LevelOne WHG-311 User Manual

Secure wlan controller

LevelOne
Secure WLAN Controller
WHG-311/315/401/505/515/707
User Manual


Summary of Contents for LevelOne WHG-311

  • Page 1 LevelOne Secure WLAN Controller WHG-311/315/401/505/515/707 User Manual...
  • Page 2 LevelOne does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. LevelOne further reserves the right to make changes in any products described herein without notice. The publication is subject to change without notice.
  • Page 3 FCC CAUTION WHG-311 This equipment has been tested and proven to comply with the limits for a class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
  • Page 4: Table Of Contents

    WHG-707 Hardware, p. 15; 2.3. Preparation before the Installation, p. 16; 2.4. Unpacking & Installing, p. 17; 2.4.1. WHG-311 Package & Installation, p. 17; 2.4.2. WHG-315 Package & Installation, p. 17; 2.4.3. WHG-401 Package & Installation, p. 18; 2.4.4. WHG-505 Package & Installation, p. 19; 2.4.5.
  • Page 5 6.3. User Login, p. 94; 6.3.1. An Example of User Login, p. 94; 6.3.2. Default Authentication, p. 96; 6.3.3. Login with Postfix, p. 96; Policies and Access Control, p. 97; 7.1. Policy, p. 97; 7.1.1. Firewall, p. 99; 7.1.2. Routing, p. 104; 7.1.3.
  • Page 6 11.3. Client Mobility, p. 172; 11.4. DNS Cache, p. 173; 11.5. Dynamic Domain Name Service, p. 174; 11.6. Port and IP Forwarding, p. 175; 11.7. Dynamic Route, p. 176; System Management and Utilities, p. 179; 12.1. System Time, p. 179; 12.1.1.
  • Page 7 17.3. Account Roaming Out, p. 266; 17.4. Seamless Cross Gateway Roaming, p. 267; Appendix A. Certificate Settings for IE6 and IE7, p. 269; Appendix B. Network Configuration on PC & User Login, p. 278; Appendix C. Policy Priority, p. 291; Appendix D.
  • Page 8: Before You Start

    1. Before You Start 1.1. Preface This WHG Controller User Manual is for WLAN service providers or network administrators to set up a network environment using the WHG Controllers. It contains step-by-step procedures and graphic examples to guide MIS staff or individuals with basic network system knowledge to complete the installation. Besides this document, there is a “Quick Installation Guide”...
  • Page 9: Whg Controllers Installation Guide

    2. WHG Controllers Installation Guide 2.1. WHG Controller Capacity Table. Capacity: WHG-311 | WHG-315 | WHG-401 | WHG-505 | WHG-515 | WHG-707. Form Factor: 13" Mini-book | 19” (1U) | 19” (1U) | 19” (1U) | 19” (1U) | 19” (1U). 2 x GbE, 2 x GbE 2 x GbE 2 x GbE 2 x GbE...
  • Page 10: Whg Controller Hardware Overview

    2.2. WHG Controller Hardware Overview 2.2.1. WHG-311 Hardware. Quick Buttons: Reset: Press and hold the Reset button for over 3 seconds and the Status LED on the front panel will start to blink; release the button at this stage to restart the system. Press and hold the Reset button for more than 10 seconds and the Status LED on the front panel will turn from blinking to off; release at this stage to reset the system to default configuration.
  • Page 11: Hardware

    2.2.2. WHG-315 Hardware. LCD Display: Allows network administrator to check important system settings such as network interface, SZ configurations, etc. The navigation buttons from left to right respectively are “Sleep”, “Esc”, “Up”, “Down”, and “Enter”. Quick Buttons: Reset: Press and hold the Reset button for over 3 seconds and the Status LED on the front panel will start to blink; release the button at this stage to restart the system.
  • Page 12: Hardware

    2.2.3. WHG-401 Hardware LED Indicators There are three kinds of LED, Power, Status and Hard-disk, to indicate different status of the system. LCD Display Allows network administrator to check important system settings such as network interface, SZ configurations, etc. The navigation buttons from left to right respectively are “Esc”, “Up”, “Down”, and “Enter”.
  • Page 13: Hardware

    2.2.4. WHG-505 Hardware LED Indicators There are three kinds of LED, Power, Status and Hard-disk, to indicate different status of the system. LCD Display Allows network administrator to check important system settings such as network interface, SZ configurations, etc. The navigation buttons from left to right respectively are “Esc”, “Up”, “Down”, and “Enter”.
  • Page 14: Hardware

    2.2.5. WHG-515 Hardware LED Indicators There are three kinds of LED, Power, Status and Hard-disk, to indicate different status of the system. LCD Display Allows network administrator to check important system settings such as network interface, SZ configurations, etc. The navigation buttons from left to right respectively are “Esc”, “Up”, “Down”, and “Enter”.
  • Page 15: Hardware

    2.2.6. WHG-707 Hardware WAN1/ WAN2 (SFP) Two combo WAN ports (SFP) are connected to the external network, such as the ADSL Router from your ISP (Internet Service Provider). LAN5/ LAN6 (SFP) Client machines connect to WHG Controller via these LAN ports (SFP). LED Indicators There are four kinds of LED, WAN1, WAN2, LAN4, and LAN5, to indicate the traffic status of the SFP ports.
  • Page 16: Preparation Before The Installation

    2.3. Preparation before the Installation Before you start the installation by either following this User Manual or the Quick Installation Guide, below is a short preparation list to do. 1. Unpack the WHG Controller and go through the package checklist. 2.
  • Page 17: Unpacking & Installing

    2.4. Unpacking & Installing 2.4.1. WHG-311 Package & Installation. Package Checklist: The standard package of WHG-311 includes: WHG-311 x 1; CD-ROM (with User’s Manual and QIG) x 1; Quick Installation Guide (QIG) x 1; RS-232 DB9 Console Cable x 1; ...
  • Page 18: Package & Installation

    Rack Mounting Bracket (with Screws) x 1. It is highly recommended to use all the supplies in the package instead of substituting any components by other suppliers to guarantee best performance. Installation: Connect the power cord to the power socket on the rear panel. ...
  • Page 19: Package & Installation

    connecting more wired clients; or directly to a client PC. The LED of port should be on to indicate a proper connection. 2.4.4. WHG-505 Package & Installation. Package Checklist: The standard package of WHG-505 includes: WHG-505 x 1; ...
  • Page 20: Package & Installation

    Ethernet Cable x 1; Straight-through Ethernet Cable x 1; Power Cord x 1; Rack Mounting Bracket (with Screws) x 1. It is highly recommended to use all the supplies in the package instead of substituting any components by other suppliers to guarantee best performance.
  • Page 21 to an administrator PC for configuring the WHG Controller system. Connect an Ethernet cable to the LAN1 or LAN2 Port on the front panel; connect the other end of the Ethernet cable to an AP for extending wireless coverage, a switch for connecting more wired clients, or a client PC. The LED of this port should be on to indicate a proper connection.
  • Page 22: System Overview

    3.1. System Concept If you have used other LevelOne WLAN WHG Controller products before and are familiar with their system concept, you may skip the concept description below. Please proceed to the next section (Getting Started). WHG Controller is capable of managing user authentication, authorization and accounting (AAA). The user account information is stored in the local database or a specified external database server.
  • Page 23 Administrator/Manager manually. External Authentication Database is a user account database that is not built inside WHG Controller. Besides Local database and On-demand database, WHG Controller allows up to three additional External Authentication databases simultaneously. The types of external Authentication databases supported are RADIUS, POP3, LDAP (including Active Directory), and NTDomain (Win2K’s NTDS).
  • Page 24 ‘Policy’, which can be chosen to bound the network behaviors of a Group. The administrator can define the Firewall Profile, Route Profile, Schedule Profile and Max Sessions in a Policy. The following Figure depicts an example relationship of Service Zone, Group and Policy. In this example, Students and faculties logging into Service Zone 1 will be governed by Policy-A.
  • Page 25 WHG Controller in a Business Headquarter WHG Controller in a Hotel – Capable of integrating with DSLAM and PMS...
  • Page 26: Service Zone Concept

    3.2. Service Zone Concept LevelOne Service Zones are virtual machines, each with its own network interface, DHCP server, authentication configuration, user pages as well as security and user policy settings. By associating a unique VLAN Tag and SSID with a Service Zone, administrators can separate wired network and wireless network into different logical networks isolated from one another.
  • Page 27 Multi subnet network environment: On the other hand, if the internal network is a multi-subnet network environment, the Tag-Based model will suit your conditions. In Tag-Based mode, each LAN port will serve traffic from different Service Zones; a VLAN switch or VLAN AP is required to take care of the VLAN tags carried within the message frames.
  • Page 28: Ap Management Concept

    AP Management feature is designed not only for internal network AP deployment, but also overlay deployment at remote locations over the cloud. WHG Controllers can manage from 30 to 500 LevelOne Access Points depending on model. For overlay AP deployment, WHG Controllers establish a secure tunnel between the managed AP and Controller.
  • Page 29: Getting Started

    4. Getting Started 4.1. Accessing Web Management Interface When you have completed the hardware installation of your WHG Controller, system configurations can be performed via built-in Web Management Interface (WMI). Step 1. Connect your PC to any of the LAN ports of your WHG Controller. Step 2.
  • Page 30 After a successful login, a Home Page will appear on the screen. The first time, if WHG Controller is not using a trusted SSL certificate, there will be a “Certificate Error”, because the browser treats WHG Controller as an untrusted website. Please press “Continue to this website” to continue.
  • Page 31: Home Page

    4.2. Home Page Home page lists four buttons Setup Wizard, Quick Links, System Overview and Main Menu respectively. Each button will be described in detail in the following section.
  • Page 32: Setup Wizard

    4.2.1. Setup Wizard: Using the configuration wizard. The configuration wizard provides a fast and easy way to configure the WHG Controller’s system time, change Administrator password, WAN interfaces, as well as local user accounts. Follow the instructions given at each step to change the system admin password, select time zone, configure WAN1 interface, and create local user account (optional).
  • Page 33: Quick Links

    4.2.2. Quick Links The Quick Links provide eight shortcut links for administrators to directly access frequently used functions of the web management interface. The eight functional links are: System Status, Local User Management, Policy Management, AP Management, Online User List, On-demand Account Management, Authentication Configuration and Firmware Management.
  • Page 34: System Overview

    4.2.3. System Overview This page displays important system related information that the administrator might need to be aware of at a glance, which includes General System settings, Network Interface and Online Users etc. A drop-down menu is available for selecting the information refresh rate for this page.
  • Page 35: Main Menu

    4.2.4. Main Menu This feature leads to all the detailed configuration pages on the Web Management Interface, allowing you to set various networking parameters, enable and customize network services, manage user accounts and monitor user status. Administration functions are separated into 6 categories: System, Users, Access Points, Network, Utilities and Status.
  • Page 36: Online Help

    4.2.5. Online Help The Help button is at the upper right corner of the WHG Controller display screen. Click Help for the Online Help window, and then click the hyperlink of the relevant information required. Online Help Corner...
  • Page 37: Initial Network Setup

    5. Initial Network Setup 5.1. Network Requirement Typically, in a network environment, WHG Controller plays the role of a gateway. On a gateway device, a network port leading upstream to the Internet or the backbone network is called a ‘WAN port’ or an uplink port, while a network port used for branching out to serve the clients downstream is referred to as a ‘LAN port’.
  • Page 38: Wan1 & Wan2 Setup

    5.3. WAN1 & WAN2 Setup WHG Controllers are designed with 2 WAN ports for load balancing and failover support. To configure WAN port settings, go to Main Menu > System > WAN1 / WAN2. WAN1: The WAN1 port supports four connection types: Static, Dynamic, PPPoE and PPTP. These connection types are enough to support most ISPs.
  • Page 39 1492 bytes. In that case, you have to enter a smaller MTU number to meet the ISP’s networking requirement. Clamp MSS: MSS is short for Maximum Segment Size for a TCP connection. An end-to-end TCP connection over PPPoE will consume additional overhead out of each packet. At least 40 bytes are used for the address.
  • Page 40: Wan Traffic Control

    Learn DNS Server Address During Negotiation: When this check box is selected, the Controller will automatically learn the IP address of DNS server through DHCP messages received. Preferred DNS Server: Statically designate the primary DNS server to be used by the system. ...
  • Page 41: Lan Port & Service Zone Mapping

    When both WAN1 and WAN2 are properly configured with uplink to the internet, the WAN Failover and Load Balancing features become available. Load Balancing: Administrator can spread the system traffic across WAN1 and WAN2 ports based on percentage load, calculated using session, bytes, or packets. WAN Failover: Once enabled, whenever WAN1 is down, WAN2 will service the traffic originally handled by WAN1 until WAN1 link is up again and vice versa.
  • Page 42 In Port-Based mode each LAN port can be mapped to an enabled Service Zone or disabled; this means the maximum number of Service Zones available to provide service is determined by the number of LAN ports on the Controller. Trusted Port: When a LAN port is selected, clients under this port will not require authentication regardless of the settings in the corresponding Service Zone profile this LAN port maps to.
  • Page 43 Select the mode for Isolation: When enabled, network traffic will be isolated by VLAN tag, which means that inter-VLAN devices are segregated from each other. Please note that this check option is not available for WHG-311 and WHG-315, on which it is always enabled.
  • Page 44: Lan Partition -- Service Zone

    5.6. LAN Partition -- Service Zone Configure Service Zone; go to: System >> Service Zones. A Service Zone is a logical network area to cover certain wired and wireless networks in an organization such as SMB or branch offices. By associating a unique VLAN Tag and SSID with a Service Zone, administrators can separate wired network and wireless network into different logical zones.
  • Page 45 Default Authen Option: Default authentication method/server that is used within the Service Zone. IP Address: The IPv4 address of this service zone interface. IPv6 Address: The IPv6 address of this service zone interface. Network Alias: Administrator may optionally set many alias network segments for a service zone. This feature allows a single service zone to be seen as many service zones, and also hides the IP address of a Service Zone’s network interface and, to some degree, provides protection from possible attacks from LAN clients.
  • Page 46: Planning Your Internal Network

    5.6.1. Planning Your Internal Network. Simple network environment: For most simple internal networks, for example one with only two subnets, using the Port-Based model is an easier and better way. In Port-Based mode, each LAN port can only serve traffic from one Service Zone. An example network application diagram is shown below: one Service Zone for Employees and one for Guests.
  • Page 47: Configure Service Zone Network

    5.6.2. Configure Service Zone Network Configure Service Zone; go to: System >> Service Zones >> Service Zone Configuration. Router Mode NAT Mode. Service Zone Status: Each service zone can be enabled or disabled except for the default service zone. ...
  • Page 48 IPv6 Settings: The IPv6 Address and configuration of this service zone (when IPv6 is enabled). Network Alias List: Administrator may optionally set many alias network segments for a service zone. This feature allows a single service zone to be seen as many service zones, and also hides the IP address of a Service Zone’s network interface and, to some degree, provides protection from possible attacks from LAN clients.
  • Page 49 Item / Description. DHCP Server 1. Start IP Address / End IP Address: A range of IP addresses that the built-in DHCP server will assign to clients. Note: please change the Management IP Address List accordingly (at System Configuration >> System Information >> Management IP Address List) to permit the administrator to access the WHG CONTROLLER admin page after the default IP address of the network interface is changed.
  • Page 50 The administrator can reserve a list of specific IP addresses for special devices with certain MAC addresses. Enter an IP address and MAC address pair to reserve; additional information can be entered in the Description field. Click Apply to activate your settings. DHCP Lease Protection: When “Enabled”, whenever the Service Zone’s built-in DHCP server receives a DHCP request, it will automatically bind the MAC address with an IP address permanently.
  • Page 51: Wispr Attributes In Service Zone

    5.6.3. WISPr Attributes in Service Zone WISPr or Wireless Internet Service Provider roaming - Pronounced "whisper," WISPr is a draft protocol submitted to the Wi-Fi Alliance that allows users to roam between wireless internet service providers, in a fashion similar to that used to allow cell phone users to roam between carriers.
  • Page 52: Ipv6

    5.7. IPv6 Configure Service Zone; go to: System >> IPv6. System implements IPv6 feature and supports operating in IPv6 networking environment. When IPv6 is enabled, administrator may assign IPv4 IP address as well as IPv6 address to each interface such as WAN1, WAN2, Default Service Zone, Service Zone1, etc.
  • Page 53 6to4: 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 internet) without the need to configure explicit tunnels. 6to4 option can only be chosen when the selected WAN interface was set with a static IPv4 address.
  • Page 54: User Authentication And Grouping

    6. User Authentication and Grouping 6.1. Overview of User Authentication Database • Built-in User Databases Local and On-demand are Controller’s built-in user databases designed to house static and temporary accounts respectively. Local database is ideal for storing long term accounts for instance employee accounts while On-demand database is ideal for generating temporary accounts for guest usage.
  • Page 55 Go to Main Menu > Users > Authentication. Click on the server name to set the configuration for that particular server. After completing the settings, click Apply to save them. Then go back to System > Service Zones and enable or disable any server in each service zone as you prefer.
  • Page 56: Configuring On-Demand

    6.1.1. Configuring On-demand The administrator can enable and configure this authentication method to create on-demand user accounts. This function is designed for hotspot owners to provide temporary users with free or paid wireless Internet access in the hotspot environment. Major functions include accounts creation, users monitoring list, billing plan and external payment gateway support.
  • Page 57 system only; never get online and no need to go through authentication. NetTicketGen is an example of a terminal server that is required to be configured here before it can operate with Controller. Expired Account Keep Days: When an Ondemand account expires, it will remain on the ondemand account list for a certain amount of time.
  • Page 58 Receipt Header: There are 3 receipt headers supported by the system. The entered content will be printed on the receipt. These headers are optional. Receipt Footer: The entered content will be printed on the receipt. This footer is optional. ...
  • Page 59 network. Price: The unit price of the respective billing plan. Enable: Check the checkbox to activate the plan. Deactivated billing plans cannot be used to generate ondemand guest accounts. Quick Account Creation: Check the checkbox to enable Quick Account Creation. Static users with “Ondemand Account Privilege”...
  • Page 60 Usage-time with No Expiration Time: Can access internet as long as account has remaining quota (usable time). Need to activate the purchased account within a given time period by logging in for the first time. Ideal for short term usage. For example in coffee shops, airport terminals etc. Only deducts quota while using.
  • Page 62 Hotel Cut-off-time: Hotel Cut-off-time is the clock time (normally check-out time) at which the on-demand account is cut off (made expired) by the system on the following day or many days later. On the account creation UI of this plan, operator can enter a Unit value which is the number of days to Cut-off-time according to customer stay time.
  • Page 63 Volume: Can access internet as long as account valid with remaining quota (traffic volume). Account expires when Valid Period has been used up or quota depleted. Ideal for small quantity applications such as sending/receiving mail, transferring a file etc. Count down of Valid Period is continuous regardless of logging in or out.
  • Page 64 Duration-time with Elapsed Time: Account activated upon the account creation time. Count down begins immediately after account created and is continuous regardless of logging in or out. Account expires once the Elapsed Time has been reached. Ideal for providing internet service immediately after account creation throughout a specific period of time.
  • Page 65 Duration-time with Cut-off Time: Cut-off Time is the clock time at which the on-demand account is cut off (made expired) by the system on that day. For example, if a shopping mall's closing hour is 23:00, operators selling on-demand tickets can use this plan to create tickets set to be cut off at 23:00. If an account of this kind is created after the Cut-off Time, the account will automatically expire.
  • Page 66 Duration-time with Begin-and End Time: Define explicitly the Begin Time and End Time of the account. Count down begins immediately after account activation and expires when the End Time has been reached. Ideal for providing internet service throughout a specific period of time. For example during exhibition events or large conventions such as Computex where each registered participant will get an internet account valid from 8:00 AM Jun 1 to 5:00 PM Jun 5 created in batch like coupons.
  • Page 68 External Payment Gateway This section is for merchants to set up an external payment gateway to accept payments in order to provide wireless access service to end customers who wish to pay for the service on-line. The four options are Authorize.Net, PayPal, SecurePay, WorldPay and Disable.
  • Page 69 On-demand Account Creation After at least one plan is enabled, the administrator can generate on-demand user accounts here. Click on the Create button of the desired plan and an on-demand user account will be created. After the account is created, you can print the ticket with all of the necessary on-demand user’s information, including the username and password.
  • Page 70 Network operator can also choose to create ondemand accounts in batch. Simply specify the number of accounts to be generated and click “Create” at the bottom of the page. The created accounts can be exported as a txt file or printed via a pre-configured POS printer. On-demand Account List: All created On-demand accounts are listed and related information is also provided.
  • Page 71 Online: the account is currently in use. Expired: the account is not valid any more, even if there is remaining quota to be used. Out of Quota: the account has exceeded the quota limit. Redeemed: the account has been applied for account renewal. ...
  • Page 72 Redeem On-demand Accounts: For Time and Volume accounts, if they are almost out of quota, users can use the redeem function to extend their quota. After the user has obtained, or bought, a new account, they just need to click the Redeem button in the login success page, input the new account Name and Password and then click Enter.
  • Page 73: Configuring Radius

    6.1.2. Configuring RADIUS Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. Choose “RADIUS” from the Authentication Database field. The Local VPN option can be enabled or disabled for the entire Authentication Database.
  • Page 74 Item / Description. External RADIUS Server Related Settings. 802.1X Authentication: Enable / Disable 802.1X authentications for users authenticating through this...
  • Page 75 Server. To support EAP-SIM authentication, please enable this feature and enter 802.1X Settings to configure the APs that support associated clients to authenticate by EAP-SIM. Username Format: Select the format in which the user login information is sent to the external RADIUS Server. You may choose to send username in Complete (userID + Postfix), Only ID or Leave Unmodified.
  • Page 76 administrator to make changes in session characteristics without needing to access the Controller WMI to initiate the change. For example, a network administrator may need to terminate a session or change the authorization attributes associated with a session. This is possible through RADIUS DM & CoA messages.
  • Page 77 The drop down selection list allows 3 options: Follow Server’s Setting, Overwrite Server’s Setting and Set if not presented. If Follow Server’s Setting is selected, system will use the RADIUS attributes set in the remote RADIUS server. If Overwrite Server’s Setting is selected, system will use the RADIUS attributes set below.
  • Page 78: Configuring Local

    Protocol Password Authentication Protocol (PAP). Accounting Service: Enable / Disable RADIUS accounting. Accounting Server: Enter the Accounting Server domain name or IP address. Accounting Port: Enter the Port number used for accounting. Accounting Secret: Secret Key used for accounting. Note: The Authentication Server and Accounting Service operate in sets, which means if the Authentication Server set under Primary RADIUS Server is unavailable then the system will refer to Secondary RADIUS Server setting without referencing the Accounting service settings under Primary.
  • Page 79: Configuring Ldap

    for exporting all local user accounts into a text file. Clicking on each user account leads to a page for configuring the individual local account. A local user account can be assigned a Group and have Local VPN applied individually. Search: Enter a keyword of a username to be searched in the text field and click this button to perform the search.
  • Page 80 Name: Configurable text string designated as the mnemonic name of this authentication option. Postfix: The text string entered as a postfix in the account field for notifying the Controller which authentication database this account belongs to. Black List: System has built-in black-list profiles where specific user accounts can be listed.
  • Page 81: Configuring Pop3

    to the organization, group, or domain name (AD) of external directory. Binding Type: This specifies the binding type and search scope for LDAP authentication with 4 binding types available: User Account, Anonymous, Specified DN and Windows AD. Account Attribute: The attribute of LDAP accounts. ...
  • Page 82: Configuring Nt Domain

    Username Format: When Complete option is checked, both the username and postfix will be transferred to the server for authentication. When Only ID option is checked, only the username will be transferred to the external server for authentication. Server: The IP address of the external POP3 Server.
  • Page 83: Configuring Sip

    login function. These settings will become effective immediately after clicking the Apply button. Server: The IP address of the external NT Domain Server. Transparent Login: This function refers to Windows NT Domain single sign-on. When Transparent Login is enabled, clients will log into the system automatically after they have logged into the NT domain, which means that clients only need to log in once.
  • Page 84 The system provides a SIP proxy so that SIP clients (devices or soft clients) can pass through NAT. After the SIP proxy server is enabled, all SIP traffic can pass through NAT with a selective but fixed WAN interface. If the SIP Registrar setting in the SIP client is the same as the system setting, when the client tries to access the SIP Registrar, the system will let this client log in automatically and all SIP traffic can pass through.
  • Page 85: Choosing Your Networks' Authentication Method

    The system provides SIP proxy functionality, which allows SIP clients to pass through NAT. When enabled, all SIP traffic can pass through NAT via a fixed WAN interface. The policy route setting of SIP Authentication must be configured carefully because it must cooperate with the fixed WAN interface for SIP authentication. SIP Transparent Proxy can be activated in both NAT and Router mode.
  • Page 86 A warning message can be customized at Main Menu > System > General page which will be displayed on the web browser of newly connected users when a Service Zone’s authentication is under the Suspend status. The purpose of this feature is to prevent further loading to this Service Zone when network administrator needs to make changes to the Service Zone configurations.
  • Page 87: Users Group

    6.2. Users Group Group profiles are used to divide users based on role. A Group profile can be designated for differentiating a group of users with similar statuses, e.g. Student, Staff, Guest, etc. The network administrator can determine which Service Zones are accessible to a certain Group as well as the Policy that will govern the user. Therefore users belonging to a certain Group profile may be allowed to access many Service Zones and be governed by different policies under different Service Zones, depending on how the network administrator sets up the Group –...
  • Page 88: Assign Users To A Group

    6.2.1. Assign users to a Group Configure Group settings; go to: Users >> Group. This section shows how to group users and how to apply a different policy to each grouped user as he moves to a different service zone. The following examples will help you better understand this section.
  • Page 89 In this example, Group 1 users are allowed to access the internet in 5 places; Service Zone 0,1,4,6, and 8. They must follow policy 1 at Service Zone 1, 6 and 8. They are ruled by Policy 3 at Service Zone 1 and by Policy 8 at Service Zone 4.
  • Page 90: Permission In Service Zone

    6.2.2. Permission in Service Zone Configure Group settings; go to: User Authentication >> Group. A Group can be allowed to access one Service Zone or multiple Service Zones. Moreover, different Policies can be applied to a Group within different Service Zones. Remote VPN is considered a zone, where clients log into the system via remote VPN.
  • Page 91 At Service Zone 1, Group 1 users are ruled by Policy 3, Group 2 by Policy 9 and Group 3 by Policy 11. Other Groups are not allowed to access Service Zone 1.
  • Page 92 Group Option: The name of Group options available for selection. Enabled: Select Enabled to allow clients of the enabled Groups to log in to this Service Zone under constraints of the selected Policies. Check Enabled of each individual Group to assign it to the Service Zone listed. Policy: Select the Policy that will be applied to the Group when accessing this Service Zone.
  • Page 93: Qos Traffic Class And Bandwidth Control

    6.2.3. QoS Traffic Class and Bandwidth Control Configure QoS; go to: Users >> Group >> QoS Profile. QoS Profile: Set parameters for traffic classification. Traffic Class: A Traffic Class can be chosen for a Group of users. There are four traffic classes: Voice, Video, Best-Effort and Background.
  • Page 94: User Login

    6.3. User Login 6.3.1. An Example of User Login Normally, users will be authenticated before they get network access through WHG Controller. This section presents the basic authentication flow for end users. Please make sure that the WHG Controller is configured properly and network related settings are done.
  • Page 95 Remaining quota. 3. Successful! The Login Successful page appearing means you are connected to the network and Internet now! Note: When On-demand accounts are used, the system will display more information, as shown below.
  • Page 96: Default Authentication

    6.3.2. Default Authentication In each Service Zone, there are different types of authentication database (LOCAL, POP3, RADIUS, LDAP, NTDOMAIN, ONDEMAND, and SIP) that are supported by the entire system. Up to six authentication servers can be enabled; two of them are always Ondemand and SIP, and one of them can be set as the Default Authentication–...
  • Page 97: Policies And Access Control

    7. Policies and Access Control 7.1. Policy Configure Policy; go to: Users >> Policy. WHG Controller supports multiple Policies, including one Global Policy and individual Policies. Each Policy consists of access control profiles that can be configured respectively and applied to a certain Group of users. Global Policy is the system’s universal policy and is applied to all clients, while each individual Policy can be selected and defined to be applied to any Service Zone.
  • Page 98 Policy 1 ~ Policy n Besides the Global Policy, there are Policy 1 to Policy n (different models have a different number of Policies). Each Policy consists of access control profiles that can be configured respectively and applied to a certain Group of users. The clients belonging to a Service Zone will also be bound by an applied Policy.
  • Page 99: Firewall

    7.1.1. Firewall Firewall Profile (Global Policy): Click Setting for Firewall Profile. The Firewall Configuration will appear. Click Predefined and Custom Service Protocols to edit the protocol list. Click User Firewall Rules to edit the rules. Machine Firewall Rules – Input is for editing firewall rules which will be enforced on traffic entering the WAN ports from the external network.
  • Page 100 The Predefined Service Protocols cannot be deleted. Click Add to add a custom service protocol. The Protocol Type can be chosen from a list of protocols (TCP/UDP/ICMP/IP); then define the Source Port (range) and Destination Port (range), and click Apply to save this protocol.
  • Page 101 Selecting the Filter Rule Number 1 as an example: Rule Number: This is the rule selected “1”. Rule No. 1 has the highest priority; rule No. 2 has the second priority, and so on. Rule Name: The rule name can be changed here. Source/Destination –...
  • Page 102 Machine Firewall Rules – Input (Global Policy Only) This configuration page is for administrators to configure firewall rules which will be enforced from the system’s perspective to filter incoming traffic passing through WAN ports from external networks. Machine Firewall Rules – Output (Global Policy Only) This configuration page is for administrators to configure firewall rules which will be enforced from the system’s perspective to filter outgoing traffic passing through WAN ports from the internal network.
  • Page 104: Routing

    7.1.2. Routing Specific Route Profile: Click the Setting button for Specific Route Profile; the Specific Route Profile list will appear. 7.1.2.1 Specific Route Specific Route Profile: The Specific Default Route is used to make clients reach a specific IP segment through the specified gateway.
  • Page 105: Schedule

    7.1.3. Schedule Schedule Profile: Click Setting of Schedule Profile to enter the configuration page. Select Enable to show the Permitted Login Hours list. This function is used to limit the time when clients can log in. Check the desired time slots checkbox and click Apply to save the settings. These settings will become effective immediately after clicking Apply.
  • Page 106: Session Limit

    7.1.4. Session Limit To prevent ill-behaved clients or malicious software from using up the system’s connection resources, the administrator can restrict the number of concurrent sessions that a user can establish. The maximum number of concurrent sessions (TCP and UDP) for each user can be specified in the Global policy, which applies to authenticated users, users on a non-authenticated port, privileged users, and clients in DMZ zones.
  • Page 107: User Access Control

    7.2. User Access Control WHG Controller supports user access control per service zone, for the entire system, or per authentication server. MAC Access Control per Service Zone Go to Main Menu > System > Service Zones. Each Service Zone’s Wireless Settings will be applied to APs that are mapped to this service zone. There is a MAC Access Control section where the administrator can specify up to 10 MAC addresses which are either allowed or denied wireless access to this service zone.
  • Page 108 There are multiple Black List profiles available. The administrator can select one and enforce this black list on the desired authentication server. Click the Add User(s) button to fill in usernames (postfix not required). When enforced on an authentication server, accounts in the black list will be denied authentication and network access. Privilege Users Set up the Privilege IP Address List and Privilege MAC Address List.
  • Page 109 Privilege IP Privilege IP/IPv6 Address List If there are workstations inside the managed network that need to access the network without authentication, enter the IP addresses of these workstations in the “Granted Access by IP Address”. The “Remark” field is not necessary but is useful to keep track.
  • Page 110 Privilege MAC Privilege MAC Address List In addition to the IP address, the MAC address of the workstations that need to access the network without authentication can also be set in the “Granted Access by MAC Address”. Controller allows specific privilege MAC addresses at most.
  • Page 111: Session Limit & Session Log

    7.3. Session Limit & Session Log Session Limit To prevent ill-behaved clients or malicious software from using up the system’s connection resources, administrators can restrict the number of concurrent sessions that a user can establish. The maximum number of concurrent sessions (TCP and UDP) for each user can be specified in each Policy profile, which applies to authenticated users; users on a non-authenticated port, privileged users, and clients in DMZ zones will follow the Global policy’s session limit.
  • Page 112 The following table shows an example of the session log data.
    Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1626 DIP=203.125.164.132 DPort=80
    Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1627 DIP=203.125.164.132 DPort=80
    Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1628 DIP=203.125.164.142 DPort=80
    Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1629 DIP=203.125.164.142 DPort=80
    Jul 20 12:35:07 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1630 DIP=67.18.163.154 DPort=80
    Jul 20 12:35:09 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1631 DIP=202.43.195.52 DPort=80...
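    The session log format shown above can be parsed off-box to see which users open sessions fastest, which helps when choosing or reviewing a per-user session limit. The following Python sketch is an added example, not code from the manual or from LevelOne; it assumes the log has been exported as text in chronological order, and because the sample shows only [New] events it counts new sessions per sliding window rather than true concurrent sessions. The function names, the 5-second window and the user2 lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout taken from the manual's sample session log lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<event>\w+)\](?P<user>\S+) (?P<proto>TCP|UDP) "
    r"MAC=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"SIP=(?P<sip>\S+) SPort=(?P<sport>\d{1,5}) "
    r"DIP=(?P<dip>\S+) DPort=(?P<dport>\d{1,5})$"
)

# First six lines follow the manual's example; the user2 lines and the
# malformed last line are constructed for this example.
SAMPLE_LOG = """
Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1626 DIP=203.125.164.132 DPort=80
Jul 20 12:35:05 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1627 DIP=203.125.164.132 DPort=80
Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1628 DIP=203.125.164.142 DPort=80
Jul 20 12:35:06 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1629 DIP=203.125.164.142 DPort=80
Jul 20 12:35:07 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1630 DIP=67.18.163.154 DPort=80
Jul 20 12:35:09 2009 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1631 DIP=202.43.195.52 DPort=80
Jul 20 12:35:07 2009 [New]user2@local UDP MAC=00:11:22:33:44:55 SIP=10.1.1.52 SPort=40000 DIP=192.0.2.53 DPort=53
Jul 20 12:35:40 2009 [New]user2@local TCP MAC=00:11:22:33:44:55 SIP=10.1.1.52 SPort=40001 DIP=192.0.2.80 DPort=443
Jul 20 12:35:41 2009 truncated line with no fields
"""


def parse_line(line):
    """Return a dict of typed fields, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S %Y")
    rec["mac"] = rec["mac"].lower()
    for port in ("sport", "dport"):
        rec[port] = int(rec[port])
        if rec[port] > 65535:  # reject values that cannot be a port
            return None
    return rec


def session_bursts(lines, window_seconds=5):
    """Peak count of [New] sessions per (user, MAC) inside a sliding window.

    Returns (peak, skipped): peak maps (user, mac) to the largest number of
    new sessions seen within window_seconds; skipped counts malformed lines.
    Lines for a given user are assumed to be in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # timestamps still inside the window
    peak = defaultdict(int)
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["event"] != "New":
            continue
        key = (rec["user"], rec["mac"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return dict(peak), skipped


def over_threshold(peak, threshold):
    """List (user, mac, count) entries whose peak reaches the threshold."""
    return sorted((u, m, n) for (u, m), n in peak.items() if n >= threshold)


if __name__ == "__main__":
    peaks, bad = session_bursts(SAMPLE_LOG.splitlines())
    for user, mac, count in over_threshold(peaks, 5):
        print(f"{user} ({mac}): {count} new sessions within 5 s")
    print(f"malformed lines skipped: {bad}")
```

    Keying on both username and MAC address keeps two devices sharing one account apart, which matters when Multiple Login is enabled.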
  • Page 113: Users' Login And Logout

    8. Users’ Login and Logout 8.1. Before User Login 8.1.1. Login with SSL Configure HTTPS; go to: System >> General. HTTPS (HTTP over SSL or HTTP Secure) by means of Secure Socket Layer (SSL) or Transport Layer Security (TLS) encrypts and decrypts user page requests as well as the pages that are returned by the Web server. This function will provide extra security upon client’s login.
  • Page 114: Internal Domain Name With Certificate

    8.1.2. Internal Domain Name with Certificate Configure Internal Domain Name; go to: System >> General >> Internal Domain Name. Internal Domain Name is the domain name of the WHG CONTROLLER as seen on client machines connected under service zone. It must conform to FQDN (Fully-Qualified Domain Name) standard. A user on client machine can use this domain name to access WHG CONTROLLER instead of its IP address.
  • Page 115 Click “Continue to this website” to access the user login page. To Use Default Certificate: Click Use Default Certificate to use the default certificate and key. Click restart to validate the changes.
  • Page 116: Walled Garden

    8.1.3. Walled Garden Configure Walled Garden; go to: Network >> Walled Garden. This function provides certain free services for users to access the websites listed here before login and authentication. Specific addresses or domain names of the websites can be defined in this list. Users without the network access right can still have a chance to experience the actual network service free of charge.
  • Page 117: Walled Garden Ad List

    8.1.4. Walled Garden AD List Configure Walled Garden AD List; go to: Network >> Walled Garden AD List. This function lets users access the advertisement websites listed here, free of charge, before login and authentication. Advertisement hyperlinks are displayed on the user’s login page. Clients who click on one will be redirected to the listed advertisement website.
  • Page 119: Mail Message

    8.1.5. Mail Message Configure Mail Message, go to: System >> Service Zones. When enabled, the system will automatically send an email to users if they attempt to send/receive their emails using POP3 email program (for example, Microsoft Outlook) before they are authenticated. Click Edit Mail Message to edit the message in HTML format.
  • Page 120: After User Login

    8.2. After User Login 8.2.1. Portal Home Page Configure Home Page Redirect; go to: System >> General. The Portal URL function allows the network administrator to specify whether to redirect a user’s web browser to a specific webpage or not. When “Specific” is checked, once a user has logged in successfully, the user’s web browser will be redirected to the URL set in the text box, such as http://www.google.com, regardless of the original homepage set in their computer.
  • Page 121: Idle Timer

    8.2.2. Idle Timer Configure Idle Timer; go to: Users >> Additional Control. If a user has idled with no network activities, the system will automatically kick out the user. The logout timer can be set between 1~1440 minutes, and the default idle time is 10 minutes.
  • Page 122: Multiple Login

    8.2.3. Multiple Login Configure Idle Timer, go to: Users >> Additional Control. When enabled, a user can log in from different computers with the same account. (This function doesn’t support On-demand users and RADIUS authentication.)
  • Page 123: Change Password Privilege

    8.2.4. Change Password Privilege Configure Local Users change password privilege; go to: Users >> Group >> Privilege. Privilege Profile: Change Password Privilege: When Change Password Privilege is enabled, the authenticated users within this Group are allowed to change their password via the Login Success Page. This function is not applicable for on-demand users.
  • Page 124: Proxy Server

    8.2.5. Proxy Server Configure Proxy Server; go to: Network >> Proxy Server. The system provides a Built-in Proxy Server and an External Proxy Server function. After successful authentication, the clients will be redirected back to the desired proxy servers. Basically, a proxy server can help clients access the network resources more quickly. This section presents basic examples for configuring the proxy server settings of WHG CONTROLLER.
  • Page 125 Using Extranet Proxy Server The second scenario is that a proxy server is placed in the Extranet (such as DMZ), which all users from the Intranet or the Internet are able to access. For example, the following diagram shows that a proxy server of an organization in the DMZ will be used.
  • Page 126: Local Area Ap Management

    9. Local Area AP Management All of the supported APs under management of the system will be shown in this table and listed by different AP type.
  • Page 127: Multiple Type Of Ap

    9.1. Multiple Type of AP Besides letting users connect to the WHG Controller via wired Ethernet cable, you can connect APs to the WHG Controller to extend network access wirelessly. The WHG Controller can manage multiple types of AP, such as EAP100, EAP-110, EAP-200, EAP-300, EAP700, OWL400, OWL410, OWL500 and OWL510.
  • Page 128: Configure Ap Template

    9.2. Configure AP Template Configure AP Template; go to: Access Points >> Enter Local Area AP Management >> Templates. The system supports up to three templates which include configurations of APs. The administrator can configure the settings together in the template instead of logging in to each AP’s management interface to set the configurations one by one. Select the AP type (if available) and one of the three available templates, and then click Edit to open the Template Editing page.
  • Page 129 General: In this section, revise the Subnet Mask and Default Gateway here if desired. Configure the NTP Servers and Time Zone. In addition, the administrator can enable a SYSLOG server to receive the log from the AP and enable SNMP read/write ability. ...
  • Page 130 throughout an ESS (Extended Service Set) and for secure exchange of station’s security context between current access point (AP) and new AP during handoff period. Wireless Client Isolation: The default value is Disabled. When “Enabled” is selected, all the wireless clients will be isolated from each other.
  • Page 131: Ap Discovery

    9.3. AP Discovery Configure Discovery AP; go to: Access Points >> Enter Local Area AP Management >> Discovery. After AP template configuration is complete, use this function to detect and scan for all of the APs connected under the managed network. Note that in Local Area AP Management the WHG Controller can only manage APs that are connected to its LAN ports.
  • Page 132 Discovery Results: The newly discovered APs will be listed here. When the system’s Service Zone is set to Tag-based mode, service zones can also be assigned here. After clicking Add, the current management page is directed to AP List, where the newly added APs will show up in the AP List with a status of “configuring”. It may take a couple of minutes to see the status of the newly added AP change from “configuring”...
  • Page 133: Ap Background Discovery

    9.3.1. AP Background Discovery Configure AP Background Discovery; go to: AP Management >> Enter Local Area AP Management >> Discovery. Background AP Discovery: Click Configure to enter Background AP Discovery interface and proceed with related configuration. The configuration is the same as AP Discovery. When Background AP Discovery function is enabled, the system will scan once every 10 minutes or according to the time set by the administrator.
  • Page 134: Manually Add Ap

    9.4. Manually add AP Add an AP Manually; go to: Access Points >> Enter Local Area AP Management >> Adding. The administrator can add supported APs into the List table manually here. Similar to the AP added after discovery, a manually added AP will show up with a status of "configuring" in the AP List initially. The system will attempt to configure the AP with the value specified.
  • Page 135: Ap With Service Zone

    9.5. AP with Service Zone Configure AP with Service Zone; go to: System >> Service Zones >> Service Zone Configuration. Service Zone Settings – Assigned IP Address range for AP Management Under port-based service zone, each service zone can designate an IP segment for IP address assignment to the managed AP when the newly discovered AP is added into the service zone.
  • Page 136 Service Zone Settings – Access Control for Service Zone All managed APs (VAP) that belong to this service zone have the same ACL table. When the status is Allowed, only clients whose MAC addresses are listed in this list are allowed to connect to the AP; on the other hand, when the status is Denied, the clients whose MAC addresses are listed in the list will be denied connection to the AP.
  • Page 137: Ap Security

    9.6. AP Security Configure AP Security; go to: System >> Service Zones. Security: For each service zone, administrators can set up the wireless security profile, including Authentication and Encryption. Authentication: Including Open System, Share Key, WPA, WPA2 or WPA/WPA2 Mixed. ...
  • Page 138: Change Managed Ap Settings

    9.7. Change managed AP settings Configure AP settings in AP List; go to: Access Points >> Enter Local Area AP Management >> List. All of the APs under the management of the WHG Controller will be shown in the list. The AP can be edited by clicking the hyperlink of AP Name and the AP status can be reviewed by clicking the hyperlink of Status.
  • Page 139 General Setting: Click the link to enter the General Setting interface. Firmware information also can be observed here. LAN Setting: Click the link to enter the LAN Setting interface. Administrator can revise the AP’s LAN IP settings including IP address, Subnet Mask and Default Gateway of AP. ...
  • Page 140 AP Status Summary includes AP Name, AP Type, LAN Interface MAC address, Wireless Interface MAC address, Report Time, SSID, and Number of Associated Clients. AP Status Details include System Status, LAN Status, Wireless LAN Status, Associated Client Status and Local Log Status.
  • Page 141: Ap Operations From Ap List

    9.8. AP Operations from AP List Configure AP List; go to: Access Points >> Enter Local Area AP Management >> List. 9.8.1. Reboot, Enable, Disable and Delete the AP Select any AP by checking the checkbox and then click the button below to Reboot, Enable, Disable, Delete, Apply Template and Apply Service Zone (Tag-Based) the selected AP if desired.
  • Page 142: Apply Template

    9.8.2. Apply Template Select any AP by checking the checkbox and then click Apply Template; select one template to apply to the AP.
  • Page 143: Apply Service Zone (Tag-Based Only)

    9.8.3. Apply Service Zone (Tag-Based Only) Select any AP by checking the checkbox and then click Apply Service Zone to select which Service Zones this AP associates to. For example, if SZ3 and SZ5 are selected for this AP, then these two Service Zones will be available under this AP.
  • Page 144: Firmware Management And Upgrade

    9.9. Firmware management and upgrade Configure Firmware management; go to: Access Points >> Enter Local Area AP Management >> Firmware. The system supports the firmware management of APs to upload new firmware, delete the existing firmware, and download the firmware to managed APs. Note that the AP's firmware version must be one that has been integrated. Firmware Upload displays the current version of the AP’s firmware.
  • Page 145: Wds Management

    9.10. WDS Management Configure WDS management; go to: Access Points >> Enter Local Area AP Management >> WDS Management. WDS Management (Wireless Distribution System) is a function used to connect APs (Access Points) wirelessly. The WDS management function of the system can help administrators to set up a “Tree” structure of WDS network. ...
  • Page 146: Rogue Ap Detection

    9.11. Rogue AP Detection Configure Rogue AP Detection; go to: Access Points >> Enter Local Area AP Management >> Rogue AP Detection. It is designed to detect non-managed or possibly malicious APs in the deployed environment. It uses the managed APs as sensors to find a non-managed AP even if that AP uses the same SSID as a managed AP.
  • Page 147 Basically, all managed APs can become Rogue AP sensors, but some earlier AP versions do not support this function; they appear in the Sensor List but are not available for selection, because the Sensor List lists all managed APs.
  • Page 148: Ap Load Balancing

    9.12. AP Load Balancing Configure AP Load Balancing; go to: Access Points >> Enter Local Area AP Management >> AP Load Balancing. It is a function to prevent managed APs from overloading. When the system detects that the number of clients associated with some APs exceeds a predefined threshold while other APs in the same group are still below the threshold, the balancing function will be activated to decrease the overloaded APs' transmit power and increase other available APs' transmit power;...
  • Page 149 1. Set up the Interval Configure Interval; go to: Access Points >>AP Load Balancing. Go to: Access Points >>AP Load Balancing >> Configuration. Input an Interval. If you input “0”, it means “Disabled”, and the system will not enable the AP Load Balancing function. 2.
  • Page 150 Before setting up AP Load Balancing, you must discover the APs and apply a template first. Note: For more detail on AP Management, please refer to the section Managing Wireless Network. All managed APs can join any of the Load Balancing Groups, so the Device List lists all managed APs. Select the APs, choose a Group and click Apply.
  • Page 151: Wide Area Ap Management

    Under Wide Area AP management, you can choose to simply monitor AP’s status via SNMP or logically incorporate LevelOne APs into the WHG Controller’s managed network via tunnels. AP models supported for Wide Area AP management include OWL800, EAP-200, EAP-110, EAP-300 and 3rd party AP. Please note that different WHG...
  • Page 152: Ap Discovery

    10.1. AP Discovery Discover connected APs; go to: Access Points >> Enter Wide Area AP Management >> Discovery. With the Discovery feature, the administrator can scan for APs regardless of their physical location as long as their IP address can be reached. After the discovery process, newly found APs will be listed under Device Results, allowing administrators to add them to the managed AP List.
  • Page 153: Manually Add Ap

    10.2. Manually add AP Add an individual Access Point to the managed list; go to: Access Points >> Enter Wide Area AP Management >> Adding. Besides the Discovery feature, which can search and list multiple APs for adding to the management list, the Adding page allows the administrator to directly add a single Access Point to the management list.
  • Page 154: Manage Ap Lists

    10.3. Manage AP Lists Manage AP lists; go to: Access Points >> Enter Wide Area AP Management >> List. When an EAP-200 is discovered or added to the AP list, it can be logically deployed into the WHG Controller’s managed network regardless of its physical location by tunnels. Initially when an AP has been successfully added to the List, its “Tunnel Status”...
  • Page 155 AP’s tunnel settings can be checked at “System >> Management” page. On the WHG Controller side, the AP’s Tunnel status will show green light indicating an active tunnel has been set up between WHG Controller and AP. Now the administrator can click “Edit” and re-enter the Tunnel Status page to assign a Service Zone to this tunnel managed AP.
  • Page 156: Manage Third Party Ap

    10.4. Manage Third Party AP Add a third party AP; go to: Access Points >> Enter Wide Area AP Management >> List. Add third party AP by selecting THIRDAP from Device Type. Add to AP List manually by specifying third party AP’s IP address, Name, and VLAN ID.
  • Page 157: Map

    10.5. Map Configure maps; go to: Access Points >> Enter Wide Area AP Management >> Map. The Map tab page is implemented with Google Map API version2, which allows administrators to view at a glance the whereabouts of all of the APs under Wide Area AP Management. This feature is helpful when it comes to network planning and management.
  • Page 158: Register Key From Google

    10.5.1. Register key from Google Before configuring your maps, you will need to register the WHG Controller’s IP address at Google Maps and get a key from Google. Go to http://code.google.com/intl/en/apis/maps/documentation/javascript/v2/ or search for “Google Map API”, to enter the Google code page. Click on “Sign up for a Google Maps API key”.
  • Page 159: Create A Map

    10.5.2. Create a Map Now, return to the Map tab page in WHG Controller’s WMI, scroll down to the bottom of the page, and click on the Add a New Map button. An editing page will open for configuration. Please fill in a Map Name for this map and its geographical location as defined by Longitude and Latitude; remember to also fill in the Key issued by Google.
  • Page 160: Marking Aps On Your Map

    10.5.3. Marking APs on your Map If you have several APs deployed and listed in List under Wide Area AP Management, their geographical location can be marked on a particular map. Firstly, go to the List tab page and click on the Edit button of the APs that you wish to mark in the map. In the AP configuration page, set the coordinates (Latitude and Longitude) of this AP and the radius of signal coverage.
  • Page 161 The selected APs will show up as marker images on the map at the physical coordinates configured, as shown below. You can click on the AP icon to see the dialogue box for additional information or links that you have configured. Click the more info link for information on AP status, Client List, WDS List and Links related to this AP.
  • Page 162 AP status, Client List and WDS List information listed are collected from the remote AP via SNMP.
  • Page 163: Operations From Map Page

    10.5.4. Operations from Map page Goto Map: When you have configured multiple map profiles, this function allows switching between different maps. Goto AP: This function is for administrator to select an AP on the list, and the map will shift to show the selected AP in the center of the map.
  • Page 164: Ap Operations From Ap List

    10.6. AP Operations from AP List Perform operations on managed APs; go to: Access Points >> Enter Wide Area AP Management >> List. After adding APs to the managed List, the List page provides some operations for managing the listed APs. ...
  • Page 165 chosen AP’s configuration settings using a .db file stored locally on the administrator’s PC or in the WHG Controller’s memory. Upgrade: Clicking this button will open a popup window where the administrator can upgrade the chosen AP’s firmware using a firmware file stored locally on the administrator’s PC or in the WHG Controller’s memory (under the Firmware tab page).
  • Page 166: Wds List

    10.7. WDS List View the WDS link information established between APs in Wide Area AP Management; go to Access Points >> Enter Wide Area AP Management >> WDS List. The WDS link if established between APs listed in List will be listed here with related information such as the Band and Channel of the link, Security settings if any and the Transmit Power, Byte, Packets etc.
  • Page 167: Backup Config

    10.8. Backup Config View previously saved backup files for Wide Area APs; go to: Access Points >> Enter Wide Area AP Management >> Backup Config. Backed up Config files can be used to restore an AP’s settings in List. When the administrator backs up an AP’s configuration settings, all the backup files are listed at the Backup Config tab page and can be downloaded to a local storage device or deleted from WHG Controller’s memory.
  • Page 168: Firmware Management And Upgrade

    10.9. Firmware management and upgrade Upload or view the details of previously uploaded firmware for upgrading APs; go to: Access Points >> Enter Wide Area AP Management >> Firmware. The WHG Controller can store AP firmware in its built-in memory. Under the Firmware tab page the administrator can upload new AP firmware to the WHG Controller’s memory, allowing for easy remote AP upgrade and restore operations from the AP List page.
  • Page 169: Capwap

    10.10. CAPWAP Enable the CAPWAP auto-discovery feature for supported APs; go to: Access Points >> Enter Wide Area AP Management >> CAPWAP. CAPWAP is a standard interoperable protocol that enables a WHG Controller to manage a collection of wireless access points. ...
  • Page 170: Networking Features Of A Gateway

    11. Networking Features of a Gateway 11.1. DMZ Configure DMZ; go to: Network >> NAT >> DMZ (Demilitarized Zone). The system supports specific sets of Internal IP address (LAN) to External IP address (WAN) mapping in the Static Assignments. The External IP Address of the Automatic WAN IP Assignment is the IP address of External Interface (WAN1) that will change dynamically if WAN1 Interface is Dynamic.
  • Page 171: Virtual Server

    11.2. Virtual Server Configure Virtual Server; go to: Network >> NAT >> Public Accessible Server. This function allows the administrator to set virtual servers, so that client devices outside the managed network can access these servers within the managed network. Different virtual servers can be configured for different sets of physical services, such as TCP and UDP services in general.
  • Page 172: Client Mobility

    11.3. Client Mobility Configure IP Plug and Play; go to: Network >> Client Mobility. WHG CONTROLLER supports IP PNP function: users can login and access network with any IP address setting. At the user end, a static IP address can be used to connect to the system. Regardless of what the IP address used at the user end, authentication can still be performed through WHG CONTROLLER.
  • Page 173: Dns Cache

    11.4. DNS Cache Configure DNS Cache; go to: Network >> DNS Cache. The administrator could statically assign Domain Name to IP mappings for all clients connected to the WHG Controller’s LAN network. This feature can be used to redirect clients to preferred IP address for certain Domain Names.
  • Page 174: Dynamic Domain Name Service

    11.5. Dynamic Domain Name Service Configure Dynamic Domain Name Service; go to: Network >> DDNS. Before activating this function, you must have your Dynamic DNS hostname registered with a Dynamic DNS provider. WHG CONTROLLER supports DNS function to alias the dynamic IP address for the WAN port to a static domain name, allowing the administrator to easily access WHG Controller’s WAN.
  • Page 175: Port And Ip Forwarding

    11.6. Port and IP Forwarding Configure Port and IP Redirect; go to: Network >> NAT >> Port and IP Forwarding. This function allows the administrator to set specific sets of the IP addresses at most for redirection purpose. When the user attempts to connect to a destination IP address listed here, the connection packet will be converted and redirected to the corresponding destination.
  • Page 176: Dynamic Route

    11.7. Dynamic Route Configure Dynamic Route; go to: Network >> Dynamic Route. The function supports three dynamic routing protocols: RIP, OSPF and IS-IS. • RIP Configuration: It is a dynamic routing protocol used in local and wide area networks. You can configure each interface to be Passive, supportive version and authentication.
  • Page 177 routing information. • Timeout Timer: Routes are only kept in the routing table for a limited amount of time. A special Timeout timer is started whenever a route is installed in the routing table. Whenever the router receives another RIP Response with information about that route, the route is considered “refreshed” and its Timeout timer is reset.
  • Page 178 a group of physically connected computers or similar devices. You can configure each interface Circuit Type to Level 1 or Level 2. • Net ID: It is the ISO address Network Entity Title (NET). The NET is used just like an IP address to uniquely identify a router on the inter-network.
  • Page 179: System Management And Utilities

    12. System Management and Utilities 12.1. System Time Configure System Time; go to: System >> General. 12.1.1. NTP (Network Time Protocol) communication protocol can be used to synchronize the system time with remote time server. Please specify the local time zone and the IP address of at least one NTP server for adjusting the time automatically (Universal Time is Greenwich Mean Time, GMT).
  • Page 180: Manual Settings

    12.1.2. Manual Settings The time can also be manually configured by selecting Manually set up and then entering the date and time in these fields.
  • Page 181: Management Ip

    12.2. Management IP Configure Management IP; go to: System >> General. Only PCs within this IP range on the list are allowed to access the system's web management interface. For example, 10.2.3.0/24 means that as long as an administrator is using a computer with the IP address range of 10.2.3.0/24, he or she can access the web management page.
  • Page 182: Access History Ip

    12.3. Access History IP Configure Access History IP; go to: System >> General. Specify an IP address of the administrator’s computer or a billing system to get billing history information of WHG CONTROLLER with the predefined URLs. The file name format is “yyyy-mm-dd”. An example is provided as follows: Traffic History: https://10.2.3.213/status/history/2005-02-17 On-demand History: https://10.2.3.213/status/ondemand_history/2005-02-17...
  • Page 183: Snmp

    12.4. SNMP Configure SNMP; go to: System >> General. If this function is enabled, the SNMP Management IP and the Community can be assigned to access the SNMP Configuration List of the system.
  • Page 184: Change Password

    12.5. Change Password Configure Change Password; go to: Utilities >> Password Change. There are three levels of authorities: admin, manager or operator. The default usernames and passwords are as follows: Admin: The administrator can access all configuration pages of WHG CONTROLLER. User Name: admin Password: admin Manager: The manager can only access the configuration pages under User Authentication to manage the user...
  • Page 185: Backup / Restore And Reset To Factory Default

    12.6. Backup / Restore and Reset to Factory Default Configure Backup / Restore and Reset to Factory Default; go to: Utilities >> Backup & Restore. This function is used to backup/restore the WHG CONTROLLER settings. Also, WHG CONTROLLER can be restored to the factory default settings here.
  • Page 186: Firmware Upgrade

    12.7. Firmware Upgrade Configure Firmware Upgrade; go to: Utilities >> System Upgrade. The administrator can download the latest firmware from website and upgrade the system here. Click Browse to search for the firmware file and click Apply for the firmware upgrade. It might take a few minutes before the upgrade process completes and the system needs to be restarted afterwards to activate the new firmware.
  • Page 187: Restart

    12.8. Restart Configure Restart; go to: Utilities >> Restart. This function allows the administrator to safely restart WHG CONTROLLER, and the process might take approximately three minutes. Click YES to restart WHG CONTROLLER; click NO to go back to the previous screen. If the power needs to be turned off, it is highly recommended to restart WHG CONTROLLER first and then turn off the power after completing the restart process.
  • Page 188: Network Utility

    12.9. Network Utility Configure Network Utility; go to: Utilities >> Network Utilities. The system provides some network utilities to help administrators manage the network easily.
  • Page 189 Item: Wake-on-LAN. Description: It allows the system to remotely boot up a powered-down computer that has the Wake-On-LAN feature enabled in its BIOS and is connected to any service zone. Enter the MAC Address of the desired device and click the Wake Up button to execute this function...
  • Page 190: Certificate

    12.10. Certificate Configure Certificate Utility; go to: Utility >> Certificate. The AC can issue certificates to APs that it manages in its private network. The administrator can sign certificates issued by the system’s root CA and load these certificates to managed APs. These APs will be used in verifying the identity and authenticity of CAPWAP discovery requests between AP and AC.
  • Page 191 • Create System’s Root CA: The administrator can create a root CA for private use. The created root CA certificate can be downloaded and used to sign certificates generated by the system. The created root CA will be displayed in the table below...
  • Page 192 The generated certificate will be listed in the My Issue Certificate table. The certificate and key can be downloaded with the Get Cert and Get key buttons. • Uploading Certificate or Trusted CA: Apart from the self-signed certificate and the system’s root CA, administrators can also upload other certificates signed by other CA entities or Trusted CAs into the system.
  • Page 193: Administrator Account

    12.11. Administrator Account Configure operator accounts; go to: Utilities >> Administrator Account. WHG Controller has three kinds of permanent management account: admin, manager or operator. The default usernames and passwords show as follows: Admin: The administrator can access all configuration pages of WHG Controller and has all modification and access privilege.
  • Page 194 • Create Admin Account: Different operator accounts and their passwords can be specified here. Groups here are authorization profiles that will be applied to this operator account; each Group profile can specify which SZ this account can access and the Maps that this operator can access.
  • Page 195 • Configure operator Group profile: Group allowed SZ and Map can be configured here. In this configuration page, the administrator can specify which Service Zone and Map are allowed to be accessed by the operator that belongs to this Group. This feature allows the administrator to create multi-level privilege accounts with flexibility to meet the deployment and management needs.
  • Page 196: Monitor Ip

    12.12. Monitor IP Configure Monitoring 3rd Party IP; go to: Network >> Monitor IP. WHG CONTROLLER will send out a packet periodically to monitor the connection status of the IP addresses on the list. For each monitored item with a web server running, administrators may add a link for easy access by entering the IP, setting the Protocol to http or https and then clicking Create.
  • Page 197: Console Interface

    12.13. Console Interface The administrator can enter the console interface via this port to handle problems and situations that occur during operation. 1. In order to connect to the console port of WHG CONTROLLER, a console, modem cable and a terminal simulation program, such as the Hyper Terminal are needed.
  • Page 198 • Utilities for network debugging: The console interface provides several utilities to assist the Administrator in checking the system conditions and debugging any problems. The utilities are described as follows: • Ping host (IP): Sends an ICMP echo request to a specified host and waits for the response to test the network status.
  • Page 199 The username is “admin” and the default password is also “admin”, which is the same as for the web management interface. Password can also be changed here. If administrators forget the password and are unable to log in the management interface from the web or the remote end of the SSH, they can still use the null modem to connect the console management interface and set the administrator’s password again.
  • Page 200: System Status And Reports

    13. System Status and Reports 13.1. View the Status This section includes System Status, Interface Status, Hardware, Routing Table, Online Users, Session List, User Logs, Logs, DHCP Lease, and E-mail & Syslog to provide system status information and online user status.
  • Page 201: System Status

    13.1.1. System Status View System Status; go to: Status >> System. This section provides an overview of the system for the administrator.
  • Page 202 The description of the above-mentioned table is as follows:
    Item | Description
    Firmware Version | The present firmware version of WHG CONTROLLER
    Build | The current build number.
    System Name | The system name. The default is WHG CONTROLLER
    Portal URL | The page the users are directed to after initial login success.
    The IP address and port number of the external Syslog Server.
  • Page 203: Interface Status

    13.1.2. Interface Status View Interface Status; go to: Status >> Interface. This section provides an overview of the interface for the administrator including WAN1, WAN2, SZ Default, SZ1 ~ SZ8.
  • Page 204 The description of the above-mentioned table is as follows:
    Item | Description
    Select Interface | From the drop-down menu, administrators can select which interface status to display.
    Mode | Operating mode of this interface.
    MAC Address | The MAC address of the WAN2 port.
    IP Address | The IPv4 address of the WAN2 port.
  • Page 205 13.1.3. View Hardware Status; go to: Status >> HW. This tab page displays the system’s hardware usage information.
  • Page 206: Routing Table

    13.1.4. Routing Table View Routing Table; go to: Status >> Routing Table >> IPv4/IPv6 Table. All the Policy Route rules and Global Policy Route rules will be listed here. Also it will show the System Route rules specified by each interface. •...
  • Page 207: Online Users

    13.1.5. Online Users View Online Users, go to: Status >> Online Users. In this page, all online users’ information is displayed. Administrators can force out a specific online user by clicking the hyperlink of Kick Out and check the user access AP status by clicking the hyperlink of the AP name for Access From.
  • Page 208: Non-Login Users

    13.1.6. Non-Login Users View Non-Login Users; go to: Status >> Non-Login Users. This page shows users that have acquired an IP address from the system’s DHCP server but have not yet been authenticated. This feature is designed to help administrators keep track of system resources and prevent them from being exhausted. The list shows the client’s MAC Address, IP Address and associated VLAN ID, Service Zone as well as Associated AP if the client uses a wireless connection.
  • Page 209: Session List

    13.1.7. Session List View Session List; go to: Status >> Session List. This page allows the administrator to inspect sessions currently established between a client and the system. Each result displays the IP and Port values of the Source and Destination. You may define the filter conditions and display only the results you desire.
  • Page 210: User Logs

    13.1.8. User Logs View Traffic History, go to: Status >> Users Log. This page is used to check the traffic history of WHG CONTROLLER. The history of each day will be saved separately in the DRAM for at least 3 days (72 full hours). The system also keeps a cumulated record of the traffic data generated by each user in the latest 2 calendar months.
  • Page 211 • On-demand User Log: As shown in the following figure, each line is an on-demand user log record of user activities consisting of 13 fields: Date, System Name, Type, Name, IP, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out, 1st Login Expiration Time, Account Valid Through and Remark.
  • Page 212: Local User Monthly Network Usage

    13.1.9. Local User Monthly Network Usage View Local User Monthly Network Usage; go to: Status >> User Logs. • Monthly Network Usage of Local User: The system keeps a cumulated record of the traffic data generated by each Local user in the latest 2 calendar months.
  • Page 213: Logs

    13.1.10. Logs View Logs; please go to: Status >> Logs. This page displays the system’s local log information since system boot up. Administrators can examine the log entries of various events. However, since all this information is stored in volatile memory, it will be lost during a restart/reboot operation.
  • Page 214: Dhcp Lease

    13.1.11. DHCP Lease View DHCP Lease; go to: Status >> DHCP Lease. The DHCP IP lease statistics can be viewed after clicking on Show Statistics List in this page. • Statistics of offered list: Valid lease counts of the Last 10 Minutes, Hours and Days are shown here. The headers 1 ~ 10 are unit multipliers; for instance, the number under column 2 indicates the lease count in the last 20 minutes/hours/days, the number under column 3 indicates the lease count in the last 30 minutes/hours/days and so on.
  • Page 215: Notification

    13.2. Notification Configure Notification; go to: Status >> Report & Notification. WHG CONTROLLER can automatically send various kinds of user and/or system related reports to configured E-mail addresses, SYSLOG Servers, or FTP Server. • SMTP Settings: Allows the configuration of 5 recipient E-mail addresses and necessary mail server settings where various user related logs will be sent to.
  • Page 216: Smtp Settings

    13.2.1. SMTP Settings • Receiver E-mail Address (1 ~ 5): Up to 5 E-mail addresses can be set up here to receive notifications. • Sender E-mail Address: The e-mail address of the administrator in charge of the monitoring. This will show up as the sender’s e-mail.
  • Page 217: Syslog Settings

    13.2.2. SYSLOG Settings • SYSLOG Destinations: Up to two external SYSLOG servers may be configured. Please enter the IP address and port number of the external SYSLOG server. • System Log: This controls the enabling/disabling of the SYSLOG logging feature. When enabled, the selected logs from “Notification Settings”...
  • Page 218: Ftp Settings

    13.2.3. FTP Settings • FTP Destination: Specify the IP address and port number of your FTP server. If your FTP needs authentication, enter the Username and Password. The “Send Test Log” radio button can be used to send a test log for testing your current FTP destination settings.
  • Page 219: Notification Settings

    13.2.4. Notification Settings This configuration page allows the selection of log types to send, either to preconfigured E-mail, SYSLOG Servers or FTP Server based on the chosen time Interval. • Sending Logs to E-mail: The following log types can be sent to E-mail addresses configured in “SMTP Settings”: Monitor IP Report, Users Log, On-demand Users Log, Session Log.
  • Page 220 • Detail: Clicking this radio button allows the configuration of the E-mail subject for the corresponding log. • Send: Clicking this radio button sends a test log to the selected E-mail address. • Sending Logs to SYSLOG: The following log types can be sent to external SYSLOG servers configured in “SYSLOG Settings”: Users Log, On-demand Users Log, Session Log, Hardware Log, HTTP Web Log, and DHCP Server Log.
  • Page 221 • Sending Logs to FTP: The following log types can be sent to external FTP servers configured in “FTP Settings”: Users Log, On-demand Users Log, Session Log, HTTP Web Log, DHCP Lease Log, and System Report. Click the desired log type and select the time interval for sending the log. Detail: Clicking this radio button allows the specification of the FTP server folder where the logs sent will be stored on the FTP server.
  • Page 222: System Report

    13.2.5. System Report The function provides graphical statistics information on CPU Loading, CPU Temperature, Memory Usage, etc. This page displays system status and resource usage in a plotted graph. It can show the total DHCP Lease number of all Service Zones and of each Service Zone...
  • Page 223: Virtual Private Network (Vpn)

    14. Virtual Private Network (VPN) 14.1. Local VPN The system is equipped with an IPSec VPN feature. To utilize the IPSec VPN supported by Microsoft Windows XP SP2 (with patch) and Windows 2000 operating systems, the system implements IPSec VPN tunneling technology between the client’s Windows devices and the system itself regardless of wired or wireless network.
  • Page 224 tunnels between them. If the connection is down, the ActiveX component will detect the broken link and decompose the IPSec tunnel. Once the IPSec VPN tunnel is built, all sent packets will be encrypted. Without connecting to the original IPSec VPN tunnel, a client has no alternative way to gain network connection beyond this.
  • Page 225 This patch also fixes the problem of supporting active mode FTP inside IPSec VPN tunnel of Windows XP SP2. Please UPDATE clients’ Windows XP SP2 with this patch. • The Termination of ActiveX The ActiveX component for IPSec VPN is running in parallel with the web page of “Login Success”. To ensure that the built-in IPSec VPN tunnel is always alive, unless clients decide to close the session and to disconnect from WHG CONTROLLER, the following conditions or behaviors, which may cause the Internet Explorer to stop the ActiveX, should be avoided.
  • Page 226 • FAQ (1) How to clean IPSec client? ANS: Open a command prompt window and type the commands as follows.
      C:\> cd %windir%\system32
      C:\> Clean_IPSEC.bat
      C:\> cd %windir%\system32
      C:\> ipsec2k.exe stop
    (2) How to remove ActiveX component in client’s computer? ANS: ①...
  • Page 227: Remote Vpn

    14.2. Remote VPN Configure Remote VPN; go to: Network >> VPN >> Remote VPN. WHG CONTROLLER supports Remote VPN so that users can log in to the system from a remote location. After logging in to the system from the network outside the WAN, the user will have the same experience as logging in to WHG CONTROLLER locally under the service zone.
  • Page 228: Site-To-Site Vpn

    14.3. Site-to-Site VPN Configure Site-to-Site VPN; go to: Network >> VPN >> Site-to-Site VPN. WHG CONTROLLER supports Site-to-Site VPN so that more than 2 WHG CONTROLLERs can create VPN tunnels to each other over the WAN network. For example, if there are 2 WHG CONTROLLERs, you can create a VPN tunnel to let a subnet of one WHG CONTROLLER access the subnet of another WHG CONTROLLER.
  • Page 229 For example, with “192.168.11.0/24” of WHG CONTROLLER_A >> “192.168.111.0/24” of WHG CONTROLLER_B, after the tunnel is created, the users within these two subnets can reach each other. You can create more than one VPN tunnel, but the IP segment mappings cannot overlap, that is, the same IP segment cannot have more than one routing rule.
  • Page 230: Customization Of Portal

    15. Customization of Portal Pages 15.1. Customizable Pages Configure Customizable Pages; go to: System >> Service Zones. There are several users’ login and logout pages for each service zone that can be customized by administrators. Go to System Configuration >> Service Zone >> Configure >> Authentication Settings / Custom Pages. Click the button of Configure, the setup page will appear.
  • Page 231: Loading A Customized Login Page

    15.2. Loading a Customized Login Page • Custom Pages >> Login Page: The administrator can use the default login page or get the customized login page by setting the template page, uploading the page or downloading from a designated website. After finishing the setting, click Preview to see the login page.
  • Page 232 • Custom Pages >> Login Page >> Uploaded Page: Choose Uploaded Page and upload a login page to the built-in HTTP server.
  • Page 233 The user-defined login page must include the following HTML codes to provide the necessary fields for user name and password. And if the user-defined login page includes an image file, the image file path in the HTML code must be the image file to be uploaded.
  • Page 234: Using An External Login Page

    15.3. Using an External Login Page • Custom Pages >> Login Pages >> External Page: Choose the External Page selection and get the login page from a designated website. In the External Page Setting, enter the URL of the external login page and then click Apply. After applying the setting, the new login page can be previewed by clicking the Preview button at the bottom of this page.
  • Page 235: Load A Customized Logout Page

    15.4. Load a Customized Logout Page • Custom Pages >> Logout Page: The administrator can apply their own logout page in the menu. As the process is similar to that of the Login Page, please refer to the “Login Page >> Uploaded Page” instructions for more details. The difference is that the HTML code of the user-defined logout interface must include the following HTML code so that the user can enter the username and password.
  • Page 236: How External

    15.5. How External Page Operates Choose External Page if you desire to use an external web page for your custom pages. Simply enter the URL of your external webpage, click Preview button to check if it is reachable, take a look at how your external webpage will be displayed, then click Apply button.
  • Page 237 The URL parameters sent by the Gateway to the external login page are as follows:
    Field | Value | Description
    loginurl | String (URL encoded) | The URL which shall be submitted when the user logs in.
    remainingurl | String (URL encoded) | The URL which shall be submitted when the user wants to get the remaining quota.
  • Page 238
    <FORM action="" method="post" name="form">
    <script language="Javascript">
    form.action = getVarFromURL(window.location.href, 'loginurl');
    </script>
    <INPUT type="text" name="myusername" size="25">
    <INPUT type="password" name="mypassword" size="25">
    <INPUT name="button_submit" type="submit" value="Enter">
    <INPUT name="button_clear" type="button" value="Clear">
    </FORM>
    The following shows the corresponding self-defined javascript function used to parse the loginurl parameter: function getVarFromURL(url, name) { if(name == ""...
  • Page 239 • URL Variables from Gateway: This section displays all the URL parameters that are sent from the Gateway to the various external pages. • External Login Page: Variables:
    Field | Value | Description
    loginurl | String (URL encoded) | The URL which shall be submitted when the user logs in.
  • Page 240
    Change_passwd_url | String (URL encoded) | The URL which shall be submitted when the user wants to change password. (Only available for LOCAL user)
    ondemand_creation_url | String (URL encoded) | The URL which shall be submitted when the user wants to create an on-demand user. (Only available for LOCAL user)
    Vlanid | Integer (1~4094)
  • Page 241 (Only available for RADIUS user)
    WISPR-BILLING-TIME | String, format: HH:MM | WISPr Billing-Time attribute (Only available for RADIUS user)
    session | String | Encrypted session information
    • External Error Page: Variables: Field Value Description String, includes: Error message The system is busy. Please try again later.
  • Page 242 because it is currently not the service hour for your account. You have already logged in. Sorry, there is a system problem checking the information of your account (XXX).<BR>Please contact your network administrator. Invalid username or password.<BR>Please check your username and password and try again.
  • Page 243 • External Logout Successful Page: Variables: Field Value Description String User ID (postfix is included) Vlanid Integer (1~4094) VLAN ID Gwip IP format Gateway activated IP address • External On-demand login successful page: Variables: Field Value Description String User ID (postfix is included) Utype String (LOCAL, RADIUS, Authentication server name...
  • Page 244 • External Logout Fail Page: Variables: Field Value Description String User ID Gwip IP format Gateway activated WAN IP address Vlanid Integer (1~4094) VLAN ID...
  • Page 245 1. URL Variables to Gateway This section presents the parameters that need to be sent back to the Gateway for the various external pages. Path: is the URL destination; Input: the parameters required to send back; Output: the feedback from system. •...
  • Page 246
    Field | Required | Value | Description
    myusername | Required | String | User name
    mypassword | Required | String | Password
    ret_url | Optional | String (URL encoded) | Returned URL, default is pop_reminder.shtml
    command | Optional | String | getValue: If command is set to “getValue”, the return URL would be ignored, and the page would only print out the available quota.
  • Page 247 -2: Out of quota. -3: Expired. -4: Redeemed. Uname String User name Type String, includes: On-demand user billing type TIME: Time type DATA: Volume type CUTOFF: Cut-off type • Change password (Local User): Path: (LAN IP address or Internal Domain Name) /loginpages/user_change_password.shtml Input: Field Required...
  • Page 248 Input: Field Required Value Description Optional String Current user ID (If not presented, user name stored in cookie is the default value) upassword Optional String Current user password (If not presented, password stored in cookie is the default value) myusername Required String Redeem user ID...
  • Page 249 Redeem user login already. Had been redeemed before. User run out of quota. Maximum allowable time is exceeded. Maximum allowable memory space is exceeded. Wrong postfix please check it. This account is expired. • On-demand account creation (Local User) Path: (LAN IP address or Internal Domain Name) /loginpages/UserAuthentication/OnDemandRecept.shtml Input: Field...
  • Page 250 price, number is account s/n. duration, serial number...
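
    The sample form on page 238 posts the user name and password to whatever the loginurl query parameter contains, so an external login page can check that value before using it as the form action. The following is an added example, not code from the LevelOne manual: resolveLoginAction, attachToForm, ALLOWED_GATEWAY_HOSTS, the sample host and the placeholder path are assumptions, as is the gateway serving its login URL over HTTPS.

```javascript
// Added example (not LevelOne code): validate the gateway-supplied "loginurl"
// before an external login page posts credentials to it.

// Assumption: the hosts the portal operator knows to be its own gateways.
// 10.2.3.213 is a constructed sample address.
const ALLOWED_GATEWAY_HOSTS = ['10.2.3.213'];

/**
 * Extract "loginurl" from the external page's own URL and return it only if
 * it is an absolute URL on an allowed gateway host and scheme.
 * Returns the normalized URL string, or null when the value must not be used.
 */
function resolveLoginAction(pageUrl, allowedHosts, allowedProtocols = ['https:']) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null; // the page URL itself is malformed
  }

  // searchParams decodes the URL-encoded value once, as the manual describes.
  const values = page.searchParams.getAll('loginurl');
  if (values.length !== 1) return null; // missing or ambiguous parameter

  let target;
  try {
    target = new URL(values[0]); // no base: relative and scheme-less values throw
  } catch {
    return null;
  }

  if (!allowedProtocols.includes(target.protocol)) return null;
  // Reject user-info tricks such as https://gateway@other-host/
  if (target.username !== '' || target.password !== '') return null;
  // Exact host match; suffix or substring matches are not accepted.
  if (!allowedHosts.includes(target.hostname)) return null;

  return target.href;
}

/**
 * Set the form target from the validated loginurl, or disable the submit
 * button when validation fails. Uses the form and field names from the
 * manual's sample ("form", "button_submit"). Returns true when the form
 * was armed with a validated action.
 */
function attachToForm(doc, pageUrl, allowedHosts = ALLOWED_GATEWAY_HOSTS) {
  const form = doc.forms['form'];
  const action = resolveLoginAction(pageUrl, allowedHosts);
  if (action === null) {
    form.elements['button_submit'].disabled = true;
    return false;
  }
  form.action = action;
  return true;
}

// Constructed sample inputs. The login path is a placeholder because the
// manual excerpt does not show the real one.
const GOOD_LOGINURL =
  'https://10.2.3.213/loginpages/LOGIN_PATH_PLACEHOLDER?sid=constructed';

function samplePageUrl(loginurl) {
  return 'https://portal.example/login.html?vlanid=1&loginurl=' +
    encodeURIComponent(loginurl);
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    attachToForm(document, window.location.href);
  });
}
```

    When validation fails the submit button stays disabled, so the credentials are never sent to a host outside the allowlist.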
  • Page 251: Disclaimer Page

    15.6. Disclaimer Page Configure Disclaimer Page; go to: System >> Service Zone >> Service Zone Configuration >> Disclaimer Page. Before the configuration of the Disclaimer Page, Disclaimer Page must be enabled first; click on Enable Disclaimer Page to redirect to General Settings: System >> General >> Disclaimer Page...
  • Page 253: Payment Gateways

    16. Payment Gateways 16.1. Payments via Authorize.Net Configure Payments via Authorize.Net; go to: User >> Authentication >> On-demand User >> External Payment Gateway >> Authorize.Net. Before setting up “Authorize.Net”, it is required that the merchant owners have a valid Authorize.Net account...
  • Page 254 • Service Disclaimer Content / Choose Billing Plan for Authorize.Net Payment Page / Client’s Purchasing Record. Service Disclaimer Content: View service agreements and fees for the standard payment gateway services here as well as adding new or editing services disclaimer. Choose Billing Plan for Authorize.Net Payment Page: These 10 plans are the plans configured in Billing Plans page, and all previously enabled plans can be further enabled or disabled here, as needed.
  • Page 255 • Authorize.Net Payment Page Fields Configuration / Authorize.Net Payment Page Remark Content • Authorize.Net Payment Page Fields Configuration: Item: Check the box to show this item on the customer’s payment interface. Displayed Text: Enter what needs to be shown for this field. Required: Check the box to indicate this item as a required field.
  • Page 256 information of a transaction. This field may contain any format of information. First Name: The first name of a customer associated with the billing or shipping address of a transaction. In the case when John Doe places an order, enter John in the First Name field indicating this customer’s name.
  • Page 257: Payments Via Paypal

    16.2. Payments via PayPal Configure Payments via PayPal; go to: User >> Authentication >> On-demand User >> External Payment Gateway >> PayPal. Before setting up “PayPal”, it is required that the hotspot owners have a valid PayPal “Business Account”. After opening a PayPal Business Account, the hotspot owners should find the “Identity Token” of this PayPal account to continue “PayPal Payment Page Configuration”.
  • Page 258 • Service Disclaimer Content / Billing Configuration for Payment Page. Service Disclaimer Content: View the service agreement and fees for the standard payment gateway services as well as add or edit the service disclaimer content here. Choose Billing Plan for PayPal Payment Page: These 10 plans are the plans in Billing Configuration, and the desired plan(s) can be enabled.
  • Page 259: Payments Via Securepay

    16.3. Payments via SecurePay Configure Payments via SecurePay; go to: User >> Authentication >> On-demand Users >> External Payment Gateway >> SecurePay. Before setting up “SecurePay”, it is required that the hotspot owners have a valid SecurePay “Merchant Account” from its official website...
  • Page 260 Pay. Currency: The currency to be used for the payment transactions. • Service Disclaimer Content: View the service agreement and fees for the standard payment gateway services as well as add or edit the service disclaimer content here. • SecurePay Payment Page Billing Configuration: These 10 plans are the plans in Billing Configuration, and the desired plan(s) can be enabled.
  • Page 261: Payments Via Worldpay

    16.4. Payments via WorldPay Configure Payments via WorldPay; go to: User >> Authentication >> On-demand Users >> External Payment Gateway >> WorldPay. • WorldPay Payment Page Configuration: Installation ID: The ID of the associated Merchant Account. Payment Gateway URL: The default website of posting all transaction data. Currency: The currency to be used for the payment transactions.
  • Page 262 The message content will be displayed as a special notice to end customers. Before setting up “WorldPay”, it is required that the hotspot owners have a valid WorldPay “Merchant Account” from its official website: RBS WorldPay: Merchant Services & Payment Processing, going to rbsworldpay.com >> support center >>...
  • Page 263 STEP⑦. Select the Save Changes button STEP⑧. Input Installation ID and Payment Gateway URL in gateway UI. • Installation ID: 2009test • URL: https://select.wp3.rbsworldpay.com/wcc/purchase Note: The WAN IP of gateway must be real IP.
  • Page 264: Additional Applications

    17. Additional Applications 17.1. Upload / Download Local Users Accounts Configure Upload / Download Local Users Accounts; go to: User >> Authentication >> Option >> Local >> Local User List. • Upload User: Click Upload User to enter the Upload User from File interface. Click the Browse button to select the text file for uploading user accounts, then click Upload to complete the upload process.
  • Page 265: Backup / Restore And Upload New On-Demand Users Accounts

    17.2. Backup / Restore and Upload New On-demand Users Accounts Configure Backup / Restore On-demand Users Accounts; go to: Users >> Authentication >> On-demand User >> On-demand Account List. • Backup Current Accounts: Use this function to create a .txt file with all current user account information and then save it on disk.
  • Page 266: Account Roaming Out

    17.3. Account Roaming Out Configure Notification; go to: Users >> Authentication >> Local >> Configure. Sometimes, WHG Controller’s built-in Local database can act as a RADIUS server for Roaming Out from other systems. The Local User database will act as the RADIUS user database...
  • Page 267: Seamless Cross Gateway Roaming

    17.4. Seamless Cross Gateway Roaming Configure Notification; go to: Network >> Client Mobility >> Cross Gateway Roaming. WHG Controllers support seamless inter-Controller roaming with up to 15 other Controllers in a star-like topology. The Master Node means that this Controller will be at the center of the roaming cluster, and its users can roam with all the Slave nodes.
  • Page 269: Appendix A. Certificate Settings For Ie6 And Ie7

    Appendix A. Certificate Settings for IE6 and IE7 Certificate setting for the company with Certificate Authority Background information Any website or high-value Web Applications will require a client to access their websites via Secure Sockets Layer (SSL). The browser will automatically ask for a public SSL certificate from the website and check if it is valid.
  • Page 270 trusted media to install this certificate (as trusted CA) in each employee’s computer, and in the meantime export this certificate to the WHG CONTROLLER. In some circumstances, a company without a Certificate Authority may follow the steps stated below to avoid the error message.
  • Page 271 Certificate setting for Internet Explorer 7 For IE7, regarding certificate issues caused by the certificate publisher not being trusted by IE7, the following steps may be taken to provide a workaround or to bypass the issue. (1) Open the IE7 browser, and you will be redirected to the default login page. If the certificate is not trusted, the following page will appear.
  • Page 272 For installing a trusted certificate to solve the IE7 certificate issue, please follow the instructions stated below. (1) When the User Login page appears, click “Certificate Error” at the top. (2) Click “View Certificate”. (3) Click “Certification path”.
  • Page 273 (4) Select root certification, and then click “View Certificate”. (5) Click “Install Certificate”.
  • Page 274 (6) Click “Next”. (7) Select “Automatically select the certificate store based on the type of certificate”, and then click “Next”.
  • Page 275 (8) Click “Finish”.
  • Page 276 (9) Click “Yes”. (10) Click “OK”. (11) Launch a new IE7 browser. The certificate is now trusted via IE7 according to the key symbol shown at top next to the address field.
  • Page 277 Certificate setting for Internet Explorer 6 For issues relating to IE6 certificate errors, the following information provides the steps to take when the certificate publisher is not trusted by IE6. (1) Open an IE6 browser; the Security Alert message will appear if the certificate is not trusted. Click “Yes” to proceed.
  • Page 278: Appendix B. Network Configuration On Pc & User Login

    Appendix B. Network Configuration on PC & User Login Network Configuration on PC After WHG CONTROLLER is installed, the following configurations must be set up on the PC: Internet Connection Setup and TCP/IP Network Setup. Internet Connection Setup ...
  • Page 279 3) Choose “I want to set up my Internet connection manually, or I want to connect through a local Area network (LAN)”, and then click Next. 4) Choose “I connect through a local area network (LAN)” and then click Next. 5) DO NOT choose any option in the following LAN window for Internet configuration, and just click Next.
  • Page 280 6) Choose “No” and then click Next. 7) Finally, click Finish to exit the Internet Connection Wizard. Now, the setup is completed. Windows XP 1) Choose Start >> Control Panel >> Internet Option.
  • Page 281 2) Choose the Connections tab, and then click Setup. 3) When the Welcome to the New Connection Wizard window appears, click Next. 4) Choose “Connect to the Internet” and then click Next.
  • Page 282 5) Choose “Set up my connection manually” and then click Next. 6) Choose “Connect using a broadband connection that is always on” and then click Next. 7) Finally, click Finish to exit the Connection Wizard. Now, the setup is completed.
  • Page 283 TCP/IP Network Setup If the operating system of the PC in use is Windows 95/98/ME/2000/XP, keep the default settings without any changes to directly start/restart the system. With the factory default settings, during the process of starting the system, WHG CONTROLLER with DHCP function will automatically assign an appropriate IP address and related information for each PC.
  • Page 284 3) Using DHCP: If you want to use DHCP, click on the IP Address tab and choose “Obtain an IP address automatically”, and then click OK. This is also the default setting of Windows. Then, reboot the PC to make sure an IP address is obtained from WHG CONTROLLER.
  • Page 285 4.2) Click on the Gateway tab. Enter the gateway address of WHG CONTROLLER in the “New gateway” field and click Add. Then, click OK. 4.3) Click on DNS Configuration tab. If the DNS Server field is empty, select “Enable DNS” and enter DNS Server address.
  • Page 286 2) Right click on the Local Area Connection icon and select “Properties”. 3) Select “Internet Protocol (TCP/IP)” and then click Properties. Now, you can choose to use DHCP or a specific IP address. 4) Using DHCP: If you want to use DHCP, choose “Obtain an IP address automatically”, and then click OK.
  • Page 287 5) Using Specific IP Address: If you want to use a specific IP address, acquire the following information from the network administrator: the IP Address, Subnet Mask and DNS Server address provided by your ISP and the Gateway address of WHG CONTROLLER. If your PC has been set up completely, please inform the network administrator before proceeding to the following steps.
  • Page 288 5.4) Enter the gateway address of WHG CONTROLLER in the “Gateway” field, and then click Add. After returning to the IP Settings tab, click OK to complete the configuration. Check the TCP/IP Setup of Windows XP 1) Select Start >> Control Panel >> Network Connection.
  • Page 289 Now, you can choose to use DHCP or a specific IP address. 4) Using DHCP: If you want to use DHCP, choose “Obtain an IP address automatically” and click OK. This is also the default setting of Windows. Then, reboot the PC to make sure an IP address is obtained from WHG CONTROLLER.
  • Page 290 5.3) Click on the IP Settings tab and click Add below the “Default gateways” column and the TCP/IP Gateway Address window will appear. 5.4) Enter the gateway address of WHG CONTROLLER in the “Gateway” field, and then click Add. After returning to the IP Settings tab, click OK to finish the configuration.
  • Page 291: Appendix C. Policy Priority

    Appendix C. Policy Priority Global Policy, Service Zone Policy, Authentication Policy and User Policy WHG Controller supports multiple Policies, including one Global Policy and multiple individual Policies which can be assigned and bound to a Group. Global Policy is the system’s universal policy and is applied to all clients, while other individual Policies can be selected and defined to be applied to any Service Zone.
  • Page 292: Appendix D. Radius Accounting

    The standard Attribute Type of VSA is “26”. We also need to know the “Vendor ID”; in this example, the Vendor ID of LevelOne is “31932”. There must also be other attributes to define the amount of traffic, with “Attribute Number” and “Attribute Value”:...
  • Page 293 2. VSA configuration in RADIUS server (IAS Server) This section will guide you through a VSA configuration in your external RADIUS server. Before getting started, please access your external RADIUS server’s desktop directly or remotely from another PC. Step 1 Assume there are already users in the RADIUS Server. Assume Groups already exist and users have been assigned to these Groups in the RADIUS Server. Assume Policies already exist and Groups have been assigned to these Policies in RADIUS...
  • Page 294 Step 3 Edit Profile Select the Advanced Tab Add a new attribute Add a new Vendor-specific attribute Step 4 Add a new attribute under Vendor-specific Set “Vendor Code = 31932” Set that it conforms to the RADIUS RFC Configure Attribute Set “Vendor-assigned attribute number = 10” Set “Attribute format = Hexadecimal”...
  • Page 295 Step 5 Confirm the Vendor-specific Attribute has been added successfully. Step 6 Follow the same steps to create other Vendor-specific Attributes as you need.
  • Page 296 Assume Groups already exist and users have been assigned to these Groups in the RADIUS Server. Step 2 Log in to the Linux host of the RADIUS server. Step 3 Create a file “dictionary.LevelOne” under the “freeradius” folder. Step 4 Edit and save the content of the file “dictionary.LevelOne” as the following:...
  • Page 297 The administrator can also add other attributes from the table in Section 2, using the same format. Step 5 Edit the file “dictionary” under the folder “freeradius”. Step 6 Include “dictionary.LevelOne” in the dictionary of the RADIUS server. Insert it in an incremental position that makes it easy to find again. Step 7 Open the “radius” database.
  • Page 298 Step 8 Insert the VSA into the RADIUS response. In this example, the maximum download and upload in bytes for group03 users is 1MBytes. Step 9 Restart RADIUS to activate your settings.
  • Page 299: Appendix E. Vlan Port Location Mapping And Pms Middleware

    Appendix E. VLAN Port Location Mapping and PMS Middleware This section introduces the Port Location Mapping feature. This feature is designed for creating multiple VLAN divisions (as if they were separate LAN ports) under a Service Zone and mapping these VLANs to different locations individually.
  • Page 300 2. Port Location Mapping Configure Port Location Mapping; go to: System >> Port Location Mapping >> Configure. The administrator can use the Port Location Mapping feature to map a location (such as a hotel room) to a VLAN port of a VLAN switch or a DSLAM device. Each Room is mapped to a VLAN Tag, and each Room can be assigned to a different Service Zone to get a different policy.
  • Page 301 Multiple User is the port type used for rooms with many users, for example dormitory applications. If the user opens a browser and tries to access the internet, a user login page without billing plan options will be displayed. The user needs to buy accounts from the front dorm office in order to log in. The room with this port type allows more than one user to access the network within the room.
  • Page 302 Port Location Mapping Setup – Create One From: Set the Physical LAN port on the gateway to provide Port Location Mapping Service. Port Type: The default state of the rooms; it may be: Free, Block, Single User, Multiple User. Service Zone: The service zone profile used to provide internet service to this room.
  • Page 303 Connection Setup: Enter the Secret, Interface Port, MI ID, AC ID, and Link Test Interval for the Middleware connection. Secret: The secret key between Guest Service Device and PMS Middleware for challenge and response (MD5 Hash) to test the authenticity of the link. It should contain one or more lowercase letters, uppercase letters, numbers and symbols.
  • Page 304 The Search field allows administrator to search for mapping entries according to VLAN ID, Room Num/Location ID or Service Zone. Click the VLAN ID link to enter the Port Mapping Profile page for that entry. You can change the Port Type or Service Zone of this room. You also can check the present user account information. 5.
  • Page 305 will display the generated account name and password. If you already have a user account, you can click the “here” link to log in with the user account that you possess. When a user tries to access the internet from a “Multiple User” room, the browser will show the Login page without billing plan options to select.
  • Page 306 When a user tries to access the internet from a “Free” room, the browser will show the service agreement page; by simply clicking CONFIRM, the user can access the internet. The Service Agreement body can be configured at the applied Service Zone’s Custom Pages settings. ...
  • Page 307 P/N: VWHG50020110601...

This manual is also suitable for:

Whg-315, Whg-401, Whg-707, Whg-505, Whg-515
