Aruba Networks PowerConnect W Clearpass 100 Software Deployment Manual

3.7 deployment guide

Summary of Contents for Aruba Networks PowerConnect W Clearpass 100 Software

  • Page 1 Amigopod 3.7...
  • Page 2 Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move...
  • Page 3: Table Of Contents

    Contents: Chapter 1 Amigopod Visitor Management Appliance (17); About this Manual (17); Documentation Conventions (17); Documentation Overview (18); Getting Support (19); Field Help (19); Quick Help (19); Context-Sensitive Help (19); Searching Help (19); If You Need More Assistance (20); Chapter 2 Management Overview (21); Visitor Access Scenarios (21); Reference Network Diagram (22); Key Interactions (22)...
  • Page 4 Configure Amigopod Subscription ID (42); Install Subscription Updates (43); Setup Complete (44); Chapter 4 RADIUS Services (45); Accessing RADIUS Services (45); Server Control (45); RADIUS Log Snapshot (45); Debug RADIUS Server (46); Viewing Failed Authentications (46); Server Configuration (47); Example: Removing a User-Name Suffix (49); Example: Correcting the NAS-IP-Address Attribute (49); Example: Adding a Reply-Message to an Access-Reject Packet (49); User Roles (49)...
  • Page 5 EAP and 802.1X Authentication (77); Specifying Supported EAP Types (78); Creating a Server Certificate and Self-Signed Certificate Authority (79); Requesting a Certificate from a Certificate Authority (81); Importing a Server Certificate (82); Installing a Server Certificate from a Certificate Authority (83); Exporting Server Certificates (83); PEAP Sample Configuration (83); Active Directory Domain Services (88)...
  • Page 6 Creating Multiple Guest Account Receipts (138); Managing Guest Accounts (139); Managing Multiple Guest Accounts (142); Importing Guest Accounts (144); Exporting Guest Account Information (148); Guest Manager Customization (148); Default Settings for Account Creation (149); About Fields, Forms, and Views (153); Business Logic for Account Creation (153); Account Expiration Types (155); Standard Fields (156); Standard Forms and Views (156)...
  • Page 7 MAC Authentication on Amigopod (204); MAC Address Formats (204); Managing Devices (205); MAC Creation Modes (210); Accounting-Based MAC Authentication (214); Importing MAC Devices (217); Advanced MAC Features (217); Active Sessions Management (218); Session States (220); RFC 3576 Dynamic Authorization (220); Filtering the List of Active Sessions (221); Managing Multiple Active Sessions (221); Sending Multiple SMS Alerts (226); SMS Services (227)...
  • Page 8 Classification Groups (261); Statistics and Metrics (263); Output Series (266); Output Series Fields (267); Output Filters (268); Presentation Options (270); Final Report (272); Creating Reports (272); Creating the Report – Step 1 (273); Creating the Report – Step 2 (273); Creating Sample Reports (274); Report Based on Modifying an Existing Report (274); Report Created from Report Manager using Create New Report (275); Report Created by Duplicating an Existing Report (277)...
  • Page 9 Notifications (313); OS Updates (314); Manual Operating System Updates (314); Reviewing the Operating System Update Log (314); Determining Installed Operating System Packages (315); Plugin Manager (315); Managing Subscriptions (316); Viewing Available Plugins (316); Adding or Updating New Plugins (317); Configuring Plugin Update Notifications (318); Configuring Plugins (318); Server Time (321); System Control (323); Changing System Configuration Parameters (323); System Log Configuration (323)...
  • Page 10 Failure Detection (349); Database Replication (349); Configuration Replication (350); Primary Node Failure (351); Secondary Node Failure (351); Email Notification (352); Cluster Status (352); Cluster Setup (353); Prepare Primary Node (354); Prepare Secondary Node (356); Cluster initialization (356); Cluster Deployment (357); Cluster Maintenance (357); Recovering From a Failure (358); Recovering From a Temporary Outage (358); Recovering From a Hardware Failure (359); Performing Scheduled Maintenance (359)...
  • Page 11 NwaParseXml (382); NwaPasswordByComplexity (382); NwaSmsIsValidPhoneNumber (382); NwaStrongPassword (382); NwaVLookup (383); NwaWordsPassword (383); Field, Form and View Reference (384); GuestManager Standard Fields (384); Hotspot Standard Fields (391); SMS Services Standard Fields (392); SMTP Services Standard Fields (392); Format Picture String Symbols (394); Form Field Validation Functions (395); Form Field Conversion Functions (397); Form Field Display Formatting Functions (398); View Display Expression Technical Reference (400)...
  • Page 12 List of Standard Radius Attributes (423); Authentication Attributes (423); RADIUS Server Internal Attributes (425); LDAP Standard Attributes for User Class (425); Regular Expressions (425); Chapter 12 Glossary (427); Index (429). Amigopod 3.7 | Deployment Guide...
  • Page 13 Figures: Figure 1 Visitor access using the Amigopod Visitor Management Appliance (21); Figure 2 Reference network diagram for visitor access (22); Figure 3 Interactions involved in guest access (23); Figure 4 Sequence diagram for network access using AAA (24); Figure 5 Rear port configuration for AMG-HW-100/-2500 appliances (31); Figure 6 RADIUS Role Editor page (50)...
  • Page 15 Tables: Table 1 Quick Links (18); Table 2 List of Key features (25); Table 3 Common Terms (27); Table 4 Site Preparation Checklist (29); Table 5 Default Port configurations (31); Table 6 Ethernet adapter configuration (32); Table 7 Virtual ethernet adapter configuration (32); Table 8 Console access methods (33); Table 9 Web Login Page Syntax (66)...
  • Page 16 Table 45 Display Expressions for Data Formatting (400); Table 46 PHP Variables (401); Table 47 General Configuration Settings (410); Table 48 Security Configuration Settings (412); Table 49 Proxy Configuration Settings (412); Table 50 Thread Pool Settings (413); Table 51 Authentication Module Configuration Settings (415); Table 52 Database Module Configuration Settings (416); Table 53...
  • Page 17: Amigopod Visitor Management Appliance

    Chapter 1 Amigopod Visitor Management Appliance Collaboration between companies and mobility of staff has never been greater. Distributed workforces, traveling sales staff and a dependence on outsourced contractors and consultants requires efficient management, which can pose problems for network security and operational staff. With visitors increasingly requiring online access to perform their work, Amigopod provides a simple interface that can quickly create and manage visitor accounts within a pre-defined security profile.
  • Page 18: Documentation Overview

    Documentation Overview Click the context-sensitive Help link displayed at the top right of each page to go directly to the relevant section of the deployment guide. The following quick links may be useful in getting started. Table 1 Quick Links For information about... Refer to...
  • Page 19: Getting Support

    Chapter 10, “High Availability Services” describes the optional high availability services that may be used to deploy a cluster of appliances in a fault-tolerant configuration. Chapter 11, “Reference” contains technical reference information about many of the built-in features of...
  • Page 20: If You Need More Assistance

    If You Need More Assistance If you encounter a problem using the Amigopod Visitor Management Appliance, your first step should be to consult the appropriate section in this Deployment Guide. If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.
  • Page 21: Management Overview

    Chapter 2 Management Overview This section explains the terms, concepts, processes, and equipment involved in managing visitor access to a network. The content here is intended for network architects, IT administrators and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
  • Page 22: Reference Network Diagram

    Reference Network Diagram The following figure shows the network connections and protocols used by the Amigopod Visitor Management Appliance. See Figure Figure 2 Reference network diagram for visitor access The network administrator, operators and visitors may use different network interfaces to access the visitor management features.
  • Page 23: AAA Framework

    Figure 3 Interactions involved in guest access The Amigopod Visitor Management Appliance is part of your network’s core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask the Amigopod Visitor Management Appliance to authenticate the username and password provided by a guest logging in to the network.
  • Page 24: Figure 4 Sequence Diagram For Network Access Using AAA

    Figure 4 Sequence diagram for network access using AAA. [Diagram not reproduced. Its labels cover the guest associating in the unregistered role, the redirect to the landing page, completing and submitting the Web login form, the automated NAS login, Access-Request and Access-Accept (authentication and authorization into the guest role), Accounting-Request and Accounting-Response (accounting), and Internet browsing...]
  • Page 25: Key Features

    Key Features Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide. Table 2 List of Key features Feature Refer to… Visitor Access RADIUS server providing authentication, authorization, and accounting (AAA) “RADIUS Services”...
  • Page 26 Table 2 List of Key features (Continued): Logout at account expiration (refer to “Account Expiration Types”); Define unlimited custom fields (refer to “Customization of Fields”); Username up to 64 characters (refer to “GuestManager Standard Fields”). Customization Features: Create new fields and forms for visitor management (refer to “Customization of Forms and Views”)...
  • Page 27: Visitor Management Terminology

    Visitor Management Terminology The following table describes the common terms used in this guide. See Table Table 3 Common Terms (Term: Explanation). Accounting: Accounting is the process of recording summary information about network access by users and devices. Authentication: Authentication is the verification of a user’s credentials, typically a username and password.
  • Page 28: Deployment Process

    Deployment Process As part of your preparations for deploying a visitor management solution, you should consider the following areas: Management decisions about security policy; Decisions about the day-to-day operation of visitor management; Technical decisions related to network provisioning...
  • Page 29: Site Preparation Checklist

    Site Preparation Checklist The following is a checklist of the items that should be considered when setting up the Amigopod Visitor Management Appliance. Table 4 Site Preparation Checklist (columns: Policy, Decision). Security Policy: Segregated guest accounts? Type of network access? Time of day access? Bandwidth allocation to guests? Prioritization of traffic?
  • Page 31: Setup Guide

    Chapter 3 Setup Guide This section covers the initial deployment and configuration of the Amigopod Visitor Management Appliance. If you have a hardware appliance, see “Hardware Appliance Setup” in this chapter. If you are using the Amigopod Visitor Management Appliance in a virtual machine, see “Virtual Appliance Setup”...
  • Page 32: Virtual Appliance Setup

    Table 5 Default Port configurations (Continued): Hostname: Amigopod.localdomain. Virtual Appliance Setup VMware Workstation or VMware Player The virtual appliance is packaged as a zip file containing a directory with the files for the virtual machine. To install the virtual appliance, extract the contents of the zip file to a new directory and double-click the .vmx file to start the appliance. The configuration for the VMware Player virtual machine includes two virtual Ethernet adapters.
  • Page 33: Accessing The Console User Interface

    Table 7 Virtual ethernet adapter configuration (Continued) IP Address – Netmask – Gateway – – Adapter Name eth0 Hostname Amigopod.localdomain Accessing the Console User Interface The appliance’s console user interface can be used to perform basic administrative functions such as changing the network configuration or viewing the appliance’s MAC address details.
  • Page 34: Accessing The Graphical User Interface

    3. Reinitialize database – Destroys the entire configuration of the appliance and resets to the factory default state. All guest accounts, operator logins, RADIUS accounting records, application configuration, and customization will be lost. 4. Change shell password – Sets the new shell password used to access the console user interface. 5.
  • Page 35: Login Screen

    Login Screen To start the setup wizard, log in to the administrative user interface using the default username and password. Enter the username admin and the password amigopod when logging in for the first time. Amigopod License Agreement Review and accept the software license agreement. If you have any questions about the license agreement, contact Aruba support using the Web site http://support.arubanetworks.com.
  • Page 36: Set Administrator Password

    Set Administrator Password Create a new password for the administrator account. This account has full access to all settings and areas in the graphical user interface. You can optionally change the username of the administrative account for enhanced security. When the administrator password is set for the first time, the root password for the system will also be set to this password.
  • Page 37: Configure Network Interfaces

    The system hostname is a fully-qualified domain name. By default, this is set to amigopod.localdomain, but you may specify another valid domain name. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are: Each component of the hostname must not exceed 63 characters...
  • Page 38: Configure HTTP Proxy

    Your Amigopod visitor management solution must be configured appropriately for your organization’s relevant network infrastructure. For details on how to configure your network interface, see Changing Network Interface Settings in the Administrator Tasks chapter. Configure HTTP Proxy If your network configuration requires the use of a HTTP proxy to access the Internet, enter the details for the proxy here and click Save Changes.
  • Page 39: Configure SMTP Mail Settings

    Configure SMTP Mail Settings For details on SMTP configuration, see “SNMP Configuration” in the Administrator Tasks chapter. Click the Send Test Message button to send an email to a test email address in the selected format. This can be used to verify the SMTP configuration, as well as check the delivery of HTML formatted emails. Click the Save and Close button to save the updated SMTP configuration.
  • Page 40: Configure SNMP

