the function is “Disabled”, and the system will not enable the Rogue AP Detection function. 2.
  • Page 311: Appendix L. Ap Load Balancing

    If some APs are trusted by the administrator, or are only in temporary use, you can add these APs to the Trust List; the system will then ignore them and will not show them in the Rogue AP List again.
  • Page 312 This function tries to prevent the managed APs from being overloaded. When the system detects that the number of clients associated with an AP exceeds the predefined threshold while other APs in the same group are still below the threshold, the balancing function is activated to decrease the transmit power of the overloaded APs and increase the transmit power of the other available APs.
  • Page 313 1. Set up the Interval. To configure the Interval, go to: Access Points >> AP Load Balancing >> General Configuration. Input an Interval. If you input “0”, it means “Disabled”, and the system will not enable the AP Load Balancing function. 2. Configure the Loading Threshold of each Group. To configure Group Configuration, go to: Access Points >> AP Load Balancing >> Group Configuration.
  • Page 314 Before setting up AP Load Balancing, you must first discover the APs and apply a template. Note: For more details on AP Management, please refer to the section Managing Wireless Network. Any managed AP can join any Load Balancing Group, so the Device List lists all of the managed APs. Select the APs, choose a Group and click Apply.
