Nomadix AG3100 User Manual

Access gateway

Summary of Contents for Nomadix AG3100

  • Page 2 Access Gateway Copyright © 2017 Nomadix, Inc. All Rights Reserved. This product also includes software developed by: The University of California, Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright...
  • Page 3: Product Information

    Write your product serial number in this box: Patent Information Please see the Nomadix website for a list of US and foreign patents covering this product release. Disclaimer Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein.
  • Page 4 WARNING: Risk of electric shock; do not open; no user-serviceable parts inside. CAUTION: Read the instruction manual prior to operation. AVERTISSEMENT (French): Risk of electric shock; do not open; do not attempt to disassemble the unit. ATTENTION (French): Read the instruction manual before use. WARNUNG ACHTUNG...
  • Page 5: Table Of Contents

    Table of Contents: Introduction, p. 1; About this Guide, p. 1; Organization, p. 2; Welcome to the Access Gateway, p. 3; Product Configuration and Licensing, p. 3; Key Features and Benefits, p. 4; Platform Reliability, p. 4; Local Content and Services, p. 4; Transparent Connectivity...
  • Page 6 Secure XML API, p. 20; Session Rate Limiting (SRL), p. 20; Session Termination Redirect, p. 21; Smart Client Support, p. 21; SNMP Nomadix Private MIB, p. 21; Static Port Mapping, p. 21; Tri-Mode Authentication, p. 21; URL Filtering, p. 21; Walled Garden, p. 22; Web Management Interface...
  • Page 7 Separate Guest HSIA and Admin ISP Links, with Failover Between Each ISP Link, p. 30; Guest HSIA Failover Only, to Admin Network, p. 31; Sharing Guest HSIA Network and Hotel Admin Network Among Multiple ISP Links, p. 31; Load Balancing With Users Connected to a Preferred ISP Link...
  • Page 8 Installing the Nomadix Private MIB, p. 62; Obtaining the Management Information Base (MIB) file, p. 62; Configuring the Management Information Base, p. 62; System Administration, p. 63; Choosing a Remote Connection, p. 64; Using the Web Management Interface (WMI), p. 64; Using an SNMP Manager...
  • Page 9 Enabling MAC Authentication {MAC Authentication}, p. 112; Assigning Passthrough Addresses {Passthrough Addresses}, p. 112; Assigning a PMS Service {PMS}, p. 113; Setting Up Port Locations {Port-Location}, p. 118; Setting up Quality of Service {QoS}, p. 122; Defining the RADIUS Client Settings {RADIUS Client}, p. 124; Defining the RADIUS Proxy Settings {RADIUS Proxy}...
  • Page 10 Deleting Port-Location Assignments, p. 157; Enabling Facebook Login for a Port Location, p. 157; Subscriber Intra-Port Communication, p. 158; Subscriber Administration Menu, p. 160; Adding Subscriber Profiles {Add}, p. 160; Displaying Current Subscriber Connections {Current}, p. 164; Deleting Subscriber Profiles by MAC Address {Delete by MAC}, p. 165; Deleting Subscriber Profiles by User Name {Delete by User}...
  • Page 11 Utilizing Packet Capturing {Packet Capture}, p. 201; Rebooting the System {Reboot}, p. 202; Routing Tables {Routing}, p. 202; Establishing Session Rate Limiting {Session Limit}, p. 204; Adding/Deleting Static Ports {Static Port-Mapping}, p. 204; Updating the Access Gateway Firmware {Upgrade}, p. 206; The Subscriber Interface...
  • Page 12 Accounting-Request, p. 246; Selected Detailed Descriptions, p. 247; Nomadix Vendor-Specific RADIUS Attributes, p. 248; Setting Up the SSL Feature, p. 251; Prerequisites, p. 251; Obtain a Private Key File (cakey.pem), p. 251; Installing Cygwin and OpenSSL on a PC, p. 251; Private Key Generation...
  • Page 13: Introduction

    The Nomadix Access Gateway hardware is configured and controlled by Nomadix Service Engine (NSE) software. The NSE 7.4 is the last Software Release that supports the AG2300, AG3100, and AG5500. NSE 8.8 series is the last software release that supports the AG5600.
  • Page 14: Organization

    Organization This User Guide is organized into the following sections: Chapter 1: Introduction. The current chapter; an introduction to the features and benefits of the Nomadix Access Gateway. Chapter 2: Installing the Access Gateway. Provides instructions for installing the Access Gateway and establishing the start-up configuration.
  • Page 15: Welcome To The Access Gateway

    Residential segments. Product Configuration and Licensing All Nomadix Access Gateway products are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The Access Gateway employs our NSE core software package and comes pre-packaged with the option to purchase additional modules to expand the product’s functionality.
  • Page 16: Key Features And Benefits

    Key Features and Benefits The Access Gateway is a 1U high, free-standing or rack-mountable device that provides Ethernet ports to interface with the router and the aggregation equipment within the network. It also provides an RS232 serial port for connecting to a Property Management System (PMS), while maintaining one billing relationship with their chosen provider.
  • Page 17: Billing Enablement

    Addresses and their associated VPN tunnels—by far the most reliable multi-session VPN passthrough to be tested against diverse VPN termination servers from companies such as Cisco, Checkpoint, Nortel and Microsoft. Nomadix’ iNAT feature allows multiple tunnels to be established to the same VPN server, creating a seamless connection for all users on the network.
  • Page 18 Initial Flash Page branding. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to redirect the user to a venue-specific Welcome and Login page. Home Page Redirect (Post-Authentication). This redirect page can be tailored to the individual user (as part of the RADIUS Reply message, the URL is received by the NSE) or set to re-display itself at freely configurable intervals.
  • Page 19: Nse Core Functionality

    NSE Core Functionality Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.
  • Page 20: Access Control

    You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth. With the Nomadix ICC feature enabled, subscribers can increase or decrease their own bandwidth and pricing plans for their service dynamically.
  • Page 21: Billing Records Mirroring

    Class-Based Queueing The Nomadix Class-Based Queueing feature provides the ability to define multiple groups (classes) of users. You can prioritize groups and guarantee minimum bandwidth on a per-group basis. Users are added to classes, and rules are applied across the entire class. Each class has three configurable...
  • Page 22
    Class | Priority | Minimum | Maximum | User Bandwidth Limit**
    Conference | | 30 Mbps | 100 Mbps | 5 Mbps
    Guest Room | | 50 Mbps | 100 Mbps | 5 Mbps
    Public | | 20 Mbps | 100 Mbps | 3 Mbps
    User Bandwidth Limit is not an attribute of Class Based Queueing, but can be applied (if desired) using existing Bandwidth Limit functionality.
  • Page 23 Example Illustration of Weighted Fair Queueing and Class-Based Queueing This example demonstrates the effects of using Weighted Fair Queueing and Class-Based Queueing together. In this example configuration, these parameters apply: a single WAN interface with a global upper limit of 900M; 600 total subscribers;...
  • Page 24: Command Line Interface

    The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.
  • Page 25: Dynamic Address Translation

    Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans. Recycle existing Web page content for the centrally hosted portal page. If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also Contact Information on page 268. Facebook Authentication You may provide Facebook authentication for facility guests.
  • Page 26: Home Page Redirect

    See also Portal Page Redirect on page 18. iNAT™ Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many public access networks.
  • Page 27: Information And Control Console

    Information and Control Console The Nomadix ICC is an HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For PayPal accounts, the ICC displays a dynamic “time”...
  • Page 28: Initial Nse Configuration

    Initial NSE Configuration See Installing the Access Gateway on page 35 for initial installation and configuration instructions. Internal Web Server The NSE offers an embedded Internal Web Server (IWS) to deliver Web pages stored in flash memory. These Web pages are configurable by the system administrator by selecting various parameters to be displayed on the internal pages.
  • Page 29: Ipv6 Device Management

    See also Information and Control Console on page 15. MAC Filtering MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time.
  • Page 30: Ntp Support

    Optionally, the RADIUS authentication process and FTP download can be secured by sending the traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also Secure Management on page 19.
  • Page 31: Radius Proxy

    Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. See also Defining IPSec Tunnel Settings {IPSec} on page 102.
  • Page 32: Secure Socket Layer (Ssl)

    XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
  • Page 33: Session Termination Redirect

    HP OpenView or Castle Rock). See Using an SNMP Manager on page 65. To take advantage of the functionality provided with Nomadix’ private MIB (Management Information Base), to view and manage SNMP objects on your product, see Installing the Nomadix Private MIB on page 62. Static Port Mapping...
  • Page 34: Walled Garden

    Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing. Web Management Interface Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also Using the Web Management Interface (WMI) on page 64.
  • Page 35: Optional Nse Modules

    The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
  • Page 36: Network Architecture (Sample)

    Network Architecture (Sample) The Access Gateway can be deployed effectively in a variety of wireless and wired broadband environments where there are many users—usually mobile—who need high speed access to the Internet. The following example shows a potential Hospitality application:
  • Page 37: Multiple Unit Clustering

    In the recent past, it was necessary to segment the network to serve a number of subscribers that exceed the user count on a Nomadix gateway. Now with clustering all subscribers can be on the same segment, as the subscribers are distributed across multiple gateways. A large number of subscribers can be distributed to as many as 256 gateways, thus providing a design capacity of two million subscribers.
  • Page 38 The following graphic illustrates a clustering scenario with 12,000 users and three gateways.
  • Page 39: Load Balancing And Link Failover

    7.5Mbps of bandwidth is available to be shared across all users, but a single user can receive a maximum of 1.5Mbps. All load-balancing appliances, as well as the Nomadix NSE, support link aggregation. In most cases, link aggregation and load balancing is effectively the same thing.
  • Page 40: Traffic Balancing And Weighting

    ISP link failure occurrences. Additional consideration must be made as to what actions should be taken when a failed ISP link recovers. The Nomadix approach is to rebalance as the ISP links change, thus making sure the maximum level of service is always provided. There is a small yet important waiting time to ensure changing links is kept to a minimum.
  • Page 41: Load Balancing Across Multiple Low Speed Links

    Load Balancing across Multiple Low Speed Links In this example, an establishment has access to only low-speed, DSL-based ISP circuits and wishes to aggregate five such links together. The Nomadix NSE is configured with load balancing between all links. Failover to Standby ISP Link In this example, the organization has a high-quality 100M Ethernet service.
  • Page 42: Separate Guest Hsia And Admin Isp Links, With Failover Between Each Isp Link

    Guest HSIA link until the Admin ISP is restored. The Nomadix NSE is configured with load balancing and failover. All Guests use ISP 1 as the preferred WAN, the Admin network router uses ISP2 as the preferred WAN.
  • Page 43: Guest Hsia Failover Only, To Admin Network

    Sharing Guest HSIA Network and Hotel Admin Network Among Multiple ISP Links In this scenario, multiple ISP links are connected to the Nomadix NSE, in a similar method to the first scenario, but both the guest HSIA network and the Hotel Admin network are connected to the NSE and share the aggregate bandwidth of the combined ISP links.
  • Page 44: Load Balancing With Users Connected To A Preferred Isp Link

    Load Balancing With Users Connected to a Preferred ISP Link In this scenario, the hotel has purchased 2 x ISP links for guest HSIA. One is a high-quality, high-cost "business grade" ISP circuit, and the other is a low-cost, lower-grade domestic service provided by the local cable TV operator.
  • Page 45: Online Help (Webhelp)

    Online Help (WebHelp) The Access Gateway incorporates an online Help system called “WebHelp” which is accessible through the Web Management Interface (when a remote Internet connection is established following a successful installation). WebHelp is HTML-based and can be viewed in a browser. WebHelp is useful when you have an Internet connection to the Access Gateway and you want to access information quickly and efficiently.
  • Page 46: Notes, Cautions, And Warnings

    Notes, Cautions, and Warnings The following formats are used throughout this User Guide: General notes and additional information that may be useful are indicated with a Note. Cautions and warnings are indicated with a Caution. Cautions and warnings provide important information to eliminate the risk of a system malfunction or possible damage.
  • Page 47: Installing The Access Gateway

    Installing the Access Gateway This section provides installation instructions for the hardware and software components of the Access Gateway. It also includes an overview of the management interface, some helpful hints for system administrators, and procedures. A Quick Reference Guide chapter is also provided in this document.
  • Page 48: Installation Workflow

    Installation Workflow The following flowchart illustrates the steps that are required to install and configure your Access Gateway successfully. Review the installation workflow before attempting to install the Access Gateway on the customer’s network.
  • Page 49: Powering Up The System

    Powering Up the System Use this procedure to establish a direct cable connection between the Access Gateway and your laptop computer, and to power up the system. Place the Access Gateway on a flat and stable work surface. Connect the power cord.
  • Page 50: User Manual And Documentation

    User Manual and Documentation The Nomadix product user manuals, product documentation and support files including MIB, XML DTD and sample dictionary files are located at the following URL: http://www.nomadix.com/support If you have any problems, please contact our technical support team at +1.818.575.2590, or email: support@nomadix.com.
  • Page 51: Start Here

    Start Here Unpack the Nomadix Access Gateway and place the product on a flat and stable work surface. Register the gateway for support services by completing and returning the Nomadix Gateway Registration Form; hardcopy enclosed or obtain the form online at http://www.nomadix.com/registration.
  • Page 52: Configuration

    ORDER TO PROCEED WITH INSTALLATION. SEE USER'S GUIDE FOR LICENSE KEY INFORMATION. INSTALLATION WILL NOW TRY TO CONTACT THE NOMADIX LICENSE KEY SERVER. IN ORDER TO PROCEED, THE NSE MUST BE ABLE TO CONNECT TO THE INTERNET. DO YOU WANT TO CONFIGURE THE NSE'S IP AND DNS SETTINGS? [yes/no]: y...
  • Page 53: Step 1B: Dhcp Client Configuration

    Subnet Mask : Your subnet mask Gateway IP : Your gateway IP address WAN 802.1Q tagging : Disabled VLAN ID : 1 DNS Domain Name : nomadix.com DNS Server 1 : Your primary DNS IP address DNS Server 2 : DNS Server 3 : 0.0.0.0...
  • Page 54: Step 1C: Pppoe Dynamic Ip Client Configuration

    A WAN port summary page will then be displayed as shown in Figure 5. Port Name : WAN Port Role : wanIf Configuration Mode : dhcp IP Address : Your IP address Subnet Mask : Your subnet mask Gateway IP : Your gateway IP address WAN 802.1Q tagging : Disabled VLAN ID : 1...
  • Page 55 PPP Maximum TCP MSS [1452 ] : WAN 802.1Q tagging [Disabled ] : VLAN ID [1] : DNS Domain Name [nomadix.com ] : DNS Server 3 [0.0.0.0 ] : Figure 6: Selecting PPPoE with dynamic IP configuration. A WAN port summary page will then be displayed as shown in Figure 7.
  • Page 56: Step 1D: Pppoe Static Ip Client Configuration

    EULA before the AG can retrieve its license key. To retrieve the license key, enter (y)es as shown in Figure 9. The AG retrieves the license key from the Nomadix license key server, then reboots.
  • Page 57: Step 4: Configuring The System

    PLEASE READ THE NOMADIX END USER LICENSE AGREEMENT ('AGREEMENT') INCLUDED WITH THE NOMADIX PRODUCT. BY USING THIS SOFTWARE, YOU INDICATE YOUR ACCEPTANCE OF THE AGREEMENT. I AGREE TO THE TERMS AND CONDITIONS OF THE NOMADIX END USER LICENSE AGREEMENT. (Y)ES (N)O The system will now try to contact the Nomadix License Key Server.
  • Page 58
    DHCP Parameter | Your Settings | Default Values
    DHCP Server Subnet Mask | | 255.255.255.0
    DHCP Pool Start IP Address | | 10.0.0.12
    DHCP Pool End IP Address | | 10.0.0.72
    DHCP Lease Minutes | | 1440
    An example of a basic network including an AG is shown below.
  • Page 59: The Management Interfaces (Cli And Web)

    The Management Interfaces (CLI and Web) The Access Gateway supports various methods for managing the system remotely. These include an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. However, until the unit is installed and running, system management is performed from the Access Gateway’s embedded CLI via a direct serial cable connection.
  • Page 60: Inputting Data - Maximum Character Lengths

    Inputting Data – Maximum Character Lengths The following table details the maximum allowable character lengths when inputting data: Data Field Max. Characters All Messages (billing options) All Messages (subscriber error messages) All Messages (subscriber login UI) All Messages (subscriber “other” messages) Description of Service (billing options Plan) Home Page URL Host Name and Domain Name (DNS settings)
  • Page 61: Online Documentation And Help

    The Web Management Interface (WMI) incorporates an online help system that is accessible from the main window. Other online documentation resources, available from our corporate Web site (www.nomadix.com/support), include a full PDF version of this User Guide (viewable with Acrobat™ Reader), How-To Guides, README files, white papers, technical notes, and business cases.
  • Page 62: Establishing The Start Up Configuration

    Establishing the Start Up Configuration The CLI allows you to administer the Access Gateway’s start-up configuration settings. When establishing the start-up configuration for a new installation, you are connected to the Access Gateway via a direct serial connection (you do not have remote access capability because the Access Gateway is not yet configured or connected to a network).
  • Page 63: Setting The Snmp Parameters (Optional)

    (yes) to reboot your Access Gateway. Sample Screen Response: Configuration>sn Enable the SNMP Daemon? [Yes]: Enter new system contact: newname@domainname.com [Nomadix, Newbury Park, CA] Enter new system location: Office, Newbury Park, CA Enter read/get community [public]:
  • Page 64: Configuring The Wan Interface

    A summary of the WAN port settings is now displayed; if they are correct, type “b” again. You will now see the Nomadix location configuration page. Enter contact data and agree to the Nomadix End User License Agreement. Your license will be retrieved when you enter “y”. The NSE will then reboot to activate your license settings.
  • Page 65: Enabling The Logging Options (Recommended)

    Enabling the Logging Options (recommended) System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authentication, Authorization, and Accounting) functions. You can enable either of these options. Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7).
  • Page 66 6: Info 7: Debug Select an option from above [7]: 7 Enter System Log Server IP [255.255.255.255]: 10.10.10.10 Enable/disable System Log Save to file [disabled ]: enable Enable/disable AAALog [disabled ]: enable Enter AAA Log Number (0-7) [0 ]: 2 Enter AAA Log Filter 0: Emergency 1: Alert...
  • Page 67: Logging Out And Powering Down The System

    AAA Log Server IP 10.10.10.10 AAA Log Save to file Enabled RADIUS History Log Enabled RADIUS History Log Number RADIUS History Log Filter RADIUS History Log Server IP 10.10.10.10 RADIUS History Log Save to file Enabled System Report Log Enabled System Report Log Number System Report Log Server IP...
  • Page 68: Establishing The Basic Configuration For Subscribers

    Establishing the Basic Configuration for Subscribers When you have successfully established the startup configuration and installed the unit onto the customer’s network, connect to the Access Gateway via Telnet. You must now set up the basic configuration parameters for subscribers, including: Setting the DHCP Options –...
  • Page 69: Dhcp Options From Rfc 2132

    External DHCP Server IP 0.0.0.0 DHCP Relay Agent IP 0.0.0.0 DHCP Server Enabled DHCP Server Subnet-based Disabled Forwarded DHCP Clients Disabled Server-IP Server-Netmask Start-IP End-IP Lease Type IPUp 208.11.0.4 255.255.0.0 208.11.0.5 208.11.0.7 PRIV 10.0.0.4 255.255.255.0 10.0.0.5 10.0.0.250 PRIV NO * * Default IP Pool DHCP IP Pools Configuration:...
  • Page 70 Option Description Option Code Sequence of 1 or more octets ASCII string of 1 or more printable characters 12, 14, 17-18, 40, 47, 64, 66-67 Disallowed options: Some option codes are not allowed, for one of the following reasons: Items that are already configured elsewhere as a separate DHCP pool or NSE configuration...
  • Page 71: Dhcp Dynamic Enable And Disable

    DHCP Dynamic Enable and Disable Click -> . Click the . Note that DHCP Configuration DHCP Server-IP Enable this DHCP Pool enable/disable is dynamic, no reboot required. Setting the DNS Options DNS allows subscribers to enter meaningful URLs into their browsers (instead of numeric IP addresses) by automatically converting the URLs into the correct IP addresses.
  • Page 72 Enter UDP DNS Redirection Port [1029 Enter Proxy UDP DNS Port [1028 Enable/Disable DNSSEC [enabled ]: Host Name DNS Redirection Port Mode fixed UDP DNS Redirection Port 1029 Proxy UDP DNS Port 1028 DNSSEC Support enabled
  • Page 73: Archiving Your Configuration Settings

    Archiving Your Configuration Settings Once you have installed your Access Gateway and established the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, your archived settings can be restored at any time.
  • Page 74: Installing The Nomadix Private Mib

    The Nomadix Private Management Information Base (MIB) allows you to view and manage SNMP objects on your Access Gateway. To use the MIB, you must obtain the appropriate nomadix.mib file for your Access Gateway. This file is available in the Support area of the Nomadix web site.
  • Page 75: System Administration

    System Administration This section provides all the instructions and procedures necessary for system administrators to manage the Access Gateway on the customer’s network (after a successful installation). The system administration procedures in this section are organized as they are listed under their respective Web Management Interface (WMI) menus: Configuration Menu on page 68...
  • Page 76: Choosing A Remote Connection

    Choosing a Remote Connection Once installed and configured for the customer’s network, the Access Gateway can be managed and administered remotely with any of the following interface options: Using the Web Management Interface (WMI)―Provides a powerful and flexible Web interface for...
  • Page 77: Using An Snmp Manager

    (MIB). SNMP enables managers and agents to communicate with each other for the purpose of accessing these MIBs and retrieving data. See also Installing the Nomadix Private MIB on page 62. The following example shows a (partial) SNMP screen response.
  • Page 78: Logging In

    Logging In To access the Access Gateway’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to Assigning Login User Names and Passwords). User names and passwords are case-sensitive.
  • Page 79: About Your Product License

    Some features included in this section will not be available to you unless you have purchased the appropriate product license from Nomadix. In this case, the following statement will appear either immediately below the section heading or when the feature is mentioned in the body text: Your product license may not support this feature.
  • Page 80: Configuration Menu

    Configuration Menu Defining the AAA Services {AAA} This procedure shows you how to set up the AAA (Authentication, Authorization, and Accounting) service options. AAA Services are used by the Access Gateway to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. The Access Gateway currently supports several AAA models that are discussed in Subscriber Management on page 213.
  • Page 81 XML is used by the Access Gateway’s subscriber management module for port location and user administration. Enabling the XML interface allows the Access Gateway to accept and process XML commands from an external source. XML commands are sent over the network to the Access Gateway. The Access Gateway parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
  • Page 82 <NUM_PAGES></NUM_PAGES> <COST></COST> <TIME_SUBMITTED></TIME_SUBMITTED> </USG> Subscribers could get to print.server.com by: ICC button link; Printout in the hotel room; Link from the hotel’s HPR Page. Your product license may not support this feature. Enable or disable the AAA Passthrough Port feature, as required. System administrators can set the Access Gateway to pass-through HTTPS traffic, in addition to standard port 80 traffic, without being redirected.
  • Page 83 Enable or disable Facebook Login. If you enable Facebook login, you must provide a Facebook App ID and Facebook App secret code. Instructions for creating these are available from Facebook. Depending on which authorization mode you choose, go to the following sub-sections in this procedure: Enabling AAA Services with the Internal Web Server –...
  • Page 84 Adding SSL support to the Access Gateway requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix. To enable SSL Support, your Access Gateway’s flash must include the server.pem, cakey.pem, and cacert.pem certificate files (the “cacert.pem”...
  • Page 85 The Access Gateway is configured to use PayPal. You will need to open a business account with PayPal before this feature can be used. Please contact Nomadix Technical Support for assistance. Refer to Contact Information on page 268. All data communications between the Access Gateway and PayPal are encrypted by the SSL (Secure Sockets Layer) protocol.
  • Page 86 Enabling AAA Services with an External Web Server You are here because you want to enable the AAA Services with an External Web Server (EWS). In the EWS mode, the Access Gateway redirects the subscriber’s login request to an external server. Select the tab.
  • Page 87: Establishing Secure Administration {Access Control}

    In order to utilize the parameter signing feature, the EWS or Portal Page Server used must be configured to correctly parse and verify the signing information. Documentation that includes guidelines for configuring a server to support signing can be obtained by contacting Nomadix Technical Support. Establishing Secure Administration {Access Control} The Access Gateway allows you to block administrator access to interfaces (Telnet, WMI and FTP, SSH and SFTP) and incorporates a master access control list that checks the source (IP address) of administrator logins.
  • Page 88 The NSE supports secure https connections to the Web Management Interface (WMI). Correct certificates must be installed on the NSE flash memory for these connections to function properly. The same certificate set that is used to support SSL connections for subscribers is used for this purpose. For documentation about configuring the system to support secure connections, contact technical support.
  • Page 89 SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the Access Gateway administration interface. For assistance, contact Nomadix Technical Support. Enable or disable subscriber-side interface blocking for any of the following interfaces enables/disables blocking of Telnet access from the subscriber-side to the NSE...
  • Page 90: Defining Automatic Configuration Settings {Auto Configuration}

    Restore to its previous state. Enabling Auto Configuration As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status) are downloaded from an FTP server into the flash of the Nomadix device.
  • Page 91 Administrative Steps to Enable Auto-Config for the NOC Administrator: Add NAS IP address. Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server. Create a RADIUS profile with the configuration VSA. Create an FTP server with the configuration files.
  • Page 92: Setting Up Bandwidth Management {Bandwidth Management}

    The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto-Configuration option and rebooting the device (for example, using SNMP). See also Defining Automatic Configuration Settings {Auto Configuration}.
  • Page 93: Group Bandwidth Limit Policy

    The Group Bandwidth Limit Policy allows you to assign a common bandwidth rate limiting policy to a group of subscriber devices. All devices within the group share the total bandwidth allocated to the policy. The Group Bandwidth Limit Policy feature defines the following vendor-specific attributes (VSAs): Nomadix Name Role/Value...
  • Page 94: Group Bandwidth Limit Policy - Current Table

    The lifetime of a group policy record in the collection is determined by the session time of the authorized (i.e. VALID) subscribers participating in the group. Group policy records are removed from the collection when the last subscriber device belonging to the group is logged out of the NSE regardless of the reason (e.g. session timeout, idle timeout, deletion of the subscriber by an administrator, etc).
  • Page 95 If you want to enable the billing records “mirroring” functionality for credit card transactions, click on the check box for Enable Bill Record Mirroring. Enter the property identification code in the Property ID field. Enter the communication parameters for the primary server that is to be used for mirroring, including: •...
  • Page 96: Class-Based Queueing

    Class-Based Queueing Nomadix Class-Based Queueing provides a flexible way to control the bandwidth provided to individual groups of users (classes). Classes have both maximum and minimum bandwidth specifications. You can add users to classes and apply attributes across entire classes. Each class has 3 configurable...
  • Page 97 Subscribers can be assigned to a specific class/sub-class using Radius VSA. Subscribers with no class membership are assigned a priority of 8. ATTRIBUTE Nomadix-Bw-Class-Name 27 string For example, when a subscriber logs in and this attribute is defined as follows, the subscriber gets assigned to the class priority1.Subclass.
  • Page 98: Clustering {Clustering}

    The NSE will intercept and respond to DNS queries containing configurable strings. Subscribers requesting a website at that DNS will obtain a DNS response that contains a “magic” IP address (which is the same value obtained when the subscriber queries the DNS string “logout.nomadix.com”). System Administration...
  • Page 99 The NSE will process HTTP requests for that “magic” IP address (configurable on the AAA page), and will reply with an HTTP redirection (which may include a number of signed redirection parameters) to a configured URL. By following the HTTP redirection, the subscriber will reach the target URL, and he/she will then be served a page containing whatever information is relevant (account and/or other specific information).
  • Page 100: Managing The DHCP Service Options {DHCP}

    From the Web Management Interface, click on Configuration, then Destination HTTP Redirection. The Destination HTTP Redirection Settings screen appears: To enable Destination HTTP Redirection, click on the Enabled check box. The default setting is disabled. You may create up to 20 portal pages. In the Portal Pages section, enter the matching string that will be directed to the portal page in the...
  • Page 101 From the Web Management Interface, click on Configuration, then DHCP. The DHCP Settings screen appears: Nomadix’ patented Dynamic Address Translation (DAT) functionality is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers.
  • Page 102 Originating NSE physical subscriber port • VLAN ID of the subscriber • Nomadix IANA ID • Port-specific description (view/set in the Port-Location Table). You can view the Relay Agent Information, or change the Site prefix, by clicking the show/hide toggle button on the screen.
  • Page 103: Managing The DNS Options {DNS}

    • DHCP Pool Start IP • DHCP Pool Stop IP Enter the DHCP Lease Minutes. Select Public Pool or Private Pool, as required. A “public” IP address will not be translated by DAT. If required, make this an and/or the by checking the appropriate boxes.
  • Page 104: Enabling DNSSEC Support

    Enabling DNSSEC Support DNSSEC support adds authentication and integrity capability to DNS systems. The DNSSEC feature in the NSE allows DNSSEC queries and responses to traverse the NSE between subscribers and the NSE’s configured DNS servers. The NSE itself does not participate in DNSSEC trust relationships with subscribers. Use the following procedure to set the DNS configuration options.
  • Page 105: Ethernet Ports/WAN

    Enter the user name for the DDNS server account in the Username field. c. Enter the password name for the DDNS server account in the Password field. In the Force Update field, click Save and Force Update to force an immediate update to the DDNS. Note that too many updates may be considered abuse by the DDNS vendor.
  • Page 106: IPv6 Device Setup

    Click any individual interface name to view and set details of the individual WAN. IPv6 Device Setup The NSE now supports external access to subscriber-side IPv6 devices. This works on standard ports, fiber ports, and even Link Aggregation Groups. Basic functionality is equivalent to IPv4 static port mapping except as follows: •...
  • Page 107 Enable IPv6 on the involved ports. Set up prefix delegation on the WAN port. Determine the delegated prefix and interface address for the subscriber port you will use. (Network Info / Interfaces) Based on that information, configure the device’s IPv6 settings. Delegated prefixes are assigned in sequence starting at 0 for Eth0.
  • Page 108: Link Aggregation

    Two Link Aggregation Groups (LAGs) are available, and can be used for WAN or Sub connections as desired. Nomadix LAGs support LACP (Link Aggregation Control Protocol), so when configuring the connecting switch you would choose “active” mode. LAGs are listed in the Ethernet Ports / WAN listing like any other port.
  • Page 109 • Once the LAG is populated all configuration is done to the LAG, not the individual ports. The LAGs look and behave and are configured exactly like individual WAN and Sub ports. Use the following steps to set up a LAG: Set the desired port to AGG mode.
  • Page 110: Enabling Fast Forwarding

    Enabling Fast Forwarding NSE version 8.8 provides a Fast Forwarding mode. This mode enhances overall system throughput, and provides as much as double previously-achievable bandwidth. To enable Fast Forwarding mode, choose Configuration > Fast Forwarding. Check Enabled. If you enable Fast Forwarding, some counting statistics (e.g., bytes sent / received) are updated somewhat less frequently than when the feature is disabled.
  • Page 111: Setting The Home Page Redirection Options {Home Page Redirect}

    Enabling Intelligent Address Translation (iNAT™) The Nomadix patented iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT™ System Administration...
  • Page 112 engine performs a defined mode of network address translation based on packet type and protocol (for example, IKE etc…). NSE provides the following iNAT enhancements: A separate iNAT interface page shows the settings for each port in either WAN or OOS modes. ...
  • Page 113: Interface Monitoring

    If you enabled iNAT, you have the option of enabling or disabling the following VPN protocols: • PPTP • PPTP CALL ID • IPSEC Click on the Save button to save your options. Use the iNAT Start and iNAT End fields to enter an IP address or range of IP addresses (up to 50), then click on the...
  • Page 114: Defining IPSec Tunnel Settings {IPSec}

    Defining IPSec Tunnel Settings {IPSec} From the Web Management Interface, click on Configuration, then IPSec. The IPSec Tunnel Settings screen appears: Check the Enable IPsec checkbox to enable IP Security. Check Enable NAT Traversal to allow packets to traverse NAT/IPsec boundaries. Click Save to save the setting.
  • Page 115 Adding a new IPSec tunnel peer Click the Add button in the IPSec Tunnel Peers table. The IPSec Tunnel Peer Settings screen opens. Enter the IP address of the peer in the Tunnel Peer field. Enter a Dead Peer Detection interval (integer value in seconds). Select the Internet Key Exchange (IKE) Protocol Version.
  • Page 116: Managing IPSec Security Policies

    Modifying an Existing IPSec Tunnel Peer Click on the IPSec tunnel peer link that you wish to modify in the IPSec Tunnel Peers table. The IPSec Tunnel Peer Settings screen opens. Modify the settings as desired. Click: Modify to save the changes to the peer.
  • Page 117 Select the tunnel peer IP address for which you would like to add a security policy from the Tunnel menu. You must select a peer if the policy is using ; if the policy is a peer IP address policy, select Discard Bypass...
  • Page 118 The options are None, 768-bit, 1024-bit, 1536-bit, and 2048-bit. The default setting is None. Enter the maximum lifetime (in seconds) in the Maximum Lifetime field. The default setting is 28800. Enter the maximum life size (in kbytes) in the Maximum Lifesize field. Enable the automatic renewal option by putting a check in the Automatic renewal checkbox.
  • Page 119: Load Balancing

    Load Balancing Load Balancing is an optional licensed feature. For an overview of Nomadix load balancing and common use cases, see Load Balancing and Link Failover on page 27. The NSE can balance subscriber assignment between all active WAN interfaces when Load Balancing mode is enabled.
  • Page 120: Managing The Log Options {Logging}

    Location Settings screen appears: Enter your location information in the following fields: Company Name; Site Name; Address (Line 1 and Line 2); City, State, Zip, and Country; E-mail Address; ISO Country Code; Phone Country Code...
  • Page 121 multiple properties, the properties are identified in the log files by their IP addresses. From the Web Management Interface, click on Configuration, then Logging. The Log Settings screen appears: If required, click on the check box for System Log to enable system logging.
  • Page 122 a number disables any syslogs above that filter setting. For example, setting the filter to 2:Critical only generates 0:Emergency, 1:Alert and 2:Critical level syslogs. All other syslogs are not generated. Log save to file Setting: This setting enables/disables saving of syslogs generated by the system to a file named “syslog.txt”...
  • Page 123 PageFaults are stored in the file named “lograw.txt” in the /flash directory and are not viewable on the web management interface. Enabling the Subscriber Tracking Log Check the Subscriber Tracking Log option to enable or disable the Subscriber tracking log. Note: NTP must be enabled on the NSE for Subscriber tracking log to be enabled.
  • Page 124: Enabling MAC Authentication {MAC Authentication}

    Click Save to save your changes, or click Restore if you want to reset all the values to their previous state. When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to Sample SYSLOG Report on page 241 and Sample AAA Log on page 240.
  • Page 125: Assigning A PMS Service {PMS}

    If required, enable Passthrough Addresses, then click on the Save button. If you are supporting Facebook authentication, you must add Passthrough Addresses www.facebook.com:443 and fbstatic-a.akamaihd.net. In the IP/DNS Name field, enter the IP address or DNS name of the pass-through you want to add or remove from the system.
  • Page 126 (or alternatively use low-cost wired access concentration equipment) that either do not support port-ID or do so in a proprietary format that Nomadix does not currently support— and still be able to bill directly to the room.
  • Page 127 PMS port is working. To run the utility, you must have the Nomadix-supplied db9-rj45 adapter plugged into the same device that you used to check the command-line interface. Set up a terminal session, with the same terminal settings you previously used.
  • Page 128 Skip First Char in Last Name • OnQ Compliant (Enable this option if you want to use Nomadix Micros POS emulation to query & post to Hilton Corporation's OnQ PMS system). In the Miscellaneous Settings group, you may enable phonetic name matching for WFB, FOSSE, MICROS, and MICROS Fidelio.
  • Page 129 Click Phonetic test to test the feature. Enter a string; the NSE will return a phonetic key. Click Post to folio with CA or SC to enable cash and signed charge payments (Marriott). Check the Suppress Posting of Zero Payment Amount if XML Charges of $0.00 should only do a lookup for the name and room to the Micros Fidelio and MICROS PMS types.
  • Page 130: Setting Up Port Locations {Port-Location}

    Click Save to save your changes and restart the serial interface, or click Restore if you want to reset all the values to their previous state. Based on the HOBIC interface standards, Nomadix, Inc. has also certified interoperability with a number of other PMS and call accounting solutions such as Ramesys’ ImagInn, Xeta Virtual XL, and Hilton’s proprietary standard OnQ.
  • Page 131 System administrators can set the properties for each room from the subscriber side of the Access Gateway. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using. If required, click on the check box for to enable this feature.
  • Page 132 • RFC1493 Compliant Systems • RiverDelta 1000B • Elastic Networks These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. The information can then be “sent to” and “billed by” the PMS. You must enter IP address (not name), SNMP community...
  • Page 133 conflicts, you must ensure that the VLAN tags are different on the different devices. Enable In Room Port Mapping and assign a user name and password (see previous section, Steps 2 & Enter the following URL target format: http://(Access Gateway IP address):1111/usg/roommapping For example: http://219.57.108.103:1111/usg/roommapping...
  • Page 134: Setting Up Quality Of Service {QoS}

    Room Blocked. Click on the Save button to save your changes. Repeat Steps 4 through 6 for each room (see note). If you leave your browser open, the “cookie” that is placed on your system will allow you to go from room to room during the mapping process.
  • Page 135 Select Add Policy to define a new QoS policy, or select a link to a policy that is already defined in order to modify it. The Add QoS Policy for Subscribers screen appears: System Administration...
  • Page 136: Defining The RADIUS Client Settings {RADIUS Client}

    The “Usernames” function must be enabled for a RADIUS login. See also Configuration Menu on page 68. Nomadix offers an integrated RADIUS client, allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user.
  • Page 137 The Access Gateway's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee. All subscribers attempting to gain access to the network are validated by RADIUS. For additional RADIUS information, see also: Defining the RADIUS Proxy Settings {RADIUS Proxy} on page 128...
  • Page 138 Realm-Based (for Realm routing); Fixed (for routing to predefined RADIUS servers). Select the Default RADIUS Service Profile from the pull-down menu. Enter a Local Authentication Port and a Local Accounting Port. Select whether Later Login Supersedes Previous. This will allow a secondary form of authentication to override the original authentication if necessary, and use the credentials of the last login to succeed.
  • Page 139 The following VSAs are used for implementation of volume- and time-based Radius termination action: VSA Name Value Termination-Action Session-Timeout Nomadix-MaxBytesDown 3000000 Nomadix-MaxBytesUp 3000000 If required, check the box for Enable Session-Terminate-End-Of-Day When Authorized (to allow business policies that want to terminate the session at midnight of every day).
  • Page 140: Defining The RADIUS Proxy Settings {RADIUS Proxy}

    Defining the RADIUS Proxy Settings {RADIUS Proxy} A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers.
  • Page 141 Leave this field blank if default routing is not desired. Place a check in the box of the Nomadix VSAs to be enforced by the Proxy for this entry: • Enforce Bandwidth-Up VSA : The Radius VSA for Bandwidth-Up will be passed on to the Upstream NAS when enabled.
  • Page 142: Defining The Realm-Based Routing Settings {Realm-Based Routing}

    Repeat Steps 5 through 11 to add more Upstream RADIUS NAS definitions, as required. To view your configured RADIUS Service Profiles and Realm Routing Policies, click on the link: Click here to see configured RADIUS service profiles and Realm Routing Policies (this will take you to the Realm-Based Routing Settings screen).
  • Page 143 Define RADIUS Service Profiles RADIUS service profiles are used to direct username access requests for both plain RADIUS users and users who supply realm/domain in their username. Create a RADIUS service profile to a RADIUS server that will handle Prefix-based users. This is to handle users that will login with a username in the format type of “ISP/username”.
  • Page 144 Enter a name of your choice for this service profile in the Unique Name field. Authentication This category requires input for enabling RADIUS authentication and requires you to define IP addresses, ports, and secret keys for the primary and secondary RADIUS servers (the secondary server is optional). Enable or disable the RADIUS Authentication Service, as required, by clicking on the Enable RADIUS Authentication Service check box.
  • Page 145 To enable the accounting service for your RADIUS functionality, click on the check box for Enable RADIUS Accounting Service. Enter the primary RADIUS accounting server IP address in the Primary IP field. Enter the accounting port in the Port field for the primary RADIUS accounting server. This is the port the system uses when communicating accounting records.
  • Page 146 To add a RADIUS Service Profile, click on the appropriate button on the Realm-Based Routing Settings screen. The Add Realm Routing Policy screen appears: To make this entry the “active” entry, click on the Entry Active check box. To define a specific realm, choose the Specific Realm option and enter the destination in the...
  • Page 147: Managing SMTP Redirection {SMTP}

    The Realm Routing Policy you just created is added to the list. Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the Access Gateway redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication.
  • Page 148: Managing The SNMP Communities {SNMP}

    “properly configured” subscribers. If you enable SMTP redirection, you must provide the IP address of the SMTP server. In the SMTP Server IP/DNS field, enter the address of the SMTP server you want to use. For SMTP servers which support login authentication, enter a valid username in the SMTP Server Account Username field.
  • Page 149: Enabling Dynamic Multiple Subnet Support (Subnets)

    You can now use your SNMP client to manage the Access Gateway via the Internet. Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks. For example, you can define the user's subnet via the management interfaces.
  • Page 150: Setting The System Date And Time {Time}

    The Summary of Configuration Settings screen appears (partial screen shown here): Setting the System Date and Time {Time} You can set the system time from local hardware or your choice of NTP server(s). The NSE supports automatic daylight Savings Time adjustment and official IANA (iana.org) time zones. You may also specify a UTC offset.
  • Page 151: Setting Up Traffic Descriptors {Traffic Descriptors}

    Select the method for time zone configuration; either IANA Time Zone Database or Generic UTC offset. UTC is the Universal Coordinated Time, based on the ISO 8601 standard, and is used in conjunction with RADIUS servers (for example, if the RADIUS server is setup for a time zone that is different from the Access Gateway).
  • Page 152: Setting Up URL Filtering {URL Filtering}

    Select to create a new Traffic Descriptor, or select a link to an existing descriptor to modify it. The Add Traffic Descriptor screen appears. Enter a name for the descriptor in the Unique Name field. Enter a brief summary about the descriptor in the Description field.
  • Page 153: Selecting User Agent Filtering Settings

    Host IP address (for example, 1.2.3.4); Host DNS name (for example, www.yahoo.com); DNS domain name (for example, *.yahoo.com, meaning all sites under the yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.). The system administrator can dynamically add or remove specific IP addresses and domain names to be filtered for each property.
  • Page 154: Zone Migration

    Zone Migration Zone migration is an expansion of the NSE’s “re-login after migration” capability, which currently allows the system to force a subscriber to log in again if the subscriber moves from one port location to another. Zone migration significantly expands this capability via the following means: It allows the creation of multiple zones, which are then constituted by groupings of multiple port...
  • Page 155 Relogin within Zone This selection provides the option to require relogin after migration between ports that are within a given zone. The default is Disabled. Existing Zones Zones that have already been defined are listed here, and can be edited or deleted. (Note: The description field is not displayed in the list view).
  • Page 156: Network Info Menu

    Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
  • Page 157: Displaying ICMP Statistics {ICMP}

    To view the Host Table, go to the Web Management Interface, click on Network Info, then click on Hosts. The Host Table screen appears: Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requesters.
  • Page 158: Displaying The IP Statistics {IP}

    Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics, which are presented as a detailed listing of all IP elements and their statuses. With IP transmissions, data is broken up into packets which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination, even though different packets may “pass through”...
  • Page 159: Viewing IPSec Tunnel Status {IPSec}

    Viewing IPSec Tunnel Status {IPSec} To view the current IPSec Tunnel Status, go to the Web Management Interface, click on Network Info, then click on IPSec. Viewing NAT IP Address Usage {NAT IP Usage} To view the current NAT IP Address Usage, go to the Web Management Interface, click on Network Info, then click on NAT IP Usage.
  • Page 160: Displaying The Active IP Connections {Sockets}

    Displaying the Active IP Connections {Sockets} You can display a table that provides a detailed listing of all currently active IP (Internet Protocol) connections. To view the Socket Table, go to the Web Management Interface, click on Network Info, then click on Sockets.
  • Page 161: Displaying TCP Statistics {TCP}

    Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics, which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks. To view the TCP Statistics, go to the Web Management Interface, click on Network Info, then click on TCP.
  • Page 162: Displaying UDP Statistics {UDP}

    Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics, which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol that adds a level of reliability and multiplexing to the Internet Protocol (IP).
  • Page 163: Port-Location Menu

    Port-Location Menu The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, PayPal, PMS) and the billing plans available on each port can now be individually configured.
  • Page 164 From the Web Management Interface, click on Port-Location, then Add. The Add Port-Location Assignments screen appears: Enter a location identifier in the Location field. Locations can be assigned as an alpha, numeric, or alpha-numeric value unless a PMS interface is used (see note). If you are using a PMS interface, ensure that the “Location”...
  • Page 165: Exporting Port-Location Assignments {Export}

    You must now assign a State for this port-location. Possible states are, No Charge for using this port- location, Charge for Use, and Blocked. If you do not assign a conditional state, the state is registered as “No Charge” by default. If applicable, select the Default QoS Policy for the port assignment you are adding.
  • Page 166: Finding Port-Location Assignments By Description {Find By Description}

    From the Web Management Interface, click on Port-Location, then Export. The Export Port-Location Assignments screen appears: 2. Click on the Export button to export port-location assignment to the /flash/location.txt file. Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description.
  • Page 167: Finding Port-Location Assignments By Port {Find By Port}

    In the Enter Location field, enter the location of the assignment you want to find. The system ignores the case (upper or lower) of the characters you enter. Click on the Show button to view the specified port-location assignment, or click on the Restore button if you want to reset the “location”...
  • Page 168: Importing Port-Location Assignments {Import}

    Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the Access Gateway’s flash memory). If you have never exported port-location assignments (since installing the Access Gateway at this site), the location.txt is empty.
  • Page 169: Displaying The Port-Location Mappings {List}

    Use the following format when creating the file: “1”,1,00:00:00:00:00:00,0.0.0.0,0, “Room 101” The 4 (four) fields used in the format represent the standard format for port-location assignments (location, port, modem MAC address for RiverDelta, subnet, state, description). Characters (used for locations and descriptions) are case-sensitive. Location –...
  • Page 170: Subscriber Intra-Port Communication

    Check Enable Facebook Login. Subscriber Intra-Port Communication If enabled, subscribers on the same port location (for example, a conference room) can communicate with each other without NSE intervention. Subscribers can communicate with each other when on the same VLAN and the same IP subnet. The NSE will not respond to any ARP requests from the subscriber for other subscribers (or hosts) that are on the same port-location subnet.
  • Page 171 Use the following steps to enable intra-port communication: Click Port-Location > List. Click on the Port number. The Process Port-Location Assignment screen appears. Click Allow Intra-port communication. Click Update.
  • Page 172: Subscriber Administration Menu

    Subscriber Administration Menu Adding Subscriber Profiles {Add} This procedure shows you how to add subscriber profiles into a table of authorized users. Three types of subscriber profiles are provided; see the following sections for configuration information for the different profile types: Adding a Subscriber Type Profile on page 160...
  • Page 173 Choose the Subscriber account type. Define the DHCP Address Type: Public Private (only used when the IP Upsell feature is enabled, otherwise leave this set to “private”). Enter a valid MAC Address for the subscriber. If you have chosen to manage this subscriber by user name only, you do not need to enter a MAC address (but you must enter a user name).
  • Page 174 Choose the Device account type for this profile. If required, enable the Proxy Arp For Device feature. Set the 802.1Q Device Port if the device is connected to a specific VLAN. Enter a valid MAC Address for the device. Enter the of the device.
  • Page 175 Enable SMTP Redirection to allow the specified user to have their SMTP traffic redirected by the global SMTP redirect configuration. Click to add this device to the database, or click Restore if you want to reset all the values to their previous state.
  • Page 176: Displaying Current Subscriber Connections {Current

    Define the Min Upstream Bandwidth and Max Upstream Bandwidth range for this subscriber (in Kbps). Define the Min Downstream Bandwidth and Max Downstream Bandwidth range for this subscriber (in Kbps). If using Class-Based Queuing, enter the primary and subclass for this subscriber in the field.
  • Page 177: Deleting Subscriber Profiles By Mac Address {Delete By Mac

    CCESS ATEWAY Deleting Subscriber Profiles by MAC Address {Delete by MAC} This procedure shows you how to delete a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s MAC address. To see a current listing of the subscriber database, sorted by MAC addresses, go to Listing Subscriber Profiles {List Profiles} on page 213.
  • Page 178: Deleting All Expired Subscriber Profiles {Expired

    To view the list of Currently Allocated DHCP Leases, go to the Web Management Interface, click on Subscriber Administration, then click on DHCP Leases. To use this feature, your Access Gateway must be set to act as its own DHCP Server. The DHCP function cannot be set to DHCP Relay.
  • Page 179: Finding Subscriber Profiles By User Name {Find By User

    CCESS ATEWAY In the Enter MAC Address field, enter the MAC address of the subscriber you want to find. Click on the Show button to view this subscriber profile, or click on the Restore button if you want to reset the “MAC Address” value to the 00 state. Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s user name.
  • Page 180: Viewing Radius Proxy Accounting Logs {Radius Session History

    CCESS ATEWAY -1 indicates a subscriber added by Admin or XML useradd with no associated plans. Viewing RADIUS Proxy Accounting Logs {RADIUS Session History} These settings are available under Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox When this setting is enabled any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD”...
  • Page 181: Displaying Current Profiles And Connections {Statistics

    CCESS ATEWAY The configuration page of the syslog server to which these RADIUS proxy accounting messages are sent is available under the Configuration/Logging menu as described above. The third set of Syslog parameters on that page pertains to the RADIUS History Log. Displaying Current Profiles and Connections {Statistics} You can view the total number of profiles and connections currently stored in the Access Gateway’s database of authorized subscribers.
  • Page 182: Subscriber Interface Menu

    In addition to PayPal billing, Property Management Systems used by hotels are also supported along with the internal data base of the Access Gateway and billing via Nomadix' secure XML API. See also Assigning a PMS Service {PMS} on page 113 (see following note).
  • Page 183 CCESS ATEWAY Review the billing plans (normal plans and X over Y plans) that are currently active. To view or edit a billing plan, click the View/Edit/Delete button opposite the corresponding plan. The Internal Billing Options Plan Setup or Internal Billing Options XoverY Plan Setup screen appears for the billing plan (and type) you selected.
  • Page 185 CCESS ATEWAY Sample of Internal Billing Options XoverY Plan Setup Screen: Depending on the type of plan you want to set up, go to: Setting Up a “Normal” Billing Plan on page 173.  Setting Up an X over Y Billing Plan on page 174. ...
  • Page 186 CCESS ATEWAY Define the DHCP Pool (public or private) -- see following note. The Access Gateway allows you to define multiple billing plans with different time units at the same time. For example, you can define one billing plan that changes by the hour (e.g.
  • Page 187: Setting Up The Information And Control Console {Icc Setup

    Setting Up the Information and Control Console {ICC Setup} The Nomadix ICC is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
  • Page 188 4. If you enabled either of the ICC pop-up options, you can choose a unique name for the console. Simply type a meaningful name in the Title field. 5. Define the physical location where you want the Nomadix Logout Console to appear on the subscriber’s screen. Choose one of the following options: Upper Left Corner...
  • Page 189 6. Define how you want to display the subscriber session time: Elapsed Time (how much time has elapsed since the start of the session) Time Remaining (how much time is remaining for the session) 7. You must now decide what you want the ICC to do if the subscriber closes it. Choose one of the following options: Redisplay itself Logout (return the subscriber to a “pending”...
  • Page 190 CCESS ATEWAY You can display up to 5 banners, but they must be defined here. Banners require all the same parameters that “buttons” use (see Assigning Buttons on page 177), with the addition of 3 (three) more. These are: – Defines how long the banner is displayed in the ICC. ...
  • Page 191: Defining Languages {Language Support

    CCESS ATEWAY Banner (373 x 32 pixels) Small Buttons (45 x 26 pixels) ISP Button (98 x 26 pixels) Time Formats Use the following formats when defining times: Duration for Banners – 1 through 9999, or more  Start or Stop times for Banners – hh:mm PM/AM (for example, 2:35 PM) ...
  • Page 192 CCESS ATEWAY You can also change the language of the Web Management Interface. See “Selecting the language of the Web Management Interface” on page 78. From the Web Management Interface, click on Subscriber Interface, then Language Support. The Language Support screen appears: Select the language you want to use (see notes).
  • Page 193: Enable Serving Of Local Web Pages {Local Web Server

    CCESS ATEWAY Enable Serving of Local Web Pages {Local Web Server} Here are the quick setup instructions to enable serving of local web pages. Upload the required pages and images to the /flash/web directory using FTP. Total file size of all pages and images cannot exceed 200 KB.
  • Page 194 CCESS ATEWAY Click the Force Reboot button to reboot your system and make the changes persistent. Reboot the NSE (System > Reboot). Web Page File Name This text box lets you add or remove the names of the web pages that you intend to serve to the end users. Note: The name of the web page has to be added in order for it to be served to the end users.
  • Page 195: Defining The Subscriber's Login Ui {Login Ui

    CCESS ATEWAY Defining the Subscriber’s Login UI {Login UI} This procedure allows you to set up the presentation and content of the subscriber’s login User Interface (UI). From the Web Management Interface, click on Subscriber Interface, then Login UI. The Subscriber Login User Interface Settings screen appears: Define the messages you want subscribers to see when they log in.
  • Page 196 CCESS ATEWAY Gateway’s JavaScript™ support (JavaScript support is enabled by default). If necessary (and if JavaScript support is already enabled), click on the check box for Enable Javascript to disable this feature. Click on the check box for Enable “Remember Me” option if you want to enable (or disable) this feature.
  • Page 197 CCESS ATEWAY Click on the check box for Partner Image to enable this feature, then enter the name of the image file in the Partner Image File Name field. See Subscriber Login Screen (Sample) on page 185. Click on the Save button to save your changes, click on Save then Reboot to reboot the Access Gateway and make the changes take effect immediately, or click on the Restore button if you want to reset all the values to their previous state.
  • Page 198: Defining The Post Session User Interface (Post Session Ui)

    CCESS ATEWAY Defining the Post Session User Interface (Post Session UI) The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the Access Gateway’s Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms (for example, post-paid PMS—if your product license supports PMS).
  • Page 199 Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS Goodbye Page, as required. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes: • Display IP Address •...
  • Page 200: Defining Subscriber Ui Buttons {Subscriber Buttons

    • Authen Type • Start Time • Stop Time • Byte Sent • Byte Received • Go To. The partner image (splash screen) is not the same screen that is defined by the Image File Name (IWS screen) field. Click on the Save button to save your changes.
  • Page 201: Defining Subscriber Error Messages {Subscriber Errors

    Enter the definitions you want for each label in the corresponding fields. Click Save to save your changes, or click Clear Changes if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click Restore Defaults. Defining Subscriber Error Messages {Subscriber Errors} This procedure allows you to define how error messages are displayed to subscribers.
  • Page 202: Defining Subscriber Messages {Subscriber Messages

    CCESS ATEWAY Enter the definitions you want for each error message in the corresponding fields. Click on the Save button to save your changes, or click on the Clear Changes button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Restore Defaults button.
  • Page 203 CCESS ATEWAY Enter the definitions you want for each subscriber message in the corresponding fields. Click on the Save button to save your changes, or click on the Clear Changes button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the button.
  • Page 204: System Menu

    CCESS ATEWAY System Menu Adding and Deleting ARP Table Entries ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting. This procedure shows you how to add or delete an ARP table entry.
  • Page 205: Enabling The Bridge Mode Option {Bridge Mode

    CCESS ATEWAY Choose Configuration>Ethernet Ports/WAN. Click the interface you wish to configure (in this example, the WAN interface). Enter the desired value for the Gateway ARP Refresh Interval. Press Enter to accept the new value. Enabling the Bridge Mode Option {Bridge Mode} Bridge Mode allows complete and unconditional access to devices on the subscriber side of the Access Gateway.
  • Page 206: Exporting Configuration Settings To The Archive File {Export

    CCESS ATEWAY are unmodified and can be forwarded in both directions. This is a very useful feature when troubleshooting your entire network as it allows administrators to effectively “remove” the Access Gateway from the network without physically disconnecting the unit. You can still manage the Access Gateway when Bridge Mode is enabled, but you have no other functionality.
  • Page 207: Importing The Factory Defaults {Factory

    Many large scale networks require fail-over support for all devices in the public access network. The Fail Over Options feature allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network. As part of this functionality, the settings (except IP addresses) between the two devices will be synchronized automatically.
  • Page 208: Viewing The History Log {History

    . The time set here is how long the Secondary will wait while not receiving messages from the Primary before it takes over. If you are using RADIUS, it is recommended to add both Nomadix gateways to the RADIUS server.
  • Page 209: Importing Configuration Settings From The Archive File {Import

    default setting for this option is “disabled” because ICMP pass-through is a useful end-user troubleshooting feature and is also required by certain smart clients (for example, GRIC). From the Web Management Interface, click on System, then ICMP. The ICMP screen appears: Click on the check box for Block ICMP from pending users to enable (or disable) this feature, as...
  • Page 210: Establishing Login Access Levels {Login

    CCESS ATEWAY Click here to view the “archive.txt” or “current.txt” files. Click OK to replace the current system configuration settings with the settings contained in the archive.txt file (see notes above). Establishing Login Access Levels {Login} This procedure shows you how to assign differentiated access levels for operators and managers at login. The Access Gateway allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.
  • Page 211: Remote Radius Testing

    2. Click on the check box for Administration Concurrency if you want to limit logins to 1 Manager and 3 operators simultaneously. 3. In the Manager Login field, enter a login name for this manager. Login names and passwords are case-sensitive. Use login names and passwords that are easy to remember (up to 11 characters, any character type).
  • Page 212: Defining The Mac Filtering Options {Mac Filtering

    Defining the MAC Filtering Options {MAC Filtering} MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 600 MAC addresses can be blocked at any one time (see caution).
  • Page 213: Utilizing Packet Capturing {Packet Capture

    Click on the check box for MAC Filtering to enable (or disable) this feature, as required. Enter a MAC address in the field, then click on the button to add this address to the “blocked” list, or click on the button to remove this address from the list.
  • Page 214: Rebooting The System {Reboot

    CCESS ATEWAY Rebooting the System {Reboot} This procedure shows you how to reboot the Access Gateway. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
  • Page 215 To view the routing tables, choose System > Routing. The Routing Tables screen appears. You can view the routes associated with each physical NSE port by clicking on the tab for the port. In the screen shot above, only the WAN port is in use. Adding a Route Use the following steps to add a route: On the Routing Tables screen, scroll to...
  • Page 216: Establishing Session Rate Limiting {Session Limit

    Deleting a Route To delete a route, click the Delete link in the routing table. The route is immediately deleted. To restore a deleted route, reboot the NSE (which will restore auto-generated routes) or manually re-enter the route. Establishing Session Rate Limiting {Session Limit} Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service”...
  • Page 217 Enter the Internal IP Address. Ensure that the device with the Internal IP Address has been added to the subscriber’s table. Enter the Internal Port reference. Enter a valid MAC Address. Enter the External IP Address. The External IP address field will default to the IP address of the Access Gateway. Enter the reference.
  • Page 218: Updating The Access Gateway Firmware {Upgrade

    Port-Mapping} on page 148. Updating the Access Gateway Firmware {Upgrade} Upgrading the Access Gateway firmware is performed from the Access Gateway’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support). System Administration...
  • Page 219: The Subscriber Interface

    CCESS ATEWAY The Subscriber Interface This chapter provides an overview of the Access Gateway’s Subscriber Interface and sections outlining the authorization and billing processes, subscriber management models, and the Information and Control Console (ICC). Overview The Subscriber Interface is the window to the solution provider’s Web site, and much more than that. When a subscriber accesses the solution provider’s high speed network, the Access Gateway points the subscriber’s browser to a sign-in page.
  • Page 220: Authorization And Billing

    CCESS ATEWAY Authorization and Billing As a gateway device, the Access Gateway enables plug-and-play access to broadband networks. Broadband network solution providers can now offer their subscribers a wide range of high speed services, including access to the Internet. Of course, a high speed Internet connection is not free – subscribers pay an access fee, based on the duration of their connection.
  • Page 221 CCESS ATEWAY The following illustration shows the functional relationship between the Access Gateway’s internal modules and the external support systems. The Authentication module is responsible for ensuring that when subscribers log in to the system they are correctly identified. It can identify subscribers in many different ways. For example: Based on their hardware (MAC) address.
  • Page 222 CCESS ATEWAY Only subscribers that are correctly identified and authenticated are authorized to access the system. Once authorized, the subscriber’s activity is logged and billed through the Access Gateway’s Accounting module. The Accounting module fully supports the following functions: PayPal billing ...
  • Page 223: Process Flow (Aaa)

    CCESS ATEWAY Process Flow (AAA) The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the Access Gateway. Internal and External Web Servers The Access Gateway supports both internal and external Web servers which act as a login interface between subscribers and the solution provider’s network, including the Internet.
  • Page 224: Language Support

    CCESS ATEWAY Language Support The Access Gateway’s subscriber interface supports many Asian and European languages, including: English, Chinese, French, German, Japanese, and Spanish. Home Page Redirection The Access Gateway can be configured to redirect all valid subscribers to a Web portal or home page determined by the solution provider.
  • Page 225: Subscriber Management

    Subscriber Management The Access Gateway provides several subscriber management models, including: • Free access (for example, no AAA functionality) • MAC address • Port-Location ID (for example, by room or unit number) • User name and password • Credit card...
  • Page 226 CCESS ATEWAY Model What You Need To Do PayPal Enable the AAA services. You have the choice of enabling the Access Gateway’s internal authorization module or using PayPal as an authorization server. Internal Authorization Enabled Enter PayPal’s App Name, Client ID, Webhook ID, set the proper secret code, and select if you are using a Live Environment information obtained from your PayPal account.
  • Page 227: Information And Control Console (Icc)

    Information and Control Console (ICC) The ICC is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
  • Page 228: Quick Reference Guide

    CCESS ATEWAY Quick Reference Guide This chapter contains product reference information, organized by topic. Use this chapter to locate the information you need quickly and efficiently. The Subscriber Interface...
  • Page 229: Web Management Interface (Wmi) Menus

    A login is permitted only if a match is made with the master list contained on the Nomadix Access Gateway. If a match is not made, the login is denied, even if a correct login name and password are supplied. The access control list supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses.
  • Page 230 Configure redirection of HTTP requests to one or more portal page URLs. Redirection DHCP Assigns the Nomadix Access Gateway as its own DHCP server, or enables the DHCP relay for an external server. Sets up the DNS parameters, including the host name, domain, and the primary and secondary DNS servers.
  • Page 231: Network Info Menu Items

    Wi-Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner. Routed Subscribers Allows Routed network hops on the Subscriber side of the Nomadix. SMTP Enables the SMTP (E-mail) redirection functions.
  • Page 232: Port-Location Menu Items

    CCESS ATEWAY Item Description Displays the IP performance statistics. IPSec IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
  • Page 233: Subscriber Administration Menu Items

    CCESS ATEWAY Subscriber Administration Menu Items Items Description Adds subscriber profiles to the database. Current Displays a list of all currently connected subscribers. Delete by MAC Deletes a subscriber, based on a specific MAC address. Delete by User Deletes a subscriber, based on a specific user name. DHCP Leases Sets up the current subscriber DHCP leases.
  • Page 234: System Menu Items

    Factory Imports the factory default settings. Fail Over Sets up a “sibling” Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the network. History Displays a history log of the system’s activity, including Access, Reboot and Uptime.
  • Page 235: Alphabetical Listing Of Menu Items (Wmi)

    CCESS ATEWAY Alphabetical Listing of Menu Items (WMI) The menu items listed here are for a fully featured Nomadix Access Gateway (with all optional modules included). Refer to About Your Product License on page 67. Item Description Menu Set AAA options...
  • Page 236 CCESS ATEWAY Item Description Menu Find by Location Find port-location assignments by location Port-Location Find by MAC Find a subscriber profile by MAC address Subscriber Admin Find by Port Find port-location assignments by port Port-Location Find by User Find a subscriber profile by user name Subscriber Admin History Display the system’s history log...
  • Page 237 CCESS ATEWAY Item Description Menu Route Delete Delete a route from the routing table System Routing Display routing performance statistics and tables Network Info Session Limit Limits subscriber sessions System SMTP Set the SMTP redirection options Configuration SNMP Establish the SNMP parameters Configuration Sockets Display the active IP connections...
  • Page 238: Default (Factory) Configuration Settings

    For more information, go to Importing the Factory Defaults {Factory} on page 195. Function Default Setting Version Nomadix Access Gateway v8.8.xxx (depends on firmware version) Nomadix Access Gateway ID AG5900 Network Interface MAC MAC address is unique for each product...
  • Page 239 CCESS ATEWAY Function Default Setting Parameter Passing Disabled Usernames Enabled Disabled DNS Redirection Enabled SMTP Redirection Disabled SMTP Server IP 0.0.0.0 SNMP Disabled SNMP Get Community public SNMP Set Community private SNMP Trap IP 0.0.0.0 System Administration Login User Name admin System Administration Password admin...
  • Page 240: Product Specifications

    CCESS ATEWAY Product Specifications AG2400 Specifications AVAILABLE NSE MODULES AG 2400 Hospitality Module AG 2400 High Availability Module PERFORMANCE Up to 500 concurrent users or devices Throughput up to 230 Mbps as defined by RFC 1242, Section 3.17 PLATFORM Intel based System INTERFACE 1-RJ 45 - WAN 3-RJ 45 - ETH...
  • Page 241 CCESS ATEWAY AG2400 Specifications REGULATORY FCC Class A UL, UL (US and Canada) CE (Emissions) CB Scheme (CE Safety) CONCURRENT USERS 100-500 devices ACCESS CONTROL AND AUTHENTICATION Tri-Modal Authentication, Authentication and Accounting (AAA) Walled Garden Group Accounts Universal Access Method over SSL IEEE 802.1x Smart Client Support (Boingo, IPass) MAC Authentication Remember Me Log-in ADVANCED SECURITY...
  • Page 242 CCESS ATEWAY AG2400 Specifications SNMPv2c Syslog/AAALog MEDIA ACCESS CONTROL CSMA/CA PORTS 10/100/1000 Base-T Ethernet, RJ-45 (UTP): WAN5-10/10/100/1000 Base-T Ethernet RJ-45 (UTP) LAN RJ-45 port for Serial Access Systems Console DB9 Serial Port: Property Management Interface IP ADDRESS MANAGEMENT IEEE 802.3/3u/3eb IEEE 802.1d DHCP Server DHCP Relay...
  • Page 243 CCESS ATEWAY AG5600 Specifications AVAILABLE NSE MODULES High Availability - Fail Over Hospitality Module - Property Management Interface (PMS) PERFORMANCE User Support: Up to 2000 users concurrently Throughput: up to 750Mbits/s* *As defined by RFC1242, Section 3.18 PHYSICAL 1U rack space in a 19” rack 17.24”(L) x 11.53”(W) x 1.73”(H) 438mm (L) x 292.0mm (W) x 44mm (H) Weight: 8.8 lbs.
  • Page 244 CCESS ATEWAY AG5600 Specifications IEC 61000-4-4: 2004 IEC 61000-4-5: 2005 IEC 61000-4-6: 2007 IEC 61000-4-8: 1993 : A1: 2000 IEC 61000-4-11: 2004 EN 61000-3-3: 1995 +A1: 2001 +A2: 2005 Low Voltage Directive: European Council Directive 2006/95/EC IEC 60950-1: 2005 (2nd Edition) EN60950-1:2006 + A11: 2009 INTERFACES 2 x 10/100/1000 Mbps GigE (RJ-45) LAN...
  • Page 245 CCESS ATEWAY AG5800 Specifications USER TRUE PLUG AND PLAY Dynamic Address Translation (DAT) Dynamic Transparent Proxy SERVICE PROVISIONING Home Page Redirect HTTP - Redirect Portal Page Redirect Session Termination Redirect Information and Control console Pop-up (Explicit) Logout Button International Language Support External Web Server Mode Internal Web Server Mode Secure XML API over SSL...
  • Page 246 CCESS ATEWAY AG5800 Specifications Remember Me Log-in ADVANCED SECURITY iNAT IPSec Support PPTP Support Session Rate Limiting (SRL) User Agent Filtering Mac Address Filtering URL Filtering ICMP Blocking Proxy ARP for device to device communication POLICY BASED TRAFFIC SHAPING Bandwidth Management QoS Tagging Group Bandwidth Management IP ADDRESS MANAGEMENT...
  • Page 247 CCESS ATEWAY AG5800 Specifications SNMPv2c Syslog/AAALog MEDIA ACCESS CONTROL CSMA/CA PORTS 10/100/1000 Base-T Ethernet, RJ-45 (UTP): WAN 5 – 10/100/1000 Base-T Ethernet, RJ-45 (UTP): LAN Front access RJ-45 port for serial System Console DB9 serial port: Property Management Interface POWER 100 –...
  • Page 248 CCESS ATEWAY AG5900 Specifications USER TRUE PLUG AND PLAY Dynamic Address Translation (DAT) Dynamic Transparent Proxy SERVICE PROVISIONING Home Page Redirect HTTP - Redirect HTTPS - Redirect Portal Page Redirect Session Termination Redirect Information and Control Console Pop-Up (Explicit) Logout Button International Language Support External Web Server Mode Internal Web Server Mode...
  • Page 249 CCESS ATEWAY AG5900 Specifications ACCESS CONTROL AND AUTHENTICATION Authorization, Authentication and Accounting (AAA) Walled Garden Group Accounts Tri Mode Authentication Universal Access Method over SSL IEEE 802.1x Smart Client Support (Boingo, iPass) MAC Authentication Remember Me Log-in ADVANCED SECURITY iNAT IPSec Support PPTP Support Session Rate Limiting (SRL)
  • Page 250 CCESS ATEWAY AG5900 Specifications NETWORK MANAGEMENT Web Management Interface (WMI) Command Line Interface (CLI) Integrated VPN Client for Management RADIUS-Driven Configuration Multi-level Admin Support Centralized Radius Authentication SMTP Redirection Access Control Bridge Mode SNMPv2c Syslog/AAA Log MEDIA ACCESS CONTROL CSMA/CA PORTS 10/100/1000 Base-T Ethernet, RJ-45 (UTP): WAN 5 –...
  • Page 251 CCESS ATEWAY AG5900 Specifications LED INDICATORS Power Indicator Status Indicator Memory Indicator ACT/LINK and 10/100/1000 for each Ethernet port PERFORMANCE User Support: Up to 8000 users or devices concurrently Throughput: up to 1425Mbits/s, as defined by RFC1242, Section 3.18 OPTIONAL MODULE The AG5900 supports an optional plug-in module that provides two SFP+10 Gigabit fiber interface slots.
  • Page 252: Sample Aaa Log

    Access Gateway Type Subscriber MAC Expiration Name of Data Log Code Address Time Date Time Log Message Mar 31 18:23:10 nomad237.nomadix. INFO AAA: 4207 AAA_Authentication 00:00:0E:32:2 C:BC 2 hrs 1 min Successful Mar 31 18:23:26 nomad237.nomadix. INFO AAA: 4207 AAA_Authentication...
  • Page 253: Sample Syslog Report

    Sample SYSLOG Report Syslog reports are generated by the Access Gateway and sent to the syslog server that is assigned to general error detection and reporting.
    2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126] DHCP: ndxDHCPInit: 0021 DHCP initialized
    2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126] CLISRD: 0206 Setting COM1 to 9600 baud
    2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126]...
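As an added example (not part of the Nomadix manual), the following Python parses syslog entries laid out like the sample report above so a syslog collector can filter them by module or message code and set aside anything that does not fit. The field names, the regular expression and the reading of the four-digit number as a message code are assumptions inferred from the two complete sample lines.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# The first two lines are the complete entries quoted in the manual's sample
# report. The third is the entry the excerpt cuts off after the version tag;
# it is kept to exercise the reject path.
SAMPLE = (
    "2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126] "
    "DHCP: ndxDHCPInit: 0021 DHCP initialized\n"
    "2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126] "
    "CLISRD: 0206 Setting COM1 to 9600 baud\n"
    "2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126]\n"
)

# Assumed layout: timestamp, facility.severity, source IP, level,
# [product vVERSION], MODULE:, optional function:, 4-digit code, free text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) "
    r"(?P<source>\S+) "
    r"(?P<level>[A-Z]+) "
    r"\[(?P<product>[^\]]*?) v(?P<version>[\d.]+)\] "
    r"(?P<module>\w+): (?:(?P<function>\w+): )?(?P<code>\d{4}) (?P<message>.*)$"
)


class Event(NamedTuple):
    timestamp: datetime
    facility: str
    severity: str
    source: ipaddress.IPv4Address
    level: str
    product: str
    version: str
    module: str
    function: Optional[str]   # present on some entries only
    code: str                 # kept as text so leading zeros survive
    message: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event, or None when the line does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = ipaddress.IPv4Address(m["source"])
    except ValueError:
        # Impossible date or malformed source address: treat as unparsed.
        return None
    return Event(ts, m["facility"], m["severity"], src, m["level"],
                 m["product"], m["version"], m["module"], m["function"],
                 m["code"], m["message"])


def parse_log(text: str) -> Tuple[List[Event], List[str]]:
    """Split a report into parsed events and the raw lines that were rejected.

    Rejected lines are returned, not dropped, so truncated or malformed
    entries stay visible to whoever reviews the collector output.
    """
    events: List[Event] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            rejected.append(raw)
        else:
            events.append(event)
    return events, rejected


def counts_by_module(events: List[Event]) -> Dict[str, int]:
    """Number of parsed events per reporting module."""
    return dict(Counter(e.module for e in events))


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE)
    for e in parsed:
        print(e.timestamp.isoformat(), e.source, e.module, e.code, e.message)
    print("rejected:", len(bad), "by module:", counts_by_module(parsed))
```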
  • Page 254: Sample History Log

    CCESS ATEWAY Sample History Log A history log is generated by the Access Gateway which includes the system’s activity (Access, Reboot and Uptime). More Listings… Quick Reference Guide...
  • Page 255: Keyboard Shortcuts

    Keyboard Shortcuts. The following table shows the most common keyboard shortcuts.
    Action: Keyboard Shortcut
    Cut selected data and place it on the clipboard: Ctrl + X
    Copy selected data to the clipboard: Ctrl + C
    Paste data from the clipboard into a document (at the insertion point): Ctrl + V
  • Page 256: Hyperterminal Settings

    HyperTerminal Settings. Use the following settings when establishing a HyperTerminal session. Item Setting Bits per second 9600 Data bits Parity None Stop bits Flow control None
  • Page 257: Radius Attributes

    If RADIUS cannot authenticate the subscriber, it will instruct the NAS to deny access to the network. The Nomadix Access Gateway RADIUS functionality can be broken down into the following categories: Authentication-Request ...
  • Page 258: Authentication-Reply (Accept)

    State (used/tested for 802.1x); Class; Session-Timeout; Idle-Timeout; EAP-Packet (used for 802.1x); Message-Authenticator (used for 802.1x); Acct-Interim-Interval; Nomadix VSAs: Nomadix-Bw-Up, Nomadix-Bw-Down, Nomadix-URL-Redirection, Nomadix-IP-Upsell, Nomadix-MaxBytesUp, Nomadix-MaxBytesDown, Nomadix-Net-VLAN ...
  • Page 259: Selected Detailed Descriptions

    Class; Nomadix VSAs: Nomadix-Subnet, Nomadix-URL-Redirection, Nomadix-IP-Upsell; Acct-Session-Time (Stop); Terminate-Cause (Stop); NAS ID; NAS-IP Address; NAS-Port-Type; NAS-Port; Framed-IP Address; Acct-Delay-Time; Called-Station-ID; Calling-Station-ID; MaxBytesTotal ...
  • Page 260: Nomadix Vendor-Specific Radius Attributes

    Upon a reboot, these 2 attributes are saved in currfile.dat the same way as for Acct-Input-Octets and Acct-Input-Octets. If you plan to implement RADIUS, go to “Contact Information” on page 347 for Nomadix Technical Support. Nomadix Vendor-Specific RADIUS Attributes: Nomadix provides the following vendor-specific RADIUS attributes.
  • Page 261 Nomadix-BW-Down: Value (in Kbps) restricts the speed at which downloads are performed. Nomadix-Url-Redirection (integer value 3): Allows the administrator to redirect the user to a page of the administrator’s choice each time the user logs in. Nomadix-IP-Upsell: Allows the user to receive a public address from a DHCP pool when the NSE has this feature enabled.
  • Page 262 Nomadix-Preferred-WAN (integer value 24): Either WAN, Eth1, Eth2, Eth3, Eth4, or Eth5 to identify what interface the user will try to send traffic on. Nomadix-Bw-Class-Name (integer value 27): Class name in dotted notation. Nomadix-MaxBytesTotal: Total amount of traffic up and down for a user before being...
  • Page 263: Setting Up The Ssl Feature

    VeriSign (all instructions in this document are based on obtaining a key from VeriSign). Please contact Nomadix Technical Support if you want to use a different Certificate Authority. For Nomadix technical support, go to Contact Information on page 268.
  • Page 264 Click Next. The following screen appears: Click Next to display the next setup screen. Click Next to display the next setup screen. Click Next to display the next setup screen.
  • Page 265 Click Next to display the next setup screen. Select a location and click Next. For the purposes of this document, Nomadix used: ftp://planetmirror.com. In the following screens, skip all packages except “cygwin” and “openssl,” then click Next when you are done.
  • Page 266: Private Key Generation

    Click Next to start the download process. Wait for the download process to complete. 10. Click Next to start the install process. Wait for the install process to complete. 11. There will be a pop-up dialog to inform you that the installation process is completed. At the pop-up dialog, click OK.
  • Page 267 Go to the c:\cygwin\bin\ directory and run the following command:
    >openssl genrsa -rand file1:file2:file3:file4:file5 1024 > cakey.pem
    The following table provides an explanation of the command elements. Command: Description. openssl: “openssl” command. genrsa: A parameter for “openssl” to generate an RSA key. Rand: A parameter for “openssl”...
  • Page 268: Create A Certificate Signing Request (Csr) File

    Create a Certificate Signing Request (CSR) File. Run the following command to generate the certificate signing request:
    >openssl req -new -key cakey.pem > server.csr
    The following table provides an explanation of the command elements: Command Description openssl “openssl” command A parameter for creating a request Defining a “new”...
  • Page 269: Create A Public Key File (Server.pem)

    Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it is impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification. There are several ways to prove the existence of your business.
  • Page 270 there is one section about generating a CSR; however, since you have already created the CSR in step 2 with OpenSSL, you can skip the instructions. CSR Submission to VeriSign: Please select “Apache Freeware” to submit the CSR to VeriSign. The Certificate Signing Request is in the server.csr (created in the previous step).
  • Page 271: Setting Up Access Gateway For Ssl Secure Login

    Setting Up Access Gateway for SSL Secure Login. FTP the “cakey.pem” and “server.pem” files into the Access Gateway platform's flash directory. FTP to the Access Gateway by Netscape: ftp://username:password@[Access Gateway Network IP]/flash Drag and drop the “cakey.pem” and “server.pem” files into the directory. Changing Settings in the WMI: To change settings in the Web Management Interface (WMI), go to Configuration Menu on page 68.
  • Page 272: Mirroring Billing Records

    Mirroring Billing Records. Multiple Access Gateway units can send copies of billing records to a number of external servers that have been previously defined by system administrators. The Access Gateway assumes control of billing transmissions and saving billing records. By effectively “mirroring” the billing data, the Access Gateway can send copies of billing records to predefined “carbon copy”...
  • Page 273 <DATE>max 10 characters </DATE> <TIME>max 8 characters</TIME> <ROOM_NUM>max 20 characters</ROOM_NUM> <AMOUNT>max 10 characters</AMOUNT> <TRANS_TYPE>max 5 characters </TRANS_TYPE> </USG> Format for each field: REC_NUM:00923 (numbers only, no alpha characters); Access Gateway_ID:00020b; PROPERTY_ID:Any regular string; DATE:03/30/2001 (mm/dd/yyyy); TIME:23:41:38 (24 hour format); ROOM_NUM:Any regular string; AMOUNT:234.34; TRANS_TYPE:CC...
  • Page 274 RESULT_VALUE:OK or ERROR; IP:Standard IP format (123.123.123.123); ERROR_CODE1 for OK, or any other number. Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 347. For more information about Billing Records Mirroring, see also: Billing Records Mirroring on page 9 ...
  • Page 275: Troubleshooting

    Troubleshooting. This chapter provides information to help you resolve common hardware and software problems. It also contains a list of known error messages associated with the Management Interface. General Hints and Tips; Management Interface Error Messages; Common Problems ...
  • Page 276: General Hints And Tips

    General Hints and Tips. The Access Gateway is both a hardware device and a powerful software utility. As a hardware computing device, the Access Gateway requires careful handling. It should be positioned in a dust-free and temperature-controlled environment. Never block the unit’s ventilation holes, and do not stack with other equipment (unless correctly mounted in a rack).
  • Page 277: Management Interface Error Messages

    ... must FTP a valid boot image to the flash. | When upgrading the software, the system needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive.
    Warning: no DHCP services are available to subscribers. | This message is displayed because you have disabled both the...
  • Page 278: Common Problems

    ... communicate with PayPal. | ... PayPal on a specified port which is not enabled within the company’s firewall. | ... port 1111 and make sure that the SSL port on the Nomadix is still 443.
    When a subscriber who is | The DHCP relay is enabled with an...
  • Page 279: Appendix A: Technical Support

    Appendix A: Technical Support. We have tried to ensure that you get the most up-to-date information available about the Access Gateway, and we hope this User Guide has met all your operational and performance needs. However, we understand that occasionally you may run into problems that require additional technical support.
  • Page 280: Contact Information

    Contact Information. You can contact us by Email, fax, telephone, or regular mail. Telephone ++1.818.575.2590 E-mail support@nomadix.com ++1.818.597.1502 Address Nomadix, Inc. 30851 Agoura Rd, Suite 102 Agoura Hills, CA 91301 USA Attn: Technical Support
  • Page 281: Appendix B: Glossary Of Terms

    See Ethernet. (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing...
  • Page 282 Term Definition Adaptive Configuration Technology: A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT. ad-hoc mode: An 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP). Ad-hoc mode is also referred to as peer-to-peer mode, or an Independent Basic Service Set (IBSS).
  • Page 283 (Dynamic Address Translation) Nomadix Gateways provide “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings.
  • Page 284 Term Definition AP for proof of identity, which the AP gets from the user and then sends back to the server to complete the authentication. ECommerce A business venture between a supplier and its customers using online services (for example, the Internet).
  • Page 285 California accesses a computer in New York, the computer in New York is considered the host. (Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business exposure.
  • Page 286 Term Definition iNAT™ (Intelligent Network Address Translation) Nomadix’ iNAT™ feature creates an intelligent mapping of IP addresses and their associated VPN tunnels allowing multiple tunnels to be established to the same VPN server—creating a seamless connection for all the users at the public-access location.
  • Page 287 MIBs. In theory, any SNMP manager can talk to any SNMP agent with a properly defined MIB. See also, SNMP. Misconfigured User: A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be...
  • Page 288 Term Definition program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock. OFDM (Orthogonal Frequency Division Multiplexing) An FDM modulation technique for transmitting large amounts of digital data over a radio wave. OFDM works by splitting the radio signal into multiple smaller sub-signals that are then transmitted simultaneously at different frequencies to the receiver.
  • Page 289 Term Definition (packets per second) The rate at which packets are delivered to their destination. See also, Forwarding Rate, Packet, and Packet Switching Network. PPTP (Point-to-Point Tunneling Protocol) Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum, PPTP is a new technology used for creating Virtual Private Networks (VPNs).
  • Page 290 Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
  • Page 291 Term Definition routes between hosts. To establish path redundancy, STP creates a tree that spans all of the switches in an extended network, forcing redundant paths into a standby (or blocked) state. STP allows only one active path at a time between any two network devices (this prevents the loops) but establishes the redundant links as a backup if the initial link should fail.
  • Page 292 Term Definition or receives any data. TLS is application protocol-independent. Higher-level protocols can layer on top of the TLS protocol transparently. Based on Netscape’s SSL 3.0, TLS supersedes and is an extension of SSL. TLS and SSL are not interoperable. See also, Protocol and SSL. Translation See IP Address Translation.
  • Page 293 HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration.

This manual is also suitable for:

Ag5800, Ag2500, Ag5600, Ag5900, Ag2400, Ag 5500 ...