    Configure SNMP The SNMP Setup form is used to configure the system’s SNMP server and enable SNMP access. (For details on SNMP configuration, see “SNMP Configuration” in the Administrator Tasks chapter.) Click the Save Changes button to apply the SNMP configuration. Configure Server Time and Time Zone Select the server’s time zone and set other options related to timekeeping for the server.
  • Page 41: Configure Default RADIUS NAS Vendor Type

    To ensure that authentication, authorization and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server’s time. NTP can interfere with timekeeping in virtual machines.
  • Page 42: RADIUS Network Access Servers

    RADIUS Network Access Servers Network access servers are RADIUS clients, and must be predefined in order to access the RADIUS server. For security, each NAS device must also have a shared secret which is known only to the device and the RADIUS server.
  • Page 43: Install Subscription Updates

    If you have purchased the Amigopod appliance, you will have one or more subscription IDs that enable particular modules of functionality that you have purchased. These subscription IDs will have been provided to you by your reseller at the time of purchase. A subscription ID consists of number and letter groups separated with hyphens.
  • Page 44: Setup Complete

    Setup Complete After downloading and installing the available plugin updates, the setup process is complete. Context-sensitive help is available throughout the application. For more detailed information about the area of the application you are using, click the Help link displayed at the top right of the page. This will open a new browser window showing the relevant section of this deployment guide.
  • Page 45: Chapter 4 RADIUS Services

    Chapter 4 RADIUS Services RADIUS is a network access-control protocol that verifies and authenticates users. The framework around which RADIUS is built is known as the AAA process, consisting of authentication, authorization, and accounting. RADIUS authenticates a guest user’s session by checking that the guest’s password matches the guest’s login details stored in the RADIUS database.
  • Page 46: Debug RADIUS Server

    Log entries that are displayed include both successful and unsuccessful authentication attempts, the details about any authentication or authorization failures, and server configuration messages when the RADIUS server is started. Debug RADIUS Server The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets.
  • Page 47: Server Configuration

    Each row in the table groups together authentication attempts based on the username (that is, the User-Name attribute provided to the RADIUS server in the Access-Request). The Status column displays one of the following messages for each authentication record, explaining the current state of the user account in the system: Does not exist –...
  • Page 48 The NAS Type list may be used to select a default type for network access servers. Use this option if you have a deployment that uses only one type of NAS. The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets.
  • Page 49: Example: Removing A User-Name Suffix

    Example: Removing a User-Name Suffix Some NAS equipment always appends a realm in the form ‘@domain.com’ to a RADIUS User-Name attribute in the Access-Request message sent to the RADIUS server. It is possible to configure the RADIUS server to strip off this additional text, using the attr_rewrite module. Use the following Server Configuration entries to perform this modification:

        module.attr_rewrite.consentry.attribute = User-Name
        module.attr_rewrite.consentry.searchin = packet...
  • Page 50: Creating A User Role

    User roles can be used to apply different security policies to different classes of guest user accounts. For example, guest users, employees and contractors might all have differing network security policies. The RADIUS attributes defined by a user role can then specify what each class of user is authorized to do. The User Roles list view defines the user roles for the RADIUS server and allows you to make changes to existing user roles.
  • Page 51: Role Attributes

    Role Attributes RADIUS attributes form the heart of the role-based access control system. Different user roles may have different attributes associated with them, which allows you to control the behavior of network access devices that authenticate users with the RADIUS server. Furthermore, you can associate a set of rules called a condition with each RADIUS attribute.
  • Page 52: Attribute Tags

    When all the attributes have been added, click the Save Changes button to create this user role. You must click the Save Changes button before any of the changes you have made will take effect in the user role. A warning message will be displayed if you attempt to navigate away from the RADIUS Role Editor page while there are unsaved changes.
  • Page 53: Example: Time-Based Authorization

    2. Click the Add Attribute tab. 3. Select the Reply-Message attribute from the drop-down list and enter the string value Good morning, guest. 4. Select Enter condition expression… from the Condition drop-down list and enter the following code in the Expression text field: return date('a') == 'am';...
  • Page 54: Attribute Value Expressions

    4. Select Enter condition expression… from the Condition drop-down list and enter the following code in the Expression text field: return GetUserTraffic(86400) > 10485760 && AccessReject(); 5. Click the Add Attribute button. 6. Click the Save Changes button to apply the new settings to the role. The GetUserTraffic() function ( “GetUserTraffic()”...
  • Page 55: Network Access Servers

    The network has an Aruba wireless controller at 192.168.30.2 which should be configured to place all visitor traffic into VLAN ID 100. There is another Aruba wireless controller at 192.168.40.2 which should be configured to place visitor traffic into VLAN ID 200. 1.
  • Page 56 The NAS name is used in the RADIUS server log to identify access requests from NAS servers. This name must be unique. The NAS type is selected from a drop down list with the following predefined types: Other NAS; RFC 3576 Dynamic Authorization Extensions Compatible...
  • Page 57: Importing A List Of Network Access Servers

    Trendnet; Xirrus. RFC 3576 is used by the RADIUS server to request that a NAS disconnect or reauthorize a session that was previously authorized by the RADIUS server. If your NAS vendor is not listed, select the “Other NAS” option. If the NAS is known to support RFC 3576, select the “RFC 3576 Dynamic Authorization Extensions Compatible”...
  • Page 58 To complete the form, you must either specify a file containing the server information, or type or paste in the NAS information to the NAS List Text area. Advanced import options may be specified by selecting the Show additional import options check box. The Amigopod Visitor Management Appliance uses the UTF-8 character set encoding internally to store NAS server properties.
  • Page 59: Web Logins

    To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name (Field 1, Field 2, etc.) to use the values from that column when importing the NAS entries, or select one of the other available options to use a fixed value. Click the Next Step button to preview the final result.
  • Page 60: Creating A Web Login Page

    Figure 7 Sequence diagram for guest captive portal and Web login In a typical configuration, you would enable the captive portal functionality of your NAS [1], and use the URL of your custom Web login page as the default portal landing page for unauthorized guests.
  • Page 61 Changing the vendor settings may overwrite any customizations you have made to the Header HTML and Footer HTML. If you have chosen a specific vendor, the form will display additional options: The Address option allows you to set the IP address for the NAS, as it will be visible to the guest network. The Secure Login option controls whether the NAS login should be performed using HTTP or HTTPS.
  • Page 62 The Authentication field provides three options: Credentials—a username and password. The guest is prompted for a username and password to log in to the network. Access Code—Requires only username for authentication. The guest’s password is automatically provided for the login attempt. Anonymous—This option supports two special usernames: _mac and underscore (_).
  • Page 63 The visitor’s password will be submitted to the NAS unmodified if the Password Encryption option No encryption (plaintext password) is selected. Otherwise, see “Universal Access Method (UAM) Password Encryption” in this chapter for details about the supported password encryption methods. When Local –...
  • Page 64 Use the Insert self-registration link… drop-down list to insert HTML code that creates a link to an existing guest self-registration page. This may be of use when you are creating a landing page suitable for both registered and unregistered visitors. You are able to optionally create a login message in this section.
  • Page 65: Universal Access Method (UAM) Password Encryption

    The ‘Allowed Access’ and ‘Denied Access’ fields are access control lists that determine if a client is permitted to access this Web login page. You can specify multiple IP addresses and networks, one per line, using the following syntax: 1.2.3.4 – IP address...
  • Page 66: NAS Login Parameters

    http://192.168.88.88/weblogin.php/4?wlan=Amigopod This will in turn result in a hidden field included in the Web login form. The field will be named wlan and will be set to the value Amigopod. NAS Login Parameters Extra fields in the NAS login form may be defined using name=value pairs in the Web login form configuration.
  • Page 67: Apple Captive Network Assistant Bypass With Amigopod

    {$extra_fields.wlan} To display all the remembered fields for the current visitor session, use the syntax: {dump var=$extra_fields export=html} Apple Captive Network Assistant Bypass with Amigopod This section describes the process for leveraging the Amigopod Captive Portal to bypass the Captive Network Assistant (Web sheet) that is displayed on iOS devices such as iPhones and iPads and, more recently, Mac OS X machines running Lion (10.7).
  • Page 68: Figure 8 Captive Network Assistant On MacOS X

    Also if the user chooses to cancel the Web sheet, the Wi-Fi connection to the Open network will be dropped automatically preventing any further interaction via the full browser or other applications. The following are examples of these Web sheet sessions from a Mac OS X Lion (10.7) laptop, iPad and an iPhone. Figure 8 Captive Network Assistant on MacOS X. Figure 9 Captive Network Assistant on iPad.
  • Page 69: Solution Implementation

    Figure 10 Captive Network Assistant on iPhone The Web sheet can be easily identified by the lack of a URL bar at the top of the screen and typical menu bar items. For many customers, this behavior of their Apple wireless devices will be acceptable and a great usability enhancement for their user community.
  • Page 70: Figure 11 Captive Portal Profile Configuration

    The following CLI and WebUI examples show a typical configuration of the Captive Portal profile. Note that the login-page is set to point directly to the Amigopod hosted Web Login page: http://10.169.130.50/Aruba_Login.php

    Captive Portal Profile Configuration

        aaa authentication captive-portal "guestnet"
            default-role auth-guest
            direct-pause 3
            no logout-popup-window...
  • Page 71: Database Lists

    Figure 12 Configuring the Web Login page For example, the Captive Portal profile login page configuration sample below will link to an Amigopod hosted Web Login page called Aruba_Login: http://<Amigopod IP or FQDN>/landing.php/Aruba_Login.php. Database Lists This is a list of databases on the NAS server. The Amigopod RADIUS server uses a database to store the user accounts for authentication and other settings for the server.
  • Page 72: Database Maintenance Tasks

    Database Maintenance Tasks Database optimization and other maintenance tasks can be performed using this form. These tasks are normally carried out automatically and do not require administrative intervention. Some system updates may require a database schema upgrade. If this is required, it is indicated on the database list with the schema upgrade icon.
  • Page 73: Import Dictionary

    The dictionary can be sorted by clicking on a column heading. Import Dictionary You are able to import RADIUS dictionary entries from a text file using the Import Dictionary command located under the More Options tab. These text files can be created by you or you can download them from a manufacturer who is not in the standard list.
  • Page 74: Creating A New Vendor

    Creating a New Vendor A new vendor may be added to the dictionary by clicking the Create Vendor tab at the top of the Dictionary list view. You are required to enter the Vendor Name. This name cannot already exist in the dictionary. Spaces are not permitted in the Vendor Name.
  • Page 75: Add A Vendor-Specific Attribute (VSA)

    Add a Vendor-Specific Attribute (VSA) A Vendor Specific Attribute (VSA) is a RADIUS attribute defined for a specific vendor. You are able to add vendor-specific attributes to a vendor by clicking the vendor in the RADIUS dictionary list view and then clicking the Add VSA icon link.
  • Page 76: Edit Vendor-Specific Attribute

    Edit Vendor-Specific Attribute You can change the properties of an attribute by clicking on the attribute in the RADIUS dictionary list view and then clicking the Edit Attribute icon link. Once an attribute has been edited, click the Update Attribute button to save your changes. Delete Vendor-Specific Attribute Attributes can only be deleted from vendors that you have added to the dictionary.
  • Page 77: Delete Attribute Value

    You are required to enter the name of the value to be added as well as its value. Values can only be added to attributes that are of integer type. Delete Attribute Value: Values that have been added to a vendor-specific attribute can be deleted using the Delete Value button.
  • Page 78: Specifying Supported EAP Types

    To specify supported EAP types and the default type, and to configure OCSP options, see “Specifying Supported EAP Types”. To create a server certificate and self-signed certificate authority, see “Creating a Server Certificate and Self-Signed Certificate Authority”. To request a certificate from another certificate authority, see “Requesting a Certificate from a Certificate Authority”.
  • Page 79: Creating A Server Certificate And Self-Signed Certificate Authority

    1. In the Supported EAP Types row, mark the check box for each type the RADIUS server should support. The available types are EAP-MD5, EAP-MSCHAPv2, EAP-TLS, EAP-TTLS, and PEAP. If you select EAP-TLS, the EAP-TLS Configuration area is added at the bottom of the form. 2.
  • Page 80 RADIUS Server Certificate form is displayed. The unique set of identifying details you enter on this form creates the Distinguished Name (DN) for the new certificate. Creating a new server certificate and self-signed CA is a three-step process: In step 1, a certificate signing request is created with the identifying details of the Distinguished Name ...
  • Page 81: Requesting A Certificate From A Certificate Authority

