Colubris Networks CN3200 Administrator's Manual

Wireless access controller
CN3200
Administrator's Guide
DRAFT
Note: Any references to CN3000 in this draft also apply to the CN3200.

Summary of Contents for Colubris Networks CN3200

  • Page 1 CN3200 Administrator’s Guide DRAFT Note: Any references to CN3000 in this draft also apply to the CN3200.
  • Page 2 Changes are periodically made to the information herein; these changes will be incorporated into new editions of the document. Copyright © 2004 Colubris Networks Inc. All rights reserved, including those to reproduce this document or parts thereof in any form without permission in writing from Colubris Networks, Inc.
  • Page 3: Table Of Contents

    Chapter 1 Introduction ......... 7
      Introducing the CN3200 ......... 8
      Scalable solution ......... 8
      Secure infrastructure ......... 8
    Chapter 4 Installation ......... 37
      Anatomy ......... 38
      Antenna connectors ......... 38
      Ports ......... 38
      Powering the CN3200 ......... 39
      Status lights ......... 39
      Radio ......... 39
      Reset button ......... 40
  • Page 4 (Table of Contents, continued)
    Supporting PDAs ......... 94
    Step 1: Setting up the CN3200 RADIUS client
      Managing shared secrets ......... 95
      Configuration procedure ......... 95
      Profile name ......... 96
    Standard MIBs ......... 132
    Management consoles ......... 132
    MIB II support details ......... 132
    Colubris Enterprise MIB ......... 134
    COLUBRIS-IEEE802DOT11 MIB details ......... 135
  • Page 5 (Table of Contents, continued)
    Managing shared secrets ......... 213
    Creating a profile for the CN3200 on the RADIUS server ......... 214
    Supported standard RADIUS attributes ......... 214
    Step 7: Test the installation ......... 258
    Step 8: Test the remote login page feature ......... 260
      Enable the remote login feature ......... 260
      Test the remote login feature ......... ...
  • Page 6 (Table of Contents, continued)
    Step 1: Add support for Colubris Networks attributes
    Step 2: Connect to the Steel-Belted Radius server ......... 276
    Step 3: Create a RADIUS client profile for the CN3200 ......... 278
    Step 4: Define RADIUS profiles ......... 280
      Defining a CN3200 profile ......... 280
    Chapter 21 The configuration file ......... 353
      Manually editing the config file ......... 354
  • Page 7: Introduction

    Chapter 1: Introduction. This chapter presents an overview of the CN3200 and illustrates how it can be used to deploy a public access network.
  • Page 8: Introducing The Cn3200

    The CN3200 and the CN300s provide the wireless cells which customers use to connect their mobile computers. Intelligent bridging software on the CN300s restricts customer traffic so that it can only flow to and from the CN3200. [Figure: deployment diagram; labels not recoverable]
  • Page 9: Enhanced User Experience

    For added security, the CN3200 is protected from malicious Internet traffic by its integrated firewall. [Figure: integrated firewall; a hacker's telnet and SYN-attack traffic is stopped; unauthenticated and authenticated customers; stations cannot exchange data; RADIUS server in the network operating center.] Enhanced user experience: The CN3200 makes it easy to deliver a completely customized experience for your customers.
  • Page 10: Secure Remote Management

    Secure remote management: Integrated VPN client software (PPTP and IPSec) enables the CN3200 to establish a secure connection with a remote network operating center. This provides an encrypted tunnel for management and accounting traffic, so you can manage one or more CN3200s from a single central location.
  • Page 11 Or, it can be used to create point-to-point links over longer distances, such as between two buildings (as illustrated below). This requires that the appropriate external antenna be installed on each unit (not included). [Figure: Building A and Building B joined by a wireless bridge between external antennas; CN3200, CN300s and RADIUS server.]
  • Page 12: Multiple Ssid Support

    [Figure: IPSec VPN #1 and IPSec VPN #2, one to each NOC.] In this scenario, the CN3200 controls access to the Internet. However, it validates customer logins and records accounting information using the RADIUS server in each NOC. The CN3200 knows which RADIUS server to communicate with for a particular customer based on the SSID the customer is associated with.
  • Page 13: Feature Summary

    Feature summary. Wireless radio: The CN3200’s dual-band mini-PCI radio module is software configurable to operate either in the 2.4GHz band (802.11b and 802.11g) or the 5GHz band (802.11a). Note: Customers are responsible for verifying approval and identifying the regulatory domain that corresponds to a particular country.
  • Page 14 Radio approvals: • Wi-Fi • FCC Part 15.401-15.407 • RSS-210 (Canada) • EN 300 440 (Europe) • ARIB STD-T71 (Japan). EMI and susceptibility (Class B): • FCC Part 15.107 and 15.109 • ICES-003 (Canada) • VCCI (Japan) •...
  • Page 15 Modulation technique. IEEE 802.11b: Direct sequence spread spectrum (DSSS) • DBPSK @ 1 Mbps • DQPSK @ 2 Mbps • CCK @ 5.5 and 11 Mbps. IEEE 802.11g: Orthogonal Frequency Division Multiplexing (OFDM) • BPSK @ 6 and 9 Mbps •...
  • Page 16: Hardware

    Antenna: Two SMA (Female) connectors for use with external antenna (sold separately). Security architecture, client authentication: • SSL-protected Web-based authentication • 802.1x support including PEAP, EAP-TLS, EAP-TTLS and EAP-SIM, yielding mutual authentication • Wi-Fi Protected Access (WPA) with AES support in hardware (ready for WPA2) • Support for static and dynamic IEEE 802.11 WEP keys of 40 bits and 128 bits (WEP is a legacy option only: its keys can be recovered from captured traffic, so use WPA wherever the client stations support it). Hardware: Status LEDs...
  • Page 17: Network Management

    • RIP v1 (RFC 1058) and v2 (RFC 1723) • SMTP (e-mail) redirection • ICMP (RFC 792) • ARP (RFC 826) • CIDR (RFC 1519). Network management: • SNMP v1 and v2 • MIB-II with TRAPS •...
  • Page 18: Authentication And Accounting

    Authentication and accounting: • Secure HTML login page • Support for 802.1x using EAP-MD5, EAP-TLS, EAP-TTLS, PEAP • RADIUS AAA supporting EAP-MD5, PAP, CHAP, MSCHAP v2, MSCHAP v1 • MAC-level authentication for non-HTTP devices • Supports up to 100 concurrent users •...
  • Page 19: Package Contents

    Contains the CN3200 Administrator’s Guide, Colubris Backend Archive, and the Colubris Enterprise MIB. Technical support To obtain technical support, contact your reseller. Information about Colubris Networks products and services, including documentation and software updates, is available on our web site at www.colubris.com.
  • Page 20: Syntax Conventions

    Syntax conventions. This manual uses the following formatting conventions. Example: Network (in bold). Description: When referring to the management tool web interface, items in bold type identify menu commands or input fields. They are presented exactly as they appear on screen.
  • Page 21: Important Concepts

    Chapter 2: Important concepts. This chapter covers important topics that will help you understand how to install, deploy, and manage a wireless public access network.
  • Page 22: Networking Areas

    Coverage: As a starting point for planning your setup, you can assume that the CN3200 provides a wireless cell of up to 300 feet (100 meters) in diameter at high power. Before creating a permanent installation, you should always perform a live test of the coverage provided by each access point to determine its optimum settings and location.
  • Page 23 Protected network resources All resources connected to the CN3200’s Internet port are protected. This means that access to them is controlled by configuration settings on the CN3200. By default, these settings are: • unauthenticated customers cannot access any protected network resources •...
  • Page 24: Attaching To A Wired Lan

    Attaching to a wired LAN: The CN3200 can be attached to a wired LAN. Computers on an attached wired LAN are treated just like those on the wireless LAN. Each computer must be authenticated before it can gain access to protected network resources.
  • Page 25: Network Operating Center (Noc)

    CN3200 and customers. Before the CN3200 activates the public network, it must authenticate itself to the RADIUS server and retrieve its configuration information. The CN3200 is compliant with RFC 2865 and RFC 2866 and will work with a variety of RADIUS servers. Web/FTP server: If you intend to customize the look and feel of the public access interface, you will need a Web or FTP server to store your customized pages.
  • Page 26: Sending Traffic To The Noc

    Management station: This station is used to control and configure the CN3200 and any satellite CN300s. Control can occur via an SNMP console or through the CN3200’s web-based management tool. Sending traffic to the NOC: For secure transmission of traffic between the CN3200 and the NOC, the CN3200 features both PPTP and IPSec clients.
  • Page 27: The Public Access Interface

    The public access interface is the sequence of web pages that customers use to login to the wireless network and to manage their accounts. The CN3200 ships with a default public access interface that you can customize to meet the needs of your installation. However, before you do this, you should...
  • Page 28: Connecting To And Using The Wireless Network

    For example, by default the CN3200 creates the wireless network on the subnet 192.168.1.0. If a client station is pre-configured with the address 10.10.4.99, it will still be able to connect to the CN3200 without changing its address, or its settings for DNS server and default gateway.
  • Page 29: The Radius Server

    • The default idle timeout for customer sessions. • The default address for the SMTP redirection When you set up a profile for the CN3200 on the RADIUS server you define this information in the form of a Colubris Networks vendor-specific attribute. For details see page 214.
  • Page 30: Customer Authentication

    These devices do not log in through the public access interface; rather, as soon as the CN3200 sees their MAC address appear on the network, it attempts to authenticate them. To set up these accounts, see page 223. (A MAC address is not a secret and can be presented by any station, so treat MAC-level authentication as a convenience for devices that cannot use the login page, not as strong authentication.)
  • Page 31: Planning Your Installation

    Chapter 3: Planning your installation. This chapter provides sample deployment strategies for two common scenarios. These scenarios will give you a good idea of how to approach your installation.
  • Page 32: Multi-Site Installation

    ... #1 and #3. • At site #2, the CN3200 provides a wireless network and is also connected to a LAN to enable a number of wired computers to act as public access stations. • Each CN3200 is connected to the Internet via a broadband modem. The Internet connection is protected by the CN3200’s firewall.
  • Page 33: Installation Strategy

    Installation strategy (task: where described): • Establish a connection to the management tool: pages [...] • Define management tool security settings: page [...] • Configure the wireless network: Chapter 6 • Connect the CN3200 to the local wired LAN: Chapter 7 • Configure the Internet connection and firewall: Chapter 8 • Start the public access interface: Chapter 9 • Configure a VPN connection to the NOC: [...]
  • Page 34: Multi-Area Installation

    ... #1 and #3. • At area #2, the CN3200 provides a wireless network and is also connected to a LAN to enable a number of wired computers to act as public access stations. • Each CN3200 is connected to the NOC via the backbone LAN.
  • Page 35: Installation Strategy

    Installation strategy (task: where described): • Define management tool security settings: page [...] • Configure the wireless network: Chapter 6 • Connect the CN3200 to the local wired LAN: Chapter 7 • Connect the Internet port to the backbone LAN and configure IP addressing: page [...] • Start the public access interface.
  • Page 37: Installation

    Chapter 4: Installation. This chapter provides an overview of the CN3200 hardware and explains how to install it.
  • Page 38: Anatomy

    Antenna diversity: The CN3200 supports antenna diversity. One benefit of this feature is that, for a given client station connection, the CN3200 always transmits on the antenna on which it last received from that station.
  • Page 39: Powering The Cn3200

    Important: The power adapter is not rated for use in plenum installations. Power over Ethernet (PoE) The CN3200 supports PoE on the LAN port and can be used with any IEEE 802.3af-compliant power injector. Important: Cisco PoE injectors are not compliant with IEEE 802.3af and cannot be used with the CN3200.
  • Page 40: Reset Button

    Reset button: The reset button is located on the rear of the CN3200. Use the end of a paper clip or another pointed object to press the button. Restarting: Press and release the button quickly to restart the CN3200. This is equivalent to disconnecting and reconnecting the power.
  • Page 41: Installing The Cn3200

    Mounting the CN3200: When mounting the CN3200 on a wall, ceiling or other surface, make sure that: • the surface you attach the CN3200 to and the fasteners you use are able to support at least 5.1 kg (11.25 pounds) •...
  • Page 43: The Management Tool

    Chapter 5: The management tool. This chapter provides an overview of the Web-based management tool and explains how to use it to perform management and configuration tasks.
  • Page 44: Overview

    Overview: The management tool is a Web-based interface to the CN3200 that provides easy access to all configuration functions. Important: Only one administrator can be logged into the management tool at a given time. If a second administrator logs in while the first is connected, the first administrator is logged out.
  • Page 45 Default settings: • Relay between wireless stations: Off • Security: None. Port: • IP address: 192.168.1.1 • DHCP server: On. Internet port: • IP address: (DHCP client is active) • Firewall: High security. Management tool: • Allow access via LAN port and [...] port •...
  • Page 46: Starting The Management Tool

    Starting the management tool 1. Start your Web browser. 2. Press Enter. You will be prompted to accept a Colubris Networks security certificate. Do so to continue. (To eliminate this warning message you can install your own certificate as described in Chapter 14.)
  • Page 47: Menu Summary

    Network Address allocation Lets you configure the CN3200 to act as a DHCP server or DHCP relay agent, and also to setup bandwidth management. IP routes Lets you define routes to send traffic to the appropriate destination. This is useful when the CN3200 is connected to a wired LAN which provides access to other networks.
  • Page 48: Management

    Configures system time. Lets you view the status of other active Colubris access points. Status Use this option to view the status of the various components on the CN3200. Tools Provides diagnostic tools that can be used to investigate anomalies. Generally, you will use these only under the direction of your reseller.
  • Page 49: Management Tool Security

    Important: Make sure that the RADIUS profile you select is configured and that the administrator account is defined on a functioning RADIUS server. If not, you will not be able to log back into the CN3200 because the administrator password cannot be authenticated.
  • Page 50: Security Settings

    Remote management security Secure remote management is possible using the integrated PPTP and IPSec client software. This enables the CN3200 to create a secure tunnel to a remote server using a public network (Internet). This can also be used to secure automatic configuration updates and communications with a remote RADIUS server or Web server.
  • Page 51: Firmware Management

    Scheduled install The CN3200 can automatically retrieve and install firmware from a local or remote URL. By placing CN3200 firmware on a web or ftp server, you can automate the update process for multiple units. When the update process is triggered, the CN3200 retrieves the first few bytes of the firmware file to determine if it is different than the active version.
  • Page 52: Using Curl

    Prepare the CN3200 to receive the firmware update:
      curl --cookie cookie.txt -m 60 "https://24.28.15.22/script/firmware_init.asp"
    Upload the firmware. Once the upload is complete the CN3200 will automatically restart:
      curl --cookie cookie.txt -s -m 600 -F firmware=@CN3200.cim -F backup=Install "https://24.28.15.22/goform/ScriptUploadFirmware"...
  • Page 53: Configuration Management

    See Chapter 21 for details. Reset configuration Use this option to return the configuration of the CN3200 to its factory default settings. Note: Resetting sets the administrator password to ‘admin’ and resets all configuration settings.
  • Page 54: Using Curl

    Windows and LINUX at: http://curl.haxx.se/. You must use version 7.9.8 or higher. The following cURL commands illustrate how to manage the configuration file. The following setup is assumed: • IP address of the CN3200’s Internet port is 24.28.15.22. • Management access to the Internet port is enabled.
  • Page 55 (continued)
      curl --cookie cookie.txt -m 5 "https://24.28.15.22/goform/ScriptResetFactory?reset=Reset+to+Factory+Default"
    3. Reset the CN3200 to activate the new configuration:
      curl --cookie cookie.txt -s -m 60 "https://24.28.15.22/script/reset.asp"...
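The cURL sequences above drive the management interface with a session cookie, accept whatever certificate the unit presents, and upload whatever file is named. The following is an added example, not Colubris code and not from the manual: it performs the documented firmware sequence (GET /script/firmware_init.asp, then a multipart POST of the .cim image with backup=Install to /goform/ScriptUploadFirmware) in Python and adds the two checks a practitioner wants before a remote unit is reflashed: the image hash is compared with a SHA-256 obtained out of band, and the unit's self-signed certificate is pinned by fingerprint rather than accepted blindly. Assumptions: the device address 24.28.15.22 from the manual, a fingerprint recorded when the unit was commissioned, and an existing Netscape-format cookie.txt holding an authenticated session (the login call is not shown on this page and is not reproduced here).

```python
"""Scripted CN3200 firmware update over HTTPS (added example, not Colubris code)."""
import hashlib
import http.client
import http.cookiejar
import ssl
import urllib.request
import uuid

DEVICE = "24.28.15.22"   # Internet-port address used in the manual's cURL examples


def image_digest(data: bytes) -> str:
    """SHA-256 of an image held in memory, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_image(path: str, expected_sha256: str) -> bytes:
    """Read the .cim file and refuse to continue unless its hash matches the
    checksum published alongside the image (obtained out of band)."""
    with open(path, "rb") as f:
        data = f.read()
    if image_digest(data) != expected_sha256.lower():
        raise ValueError("firmware image hash mismatch; refusing to upload")
    return data


def multipart_form(file_field, filename, data, fields, boundary=""):
    """Build the multipart/form-data body that
    curl -F firmware=@<file> -F backup=Install sends. Returns (body, content_type)."""
    boundary = boundary or uuid.uuid4().hex
    parts = [
        ('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
         'Content-Type: application/octet-stream\r\n\r\n' % (boundary, file_field, filename)).encode()
        + data + b"\r\n"
    ]
    for name, value in fields.items():
        parts.append(('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                      % (boundary, name, value)).encode())
    parts.append(("--%s--\r\n" % boundary).encode())
    return b"".join(parts), "multipart/form-data; boundary=" + boundary


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS connection that ignores the CA chain (the CN3200 ships a self-signed
    certificate) but aborts unless the peer certificate's SHA-256 fingerprint is
    the one recorded when the unit was commissioned (assumed known)."""

    def __init__(self, host, fingerprint, **kwargs):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        super().__init__(host, context=ctx, **kwargs)
        self._fingerprint = fingerprint.lower()

    def connect(self):
        super().connect()
        seen = hashlib.sha256(self.sock.getpeercert(binary_form=True)).hexdigest()
        if seen != self._fingerprint:
            self.close()
            raise ssl.SSLError("certificate fingerprint %s does not match pinned %s"
                               % (seen, self._fingerprint))


class PinnedHTTPSHandler(urllib.request.HTTPSHandler):
    def __init__(self, fingerprint):
        super().__init__()
        self._fingerprint = fingerprint

    def https_open(self, req):
        return self.do_open(
            lambda host, **kw: PinnedHTTPSConnection(host, self._fingerprint, **kw), req)


def update_firmware(image_path, expected_sha256, cert_fingerprint,
                    cookie_file="cookie.txt", device=DEVICE):
    """Verify the image, then run the manual's two-step sequence over the pinned,
    cookie-authenticated session. Returns the HTTP status of the upload."""
    data = verify_image(image_path, expected_sha256)
    jar = http.cookiejar.MozillaCookieJar(cookie_file)
    jar.load(ignore_discard=True)           # session cookie from the earlier login
    opener = urllib.request.build_opener(PinnedHTTPSHandler(cert_fingerprint),
                                         urllib.request.HTTPCookieProcessor(jar))
    # Step 1: tell the unit an upload is coming (manual: firmware_init.asp, 60 s timeout).
    with opener.open("https://%s/script/firmware_init.asp" % device, timeout=60) as r:
        if r.status != 200:
            raise RuntimeError("firmware_init.asp returned %d" % r.status)
    # Step 2: upload the image (manual: 600 s timeout); the unit restarts by itself.
    body, ctype = multipart_form("firmware", image_path.rsplit("/", 1)[-1], data,
                                 {"backup": "Install"})
    req = urllib.request.Request("https://%s/goform/ScriptUploadFirmware" % device,
                                 data=body, headers={"Content-Type": ctype})
    with opener.open(req, timeout=600) as r:
        return r.status
```

Record the fingerprint once, on the management LAN, with `openssl s_client -connect 24.28.15.22:443 </dev/null | openssl x509 -noout -fingerprint -sha256`, and re-record it after installing your own certificate (Chapter 14); from then on a changed fingerprint on a remote unit is a reason to stop, not a warning to click through.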
  • Page 57: Wlan Configuration

    Chapter 6: WLAN configuration. This chapter explains how to set up a wireless network with the CN3200.
  • Page 58: Setting Up The Wireless Lan

    WLAN name (SSID) Specify a name to uniquely identify your wireless network. Each client computer that wants to connect to the CN3200 must use this name. The name is case- sensitive. Maximum number of wireless client stations Specify the maximum number of wireless client stations that can be connected to the CN3200 at the same time.
  • Page 59: Radio

    How it works If a packet is larger than the threshold, the local CN3200 will hold it and issue a request to send (RTS) message to the remote CN3200. Only when the remote CN3200 replies with a clear to send (CTS) message will the local CN3200 send the packet.
  • Page 60: Wireless Port

    Key transmission protection: This option determines how the TKIP keys are generated. • RADIUS: The CN3200 obtains the MPPE key from the RADIUS server. This is a dynamic key that changes each time the user logs in and is authenticated.
  • Page 61: Dynamic Keys

    CN3200. The definition for each encryption key must be the same on the CN3200 and all client stations. Keys must also be in the same position. For example, if you are using key 3 to encrypt transmissions, then each client station must also define key 3 to communicate with the CN3200.
  • Page 62 Specify the starting and ending IP addresses that define the range of addresses the DHCP server can assign to client stations. Gateway Specify the IP address of the default gateway the CN3200 will return to DHCP clients. Address/mask Shows the current settings for the port.
  • Page 63: Wireless Profiles

    Wireless profiles: The CN3200 enables you to create multiple wireless networks (also known as virtual access points) all sharing the same wireless port. Each network has its own SSID (network name), BSSID (MAC address), and configuration settings that are defined in a profile.
  • Page 64: Radius Accounting

    Key transmission protection: This option determines how the TKIP keys are generated. • RADIUS: The CN3200 obtains the MPPE key from the RADIUS server. This is a dynamic key that changes each time the user logs in and is authenticated.
  • Page 65 CN3200. The definition for each encryption key must be the same on the CN3200 and all client stations. Keys must also be in the same position. For example, if you are using key 3 to encrypt transmissions, then each client station must also define key 3 to communicate with the CN3200.
  • Page 66: Configuring Overlapping Wireless Cells

    Configuring overlapping wireless cells: Overlapping wireless cells occur when two or more access points are within transmission range of each other. This may be under your control (when setting up multiple cells to cover a large location), or out of your control (when your neighbors set up their own wireless networks).
  • Page 67: Choosing Channels

    With the proliferation of wireless networks, it is very possible that the wireless cells of access points outside your control may overlap your intended area of coverage. To help you choose the best operating frequency, the CN3200 will automatically scan all channels and provide a recommendation on the Wireless >...
  • Page 68 In North America, you would create the following installation: [Figure: two rows of three cells; cell 1 on channel 1, cell 2 on channel 6, cell 3 on channel 11.] Reducing transmission delays by using different operating frequencies.
  • Page 69 [Figure: four cells in a row, 150 m (450 feet) between centres; cell 1 on channel 1, cell 2 on channel 6, cell 3 on channel 11, cell 4 back on channel 1.] Using only three frequencies across multiple cells (North America). This strategy can be expanded to cover an even larger area using three channels as follows: [Figure: cell 1...]
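The layouts sketched above reuse channels 1, 6 and 11 so that no two cells that can hear each other share a frequency. The following is an added example, not from the manual, that turns that rule into a check you can run on your own floor plan: cells whose centres are closer than a chosen reach (taken from your site survey, a little more than one cell diameter at the power you run) are treated as overlapping and must not share a channel; a backtracking assignment uses only the three non-overlapping 2.4 GHz channels and raises an error when three are not enough, which means respacing or lowering power rather than picking a fourth channel. The cell coordinates are constructed; the 150 m spacing follows the manual's diagram.

```python
"""Channel assignment for overlapping cells (added example, not from the manual)."""
import math

NON_OVERLAPPING_NA = (1, 6, 11)   # the three non-overlapping 2.4 GHz channels in North America


def overlapping_pairs(cells, reach):
    """Pairs of cell names whose centres lie within `reach` metres of each other."""
    names = list(cells)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if math.dist(cells[a], cells[b]) <= reach:
                pairs.append((a, b))
    return pairs


def assign_channels(cells, reach, channels=NON_OVERLAPPING_NA):
    """Assign a channel to every cell so that no overlapping pair shares one.
    Cells are tried in row-major order (by y, then x); a simple backtracking
    search is used because greedy row-by-row assignment can paint itself into a
    corner on a staggered (triangular) layout."""
    neighbours = {name: set() for name in cells}
    for a, b in overlapping_pairs(cells, reach):
        neighbours[a].add(b)
        neighbours[b].add(a)
    order = sorted(cells, key=lambda n: (cells[n][1], cells[n][0]))
    plan = {}

    def place(i):
        if i == len(order):
            return True
        name = order[i]
        taken = {plan[n] for n in neighbours[name] if n in plan}
        for ch in channels:
            if ch not in taken:
                plan[name] = ch
                if place(i + 1):
                    return True
                del plan[name]
        return False

    if not place(0):
        raise ValueError("no conflict-free plan with channels %s; respace the access points "
                         "or lower transmit power" % (channels,))
    return plan


def conflicts(cells, plan, reach):
    """Overlapping pairs that ended up on the same channel (should be empty)."""
    return [(a, b) for a, b in overlapping_pairs(cells, reach) if plan[a] == plan[b]]


# Constructed layout: two staggered rows, 150 m between neighbouring centres.
ROW = 150 * math.sqrt(3) / 2
OFFICE = {
    "A1": (0, 0), "A2": (150, 0), "A3": (300, 0), "A4": (450, 0),
    "B1": (75, ROW), "B2": (225, ROW), "B3": (375, ROW),
}

if __name__ == "__main__":
    plan = assign_channels(OFFICE, reach=160)
    for name, ch in sorted(plan.items()):
        print(name, "channel", ch)
    print("same-channel overlaps:", conflicts(OFFICE, plan, 160))
```

Feed the Wireless > Neighborhood scan results in as extra cells with a fixed channel if you also want to avoid your neighbours' frequencies; the function then simply has fewer free channels to choose from.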
  • Page 70: Distance Between Access Points

    The areas in gray indicate where two cells using the same frequency overlap. Distance between access points: In environments where the number of wireless frequencies is limited, it can be beneficial to adjust the receiver sensitivity of the CN3200. To make the adjustment, open the Wi-Fi page on the Wireless menu.
  • Page 71: Conducting A Site Survey And Finding Rogue Access Points

    (rogue) units. Conducting a site survey: To discover the operating frequencies of other access points in your area, open the Wireless > Neighborhood page. The CN3200 will automatically scan to find all active access points.
  • Page 73: Connecting To A Wired Lan

    Chapter 7: Connecting to a wired LAN. This chapter explains how to configure a connection to a wired LAN.
  • Page 74: Overview

    Overview: The CN3200 provides a LAN port for connection to a wired network. Generally, this is used to: • connect the CN3200 to one or more CN300s • connect wired computers to the public access network...
  • Page 75: Addressing Issues

    5. Click Save. LAN port address: The CN3200 connects to the wired LAN via its LAN port. You must assign a static IP address to this port because the CN3200 cannot function as a DHCP client on its LAN port.
  • Page 76 2. Leave the DHCP server on the CN3200 operational and configure it to assign IP addresses outside the range of the static addresses already in use on the wired LAN.
  • Page 77: Connecting To The Internet

    Chapter 8: Connecting to the Internet. This chapter explains how to connect the CN3200 to the Internet via a broadband modem and how to use the security features provided by the firewall and network address translation...
  • Page 78: Connecting Cables

    Connect cables as follows: 1. Turn off your broadband modem, then turn it back on. 2. Use a standard Ethernet cable to connect the CN3200 Internet port to the broadband modem. 3. If the CN3200 is already running, press the reset button to restart it.
  • Page 79: Configuring The Internet Connection

    Internet. To create a secure connection to a remote network via the Internet, see Chapter [...]. The Internet port can also be used to link the CN3200 to a local area network. Just choose the addressing method that is appropriate for your setup.
  • Page 80: Pppoe Client

    NAT, client stations will not be able to access the Internet unless their IP addresses are valid on the Internet. If the CN3200 is connected to a wired LAN, computers on the wired LAN can also take advantage of NAT to share the Internet connection.
  • Page 81: Dhcp Client

    Mask Identifies the subnet mask that corresponds to the assigned IP address. Primary DNS address Identifies the IP address of the main DNS server the CN3200 will use to resolve DNS requests. Secondary DNS address Identifies the IP address of the backup server the CN3200 will use to resolve DNS requests.
  • Page 82: Static Addressing

    Settings. DHCP client ID: Specify an ID to identify the CN3200 to the DHCP server. This parameter is not required by all ISPs. Assigned by DHCP server: These settings are assigned to the CN3200 by your ISP’s DHCP server. The Internet connection is not active until this occurs.
  • Page 83: Firewall

    The CN3200 offers a number of predefined rules to let you achieve the required security level without going to the trouble of designing your own rules. If the CN3200 is connected to a wired LAN, the firewall protects the wired LAN as well.
  • Page 84 Outgoing traffic by firewall setting (columns: [first setting label not recovered], Medium, High):
      FTP (passive mode)   Passed   Passed   Passed
      FTP (active mode)    Passed   Passed   Passed
      Web (HTTP, HTTPS)    Passed   Passed   Passed
      SNMP                 Passed   Passed   Passed
      Telnet               Passed   Passed   Passed
      Windows networking   Blocked  Blocked  ...
  • Page 85: Firewall Configuration

    Customizing the firewall: To customize the firewall, you define one or more rules. A rule lets you target a specific type of data. If the CN3200 finds data that matches the rule, the rule is triggered, and the data is rejected by the firewall.
  • Page 86 3. Click Reset To High. This imports all the rules from the predefined high security firewall. 4. Click the last rule to edit it. The Custom firewall configuration - Edit rule page opens. 9. [...]
  • Page 87 Rule table (port range, address, protocol): 0 to 79, Any, TCP; 81 to 442, Any, TCP; ...
  • Page 88 13. To add a rule, click Add New Rule. The Custom firewall configuration - Add rule page opens. 14. Fill in the appropriate fields and then click Add to save the rule and return to the Custom firewall configuration page.
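The rule semantics stated above are simple (a match rejects the data, so the rules list what to block, not what to allow), and the page 87 excerpt shows TCP port ranges that leave only 80 and 443 uncovered. The following is an added example, not from the manual and not Colubris code, that models those semantics, evaluates constructed sample packets against the excerpted rules, and lists the ports that no rule covers, which is the check to run before a hand-built rule set goes live. The third rule (444 to 65535) is an assumption added to complete the "block everything but HTTP and HTTPS" intent the excerpt suggests; treating the port range as the destination port is also an assumption.

```python
"""Rule evaluation for a custom CN3200 firewall (added example, not from the manual)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "any"
    port_low: int          # inclusive destination-port range (assumption: destination)
    port_high: int
    src: str = "any"       # "any" or a dotted-quad source address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int


def matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and (rule.src == "any" or rule.src == pkt.src)
            and rule.port_low <= pkt.dst_port <= rule.port_high)


def evaluate(rules, pkt):
    """Manual: if the data matches a rule, the rule is triggered and the data is
    rejected. Rules are checked in order; the first match wins."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return "rejected by rule %d" % n
    return "passed"


def uncovered_ports(rules, proto, src="any"):
    """Ports that would pass for the given protocol: the list to review."""
    covered = set()
    for r in rules:
        if r.proto in ("any", proto) and r.src in ("any", src):
            covered.update(range(r.port_low, r.port_high + 1))
    return sorted(set(range(0, 65536)) - covered)


# Rule set from the manual's page 87 excerpt; the third rule is an assumption.
HTTP_ONLY = [
    Rule("tcp", 0, 79),
    Rule("tcp", 81, 442),
    Rule("tcp", 444, 65535),
]

if __name__ == "__main__":
    samples = [Packet("tcp", "203.0.113.5", 80), Packet("tcp", "203.0.113.5", 23),
               Packet("tcp", "203.0.113.5", 8080), Packet("udp", "203.0.113.5", 53)]
    for p in samples:                       # constructed sample packets
        print(p, "->", evaluate(HTTP_ONLY, p))
    print("tcp ports not covered:", uncovered_ports(HTTP_ONLY, "tcp"))
    print("udp ports not covered:", len(uncovered_ports(HTTP_ONLY, "udp")))
```

The last line is the point of the check: rules written for TCP only say nothing about UDP, so a rule set that reads as "HTTP and HTTPS only" still passes every UDP port until a matching UDP rule is added.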
  • Page 89: Network Address Translation

    Network address translation. NAT overview: NAT is an address mapping service that enables one set of IP addresses to be used on an internal network, while a second set is used on an external network. NAT handles the mapping between the two sets of addresses.
  • Page 90: One-To-One Nat

    IP address, or impose a limit. For example: some PPTP servers want a unique IP address for each client station. To resolve this problem, the CN3200 allows you to assign multiple IP addresses to the Internet port and use them to distinguish outgoing NAT traffic for customers making VPN connections.
  • Page 91: Nat Ipsec Passthrough

    Remote computers send their requests to 202.125.11.26 and the CN3200 routes them to the proper client. To configure the CN3200 to support this example, you would do the following: 1. On the main menu, click Network, then click NAT. The NAT mappings page...
  • Page 92 2. Click Add New Static NAT Mapping. The NAT mappings - Add static mapping page appears. • Under Requests for, choose Standard Services, then choose http (TCP 80). • Under Translate to, specify the IP address of the Web server. In the example, it is 192.168.1.2.
  • Page 93: Activating The Public Access Interface

    Chapter 9: Activating the public access interface. This chapter explains how to configure and start the public access interface.
  • Page 94: Overview

    The public access interface is the sequence of web pages that customers use to login, logout, and view the status of their wireless sessions. The CN3200 ships with a default interface which you can customize to meet the needs of your installation.
  • Page 95: Step 1: Setting Up The Cn3200 Radius Client

    Important: To safeguard the integrity of the customer accounts, it is important that you protect communications between the CN3200 and the RADIUS server. The CN3200 lets you use PPTP or IPSec to create a secure tunnel to the RADIUS server. Refer to...
  • Page 96: Profile Name

    Retry interval Controls the retry interval (in seconds) for access and accounting requests that time-out. If no reply is received within this interval, the CN3200 switches between the primary and secondary RADIUS servers (if defined). If a reply is received after the interval expires, it is ignored.
  • Page 97: Primary Radius Server

    For 802.1x users, the authentication method is always determined by the 802.1x client software and is not controlled by this setting. If traffic between the CN3200 and the RADIUS server is not protected by a VPN, it is recommended that you use EAP-MD5 or MSCHAP V2 if supported by your RADIUS Server.
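The advice above (tunnel the RADIUS traffic, and avoid PAP when it is not tunnelled) follows directly from how RFC 2865 protects a request. The following is an added example, not Colubris code and not from the manual: it builds an Access-Request with the User-Password hiding scheme and a Vendor-Specific attribute of the kind the manual uses for CN3200 settings, verifies the Response Authenticator of the reply, and then shows the attack the tunnel prevents: anyone who captured one request/response pair can test candidate shared secrets offline against the Response Authenticator and, once the secret is found, unhide the PAP password. Assumptions: the vendor ID 8744 for Colubris Networks and vendor attribute type 1 (check both against the dictionary that ships with the unit), and all sample values below, which are constructed.

```python
"""RFC 2865 Access-Request/Accept as exchanged between the CN3200 and its RADIUS server
(added example, not Colubris code)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
COLUBRIS_VENDOR_ID = 8744   # assumption: IANA enterprise number for Colubris Networks


def attr(atype, value):
    """Type-Length-Value attribute; the length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) attribute carrying one vendor TLV (RFC 2865 5.26)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id)
                + struct.pack("!BB", vendor_type, len(value) + 2) + value)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NULs are padding (a password cannot end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # must be unpredictable (RFC 2865 3)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + vsa(COLUBRIS_VENDOR_ID, 1, b"ssid=public"))   # vendor type 1: assumption
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise on bad framing."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, packet[4:20], attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(response, request_auth, secret):
    code, identifier, auth, _ = parse(response)
    return auth == response_authenticator(code, identifier, response[20:], request_auth, secret)


def crack_secret(request, response, candidates):
    """Offline attack on a captured pair: the Response Authenticator lets an attacker
    test secrets without talking to the server. Returns (secret, password) or None."""
    _, _, req_auth, req_attrs = parse(request)
    hidden = dict(req_attrs)[USER_PASSWORD]
    for secret in candidates:
        if verify_response(response, req_auth, secret):
            return secret, reveal_password(hidden, secret, req_auth)
    return None
```

Two consequences for the settings above: the shared secret is the only thing standing between a captured PAP exchange and the customer's password, so it needs to be long and random rather than a word, and with CHAP, MSCHAP v2 or EAP-MD5 the packet carries a challenge response instead of the hidden password, which is why the manual prefers them when the link is not inside a VPN.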
  • Page 98: Step 2: Setting Up Cn3200 Authentication

    • a URL specifying the location of a configuration file. • MAC addresses of devices to authenticate. When you set up a profile for the CN3200 on the RADIUS server you define this information in the form of a Colubris Networks vendor-specific attribute. See “Creating a profile for the CN3200 on the RADIUS server”...
  • Page 99 ON/OFF each time its authentication state changes. Last authenticated Indicates when the CN3200 was last successfully authenticated. Force authentication Click this button to force the CN3200 to authenticate now. This lets you test your settings. Advanced settings Click this button to set additional authentication-related settings.
  • Page 100: Step 3: Setting Up Customer Authentication

    Step 3: Setting up customer authentication. The CN3200 uses the services of a RADIUS server to authenticate customer logins, track and manage connection time, and generate billing information. To log in to the public access network, each customer must supply a username and password.
  • Page 101: Step 4: Setting Up The Radius Server

    • Create a RADIUS profile for the CN3200 Before it can activate the public access interface, the CN3200 must log onto a RADIUS server and retrieve certain operating settings which you must define. Therefore, you must create at least one RADIUS profile for use by the CN3200.
  • Page 102: Step 5: Testing The Public Access Interface

    Step 5: Testing the public access interface To test your installation, use a wireless client station to log onto the public access interface. For this to work, the CN3200 must be configured as the client’s default gateway. 1. Start the client station’s web browser and enter the IP address (or domain name) of a web site on the Internet.
  • Page 103: Secure Remote Connectivity

    Chapter 10: Secure remote connectivity. This chapter explains how to establish secure connections to a remote network.
  • Page 104: Secure Remote Connectivity Using The Pptp Client

    Chapter 10: Secure remote connectivity Secure remote connectivity using the PPTP client The CN3200 features PPTP client software which enables it to create a secure connection to a remote site via a non-secure infrastructure like the Internet. PPTP works by creating a tunnel between two devices; traffic in the tunnel is protected against eavesdropping by encryption whose keys are derived from the account password exchange (MS-CHAP/MPPE). Because that exchange has known weaknesses, the confidentiality of a PPTP tunnel is only as strong as the account password; where the remote peer supports it, the IPSec option described later in this chapter is the stronger choice.
  • Page 105: Configuration Procedure

    Account Username Specify the username the CN3200 will use to log on to the PPTP server. If you are logging on to a Windows NT domain, specify: domain_name\username Password / Confirm password Specify the password the CN3200 will use to log on to the PPTP server.
  • Page 106: Network Address Translation (Nat)

    Network Address Translation (NAT): If you enable NAT, it effectively hides the addresses of all local computers so that they are not visible on the other side of the PPTP connection. If you disable NAT, then the appropriate IP routes must be added to send traffic through the tunnel.
  • Page 107: Secure Remote Connectivity Using Ipsec

    IPSec peers. The CN3200 supports IPSec on the Internet port. This enables you to use IPSec to safeguard data exchanged with remote RADIUS servers,...
  • Page 108: Configuration Procedure

    5. Click Save, when you are done. General A security association can only be established between the CN3200 and a peer if the policy is enabled. Name Specify a name for the policy. This identifies the policy in the IPSec security...
  • Page 109: Peer

    • Phase 1 exchange: key changed every 6 hours • Phase 2 exchange: key changed every 1 hour Note: The CN3200 will negotiate times up to 24 hours as required by the peer. Peer Accept any peer...
  • Page 110: Authentication Method

    Specify the domain name of the peer. Any DNS requests on the wireless LAN addressed to this domain are forwarded to the DNS server specified above. This enables the CN3200 to properly forward traffic to stations on the other side of an IPSec tunnel.
  • Page 111 Subnet / Mask: Only incoming traffic addressed to the specified subnet or host is accepted; all other traffic is dropped. To accept all traffic from the peer, specify both the Subnet and Mask as 0.0.0.0. Enable network address translation for traffic addressed to the specified Subnet.
  • Page 113: Centralized Architecture

    DRAFT Chapter 11: Centralized architecture. This chapter explains how to create centralized management structures for a variety of applications.
  • Page 114: Scenario #1: Centralized Authentication

    How it works In this scenario, each CN3200 forwards all user traffic to a remote NOC. The NOC is responsible for managing customer logins to the public access network and granting access to the Internet.
  • Page 115: Configuration Roadmap

    1. Open the Security > Authentication > Advanced page. 2. In the Access controller mode box, select Centralized and click Save. This disables the public access interface on the CN3200. 3. Open the Network > GRE page, and add two GRE tunnels to the remote NOC.
  • Page 116 DRAFT Chapter 11: Centralized architecture 9. Your settings should look like this when done: 10. Click Save.
  • Page 117: Scenario #2: Wholesaling With Gre

    The NOCs control customer logins to the public access network and grant access to the Internet. Each CN3200 is configured with two SSIDs for each WISP. The first is for customers using HTML logins, and the second is for customers who are using WPA or 802.1x.
  • Page 118: Configuration Roadmap

    1. Open the Security > Authentication > Advanced page. 2. In the Access controller mode box, select Centralized and click Save. This disables the public access interface on the CN3200. 3. Open the Network > GRE page, and add four GRE tunnels, two to each remote NOC.
  • Page 119: Scenario #3: Wholesaling With Vpns

    WISPs. How it works In this scenario, the CN3200 controls access to the public access network. A separate WLAN profile is defined for each WISP and is mapped to an IPSec tunnel that terminates at the appropriate NOC. Each WISP must provide a RADIUS server at the NOC to handle accounting and authentication duties.
  • Page 120 DRAFT Chapter 11: Centralized architecture 3. Open the Security > IPSec page and add two security associations, one to each remote NOC. • Set Only permit outgoing traffic addressed to the IP address of the NOC subnet.
  • Page 121 DRAFT Chapter 11: Centralized architecture 4. Open the Security > RADIUS page, and add two RADIUS profiles, one to each remote NOC. 5. Open the Wireless > WLAN profiles page, add two WLAN profiles. Make sure that each profile is mapped to the correct RADIUS profile.
  • Page 122: Scenario 4: Public/Private Access With Vlans

    • VLANs 51, 52, 53 and 70 are assigned to the corporate Intranet and are used by employees. VLAN carries authentication traffic to the RADIUS server. • VLAN 60 is used by guests and is mapped to the CN3200. Access lists on the CN3200 control the network resources guests can reach. For example, guests can use the Internet and specific servers or printers on the corporate Intranet.
  • Page 123: Configuration Roadmap

    • Downstream port mapped to VLAN 60. This means that all traffic with no VLAN assigned will be sent on VLAN 60 by default. Note that all management traffic from the CN300s will use this VLAN and therefore be sent to the CN3200. • Two SSIDs are defined: •...
  • Page 124 DRAFT Chapter 11: Centralized architecture 3. Open the Security > Access controller page. • Set the Access controller shared secret to same value as on the access controller. • Disable Location-aware authentication. On the RADIUS server Define the following: 1. Define accounts for the CN3000, guests, and employees. 2.
  • Page 125: Wireless Bridging

    DRAFT Chapter 12: Wireless bridging. This chapter explains how to use the wireless bridging feature to establish links between access points.
  • Page 126: Overview

    The wireless bridging feature enables you to use the wireless radio to create point-to-point wireless links to other access points. Each CN3200 can support up to six wireless bridges, which can operate at the same time as the network serving wireless customers.
  • Page 127 [Diagram: a CN3200 linked by wireless bridges to several CN300 access points, with a RADIUS server] In this scenario, each CN3200 must be equipped with the appropriate external antenna and be within line of sight to make the connection. Customers are authenticated via the RADIUS server.
  • Page 128: Setting Up A Wireless Link

    DRAFT Chapter 12: Wireless bridging Setting up a wireless link 1. On the Wireless menu, click Wireless links. The Wireless links page opens. 2. Click the wireless link you want to configure. The configuration page for the link opens. 3. In the Settings box, select Enabled. 4.
  • Page 129: Snmp Interface

    DRAFT Chapter 13: SNMP interface. This chapter provides an overview of the SNMP interface and the MIBs supported by the CN3200.
  • Page 130: Configuring The Snmp Interface

    DRAFT Chapter 13: SNMP interface Configuring the SNMP interface The CN3200 SNMP interface can be reached both locally and remotely for complete flexibility. To configure 1. On the main menu, click Management, then click SNMP. The SNMP configuration page opens.
  • Page 131: Agent

    Specify the IP address or domain name of the host that the CN3200 will send traps to. Port Specify the port that the CN3200 will send traps on. By default, port 162 is used. Configure Traps Click this button to customize certain traps.
  • Page 132: Standard Mibs

    Management consoles: ... SNMPv2c protocol. MIB II support details: The CN3200 provides complete read support of MIB II objects 1.10. The following table lists all MIB II objects defined as read/write and indicates which of them can be "set" on the CN3200.
  • Page 133 Group / Notes:
    • ipRouteAge
    • ipRouteMask
    • ipRouteMetric5
    • ipNetToMediaIfIndex
    • ipNetToMediaNetAddress
    • ipNetToMediaType(4): can be other(1), invalid(2), dynamic(3), or static(4).
    • tcpConnState(5): can be closed(1), listen(2), synSent(3), synReceived(4), established(5), finWait1(6), finWait2(7), closeWait(8), lastAck(9), closing(10), timeWait(11), or deleteTCB(12).
  • Page 134: Colubris Enterprise Mib

    DRAFT Chapter 13: SNMP interface Colubris Enterprise MIB The Colubris Enterprise MIB is available on the Colubris Networks web site. It is organized as follows: • COLUBRIS-CDP-MIB • COLUBRIS-IEEE802DOT11 • COLUBRIS-MAINTENANCE-MIB • COLUBRIS-PRODUCTS-MIB • COLUBRIS-SMI (Glue between standard tree and Colubris Enterprise MIB.) •...
  • Page 135: Colubris-Ieee802Dot11 Mib Details

    COLUBRIS-IEEE802DOT11 MIB details
    Group dot11StationConfig: dot11StationId, dot11MediumOccupancyLimit, dot11CFPPeriod, dot11CFPMaxDuration, dot11AuthenticationResponseTimeOut, dot11PowerManagementMode, dot11DesiredSSID, dot11DesiredBSSType, dot11OperationalRateSet, dot11BeaconPeriod, dot11DTIMPeriod, dot11AssociationResponseTimeOut, dot11PrivacyOptionImplemented
    Group dot11AuthenticationAlgorithms: dot11AuthenticationAlgorithmsEnable
    Group dot11WEPDefaultKeys: dot11WEPDefaultKeyValue
    Group dot11WEPKeyMappings: dot11WEPKeyMappingAddress, dot11WEPKeyMappingWEPOn, dot11WEPKeyMappingValue, dot11WEPKeyMappingStatus
    Group dot11Privacy: dot11PrivacyInvoked, dot11WEPDefaultKeyID, dot11WEPKeyMappingLength, dot11ExcludeUnencrypted
    Group dot11SMTnotification...
  • Page 136
    Group dot11Operation: Dot11RTSThreshold, Dot11ShortRetryLimit, Dot11LongRetryLimit, Dot11FragmentationThreshold, Dot11MaxTransmitMSDULifetime, Dot11MaxReceiveLifetime
    Group dot11Counters
    Group dot11GroupAddresses: Dot11Address, Dot11GroupAddressesStatus
    Group dot11PhyOperation: Dot11CurrentRegDomain
    Group dot11PhyAntenna: Dot11CurrentTxAntenna, Dot11CurrentRxAntenna
    Group dot11PhyTxPower: Dot11CurrentTxPowerLevel
    Group dot11PhyFHSS: Dot11CurrentChannelNumber, Dot11CurrentDwellTime, Dot11CurrentSet, Dot11CurrentPattern, Dot11CurrentIndex
    Group dot11PhyDSSS: Dot11CurrentChannel, Dot11CurrentCCAMode, Dot11EDThreshold
    Group dot11PhyIR: Dot11CCAWatchdogTimerMax, Dot11CCAWatchdogCountMax, Dot11CCAWatchdogTimerMin, Dot11CCAWatchdogCountMin...
  • Page 137
    Group dot11RegDomainsSupported
    Group dot11AntennasList: Dot11SupportedTxAntenna, Dot11SupportedRxAntenna, Dot11DiversitySelectionRx
    Group SupportedDataRatesTx
    Group SupportedDataRatesRx
    Traps: Not applicable.
  • Page 139: Ssl Certificates

    DRAFT Chapter 14: SSL certificates. This chapter explains how to create and install SSL certificates to secure communications with the CN3200.
  • Page 140: Overview Of Ssl Certificates

    5. The SSL connection is started. The host name in the currently installed SSL certificate is automatically assigned as the domain name of the CN3200. The factory default SSL certificate that is installed on the CN3200 has the host name wireless.colubris.com.
  • Page 141 DNS servers as configured on the Network > DNS/WINS page. To summarize, this means that by default, any DNS request by a client station on the wireless or LAN ports that matches wireless.colubris.com will return the IP address of the CN3200’s Internet port.
  • Page 142: Eliminating Certificate Warning Messages

    DRAFT Chapter 14: SSL certificates Eliminating certificate warning messages The default certificate installed on the CN3200 is not registered with a certificate authority. It is a self-signed certificate which is attached to the default IP address (192.168.1.1) for the CN3200.
  • Page 143: Creating An Ssl Certificate

    Creating an SSL certificate There are three ways to create a digital certificate: • Obtain a registered certificate from a recognized certificate authority: This is the best option, since it ensures that your certificate can be validated by any web browser.
  • Page 144 ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:www.company.com Email Address [support@colubris.com]:support@company.com Generated certificate request: Using configuration from openssl.conf...
  • Page 145: Becoming A Ca

    ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:Test-Only Certificate Authority Email Address [support@colubris.com]:ca@company.com...
  • Page 146 Creating the web server certificates Once you have created the CA certificates, you can use them to create certificates for your CN3200 or web server. 1. Open a Windows command-line session. 2. Go to the directory where you installed the certificate tools. This example assumes c:\certificates.
  • Page 147 ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:www.company.com Email Address [support@colubris.com]:webmaster@company.com Generated certificate request: Using configuration from openssl.conf...
  • Page 148 • www.company.com.pem, which contains the X.509 certificate for the web server’s public key. A copy of www.company.com.pem has been created as: C:\certificates\DemoCA\CA\newcerts\01.pem The file containing the next serial number that will be used for the next certificate to be signed has been updated: C:\certificates\DemoCA\CA\serial The previous version of this file is in:...
  • Page 149: Creating A Self-Signed Certificate

    DRAFT Chapter 14: SSL certificates 37:2b:ad:c2:18:9a:dc:ab:14:b9:de:f4:dd:d4:b8:21:84:59: 2a:8a:af:5f:ea:a5:33:1b:90:0e:56:ff:f5:34:5c:1b:8c:1b: ba:bd:64:1b:f0:6b:f4:a8:b8:14:dc:8b:1f:25:f9:04:25:85: 82:d5:07:8b:26:90:7d:c7:c8:71:ba:37:e0:a8:42:91:31:30: 2b:56:4a:34:70:14:22:38:7c:3f:99:5d:a5:5c:2c:a0:52:58: cc:b0:87:5d:14:ff:c3:7e:c8:ed:4e:a8:7b:ca:f3:d3:e3:85: 99:88:a4:7f:26:15:a1:14:61:01:87:18:53:ab:48:d4:f8:f9: aa:2d -----BEGIN CERTIFICATE----- MIID0DCCAzmgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCQ0Ex DzANBgNVBAgTBlF1ZWJlYzEOMAwGA1UEBxMFTGF2YWwxFTATBgNVBAoTDENvbXBh bnkgSW5jLjETMBEGA1UECxMKRGVwYXJ0bWVudDEoMCYGA1UEAxMfVGVzdC1Pbmx5 IENlcnRpZmljYXRlIEF1dGhvcml0eTEdMBsGCSqGSIb3DQEJARYOY2FAY29tcGFu eS5jb20wHhcNMDIwMjI4MTYzMTE3WhcNMDMwMjI4MTYzMTE3WjCBmjELMAkGA1UE BhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzEOMAwGA1UEBxMFTGF2YWwxFTATBgNVBAoT DENvbXBhbnkgSW5jLjETMBEGA1UECxMKRGVwYXJ0bWVudDEYMBYGA1UEAxMPd3d3 LmNvbXBhbnkuY29tMSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAY29tcGFueS5j b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPaTUjtr2nzy3EtfkyyaDFBS rD1apEPS7302tVScet+yvZuCQTuuB4pFJqM368HE5wTSZzLKCDOfrOwjieI2YGNh XC1gmpJI7bN8D2CUbaR01eupf0DMzSSuE/Cn6tuBpdAb3Cb4j4nGJx1c1a6klHbo 1hQ3rKqVYibYIrFf+xnVAgMBAAGjggEZMIIBFTAJBgNVHRMEAjAAMCwGCWCGSAGG +EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU 41o4d+QMuRaYv6jVpF2ogaLCcrYwgboGA1UdIwSBsjCBr6GBqaSBpjCBozELMAkG A1UEBhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzEOMAwGA1UEBxMFTGF2YWwxFTATBgNV BAoTDENvbXBhbnkgSW5jLjETMBEGA1UECxMKRGVwYXJ0bWVudDEoMCYGA1UEAxMf VGVzdC1Pbmx5IENlcnRpZmljYXRlIEF1dGhvcml0eTEdMBsGCSqGSIb3DQEJARYO Y2FAY29tcGFueS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEANyutwhia3KsUud70 3dS4IYRZKoqvX+qlMxuQDlb/9TRcG4wbur1kG/Br9Ki4FNyLHyX5BCWFgtUHiyaQ fcfIcbo34KhCkTEwK1ZKNHAUIjh8P5ldpVwsoFJYzLCHXRT/w37I7U6oe8rz0+OF mYikfyYVoRRhAYcYU6tI1Pj5qi0= -----END CERTIFICATE----- This time, the issuer and subject fields of the certificate are different. 
Verifying the certificate You can check that a certificate has been issued by your Certificate Authority using the command verifycert:...
  • Page 150 ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Laval]: Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc. Organizational Unit Name (eg, section) [Research & Development]:Department Your Name []:www.company.com Email Address [support@colubris.com]:webmaster@company.com...
  • Page 151 DRAFT Chapter 14: SSL certificates Note: Customers must install this certificate in their browsers to stop the certificate warning message. See the section “Installing certificates in a browser” on page 154.
  • Page 152: Converting A Certificate To Pkcs #12 Format

    Chapter 14: SSL certificates Converting a certificate to PKCS #12 format Before you can install a certificate on the CN3200, you need to convert it to PKCS #12 format. This can be done with the openssl program pemtopkcs12. Execute the command: pemtopkcs12 certificate Replace certificate with the name of the certificate file.
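The CA, web-server-certificate and PKCS #12 steps that the preceding pages walk through with the Colubris-supplied tools (the interactive prompts, verifycert and pemtopkcs12) can also be done with stock openssl(1), which is useful when those tools are not at hand. The script below is an added example for this page, not a script from the manual or from Colubris. It assumes openssl is on the PATH, works in a temporary directory, and reuses the manual's placeholder names (Company Inc., www.company.com, Test-Only Certificate Authority). It also adds a subjectAltName, which the 2004 procedure omits but which current browsers require before they will match a certificate to a host name.

```shell
#!/bin/sh
# Added example, not a Colubris script: the manual's CA / web-server-certificate / PKCS #12
# steps done with stock openssl(1). Assumes openssl is on the PATH. All names are placeholders
# taken from the manual's prompts (Company Inc., www.company.com, Test-Only Certificate Authority).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, requests and certificates

make_ca() {
  # Self-signed CA key and certificate (the manual's "Test-Only Certificate Authority").
  # Keep CAkey.pem offline: whoever holds it can mint certificates that every customer
  # browser which imported CAcert.pem will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/CAkey.pem" -out "$WORK/CAcert.pem" \
    -subj "/C=CA/ST=Quebec/L=Laval/O=Company Inc./OU=Department/CN=Test-Only Certificate Authority" \
    2>/dev/null
}

make_server_cert() {
  # $1 = host name customers are redirected to (www.company.com in the manual).
  # The manual only sets the CN; current browsers match the name against subjectAltName,
  # so the same name is added there too via a one-line extension file.
  host="$1"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/C=CA/ST=Quebec/L=Laval/O=Company Inc./OU=Department/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/CAcert.pem" -CAkey "$WORK/CAkey.pem" \
    -CAcreateserial -days 365 -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

verify_cert() {
  # Same check as the manual's verifycert: does $1.pem chain to our CAcert.pem?
  openssl verify -CAfile "$WORK/CAcert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

to_pkcs12() {
  # Same job as the manual's pemtopkcs12: bundle private key, certificate and CA certificate
  # into $1.p12 protected by password $2, the format the CN3200 accepts for upload.
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" -certfile "$WORK/CAcert.pem" \
    -name "$1" -out "$WORK/$1.p12" -passout "pass:$2"
}

pkcs12_subject() {
  # Print the subject of the end-entity certificate inside $1.p12 (password $2) before uploading.
  openssl pkcs12 -in "$WORK/$1.p12" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject
}
```

Run make_ca once, then make_server_cert, verify_cert and to_pkcs12 for each host name, and upload the resulting .p12 as described under "Installing a new SSL certificate"; CAcert.pem is the file customers import under "Installing certificates in a browser". If a device rejects the bundle, re-export it with the -legacy option of OpenSSL 3, which restores the RC2/3DES encoding that older firmware expects; the private key inside such a file is then protected by weak algorithms, so handle it accordingly.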
  • Page 153: Installing A New Ssl Certificate

    DRAFT Chapter 14: SSL certificates Installing a new SSL certificate Before you can install a new SSL certificate, make sure that it conforms to the following: • It must be in PKCS #12 format. See “Converting a certificate to PKCS #12 format”...
  • Page 154: Installing Certificates In A Browser

    If you are operating as your own certificate authority, installing a certificate signed by your own CA will still cause a security warning to appear when customers open the CN3200’s Login page. This occurs because your CA is not part of the group of well-known certificate authorities included with most browsers. This means customers will get a security warning when establishing the SSL connection with the Login page.
  • Page 155 DRAFT Chapter 14: SSL certificates 5. Click Browse. 6. Specify *.pem in the File name box, and press the Enter key, then select CAcert.pem and click Open.
  • Page 156 DRAFT Chapter 14: SSL certificates 7. Click Next. 8. Click Next.
  • Page 157: Netscape Navigator

    9. Click Finish. 10. Click Yes. Customers who do this will no longer see any security warnings. Netscape Navigator: To eliminate the certificate warning message in Netscape Navigator 7.1, do the following: 1. On the Edit menu, click Preferences. 2.
  • Page 159: Customizing The Public Access Interface

    DRAFT Chapter 15: Customizing the public access interface. This chapter provides an overview of the public access interface and explains how to customize it.
  • Page 160: Overview

    The public access interface is the sequence of web pages that customers use to login, logout, and view the status of their wireless sessions. The CN3200 enables you to tailor these pages to provide a customized look-and-feel for your site.
  • Page 161: Site Map

    The pages are split into two groups: internal pages and external pages. Note: You can also create a remote login page that resides on the web server and is not downloaded to the CN3200. See “Using a remote login page” on page 173 for details.
  • Page 162: Internal

    DRAFT Chapter 15: Customizing the public access interface Internal pages Internal pages are resident on the CN3200. You have the option of using the default pages supplied with the CN3200 or replacing them with customized pages of your own design.
  • Page 163 DRAFT Chapter 15: Customizing the public access interface Session page This page displays usage statistics for the session, and the logout button the customer clicks to terminate the session. The default Session page is: Managing the session page The session page is automatically opened after the customer logs in. By default, it contains the logout button.
  • Page 164: External

    The Welcome page includes a link to the page that was originally requested. If the CN3200 cannot reach the custom URL specified for the Welcome page or if a custom URL is not defined, it jumps directly to the page originally requested by the customer.
  • Page 165: How It Works

    DRAFT Chapter 15: Customizing the public access interface How it works The following diagram illustrates the sequence of events that occur when a customer attempts to browse an external web site.
  • Page 166: Customizing The Internal

    • Only one image can be included on these pages. It must be a .gif file (recommended size less than 20K). This same image file is shared by all pages, and must be resident on the CN3200. For instructions on how to change it, see “Examples”...
  • Page 167 Placeholder Description Returns the NAS ID assigned to the CN3200. By default, this is the unit’s serial number. Returns the RADIUS login name assigned to the CN3200. By default, this is the unit’s serial number.
  • Page 168: Examples

    • login.html • transport.html • session.html • fail.html 4. Edit the login.html to meet the requirements of your site. 5. Add the following entries to the RADIUS profile for the CN3200. login-page=web_server_URL/newpages/login.html transport-page=web_server_URL/newpages/transport.html session-page=web_server_URL/newpages/session.html fail-page=web_server_URL/newpages/fail.html logo=web server URL/newpages/logo.gif...
  • Page 169: Customizing The External

    Activating new external pages: To activate new external pages, you must define their URLs using the Colubris-AVPair value string when you create a RADIUS profile for the CN3200 or a customer. See Chapter 16 for information on how to create RADIUS profiles.
  • Page 170 This option is used with the remote login page feature. Returns the NAS ID assigned to the CN3200. By default, this is the unit’s serial number. Returns the RADIUS login name assigned to the CN3200. By default, this is the unit’s serial number.
  • Page 171: Examples

    5. Add the following entry to the RADIUS profile for the premium customers. welcome-url=web_server_URL/premium/welcome.html goodbye-url=web_server_URL/premium/goodbye.html 6. Add the following entry to the RADIUS profile for the CN3200. This gives all unauthenticated users access to the web server hosting the goodbye page. access-list=loginserver,ACCEPT,tcp,web server IP address...
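The attribute strings listed for the internal pages and for the premium customers above are carried to the CN3200 as Colubris-AVPair reply items. As an added illustration (not from the manual), this is how the two profiles would look in a FreeRADIUS users file. It assumes the server loads dictionary.colubris, which in FreeRADIUS defines Colubris-AVPair as a string attribute under vendor 8744 (check your local dictionary); the host names, the serial number used as the CN3200's login name, the passwords and the web server address are placeholders.

```text
# Profile for the CN3200 itself (its RADIUS login name defaults to the unit's serial number).
# The access-list entry is what lets customers who are not yet logged in reach the web
# server that hosts the external pages.
CN3200-SERIAL   Cleartext-Password := "device-secret-here"
        Colubris-AVPair += "login-page=https://web.example.net/newpages/login.html",
        Colubris-AVPair += "transport-page=https://web.example.net/newpages/transport.html",
        Colubris-AVPair += "session-page=https://web.example.net/newpages/session.html",
        Colubris-AVPair += "fail-page=https://web.example.net/newpages/fail.html",
        Colubris-AVPair += "logo=https://web.example.net/newpages/logo.gif",
        Colubris-AVPair += "access-list=loginserver,ACCEPT,tcp,192.0.2.10"

# Profile for a premium customer: custom Welcome and Goodbye pages.
premium-user    Cleartext-Password := "customer-password-here"
        Colubris-AVPair += "welcome-url=https://web.example.net/premium/welcome.html",
        Colubris-AVPair += "goodbye-url=https://web.example.net/premium/goodbye.html"
```

Each Colubris-AVPair line uses the += operator so that every value is added to the reply; with a plain = only the first value would be sent.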
  • Page 172 DRAFT Chapter 15: Customizing the public access interface Supporting PDAs Customers using PDAs that only support a single browser window will have difficulty using the public access interface in its standard configuration. The problem Once a customer logs in to the public access interface, two web pages are sent to their browser: the Welcome page and the Session page.
  • Page 173: Using A Remote Login

    Chapter 15: Customizing the public access interface Using a remote login page The CN3200 provides an option that allows you to redirect customers to a remote server to log in to the public access interface instead of using the internal login page.
  • Page 174: How It Works

    CN3200 via a RADIUS server. To accomplish this, the remote web server must send customer login information back to the CN3200. There are two ways to accomplish this: basic remote login or using the NOC-based authentication feature.
  • Page 175 • Communications between the customer’s browser and the CN3200 is always SSL-based. The default certificate on the CN3200 will generate a warning on the customer’s browser unless replaced with a certificate signed by a well-...
  • Page 176 4. Customize login.html to accept username and password information from customers and then send it to the CN3200. You can use code similar to the following example to redirect the customer’s web browser to the login URL on the CN3200 for authentication: <form action="https://CN3200.wireless.colubris.com:8090/goform/...
  • Page 177 ?username=username&password=password&ipaddr=customer_ip CN3000_ip is the IP address of the CN3200 or you could use a domain name if you have defined one using the hosts file on the web server. (By default, the secure web server on the CN3200 operates on port 8090. This can be...
  • Page 178 The login application can then construct the appropriate Host HTTP header. Example 1 Assume that the CN3200 is not behind a NATing device, and that its IP address is 192.168.4.2. The subject DN in its SSL certificates is www.noc-cn3000.com. The Host HTTP header should be set to one of: •...
  • Page 179 • logo.gif 3. Customize login.html to accept username and password information from customers and then send it to the CN3200. You could use code similar to the following PHP example to send login information back to the CN3200 for authentication: https://ipaddress of CNx:8090/goform/HtmlNocLoginRequest...
  • Page 180 Important: This request must come from the login application (or another application that is using the same SSL certificate). The CN3200 returns a positive or negative answer for the customer logout as standard HTML. The login application must parse this information to retrieve the response.
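The NOC-based variant above has the login application, rather than the customer's browser, send the customer's credentials to the CN3200 over SSL, and the CN3200 only accepts the request from the login application's own SSL identity. The following added example (not code from the manual or from Colubris) does this from a POSIX shell with curl, presenting the login application's certificate as a TLS client certificate. The CN3200 address and port 8090, the /goform/HtmlNocLoginRequest path and the username, password and ipaddr parameter names come from the manual; the certificate file names and the Host header value are placeholders. Unlike the manual's PHP fragment, it percent-encodes each value, since a password containing &, #, % or a space would otherwise change the meaning of the request.

```shell
#!/bin/sh
# Added example, not a Colubris script: build and send the NOC-based login request from
# the login application with POSIX sh and curl. Address, port, path and parameter names
# follow the manual; certificate paths and the Host header value are placeholders.
set -eu

urlencode() (
  # Percent-encode everything outside the RFC 3986 unreserved set, byte by byte.
  # LC_ALL=C makes the shell step through bytes, so UTF-8 input is encoded correctly.
  export LC_ALL=C
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"          # first byte of the remaining string
    s="${s#?}"                 # the rest
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
)

noc_login_url() {
  # $1 CN3200 address, $2 username, $3 password, $4 customer IP as the CN3200 sees it.
  # Port 8090 is the CN3200's default secure web server port.
  printf 'https://%s:8090/goform/HtmlNocLoginRequest?username=%s&password=%s&ipaddr=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

noc_login() {
  # $1..$4 as above; $5 Host header value (see the manual's Example 1 on constructing it);
  # $6 login application certificate (PEM), $7 its private key, $8 the CA that issued the
  # CN3200's certificate. Pinning the issuer with --cacert avoids the blanket -k/--insecure.
  # The CN3200 replies with an HTML page that the caller must parse for success or failure.
  curl --silent --show-error \
    --cert "$6" --key "$7" --cacert "$8" \
    -H "Host: $5" \
    "$(noc_login_url "$1" "$2" "$3" "$4")"
}
```

Because the password travels in the query string, make sure the login application does not log the URLs it requests, and that the CN3200 address it uses is the one whose certificate you pinned.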
  • Page 181: Location-Aware Authentication

    Important: This feature does not support 802.1x customers and devices using MAC-based authentication. How it works When a customer attempts to login to the public access network, the CN3200 sets the Called-Station-ID in the RADIUS access request to one of the following values (your choice): •...
  • Page 182: Parameters

    Called-Station-ID content Choose the value that you want the CN3200 to return in the Called-Station-ID when it generates a RADIUS access request for a customer login. • the MAC address of the wireless port the customer is associated with •...
  • Page 183: Ipass Support

    The CN3200 provides support for the Generic Interface Specification from iPass which enables you to create an iPass-compatible hotspot. To set up the CN3200 as an iPass hotspot, you must define the iPass authentication server on the Security > RADIUS page. You can use either Profile...
  • Page 184: Asp Functions

    To avoid having the customer login once registration is complete, the registration web server can send the customer back to the CN3200 using a special URL that will automatically log the customer into the public access interface. Assuming the registration server is 192.169.30.1, the register button code on the Login page might look something like this: <FORM><INPUT...
  • Page 185: Page Urls

    Chapter 15: Customizing the public access interface The NAS ID and NAS address are required when the customer is redirected back to the CN3200 after registration. The code on the registration web page would look something like this: // Registering user information in the backend database...
  • Page 186 DRAFT Chapter 15: Customizing the public access interface setTimeout('refresh()',3000); else //no login or logout is pending and customer is logged out document.form1.close.value = "Close window"; //change button label function refresh() // refresh the Fail page {document.location="<%GetFailRetryUrl();%>"; } IsLoggedIn() Returns "yes" if the customer is logged in. See IsRequestPending() for an example that shows how to use this function.
  • Page 187 TruncateMaxSessionTime(unit) Returns the total amount of connection time configured for the current customer truncated to the specified unit (Years, Days, Hours, Minutes or Seconds). For example, if the customer account is configured for 5000 seconds, then: •...
  • Page 188: Session Quotas

    DRAFT Chapter 15: Customizing the public access interface GetSessionRemainingTimeHMS() Returns the amount of connection time remaining for the current customer session in hours, minutes and seconds in the format: hh:mm:ss. ConvertSessionRemainingTime(unit) Returns the total amount of connection time remaining for the current customer in the specified unit.
  • Page 189 DRAFT Chapter 15: Customizing the public access interface GetSessionRemainingInputOctets(div) Returns the number of incoming octets the current customer session can still receive. This value is a decimal string (20 characters) representing a 64-bit unsigned integer. If you specify a value for the optional parameter div, then the return value is the number of octets divided by div.
  • Page 190: Ipass Support

    CN3200. • If a customer logs into the CN300, this function returns the MAC address of the CN300’s downstream port. • If a customer logs into the CN3200, this function returns the MAC address of the CN3200’s LAN port. iPassGetLoginResponseCode() Returns one of the following values when a customer attempts to login to iPass: Login was successful.
  • Page 191 Returns one of the following values when a customer attempts to logout from iPass: 150 Logout was successful. 255 The authentication server could not be reached due to an error on the CN3200 (Internet port not up, for example).
  • Page 192: Message File

    DRAFT Chapter 15: Customizing the public access interface Message file The functions GetAuthenticationErrorMessage() and GetSessionStateMessage() are used in various internal pages to return a string from the file “message.txt”. You can customize the messages in this file for your installation. See “Customizing the internal pages”...
  • Page 193: Login

    DRAFT Chapter 15: Customizing the public access interface # The customer has exhausted the available session time. stat-session-timeout = "Logged out. (Reached the session time limit.)" # User was logged out due to administrator termination stat-admin-reset = "Logged out. (Administrator terminated the session.)" # The network authentication software is down.
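A small script to read and sanity-check a customized message.txt, added here as an example and not taken from the manual. The format it parses is the one shown above: comment lines starting with # and key = "text" entries such as stat-session-timeout. The check against the factory file is the editor's suggestion, since a key dropped or misspelled while editing is the usual mistake when customizing this file; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not a Colubris script: read and check a customized message.txt.
# Assumes the factory format shown in the manual ('# comment' lines, 'key = "text"' entries)
# and that values contain no embedded double quotes, which none of the factory strings do.
set -eu

get_message() {
  # Print the quoted text for key $1 from file $2 (prints nothing if the key is absent).
  awk -v k="$1" '
    /^[[:space:]]*#/ { next }                                   # skip comments
    match($0, /^[[:space:]]*[A-Za-z0-9_-]+[[:space:]]*=/) {
      key = substr($0, 1, RLENGTH - 1); gsub(/[[:space:]]/, "", key)
      if (key == k) {
        rest = substr($0, RLENGTH + 1)
        if (match(rest, /"[^"]*"/)) { print substr(rest, RSTART + 1, RLENGTH - 2); exit }
      }
    }' "$2"
}

check_messages() {
  # Compare a customized file ($2) against the factory file ($1): every key the factory
  # file defines must still be present in the customized one and carry a quoted value, so
  # that GetAuthenticationErrorMessage() and GetSessionStateMessage() find what they look up.
  # Prints one line per problem and returns 1 if any were found.
  rc=0
  for key in $(awk '!/^[[:space:]]*#/ && /=/ { sub(/[[:space:]]*=.*/, ""); gsub(/[[:space:]]/, ""); print }' "$1"); do
    if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"[^\"]*\"" "$2"; then
      echo "missing or unquoted: $key"; rc=1
    fi
  done
  return $rc
}
```

Run check_messages factory-message.txt custom-message.txt before uploading a customized file; get_message is handy for spot-checking a single string.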