    The “Common Name” of the CA certificate will be used to identify it to clients installing it as a trusted CA root. Make sure to choose a sensible name. Signing RADIUS Server Certificate: For a client to verify that the RADIUS server’s identity is valid, the server’s certificate must be issued by a certificate authority (CA) that is trusted by the client.
  • Page 82: Importing A Server Certificate

    Complete the details for the certificate, and click the Download Request button to save the certificate signing request. This signing request should be submitted to your certificate authority (CA). The CA signs the request to create the server’s digital certificate. Once you have the certificate, you need to import it to set it up for use with EAP.
  • Page 83: Installing A Server Certificate From A Certificate Authority

    Complete the form with the details for your certificate, and click Continue to proceed to Step 2. Installing a Server Certificate from a Certificate Authority: The Install Server Certificate form is used to install a digital certificate you have obtained from a third-party certificate authority.
  • Page 84 3. Click the Save Changes button, and restart the RADIUS Server to apply the configuration. 4. You may verify that the EAP configuration is loaded by checking for a certain startup message on the RADIUS Server Control screen: Tue Nov 17 01:04:05 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain 5.
  • Page 85 2. Select the certificate in the list. Right-click it and choose Open: 3. Click the Install Certificate… button. The Certificate Import Wizard appears 4. Click Next. The Certificate Store form is displayed.
  • Page 86 5. Click the Browse button to select the Trusted Root Certification Authorities store 6. Click OK, and then click Next. The last page of the Certificate Import Wizard will be displayed.
  • Page 87 7. Once you have reached the end of the wizard, click Finish. A security warning dialog box will be displayed, indicating that the root certificate authorities store is about to be updated 8. To make use of the imported root certificate, make sure that the CA is specified as a Trusted Root Certification Authority for the wireless network connection that is using PEAP.
  • Page 88: Active Directory Domain Services

    Active Directory Domain Services: To perform certain types of user authentication, such as using the MS-CHAPv2 protocol to verify a username and password, the RADIUS server must first be joined to an Active Directory domain. For information on Proxy RADIUS, LDAP, and local certificate authority external authentication servers, see External Authentication Servers.
  • Page 89 The process has built-in troubleshooting assistance, which can help with much of the necessary configuration: When the server’s DNS and network settings are correctly configured, all the necessary domain-related information is automatically detected. Use the Edit Settings link at the top of this page if any of the automatically detected settings need to be modified.
  • Page 90: Testing Active Directory User Authentication

    Testing Active Directory User Authentication: To verify that the domain has been joined successfully, click the Test Authentication command link on the RADIUS > Authentication > Active Directory page. Provide a username and password for a user in the domain to verify that authentication is working. The following options are available in the Authentication drop-down list: MS-CHAPv2 –...
  • Page 91: Leaving An Active Directory Domain

    Leaving an Active Directory Domain: To remove the server from the domain, click the Leave Domain command link on the RADIUS > Authentication > Active Directory page. As with joining the domain, the credentials for a domain administrator are required to perform this operation.
  • Page 92: Managing External Authentication Servers

    Microsoft Active Directory — User accounts defined in a forest or domain and authenticated by the domain controller. Both user and machine accounts may be authenticated. Additionally, support is provided for authenticating users with a supplied username of either “DOMAIN\user” or “user”. LDAP server (Lightweight Directory Access Protocol) —...
  • Page 93 The top part of the form contains basic properties for the external authentication server. The middle part of the form differs depending on the type of authentication being performed: Active Directory Authentication Server — See “Configuring an Active Directory External Authentication Server”...
  • Page 94 NetBIOS Domain – automatically detected when joining the domain. LDAP Server and Port Number – the hostname or IP address of the domain controller, with the corresponding port number of the LDAP service. Bind Identity and Bind Password – credentials used to bind to the directory...
  • Page 95 The default settings for the “access_attr” and “access_attr_used_for_allow” settings mean that only users with the Remote Access Permission selected above will be authorized. To authorize all users in Active Directory, regardless of the individual user account settings for remote access permission, use the following settings:
      access_attr = nonexistentAttribute
      access_attr_used_for_allow = no
    Additional details about the precise operation of these parameters are as follows:...
  • Page 96 The number of seconds to wait for the LDAP query to finish.
      timelimit = 3
    The number of seconds the LDAP server has to process the query (server-side time limit).
      net_timeout = 1
    The number of seconds to wait for a response from the LDAP server (network failures).
      use_mppe = yes
    If this option is set to ‘yes’, MS-CHAP authentication will return the RADIUS attribute MS-CHAP-MPPE-Keys for MS-CHAPv1, and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
  • Page 97 LDAP Server and Port Number – the hostname or IP address of the LDAP server, with the corresponding port number of the LDAP service. Security – select from one of these options: Automatic – based on port number – LDAP connections to port 636 are encrypted using TLS,...
  • Page 98 LDAP Filter – an optional LDAP filter expression that may be used to restrict the matching, over and above the standard filtering applied by usernames. For example, specifying the expression (objectClass=user) will ensure that only LDAP objects with the specified type will be matched. Advanced Options –...
  • Page 99: Configuring Authorization For External Authentication Servers

    1. In the Name field, enter a name to uniquely identify this server. 2. (Optional) You can use the Description field to include additional information. 3. (Optional) To enable RADIUS authentication for this server, mark the check box in the Enabled row. 4.
  • Page 100 No authorization—Authenticate only may be used to remove all RADIUS attributes not related to authentication. The RADIUS server will return an Access-Accept or Access-Reject message indicating the result of the authentication attempt. Use the common name of the client certificate to match a local user account may be specified for...
  • Page 101 If the authentication is successful, the authorization code is evaluated. The user object returned from the external authentication server is available as the variable $user. The PHP code should return one of the following values: The ID of a user role (that is, an integer value) to assign that role to the external user...
  • Page 102 Use PHP code to assign a user role (Advanced) may be selected to return a role ID for users authenticated via EAP-TLS on a client’s local certificate server. The PHP authorization code is entered on the Edit Authentication Server form. The RADIUS Authentication diagnostic can be used to demonstrate the difference between the various authorization methods.
  • Page 103 Advanced Authorization — Example 1: This example covers the case where a domain contains several organizational units (OUs), and the users in each OU are to be mapped to a specific RADIUS role ID. To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the appropriate role.
  • Page 104: Testing External Authentication Servers

    returned. If no match is found, false is returned, which means that authorization fails and the user’s Access-Request will be rejected. The in_array() comparison is done in a case-sensitive manner. Be sure to use the correct case as returned by the LDAP query for the group name.
  • Page 105 1. To specify the network layer to test against, mark the radio button in the Mode row for either the local RADIUS server or a remote RADIUS server. 2. To indicate the value for the User-Name field for outer authentication in the RADIUS access request, mark one of the radio buttons in the Identity row.
  • Page 106: Managing Certificates For External Authentication Servers

    3. In the Client Private Key row, browse to the file containing the client’s private key. This must be a base-64 encoded (PEM) or binary encoded (DER) private key file. 4. (Optional) In the Passphrase row, you may enter the passphrase for the client’s private key. 5.
  • Page 107 The list displays the certificates that have been installed. By default, the list is empty. After selecting a certificate in the list, the following actions are available: Show Details – display information about the certificate, including its unique “fingerprint” identifier...
  • Page 109: Chapter 5 Operator Logins

    Chapter 5 Operator Logins: An operator is a company’s staff member who is able to log in to the Amigopod Visitor Management Appliance. Different operators may have different roles that can be specified with an operator profile; these profiles could be to administer the Amigopod network, manage guests or run reports. Operators may be defined locally on the Amigopod Visitor Management Appliance, or externally in an LDAP directory server.
  • Page 110: Operator Profiles

    See “About Operator Logins” in this chapter for details on configuring different forms and views for operator profiles. Operator Profiles: An operator profile determines what actions an operator is permitted to take when using the Amigopod Visitor Management Appliance. Some of the settings in an operator profile may be overridden in a specific operator’s account settings. These customized settings will take precedence over the default values defined in the operator profile.
  • Page 111 The fields in the first area of the form identify the operator profile and capture any optional information: 1. You must enter a name for this profile in the Name field. 2. (Optional) You may enter additional information about the profile in the Description field. The fields in the second area of the form define permissions for the operator profile: 1.
  • Page 112: Figure 13 Operator Profile Editor Page-User Roles And Filters

    access. The default in all cases is No Access. This means that you must select the appropriate privileges in order for the profile to work. See “Operator Profile Privileges” in this chapter for details about the available access levels for each privilege. If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item.
  • Page 113: Table 10 Operators Supported In Filters

    Table 10 Operators supported in filters Operator Meaning Additional Information is equal to You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ). is not equal to For example, specifying the filter "role_id=2|3, >...
  • Page 114: Operator Profile Privileges

    4. (Optional) In the Time Zone row, the Default setting indicates that the operator’s time zone will default to the system’s currently configured time zone. You can use the drop-down list to specify a particular time zone. Figure 14 Operator Profile Editor page—Custom forms and views 5.
  • Page 115: Managing Operator Profiles

    Read Only Access means that the operator can see the options available but is unable to make any changes to them. Full Access means that all the options are available to be used by the operator. Custom access allows you to choose individual permissions within each group. For example, Guest Manager allows you to control access to the following areas: Active sessions management...
  • Page 116: Creating A New Operator

    Creating a New Operator: Once you have a profile you can create an operator to use that profile. Any properties for the operator login that are set to (Default) are taken from the operator profile. The Operator Filter field lets you select from three other options besides Default: No operator filter—All guest accounts display.
  • Page 117: Viewing All Operator Logins

    Only show accounts by operators created within their profile—Only guest accounts created by all operators within a profile display. The User Account Filter and Session Filter fields are optional, and allow you to create and configure these filtering options: The User Account Filter lets you create a filter for the user account list that cannot be overridden by...
  • Page 118 When you click an operator login entry in the Operator Logins list, a menu appears that allows you to perform any of the following operations: View/Hide Details—displays or hides configuration details for the selected operator login. Edit—opens the Edit Operator Login page for changing the properties of the specified operator login...
  • Page 119: Changing Operator Passwords

    Changing Operator Passwords: To change the password for an operator, edit the operator login and type a new password in the “Operator Password” and “Confirm Password” password fields. You may also want to select “Force a password change on their next login” under Password Options to allow the operator to select a new password. Operators can change their own passwords by navigating to Home >...
  • Page 120: Figure 15 Server Configuration Page

    Figure 15 Server Configuration page. To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See “Advanced LDAP URL Syntax” in this chapter for more details about the types of LDAP URL you may specify. Select the Enabled option if you want this server to authenticate operator logins.
  • Page 121: Table 12 Server Type Parameters

    This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop-down list and select one of the following options: Table 12 Server Type Parameters Server Type Required Configuration Parameters Microsoft Active Directory...
  • Page 122: Advanced LDAP URL Syntax

    Figure 16 LDAP Plugin. Once you have completed the form, check your settings by clicking the Test Settings button. Use the Test Username and Test Password fields to supply a username and password for the authentication check. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed.
  • Page 123: LDAP Operator Server Troubleshooting

    Select any of the LDAP servers in the list to display options to perform the following actions on the selected server: Edit—changes the properties of an LDAP server; Delete—removes the server from the LDAP server list; Duplicate—creates a copy of an LDAP server...
  • Page 124: Table 13 LDAP Error Messages

    You can also verify operator authentication when you create a new LDAP server configuration using the Test Settings button on the LDAP Configuration form (see “Creating an LDAP Server” in this chapter for a description). Looking Up Sponsor Names: This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.
  • Page 125: LDAP Translation Rules

    Table 13 LDAP Error Messages (Continued): User must reset password; User account is locked. Other items to consider when troubleshooting LDAP connection problems: Verify that you are using the correct LDAP version – use ldap:// for version 2 and ldap3:// to specify...
  • Page 126 To create a new LDAP translation rule: 1. In the Name field, enter a self-explanatory name for the translation rule. In the example above the translation rule is to check that the user is an Administrator, hence the name MatchAdmin. 2.
  • Page 127: Custom Ldap Translation Processing

    Translation rules are processed in order, until a matching rule is found that does not have the Fallthrough field set. To edit the matching rule list, select an entry in the table to display a menu that lets you perform the following actions: Edit –...
  • Page 128 For example, to permit non-administrator users to access the system only between the hours of 8am and 6pm, you could define the following LDAP translation rule. The Custom rule is:
      {strip}
      {if stripos($user.memberof, "CN=Administrators")!==false}
      {elseif date('H') >= 8 && date('H') < 18}
      {else}
      {/if}
      {/strip}...
  • Page 129: Operator Logins Configuration

    Operator Logins Configuration: You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen.
  • Page 130: Operator Password Options

    Para entrar en el web demo de Amigopod,<br> necesitas un nombre y contraseña. </p> <p> Si no tienes un login, puedes obtener uno<br> <a href="http://www.arubanetworks.com/">contactando con Aruba Networks</a>. </p> {else} <p> The Amigopod demo site <br> requires a username and password. </p>...
  • Page 131: Advanced Operator Login Options

    Advanced Operator Login Options: The following options are available in the Logging drop-down list: No logging; Log only failed operator login attempts; Log only Web logins; Log only XMLRPC access; Log all access. Log messages for operator logins, whether successful or unsuccessful, are shown in the application log. Automatic Logout: The Logout After option in the Advanced Options section lets you configure an idle time, after which an operator’s session will be ended.
  • Page 133: Chapter 6 Guest Management

    Chapter 6 Guest Management: The ability to easily create and manage guest accounts is the primary function of the Amigopod Visitor Management Appliance. Guest Manager provides complete control over the user account creation process. Using the built-in customization editor you can customize fields, forms and views as well as the forms for guest self-registration.
  • Page 134: Sponsored Guest Access

    Sponsored Guest Access: The following figure shows the process of sponsored guest access. Figure 17 Sponsored guest access with guest created by operator. The operator creates the guest accounts and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest’s login using the Amigopod Visitor Management Appliance.
  • Page 135: Standard Guest Management Features

    See “Customizing Self Provisioned Access” in this chapter for details on creating and managing self-registration pages. Standard Guest Management Features: Guest Manager provides a complete set of features for managing guest accounts, including: Creating single guest accounts; Creating multiple guest accounts...
  • Page 136: Creating A Guest Account Receipt

    To complete the form, first enter the visitor’s details into the Sponsor’s Name, Visitor Name, Company Name and Email Address fields. The visitor’s email address will become their username to log into the network. You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time.
  • Page 137: Creating Multiple Guest Accounts

    To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser’s Print dialog box will be displayed. Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent.
  • Page 138: Creating Multiple Guest Account Receipts

    To complete the form, you must enter the number of visitor accounts you want to create. A random password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. You can specify the account activation and expiration times.
  • Page 139: Managing Guest Accounts

    Lifetime – the account lifetime in minutes, or N/A if the account does not have a lifetime specified. Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the account. Managing Guest Accounts: Use the Guest Manager Accounts list view to work with individual guest accounts.
  • Page 140: Table 15 Operators Supported In Filters

    You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 15 Operators supported in filters Operator Meaning Additional Information...
  • Page 141 Click the Update Account button to reset the guest account’s password. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details. Change expiration – Changes the expiration time for a guest account...
  • Page 142: Managing Multiple Guest Accounts

    This form may be customized by adding new fields, or modifying or removing the existing fields. Refer to the section of this chapter for details about this customization process. This is the guest_edit form. Click the Update Account button to update the properties of the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.
  • Page 143: Table 16 Operators Supported In Filters

    You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 16 Operators supported in filters Operator Meaning Additional Information...
  • Page 144: Importing Guest Accounts

    Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all pages of the filtered result to the selection.
  • Page 145 To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area. Select the Show additional import options check box to display the following advanced import options: Character Set: The Amigopod Visitor Management Appliance uses the UTF-8 character set encoding...
  • Page 146 In this example, the following data was used:
      username,visitor_name,password,expire_time
      demo005,Demo five,secret005,2011-06-10 09:00
      demo006,Demo six,secret006,2011-06-11 10:00
      demo007,Demo seven,secret007,2011-06-12 11:00
      demo008,Demo eight,secret008,2011-06-13 12:00
      demo009,Demo nine,secret009,2011-06-13 12:00
      demo010,Demo ten,secret010,2011-06-13 12:00
      demo011,Demo eleven,secret011,2011-06-13 12:00
    Because this data includes a header row that contains field names, the corresponding fields have been automatically detected in the data. Use the Match Fields form to identify which guest account fields are present in the imported data.
  • Page 147 Click the Next Step button to preview the final result. Step 3 of 3 displays a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are displayed. The icon displayed for each user account indicates if it is a new entry or if an existing user account will be updated. By default, this form shows ten entries per page.
  • Page 148: Exporting Guest Account Information

    Exporting Guest Account Information: Guest account information may be exported to a file in one of several different formats. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format. This view (guest_export) may be customized by adding new fields, modifying or removing the existing fields.
  • Page 149: Default Settings For Account Creation

    SMS and email receipts – Include a short text message with your guest’s username and password, or send HTML emails containing images. Advanced customization – The Amigopod Visitor Management Appliance is flexible and can be used to provide location sensitive content and advertising. Default Settings for Account Creation: The Guest Manager plugin configuration holds the default settings for account creation.
  • Page 150 Username Length – This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”. The default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field.
  • Page 151: Figure 20 Customize Guest Manager Page (Part 2)-Continued

    Figure 20 Customize Guest Manager page (part 2)—continued. Expire Action – Default action to take when the expiration time is reached. There are four options. A logout can only occur if the NAS is RFC-3576 compliant. Account Retention – Deleted user accounts are available for reporting purposes. The default value is 1...
  • Page 152: Figure 21 Customize Guest Manager Page (Part 3)-Continued

    Figure 21 Customize Guest Manager page (part 3)—continued. Lifetime Options – Default values for account lifetimes. These options are displayed as the values of the “Account Lifetime” field when creating a user account. Terms of Use URL – URL of a terms and conditions page provided to sponsors. You may upload an...
  • Page 153: About Fields, Forms, And Views

    Password Display – Select the “View guest account passwords” option to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the “guest_users” or “guest_edit” view, and the operator profile in use must also have the View Passwords privilege. Initial Sequence –...
  • Page 154 modify_password: This field controls password modification for the visitor account. It may be set to one of these values: “reset” to randomly generate a new password according to the values of the random_password_method and random_password_length fields; “password” to use the password specified in the password field...
  • Page 155: Account Expiration Types

    Visitor Account Expiration Properties. do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire. If modify_expire_time is “none”, then the account has no expiration time set. If modify_expire_time is “now”, then the account is disabled and has no expiration time set...
  • Page 156: Standard Fields

    “Logout” indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See “RFC 3576 Dynamic Authorization” in this chapter for more information. Standard Fields: See “Field, Form and View Reference”...
  • Page 157: Customization Of Fields

    Table 18 Visitor Management Forms and Views (Continued)
      guest_sessions | View | Active Sessions
      guest_users | View | List Accounts
      remove_account | Form | Remove Account
      reset_password | Form | Reset Password
    These forms are accessed directly: create_multi form – multiple account creation; create_user form – sponsored account creation...
  • Page 158: Creating A Custom Field

    Creating a Custom Field: To create a custom field click the Create tab at the top of the window or the Create a new field link at the bottom of the window. The Create Field form is displayed. The Field Name is not permitted to have spaces but you can use underscores. Enter a description in the Description field.
  • Page 159: Duplicating A Field

    You can specify the default validation rules that should be applied to this field when it is added to a form. See “Form Validation Properties” in this chapter for further information about form validation properties. Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior.
  • Page 160: Customization Of Forms And Views

    The list displays the views that use the selected field. It also allows you to edit the view’s fields by clicking on the Edit Fields link. Clicking on the Use link displays the view. If the field is used on multiple views, you are able to select which view you would like to see. Customization of Forms and Views: You are able to view a list of forms and views.
  • Page 161: Editing Forms

    The duplicated form or view has a name derived from the original, which cannot be changed. Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view. Click the Show Usage link for a duplicated form or view to see the operator profiles that are referencing it. Click the Delete link for a duplicated form or view to remove the copy.
  • Page 162: Form Field Editor

    form submit is successful and a summary of the values submitted is displayed. This allows you to verify any data conversion and formatting rules you have set up. Form Field Editor: The form field editor is used to control both the data gathering aspects and user interface characteristics of a field.
  • Page 163 CAPTCHA security code – A distorted image of several characters is shown. The image may be regenerated, or played as an audio sample for visually impaired users. When using the recommended validator for this field (NwaCaptchaIsValid), the security code must be matched or the form submit will fail with an error.
  • Page 164 Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type. To store a comma-separated list of the selected values, enable the Advanced options, select “NwaImplodeComma”...
  • Page 165 How this works: Suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
  • Page 166 File upload – Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for use in custom fields.
    Hidden field –...
  • Page 167 Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.
  • Page 168 Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.
  • Page 169 Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors.
  • Page 170 Static group heading – The label and description of the field is used to display a group heading on the form. The field’s value is not used, and the field is not submitted with the form. When using this user interface element, it is recommended that you use the “nwaImportant” CSS class to visually distinguish the group heading’s title.
  • Page 171 Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field. It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style (for example, “width: 460px;...
  • Page 172: Form Validation Properties

    Form Validation Properties
    The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.
  • Page 173: Examples Of Form Field Validation

    All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid. To validate a specific field, choose a validator from the drop-down list. See “Form Field Validation Functions”...
  • Page 174 Furthermore, note that blank values, or non-numeric values, will result in a different error message: The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties.
  • Page 175: Advanced Form Field Properties

    Advanced Form Field Properties
    The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the Amigopod Visitor Management Appliance user interface. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor.
  • Page 176: Form Field Validation Processing Sequence

    If a preliminary value was provided for the field but the guest’s entered value does not need to match case or all characters, choose Guest must supply field from the drop-down list. For example, a bulk account creation might use random usernames, and each visitor’s entry in that field would not need to match exactly.
  • Page 177 The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field. For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form.
  • Page 178 A comparison of these two approaches is shown below to illustrate the difference: When using a Conversion or Value Format function, you will almost always have to set up a Display Function for the form field. This function is used to perform the conversion in the reverse direction – between the internal stored value and the value displayed in the form field.
  • Page 179: Editing Views

    Most user interface elements support the value property to retrieve the current value. For check boxes, however, use the checked property to determine if the check box is currently selected. The most practical use for this capability is to hide a form field until a certain value of some other related field has been selected.
  • Page 180: View Field Editor

    Use the Edit Base Field link to make changes to an existing field definition. Any changes made to the field using this editor will apply to all views that are using this field (except where the view field has already been modified to be different from the underlying field definition).
  • Page 181: Customizing Self Provisioned Access

      • Boolean – Enabled/Disabled – The value of the field is converted to Boolean and displayed as “Enabled” or “Disabled”.
      • Boolean – On/Off – The value of the field is converted to Boolean and displayed as “On” or “Off”.
      • Date –...
  • Page 182: Creating A Self-Registration Page

    Figure 23 Sequence diagram for guest self-registration
    The captive portal redirects unauthorized users to the register page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed with the details of the guest account.
  • Page 183: Editing Self-Registration Pages

    The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self provisioning page. For example, the default “guest_register”...
  • Page 184: Basic Properties For Self-Registration

    Figure 24 Guest self-registration process
    A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item.
    Basic Properties for Self-Registration
    Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.
  • Page 185 values, select the Guest Self-Registration (guest_register) option from the Parent field drop-down menu.
    Paying for Access
    If you select the standalone self-registration (No parent - standalone) option, you can also configure the Hotspot option. You can configure this setting so that registrants have to pay for access.
    Requiring Operator Credentials
    If you want to require an operator to log in with their credentials before they can create a new guest account, select the Require operator credentials prior to registering guest check box.
  • Page 186: Registration Page Properties

      • 1.2.3.4/24 – IP address with network prefix length
      • 1.2.3.4/255.255.255.0 – IP address with explicit network mask
    Use the Deny Behavior drop-down list to specify the action to take when access is denied. The Time Access field allows you to specify the days and times that self-registration is enabled. Times must be entered in 24-hour clock format.
  • Page 187: Default Self-Registration Form Settings

    3. Click the Register Page link, or one of the Title, Header or Footer fields for the Register Page. Template code for the title, header, and footer may be specified. See “Smarty Template Syntax” in the Reference chapter for details on the template code that may be inserted. Select the Do not include guest registration form contents check box to override the normal behavior of the registration page, which is to display the registration form between the header and footer templates.
  • Page 188: Receipt Page Properties

    The auto_update_account field is set by default. This is to ensure that a visitor who registers again with the same email address has their existing account automatically updated.
    Receipt Page Properties
    Click the Receipt Page link or one of the Title, Header or Footer fields for the Receipt Page to edit the properties of the receipt page.
  • Page 189: Receipt Actions

    Receipt Actions
    Click the Actions link to edit the actions that are available once a visitor account has been created.
    Download and Print Actions
    Select the Download or Print check box to enable the template and display options to deliver a receipt to the user as a downloadable file, or display the receipt in a printable window in the visitor’s browser.
  • Page 190 Email Delivery of Receipts
    The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. When email delivery is enabled, the following options are available to control email delivery:
      • Disable sending guest receipts by email –...
  • Page 191: Nas Login Properties

    These options under Enabled are available to control delivery of SMS receipts:
      • Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
      • Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected ...
  • Page 192: Login Page Properties

    If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. Many of the properties on this page are the same as for a RADIUS Web Login page. For details about specifying NAS login settings, extra fields, or URL redirection parameters, see “Creating a Web Login Page”...
  • Page 193: Self-Service Portal Properties

    The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest’s username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections.
  • Page 194 The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending “_portal”. When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest self-registration pages, and may be used to determine the URL that guests should use to access the portal.
  • Page 195: Resetting Passwords With The Self-Service Portal

    session (that is, the guest’s HTTP client address is the same as the RADIUS Framed-IP-Address attribute for an active session). The Password Generation drop-down list controls what kind of password reset method is used in the portal. The default option is “Passwords will be randomly generated”, but the alternative option “Manually enter passwords”...
  • Page 196: Customizing Print Templates

    Next, enable the “Required Field” option in the Self-Service Portal properties. Setting this to (Secret Question) will ask the guest the secret_question and will only permit the password to be reset if the guest supplies the correct secret_answer value. With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined: Selecting a different value for the “Required Field”...
  • Page 197: Creating New Print Templates

    character used in the plain text template will be displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb).
    Creating New Print Templates
    Print templates can be defined using the Create new print template link.
  • Page 198: Print Template Wizard

    <table {$table_class_content} width="500">
    <tbody>
    {if $u.guest_name}
    <tr>
    <th class="nwaLeft">guest name</th>
    <td class="nwaBody">{$u.guest_name}</td>
    </tr>
    {/if}
    If this code is placed in the User Account HTML section it will cater for the create, edit and delete options.
    Print Template Wizard
    The Create new print template using wizard link provides a simplified way to create print templates by selecting a basic style and providing a logo image, title and content text, and selecting the guest account fields to include.
  • Page 199: Modifying Wizard-Generated Templates

    Click the Create Template button to save your newly created print template and return to the list.
    Modifying Wizard-Generated Templates
    Once you have created a print template using the print template wizard, you can return to the wizard to modify it. Click the Edit print template code (Advanced) link to use the standard print template editor.
  • Page 200: Configuring Access Code Logins

      • Read-only access – the print template is visible in the list, and the settings for it may be viewed. The print template cannot be edited or deleted.
      • Update access – the print template is visible in the list, and may be edited. The print template ...
  • Page 201: Create The Print Template

    Create the Print Template
    By default, the print templates include username, password, expiration, as well as other options. For the purpose of access codes, we only want the username presented. This access code login example bases the print template on an existing scratch card template.
    1.
  • Page 202: Customize The Guest Accounts Form

    Customize the Guest Accounts Form
    Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.
    1. Navigate to Customization > Forms & Views.
    2. In the Customize Forms & Views list, select create_multi and then click Edit Fields.
    3.
  • Page 203 2. Select the Username Authentication field added in the procedure above. (If you do not select this check box and if the username is entered on the login screen, the authentication will be denied.) The example shown below will create 10 accounts that will expire in two weeks, or four hours after the visitors first log in, whichever comes first.
  • Page 204: Mac Authentication On Amigopod

    4. Confirm that the account settings are as you expected with respect to letters and digits in the username and password, expiration, and role.
    5. Click the Open print window using template drop-down list and select the new print template you created using this procedure.
  • Page 205: Managing Devices

    Figure 25 MAC Authentication Plugin—Configuration
    On the controller, the fields look as follows:
    Figure 26 MAC Authentication Profile
    Managing Devices
    To view the list of current MAC devices, go to Guests > List Devices. The Guest Manager Devices page opens.
  • Page 206: Table 19 Operators Supported In Filters

    All devices created by one of the methods described in the following section are listed. Options on the form let you change a device’s account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information. You can use the Filter field to narrow the search parameters.
  • Page 207 1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:
      • If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.
      • If you choose Account Expires at a specified time, the Expiration Time row is added to the ...
  • Page 208 Activating a Device
    To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form.
    1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account.
  • Page 209 2. If you need to change the activation time, choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, or at a specified time. If you choose Activate at a specified time, the Activation Time row is added to the form.
  • Page 210: Mac Creation Modes

    Viewing Current Sessions for a Device
    To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see “Active Sessions Management”.
  • Page 211 1. In the Sponsor’s Name row, enter the name of the person sponsoring the visitor account.
    2. Enter the name for the device in the Device Name row.
    3. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administrator > Plugin Manager >...
  • Page 212 5. To set the account’s expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time.
  • Page 213: Figure 27 Modify Fields

    Figure 27 Modify fields
    Edit the receipt form fields:
      • Edit username to be a Hidden field
      • Edit password to be a Hidden field
    Adjust any headers or footers as needed. When the visitor registers, they should be able to still log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means.
  • Page 214: Accounting-Based Mac Authentication

      • UI: Hidden field
      • Field Required: optional
      • Validator: IsValidMacAddress
      • Add or enable mac_auth_pair
      • UI: Hidden field
      • Initial Value: -1
      • Any other expiration options, role choice, surveys and so on can be entered as usual.
    You will see an entry under both List Accounts and List Devices.
  • Page 215
    && NwaDynamicLoad('NwaNormalizeMacAddress') // Required call
    && ($mac=NwaNormalizeMacAddress(GetAttr('Calling-Station-Id'))) // All MACs need to be normalized
    && ((!empty($user['id']) && NwaCreateUser(array( // We are caching the MAC for a local user account
    'creator_accept_terms'=>1,
    'mac_auth'=>1, // Flag as a MAC so it shows in List Devices
    'mac'=>$mac, // The normalized MAC
    'mac_auth_pair'=>$user['id'], // Formally pair the two accounts....
  • Page 216: Figure 28 Radius Role Editor

    Figure 28 RADIUS Role Editor
    Note that modify_expire_time supports any valid syntax of strtotime.
  • Page 217: Importing Mac Devices

    Importing MAC Devices
    The standard Guests > Import Guests supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.
    mac_auth,mac,notes
    1,aa:aa:aa:aa:aa:aa,Device A
    1,bb:bb:bb:bb:bb:bb,Device B
    1,cc:cc:cc:cc:cc:cc,Device C
    Any of the other standard fields can be added similar to importing regular guests.
    Advanced MAC Features
    2-Factor Authentication
    2-factor authentication checks against both credentials and the MAC address on record.
  • Page 218: Active Sessions Management

    Navigate to Administrator > Plugin Manager > Manage Plugins: MAC Authentication: Configuration and enable MAC Detect. Edit the header of your redirect landing page (login or registration) and include the following:
    <p>{if $guest_receipt.u.visitor_name}
    Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!
    {else}
    Welcome to the show!
    {/if}</p>...
  • Page 219 To view and manage active sessions for the RADIUS server, go to Guests > Active Sessions. The Active Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for active visitor sessions; manage multiple sessions; or customize the list to include additional fields. On the Manage Multiple Sessions form, the start time of each session is used to select the sessions to ...
  • Page 220: Session States

    Session States
    A session may be in one of three possible states:
      • Active—An active session is one for which the RADIUS server has received an accounting start message and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an authorized client.
  • Page 221: Filtering The List Of Active Sessions

    Filtering the List of Active Sessions
    You can use the Filter tab to narrow the search parameters and quickly find all matching sessions: Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include values when performing a quick search”...
  • Page 222 Closing All Stale Sessions Immediately
    By default, the Close Stale Sessions option is selected when the Manage Multiple Sessions form opens. This option allows you to quickly close all stale sessions with one click. Stale sessions should be closed to keep accounting statistics accurate.
  • Page 223 5. Use the Session Stop drop-down list to specify how the stop time will be calculated for each session.
      • If you choose Use session start time, the session will be closed when you commit your changes on this form.
      • To specify a range of time after a session’s start time, choose one of the options for hours, day, or ...
  • Page 224 3. Use the Start Time row to indicate the beginning of the time range for selecting sessions. To specify a time for the beginning of the range, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
  • Page 225
      • If you choose Use session start time, the session will be closed when you commit your changes on this form.
      • To specify a range of time after a session’s start time, choose one of the options for hours, day, or ...
  • Page 226: Sending Multiple Sms Alerts

    2. Use the Start Time row to indicate the beginning of the time range for selecting sessions. To specify a time for the beginning of the range, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
  • Page 227: Sms Services

    3. Enter the message in the Message text box. Messages may contain up to 160 characters.
    4. Click Send.
    SMS Services
    With SMS Services, you can configure the Amigopod Visitor Management Appliance to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone. You are also able to use SMS Services to send an SMS from your Web browser.
  • Page 228: Sending An Sms

    The SMS Gateways window displays the name and available credits for any currently defined SMS gateways. To create a new SMS gateway, click the Create new SMS gateway link to display the SMS Service Configuration form. If your country uses a national dialing prefix such as “0”, you may enter this on the form. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead.
  • Page 229: About Sms Credits

    The New SMS Message form appears. Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. If multiple services are available, you may also choose the service to use when sending the message.
  • Page 230: Sms Receipt Options

    The Amigopod Visitor Management Appliance may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt, navigate to the Guests > List Accounts window, select the guest to which you want to send a receipt, then click the Send SMS receipt link displayed on the guest account receipt page.
  • Page 231: Figure 29 Configure Sms Services Plugin

    Figure 29 Configure SMS Services Plugin
      • SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format.
      • Phone Number Field – Select which guest account field contains the guest’s mobile telephone number. ...
  • Page 232: Customize Sms Receipt

    Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
  • Page 233: Sms Receipt Fields

    Figure 30 Customize SMS Receipt page
    SMS Receipt Fields
    The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields.
      • sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the ...
  • Page 234: Smtp Services

    values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively.
      • sms_warn_before_message – This field overrides the logout warning message. If blank or unset, the default value from the Customize SMS Receipt page is used.
    The logic used to send an SMS receipt is: If SMS receipts are disabled, take no action.
  • Page 235 Email receipts may be sent manually by clicking the Send email receipt link displayed on the guest account receipt page. When using guest self-registration, the Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery.
  • Page 236: Email Receipt Options

    Email Receipt Options
    The Customize Email Receipt form may be used to set default options for visitor account email receipts.
    Figure 31 Customize Email Receipt page
    The Subject line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field.
  • Page 237: Figure 32 Customize Email Receipt Page-Continued

      • Do not send copies – The Copies To list is ignored and email is not copied.
      • Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).
      • Always send using ‘bcc:’...
  • Page 238: Smtp Receipt Fields

    SMTP Receipt Fields
    The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per user basis.
      • smtp_enabled – This field may be set to a non-zero value to enable sending an email receipt. If unset, ...
  • Page 239
      • smtp_warn_before_template_id – This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used.
      • smtp_warn_before_receipt_format – This field overrides the email format under Logout Warnings to ...
  • Page 241: Chapter 7 Report Management

    Chapter 7 Report Management
    The Reporting Manager provides you with a set of tools to summarize the visitor accounts that have been created and analyze the accounting data collected by the RADIUS server. Through the predefined reports and the custom reports you can create using the report editor, you can get a complete picture of the network usage of your guests.
  • Page 242: Running And Managing Reports

      • Number of concurrent sessions by role – This report shows the number of concurrent sessions according to the user’s role across a time interval.
      • Number of sessions per NAS – This report shows the total number of sessions per NAS in the selected ...
  • Page 243: Run

     Run option allows you to change the date range of the report before it is run. Choose a time period for the report from the Date Range drop-down list. If the report definition includes any additional parameters that have a user interface, these will also be displayed as part of the Report Options form.
  • Page 244: Delete A Report

    The Report Type editor allows you to change the defaults for the Date Range and the Formats for the report you have selected. If you want to change the default for another report you must also edit that report. Click the Save Changes button to have these changes become the new default.
  • Page 245
      • No access – the report is not visible on the list, and cannot be used, edited, duplicated, or deleted.
      • Visible-only access – the report is visible in the list. It can be viewed in HTML but cannot be edited ...
  • Page 246: Exporting Report Definitions

    Exporting Report Definitions
    Report definitions may be exported to a file and later imported. This provides an easy way to move reports from one appliance to another. Click the More Options tab at the top of the report list to access the Export Reports command link. (This link also appears on the Reporting start page.) Use the check boxes to select the reports to export.
  • Page 247: Importing Report Definitions

    Importing Report Definitions
    Report definitions may be imported from a file that has been generated with the Export Reports command. Click the More Options tab at the top of the report list to access the Import Reports command link. (This link also appears on the Reporting start page.) You may select a file to upload using your Web browser, or alternatively the report definition may be pasted into the text area provided.
  • Page 248: About Custom Reports

    About Custom Reports
    The Report Editor is used to build a custom report. The process used to generate a report is shown in the figure below. In this diagram, the arrows represent the flow of data, while the icons represent the processing stages that the data goes through.
  • Page 249: Data Sources

    Data Sources
    The available data sources are:
      • Local RADIUS Accounting – Accounting traffic consists of summary information about visitor sessions, reported by NAS devices to the Amigopod Visitor Management Appliance. In the RADIUS Accounting data source, each data record corresponds to a single visitor session. The data record contains information such as the start and stop times for the session, the NAS IP address, client IP address and MAC address, and statistics such as the total amount of input and output traffic and the length of the session.
  • Page 250: Groups

    Figure 35 Reporting – Bin west of GMT
    The next diagram is similar but for time zones that are east of GMT.
    Figure 36 Reporting – Bin east of GMT
    This process may be automated by entering an expression as the value for the time zone offset. The correct expression to use for the Bin Offset is:
    <?= -date("Z")
    Explanation: The PHP date() function returns the time zone offset in seconds when passed the “Z”...
  • Page 251: Statistics From Classification Groups

    Statistics from Classification Groups The classification groups that you define in a report will determine what type of statistics that can be derived for that report. This is shown in the following diagrams. The following figure shows how statistics are calculated per bin when bins are present but groups are not present.
  • Page 252: Report Type

    Figure 39 Components of the Report Editor Report Type The Report Type link opens a window where you type a distinct name or Title for the report. You can add additional information in the Description field. This could be used to explain the purpose of the report. | Report Management Amigopod 3.7 | Deployment Guide...
  • Page 253: Report Parameters

    While you are working on creating the report you could leave the Enabled field unchecked. When you want the report to be available for use, mark the Enabled check box. You should set a default Date Range for the report. The available options are listed under the drop down menu.
  • Page 254 Properties for individual fields within an output series (header); properties for presentation blocks (container CSS style); properties for table cells within a presentation block (CSS style); within text presentation blocks. In these cases the report editor may simply indicate that a value is required. To use the value of a report parameter in a template, use the syntax {$parameter}.
  • Page 255: Parameter User Interface Editing

    Parameter User Interface Editing The Edit Parameter form is used to specify the default value for a parameter as well as the type of user interface to use for this parameter. If No user interface is selected, then the parameter will have a fixed value and cannot be edited before the report is run.
  • Page 256: Data Source

    The initial value displayed on this form for a report parameter may be specified as the Value for the parameter. Run Preview and Run Default icon links will be available for a report if all parameters have an acceptable default value. This is determined by the validation properties for each parameter. If no validation properties are specified, all parameter values are considered to be valid.
  • Page 257: Select Fields

    Click the Save Changes button to return to the Report Editor. Select Fields If you have not selected fields in the Data Source form, you must select the required source fields here. Fields can be defined one at a time by clicking the Create Source Field tab.
  • Page 258 Each source field has a name that is unique within the report. You can also attach a description to the field for use by the report designer. If you select a field from the Data Source Field drop down list, that field name is automatically placed in the Field Name area.
  • Page 259: Source Filters

    If you select to calculate a value by summing over source fields, you are required to nominate the fields to be summed. Click the Create Source Field button to create the source or derived field in the report. Source Filters Source filters are applied to the data source fields to determine whether a data record will be included for processing in the report.
  • Page 260 To add additional filters, click the first source filter. An action row is displayed with Edit and Insert After links. There is also a Set Default Report Range option for the first date/time filter. The Edit link allows you to alter the options for the source filter as well as being able to disable the filter.
  • Page 261: Classification Groups

    You must then select the filter from the Filter Type drop down list. The following options are available: List: Value is not one of a list; List: Value is not one of a list (case sensitive); List: Value is one of a list...
  • Page 262 To create a bin or a classification group, click the Create Classifier tab in the Edit Classification Groups list view. You are required to choose the classification method and the Source Field to use for the classification. The Create Classifier tab can be accessed from the Classification, Bins or Groups options in the Report Editor.
  • Page 263: Statistics And Metrics

    Time measurement: bin by days – See “Binning Example – Time Measurements” in this chapter for the bin classification method description. The bin classification method uses the specified date/time field to calculate a day number. Times that fall within the same day are assigned the same bin number. The bin offset is used to account for time zones as explained in the .
  • Page 264 Like the statistic fields, metrics share a close relationship with the report’s classification groups. When designing a report, consider the metrics that you would like to generate, and work backwards to determine the statistics you will need in order to calculate each metric and the classification groups that will be needed to calculate each statistic.
  • Page 265 Median value – the median (middle) value of the source field over the selected classification group is calculated. Minimum value – the minimum value of the source field over the selected classification group is calculated. Number of bins – the number of different bin classification groups is calculated...
  • Page 266: Output Series

    Number of distinct values – the number of distinct values that the statistic field takes over the selected report dimension is calculated. Subtract (value 1 – value 2) – the values are subtracted. Sum of values – the sum of all values of the statistic field over the selected report dimension is...
  • Page 267: Output Series Fields

    You are required to enter a unique name for this output series. You must also select the Dimension to be used. This could be the source data or one of the classification groups defined in the report. Click the Create Output Series button to add the output series definition to the report. The Edit Output Series form will then be displayed to allow the components of the output series to be defined.
  • Page 268: Output Filters

    To edit an output series field, click the Edit link for the field. The Edit Series field opens, as shown below. The Header is displayed in tables and charts that use this output series. Use a short description of the values contained in this field.
  • Page 269 Match filters check if a value matches a particular condition, which could be a regular expression or other match value. List filters check to see if a value is found in a list. Click the Create output filter link to create an output filter. Select the output series you want to filter in order to view the remaining filter options.
  • Page 270: Presentation Options

    Unconditionally exclude item if filter matches – If the filter matches the item in the output series, the item will never be included in the output. No further filters will be applied to the data once this filter has matched. Click the Create Output Filter button to add the new output filter to the report definition.
  • Page 271: Table 21 Default Table Layouts

    Scatter; Polar. In general, the first field in the output series is used as the category values for the chart. The second and subsequent fields are used as the values to display on the chart. The Pie and Pie 3-D charts support only a single data point for each category value. A pie chart is used to compare the relative proportions of different values in a single data series.
  • Page 272: Final Report

    This standard header includes the report title, the time at which the report was run, and the date range included in the report. The variables available for use in the template include any of the parameters defined in the report, as well as the following special variables: Table 23 Template Variables Variable...
  • Page 273: Creating The Report - Step 1

    Creating the Report – Step 1 The following form will be displayed when the Create New Report link is clicked. This is the same form that you would obtain if you clicked the Report Type option in the Report Editor. See “Report Type”...
  • Page 274: Creating Sample Reports

    Creating Sample Reports Report Based on Modifying an Existing Report This sample involves modifying the predefined Number of users per day report to report on the number of users per week. 1. Select the “Number of users per day” report. 2.
  • Page 275: Report Created From Report Manager Using Create New Report

    Report Created from Report Manager using Create New Report To create a report that lists today’s user sessions, follow this process. 1. To create a new report without it being based on an existing report, click Create New Report. 2. You must give the report a Title. For this report, Today’s Sessions would be an appropriate name. 3.
  • Page 276 6. Select the required fields in Step 2. For this report the fields are shown in the screen below. These are the fields of interest for the report. 7. Click the Save Changes button to have the report created. The Report Editor screen is displayed. 8.
  • Page 277: Report Created By Duplicating An Existing Report

    9. You can continue to further enhance this report using the Report Editor. To change the formatting of the table you would use the Presentation Options; to remove a column you would use the Output Series option; to restrict the data in the table you would use a filter, for example, a source filter to limit by NAS IP address;...
  • Page 278 11. The Source Field will be changed to nas_ip_address, as this report is to calculate the average traffic by NAS rather than the average traffic by user. The field will also be renamed to total_nas to reflect the new value it will contain. These changes are shown in the screen below. 12.
  • Page 279: Report Troubleshooting

    20. Click the Back to report editor link to return to the Report Editor. 21. As there are no further changes required, click the Final Report icon to preview your new report. Report Troubleshooting Report Preview with Debugging If you are experiencing problems with your report, you can receive help with the Report Diagnostics. The diagnostics run the report and show you the internal data that is being used to generate the contents of the final report.
  • Page 280: Troubleshooting Tips

    0 => /* group 0 */ array ( 'a' => /* group value: 'a' */ array ( 0 => first data record 1 => second data record 234 => /* bin value: 234 */ array ( /* bin items organized by group */ 1 =>...
  • Page 281: Chapter 8 Administrator Tasks

    Chapter 8 Administrator Tasks The Amigopod Administrator provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of the Amigopod Visitor Management Appliance. Accessing Administrator Use the Administrator command link on the Amigopod Visitor Management Appliance home page to access the system administration features.
  • Page 282: Automatic Network Diagnostics

    Automatic Network Diagnostics When you view or edit the appliance’s network configuration on the Network Setup, HTTP Proxy, Network Diagnostics, or Network Interfaces page, an automatic network connectivity test determines the current status of the network, and the results of the diagnostic are displayed. The problems that can be detected with this built-in diagnostic include: No default gateway set...
  • Page 283: Network Interfaces

    The system hostname should match the common name of the installed SSL certificate. If these names do not match, then HTTPS access to the appliance may result in security warnings from your Web browser. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are: Each component of the hostname must not exceed 63 characters...
  • Page 284: Changing Network Interface Settings

     Delete – Remove a network interface. Manually created network interfaces may be deleted—for  example, tunnel, VLAN, or secondary interfaces. The standard system network interfaces cannot be deleted.  Routes – Define static routes that specify the gateway IP addresses for other networks. ...
  • Page 285 To specify an IP address for the network interface, select Manually configure IP address. The following form is displayed for IP address details. The MTU field allows you to specify the Maximum Transfer Unit size in bytes for the network interface. While standard Ethernet uses an MTU of 1500 bytes, you may find it necessary to reduce the MTU slightly in some network topologies.
  • Page 286: Table 24 Default Interface Settings

    Click the Save Changes button to update the network interface with the specified settings. The new settings will be tested and the results of the test displayed. If DNS name resolution is not working, the system will be unable to perform many common tasks. To ...
  • Page 287: Managing Static Routes

    Managing Static Routes In the Network Interfaces list view, click the network interface to edit, and then click Routes. The Network Interface Routes list view will be displayed. Click the Create tab to add a new static route. You must specify the network address of the destination network as an IP address and netmask, and the gateway for the destination network.
  • Page 288: Creating A Vlan Interface

    Figure 40 Network diagram showing IP addressing for a GRE tunnel To create a GRE tunnel, navigate to the Network Interfaces page and click the Create a tunnel network interface link. The Network Interface Settings form is displayed. The Interface Name is the system’s internal name for this tunnel interface. A default value is supplied, which may be used without modification.
  • Page 289: Managing Vlan Interfaces

    Use the Create a VLAN interface link to create a new network interface with a specific VLAN tag. The Create a New VLAN form is displayed. In this form, select the physical interface through which the VLAN traffic will be routed, and enter a name for the VLAN and the corresponding VLAN ID.
  • Page 290: Creating A Secondary Network Interface

    VLAN interfaces are distinguished from other network interfaces with blue icons. The possible states for the system’s network interfaces are summarized in the table below. Table 25 Network Interface States Interface State Physical VLAN Active (up) Active with default gateway Inactive (down) The actions available when selecting a VLAN interface are: Show Details –...
  • Page 291: Login Access Control

    Secondary network interfaces have the same name as the underlying physical interface, with a suffix such as “:1”, “:2” and so on for each subsequent IP address created. All secondary interfaces will be brought down if the corresponding physical interface is brought down. Login Access Control Both guests and operators may use HTTP or HTTPS to access the Amigopod user interface.
  • Page 292: Network Diagnostic Tools

    The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied. The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0.
  • Page 293 Select a diagnostic from the drop-down list. Depending on the diagnostic you have selected, additional parameters will also be available: DHCP Leases – Select a network interface to view the DHCP lease information for that interface. DNS Lookup – Enter a hostname to perform a domain name lookup and display the results. ...
  • Page 294: Network Diagnostics - Packet Capturing

    form. Additional RADIUS attributes may also be included by adding Attribute-Name = Value pairs in the Extra Arguments field; see the example below. Routing Table – Displays the current IPv4 routing table. The list shows the static, network addresses and default routes configured for the system.
  • Page 295 Select the network interface and, if required, enter filtering parameters to restrict the type and number of packets to be captured. You can enter network addresses in the Source IP and Destination IP fields by using an IP address and a network address length;...
  • Page 296: Network Hosts

    Once the packet capture has completed, the status is updated, and a link to Download packet capture file is available. Click this link to download a packet capture file, which may be analyzed using the Wireshark utility or another tool capable of reading the “pcap” file format. To delete the saved file, select the Delete current packet capture file check box and click the Delete button.
  • Page 297: Http Proxy Configuration

    The fields on each line are separated by any number of blanks or tab characters. Any text from a # character to the end of the line is a comment, and is ignored. Hostnames may contain only alphanumeric characters, minus signs (“-”), and periods (“.”). A hostname must begin with an alphabetic character and end with an alphanumeric character.
  • Page 298 The SNMP Setup form is used to configure the system’s SNMP server and enable SNMP access. To enable SNMP access, one of the available modes must be selected. Version 2c, version 3, or both versions may be enabled. The System Contact and System Location parameters are basic SNMP “system” MIB parameters that are frequently used to identify network equipment.
  • Page 299: Supported Mibs

    SNMP version 2c has only one configuration option, which is the name of the community string. SNMP clients must provide this value in order to access the server. The default community string is public. SNMP version 3 adds authentication and encryption capabilities to the protocol. You must supply a set of credentials to be used for SNMP v3 access.
  • Page 300: Smtp Configuration

    SNMP-VIEW-BASED-ACM-MIB, TCP-MIB, UCD-DISKIO-MIB, UCD-DLMOD-MIB, UCD-SNMP-MIB, UDP-MIB. SMTP Configuration The SMTP Configuration form is used to provide system default settings used when sending email messages. To manage and view the current SMTP configuration click the SMTP Configuration command link on the Administrator >...
  • Page 301: Ssl Certificate

    The From Address must be specified. This is the sender of the email and will be visible to all email recipients. It is recommended that you provide a valid email address so that guests receiving email receipts are able to contact you. When using the SMTP Server option, the following special header values are recognized: X-Smtp-Timeout –...
  • Page 302: Installing An Ssl Certificate

    A completed sample certificate request is shown below. Click the Create Certificate Request button to generate the certificate signing request. The certificate signing request is displayed in a text field in the browser. This can be used to copy and paste the request directly to a certificate authority that supports this form of request submission.
  • Page 303 The process for installing an SSL certificate has been simplified. In the first step, select whether you will be copying and pasting the certificate as plain text, or uploading the certificate from a file. In the second step, you must provide between one and three items of information: The Certificate field must contain the digital certificate.
  • Page 304: Displaying The Current Ssl Certificate

    To resolve this error, first check that you have provided the correct intermediate certificate. If the problem persists, check with your certificate authority for the appropriate root certificate to use. As an optional third step, if you have a private key that corresponds to the SSL certificate, it may be specified separately.
  • Page 305: Backup And Restore

    Backup and Restore Click the Backup & Restore command link on the Administrator start page to make backups of the appliance’s current configuration as well as restore a previous backup. It is recommended that you make a complete configuration backup of the system after completing a deployment and after making configuration changes.
  • Page 306: Scheduling Automatic Backups

    Server Configuration), you can select to back up the entire area or only a particular part of that area. To access the components within an area, click the down arrow. There are five possible states for each area, described below: 1.
  • Page 307 You are able to select either a complete or custom backup to run on the schedule. The options available are the same as for the manual backup. You are required to enter a prefix for the backup filename. The backup name is used as the basis for the name of the backup file.
  • Page 308: Restoring A Backup

    proxy*: proxy related arguments; quote=CMD: send custom command to FTP server; require-ssl: require SSL connection for success; SMB options; kerberos: use Kerberos authentication (Active Directory); domain=NAME or workgroup=NAME: set the workgroup to NAME; debug: generate additional debugging messages which are logged to the application log...
  • Page 309: Content Manager

    restore, be sure to select the appropriate items by clicking the tick icon for each configuration item to restore. 4. Mark the Restore settings from backup check box. Be aware that it is possible to overwrite any local configuration changes that have been made since the backup was created. 5.
  • Page 310: Uploading Content

    using the Amigopod’s built-in Web server. To access the Content Manager, click the Content Manager command link on the Customization start page. You can add content items by using your Web browser to upload them. You can also copy a content item stored on another Web server by downloading it.
  • Page 311: Additional Content Actions

    After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates. Additional Content Actions The Properties link allows you to view and edit the properties of the item.
  • Page 312: Reviewing Security Audit Results

    A security assessment will be performed and a report will be displayed containing the recommendations from the security assessment. Reviewing Security Audit Results For each of the security recommendations presented, you can choose to accept the recommendation, ignore the recommendation, or disable the recommendation. A Details link may be provided, containing more information about this security message or guidance on a recommended fix.
  • Page 313: Resetting The Root Password

    The Amigopod appliance has a command line interface (CLI) which may be accessed using the appliance console or SSH. Typical usage scenarios where command line access might be used are: Changing the initial network configuration of the appliance; Resetting the appliance to factory default settings...
  • Page 314: Os Updates

    2. In the Warning Levels drop-down list, specify the maximum number of alerts to receive. If you do not want to receive notifications, choose 0-Disable warnings. 3. If you enabled warnings, in the Level 1 field, enter the amount of remaining disk space at which the first notification should be sent.
  • Page 315: Determining Installed Operating System Packages

    Determining Installed Operating System Packages Use the Advanced view of the System Information page to display a list of the installed operating system packages, together with the corresponding version numbers. Plugin Manager Plugins are the software components that fit together to make your Web application. The Plugin Manager allows you to manage subscriptions, list available plugins, add new plugins, and check for updates to the installed plugins.
  • Page 316: Managing Subscriptions

    Managing Subscriptions A subscription ID is a unique number used to identify your software license and any custom software modules that are part of your Amigopod solution. To view current subscription IDs, navigate to Administrator > Plugin Manager, then click Manage Subscriptions. The Amigopod Subscription page opens.
  • Page 317: Adding Or Updating New Plugins

    Adding or Updating New Plugins You can add or update plugins either from the Internet or from a file provided to you by email. If your new plugin was emailed to you as a file, navigate to Administrator > Plugin Manager > Add...
  • Page 318: Configuring Plugin Update Notifications

    When you select multiple available updates on the Add New Plugins page and click the Finish button, the system updates them sequentially. If an update for one plugin cannot be completed—for example, due to low disk space—the update for that plugin is cancelled. The other updates are not affected, and the system continues to process the rest of the plugin updates in the queue.
  • Page 319 To undo any changes to the plugin’s configuration, click the plugin’s Restore default configuration link. The plugin’s configuration is restored to the factory default settings. In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.
  • Page 320 1. To change the application’s title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration. 2. The Kernel plugin’s Debug Level, Update Base URL and Application URL options should not be modified unless you are instructed to do so by Aruba support.
  • Page 321: Server Time

    2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items. 3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page.
  • Page 322 To ensure that authentication, authorization, and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server’s time. NTP can interfere with timekeeping in virtual machines.
  • Page 323: System Control

    System Control The System Control commands on the Administrator > System Control page allow you to: Shut down the server immediately. Reboot the system which stops all services while the reboot is taking place. Restart the system services without stopping the server. This would usually be done after a plugin...
  • Page 324 Log Rotation: Configuring Data Retention To configure the number of weeks to retain records for data, log files, disabled accounts, and mobile device certificates, click the Configure data retention link in Log Rotation row. The Data Retention Policy page opens. Log files are rotated and expired logs are cleared according to the database maintenance schedule you define.
  • Page 325 Facility: Redirecting Application Log Messages To redirect log messages from the application log to the syslog, select an option from the Facility field drop-down menu. The default option None – Do not send application log messages to syslog stores all application-generated messages in the separate application log.
  • Page 326: Managing Data Retention

    For high-traffic sites that are maintaining many weeks of log files, enter a non-zero value for Disk Space to ensure that the log files cannot fill up the system’s disk. If the disk space check is enabled, the server’s free disk space is checked daily at midnight, and if it is below the specified threshold, old log files are deleted to free up space.
  • Page 327: Figure 41 Data Retention Policy Page

    Figure 41 Data Retention Policy page Select Enable to enable the data retention policy option, and enter a number of weeks in the Log Rotation field to indicate how many weeks you want log files kept before they are deleted. You can specify how many weeks a guest account persists after the account is disabled in the Guest Accounts field.
  • Page 328: Changing Database Configuration Parameters

    Changing Database Configuration Parameters The Database Configuration form allows you to configure the system’s database and manage its maintenance schedule. Access this form by navigating to System Control > Database Config. The Options field is a text field that accepts multiple name = value pairs. You can also add comments by entering lines starting with a # character.
  • Page 329: Changing Web Application Configuration

    Changing Web Application Configuration Certain performance and security options may be configured that affect the operation of the Web application GUI. Use the Web Application Configuration command link to adjust these configuration parameters. The Memory Limit may be increased to allow larger reports to be run on the system. The File Upload Size may be increased to allow larger content items to be uploaded, or larger backup files to be restored.
  • Page 330: Changing Web Server Configuration

    Changing Web Server Configuration High-traffic deployments may need to adjust certain performance options related to the system’s Web server. Use the Web Server Configuration command link to adjust these configuration parameters. The Maximum Clients option specifies the maximum number of clients that may simultaneously be making HTTP requests.
  • Page 331: Adding Disk Space

    This report can be downloaded for support purposes. Adding Disk Space Storage capacity can be increased on VMware-based deployments. To increase available storage, click the Add Space option on the System Information screen. The Adding Disk Space screen appears. Follow instructions on this page.
  • Page 333: System Log

    System Log The system log viewer available on the Support > System Logs page displays messages that have been generated from multiple different sources: Application Logs—messages generated by the Amigopod application. HTTP Logs—messages generated by the Apache Web Server. ...
  • Page 334: Exporting The System Log

    Use the Filter tab to control advanced filtering settings, such as which logs to search and the time period to display: Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.
  • Page 335: Searching The Application Log

    Searching the Application Log You are able to search for particular log records using the form displayed when you click the Search tab. Click the Reset Form button to clear the search and return to displaying all records in the log. Exporting the Application Log Use the Export tab to save the log in other formats, including HTML, text, CSV, TSV and XML.
  • Page 337: Chapter 9 Hotspot Manager

    Chapter 9 Hotspot Manager The Hotspot Manager controls self provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts.
  • Page 338: Manage Hotspot Sign-Up

    Manage Hotspot Sign-up You can enable visitor access self provisioning by navigating to Customization > Hotspot Manager and selecting the Manage Hotspot Sign-up command. This allows you to change user interface options and set global preferences for the self-provisioning of visitor accounts. The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available.
  • Page 339: Captive Portal Integration

    The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows a HTML message to be displayed to visitors if self-provisioning has been disabled. See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format this message.
  • Page 340: Modifying An Existing Plan

    You can customize which plans are available for selection, and any of the details of a plan, such as its description, cost to purchase, allocated role and what sort of username will be provided to customers. Above is the list of default plans supplied with the Amigopod Visitor Management Appliance. Plans that you have enabled have their name in bold with the following icon: .
  • Page 341: Creating New Plans

    Creating New Plans Custom hotspot plans are added by clicking the  Create Hotspot plan button. The following form is displayed. Click the  Create Plan button to create this plan for use by your Hotspot visitors. See “Format Picture String Symbols” in the Reference chapter for a list of the special characters that may be used in the Generated Username and Generated Password format strings.
  • Page 342: Creating A New Transaction Processor

    eWAY  Netregistry  Paypal  WorldPay  Amigopod also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions. Creating a New Transaction Processor To define a new transaction processor, navigate to Customization > Hotspot Manager, click Manage Transaction Processors then select New Transaction Processor.
  • Page 343: Customize User Interface

    You can customize the title shown on the invoice and how the invoice number is created. You can also customize the currency displayed on the invoice. The Invoice Title must be written in HTML. See “Basic HTML Syntax” in the Reference chapter for details about basic HTML syntax.
  • Page 344: Customize Page One

    Customize Page One Page one of the guest self-provisioning process requires that the guest selects a plan. You are able to customize how this page is displayed to the guest. You are able to give this page a title, some introductory text and a footer. The Introduction and the Footer are HTML text that may use template syntax. See “Smarty Template Syntax”...
  • Page 346: Customize Page Three

    “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format the content on this page. Customize Page Three You can make changes to the content of page 3, where the customer receives an invoice containing confirmation of their transaction and the details of their newly created wireless account.
  • Page 347: Chapter 10 High Availability Services

    Chapter 10 High Availability Services The goal of a highly available system is to continue to provide network services even if a hardware failure occurs. High Availability Services provides the tools required to achieve this goal. These tools include service clustering, fault tolerance, database replication, configuration replication, automatic failover and automatic recovery.
  • Page 348: Network Architecture

    A cluster’s virtual IP address is a unique IP address that will always be assigned to the primary node of the cluster. In order to take advantage of the cluster’s fault tolerance, all clients that use the cluster must use the cluster’s virtual IP address, rather than each node’s IP address.
  • Page 349: Deploying An Ssl Certificate

    The cluster relies on DNS for name lookup. Each node must have a unique hostname, and each node  must be able to resolve the other node’s IP address by performing a DNS lookup. The nodes in the cluster must be connected to the same local network. Use high quality network cables and reliable switching equipment to ensure the nodes have an uninterrupted network connection.
  • Page 350: Configuration Replication

    accounting information, are replicated from the primary node to the secondary node. The replication delay will depend on the volume of database updates and system load but is generally only a few seconds. Replicating the database contents ensures that in the event of a primary node failure, the secondary node is up to date and can continue to deliver the same network services to clients.
  • Page 351: Primary Node Failure

    SMTP settings for email receipts (See “Email Receipt Options” in the Guest Management chapter)  SNMP server settings (See “SNMP Configuration” in the Administrator Tasks chapter)  The set of currently installed plugins (See “Plugin Manager” in the Administrator Tasks chapter) ...
  • Page 352: Email Notification

    The cluster will continue operating without service interruption. Network services will be unaffected as the cluster’s virtual IP address is assigned to the primary node. While the secondary node is offline, the cluster will no longer be fault-tolerant. A subsequent failure of the primary node will leave the cluster inoperable.
  • Page 353: Cluster Setup

    Table 27 Cluster Status Descriptions (Continued) The primary node is running, but the secondary node is down or stopped. The secondary is no longer available. Check the Remote Status on the primary node to determine  the cause of the problem. ...
  • Page 354: Prepare Primary Node

    Prepare Primary Node Use the Cluster Configuration form to enter the basic network and control parameters for the cluster. If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname.
  • Page 355 If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname. A valid hostname is a domain name that contains two or more components separated by a period (.).
  • Page 356: Prepare Secondary Node

    You can select a single virtual IP address by entering one IP address in the Virtual IP Address field, or specify more than one virtual IP by entering a comma-separated list of multiple IP addresses. Each node in the cluster must be able to resolve the other node by using a DNS lookup. This is verified during the cluster initialization.
  • Page 357: Cluster Deployment

    The Cluster Initialization form is displayed. Select the check box and click the  Initialize Cluster button to proceed. During the cluster initialization process, the entire contents of the RADIUS database (including guest accounts, user roles, and accounting history) and all configuration settings of the primary node will be replicated to the secondary node.
  • Page 358: Recovering From A Failure

    The maintenance commands that are available on this page will depend on the current state of the cluster as well as which node you are logged into. Some maintenance commands are only available on the secondary node. Other commands may change the active state of the cluster.
  • Page 359: Recovering From A Hardware Failure

    6. Recovery is complete. The secondary node is now the new primary node for the cluster. The cluster is back in a fault-tolerant mode of operation. The Recover Cluster command will only work if the node that failed is brought back online with the same cluster configuration.
  • Page 360: Updating Plugins

    To check the current status of a node, log into that node and click the  Show details link displayed with the cluster status on the High Availability page. The node’s current status is displayed under the Local Status heading. Use this procedure to make the current primary node the secondary node: 1.
  • Page 361 To avoid unexpected failover of the cluster, ensure that the network connection to the nodes of the cluster is always available. Use high quality network equipment, including cables, and secure physical access to the servers to prevent accidental dislodgement of cables. If network access to the cluster is intermittent, this may indicate a possible hardware failure on the current primary node.
  • Page 363: Chapter 11 Reference

    Chapter 11 Reference Basic HTML Syntax The Amigopod Visitor Management Appliance allows different parts of the user interface to be customized using the Hypertext Markup Language (HTML). Most customization tasks only require basic HTML knowledge, which is covered in this section. HTML is a markup language that consists primarily of tags that are enclosed inside angle brackets, for example, <p>.
  • Page 364: Standard Html Styles

    Table 29 Standard HTML Tags (Continued) Styled text (block) <div style="…">Uses CSS formatting</div> <div class="…">Uses predefined style</div> Hypertext Hyperlink <a href="url">Link text to click on</a> Inline image <img src="url"> <img src="url" /> – XHTML equivalent Floating image <img src="url" align="left"> For more details about HTML syntax and detailed examples of its use, consult a HTML tutorial or reference guide.
  • Page 365: Smarty Template Syntax

    Table 30 Formatting Classes (Continued) nwaTop Table Header Table heading at top nwaLeft Table Header Left column of table nwaRight Table Header Right column of table nwaBottom Table Header Table heading at bottom nwaBody Table Cell Style to apply to table cell containing data nwaHighlight Table Cell Highlighted text (used for mouseover)
  • Page 366: Comments

    Comments To remove text entirely from the template, comment it out with the Smarty syntax {* commented text *} Note that this is different from a HTML comment, in that the Smarty template comment will never be included in the page sent to the Web browser. Variable Assignment To assign a value to a page variable, use the following syntax: {assign var=name value=value}...
  • Page 367: Foreach Text Blocks

    <!-- included if $collection is empty --> {/section} Note that the content after a {sectionelse} tag is included only if the {section} block would otherwise be empty. Foreach Text Blocks An easier to use alternative to the {section} … {/section} tag is to use the {foreach} … {/foreach} block: {foreach key=key_var item=item_var from=$collection} {$key_var} = {$item_var} {foreachelse}...
  • Page 368: Predefined Template Functions

    Table 31 Smarty Modifiers (Continued) Modifier Description nwamoneyformat Formats a monetary amount for display purposes; an optional modifier argument may be used to specify the format string. This modifier is equivalent to the NwaMoneyFormat() function; see “NwaMoneyFormat” in this chapter for details. strtolower Converts the value to lowercase strtoupper...
  • Page 369 The “text” parameter is the explanatory text describing the action that lies behind the command link.  (This is optional.) The “linkwidth” parameter, if specified, indicates the width of the command link in pixels. This should  be at least 250; the recommended value is 400. The “width”...
  • Page 370 The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not  specified, this is automatically determined from the image. The “alt” parameter, if specified, provides the alternate text for the icon.  The “class” parameter, if specified, is the style name to apply to a containing DIV element wrapped ...
  • Page 371 {nwa_radius_query _method=GetCallingStationTraffic callingstationid=$dhcp_lease.mac_address from_time=86400 in_out=out _assign=total_traffic} This example uses the GetCallingStationTraffic query function, and passes the “callingstationid”, “from_time” and “in_out” parameters. The result is assigned to a template variable called total_traffic, and will not generate any output. See “GetCallingStationTraffic()”. This template function accepts the following parameters to select a RADIUS database and other connection options: _db –...
  • Page 372: Advanced Developer Reference

    GetCurrentSession($criteria)  GetUserCurrentSession($username)  GetIpAddressCurrentSession($ip_addr = null)  GetCallingStationCurrentSession($callingstationid, $mac_format = null)  GetSessionTimeRemaining($username, $format = “relative”)  ChangeToRole($username, $role_name)  The $criteria array consists of one or more criteria on which to perform a database search. This array is used for advanced cases where pre-defined helper functions do not provide the required flexibility.
  • Page 373: Table 32 Navigation Tags

    nwa_makeid {nwa_makeid …} Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation. Usage example: {nwa_makeid var=some_id} The “var” parameter specifies the page variable that will be assigned. Alternative usage: {nwa_makeid var=some_id file=filename} The “file”...
  • Page 374 The “reset” parameter may be specified to clear any existing navigation settings. Usage example: {nwa_nav block=level1_active}<li class="active">@a@</li>{/nwa_nav} {nwa_nav block=level1_inactive}<li>@a@</li>{/nwa_nav} {nwa_nav type=simple}{/nwa_nav} {* this generates the HTML *} Block types can be one of the following types: enter_level1_item  enter_level2_item  enter_level3_item ...
  • Page 375 The ‘output’ parameter specifies the metadata field to return  If ‘output’ is not specified, the default is ‘output=id’; that is, the plugin ID is returned. nwa_privilege {nwa_privilege} … {/nwa_privilege} Smarty registered block function. Includes output only if a certain kind of privilege has been granted. Usage examples: {nwa_privilege access=create_user} ..
  • Page 376: Date/Time Format Syntax

    Usage examples: {nwa_userpref name=prefName} {nwa_userpref name=prefName default=10} {nwa_userpref has=prefName} “name”: return the named user preference  “default”: supply a value to be returned if the preference is not set  “has”: return 1 if the named preference exists for the current user, 0 if the preference does not exist ...
  • Page 377: Nwatimeformat Modifier

    Table 33 Date and Time Formats (Continued) hh:mm:ss %H:%M:%S 14:13:45 iso8601 %Y%m%d 20080407 iso8601t %Y%m%d%H%M%S 20080407141345 iso-8601 %Y-%m-%d 2008-04-07 iso-8601t %Y-%m-%d %H:%M:%S 2008-04-07 14:13:45 longdate %A, %d %B %Y, %I:%M %p Monday, 07 April 2008, 2:13 PM rfc822 %a, %d %b %Y %H:%M:%S %Z Mon, 07 Apr 2008 14:13:45 EST displaytime %I:%M %p...
  • Page 378: Date/Time Format String Reference

    Date/Time Format String Reference Table 34 Date and Time Format Strings Format Result Abbreviated weekday name for the current locale Full weekday name for the current locale Abbreviated month name for the current locale Full month name for the current locale Preferred date and time representation for the current locale Century number (2-digit number, 00 to 99) Day of the month as a decimal number (01 to 31)
  • Page 379: Programmer's Reference

    Programmer’s Reference NwaAlnumPassword NwaAlnumPassword($len) Generates an alpha-numeric password (mixed case) of length $len characters. NwaBoolFormat NwaBoolFormat($value, $options = null) Formats a boolean value as a string. If 3 function arguments are supplied, the 2nd and 3rd arguments are the values to return for false and true, respectively. Otherwise, the $options parameter specifies how to do the conversion: If an integer 0 or 1, the string values “0”...
  • Page 380: Nwadigitspassword($Len)

    NwaDigitsPassword($len) NwaDigitsPassword($len) Generates digit-only passwords of at least $len characters in length. NwaDynamicLoad NwaDynamicLoad($func) Loads the PHP function $func for use in the current expression or code block. Returns true if the function exists (that is, the function is already present or was loaded successfully), or false if the function does not exist.
  • Page 381: Nwaparsecsv

    The $format argument may be null, to specify the default behavior (U.S. English format), or it may be a pattern string containing the following: currency symbol (prefix)  thousands separator  decimal point  number of decimal places  The format “€1.000,00” uses the Euro sign as the currency symbol, “.” as the thousands separator, “,” as the decimal point, and 2 decimal places.
  • Page 382: Nwaparsexml

    NwaParseXml NwaParseXml($xml_text) Parses a string as an XML document and returns the corresponding document structure as an associative array. Returns an array containing the following elements: error – set if there was a problem parsing the XML  message – describes the parse error ...
  • Page 383: Nwavlookup

    NwaVLookup NwaVLookup($value, $table, $column_index, $range_lookup = true, $value_column = 0, $cmp_fn = null) Table lookup function, similar to the Excel function VLOOKUP(). This function searches for a value in the first column of a table and returns a value in the same row from another column in the table. This function supports the values described in the table below.
  • Page 384: Field, Form And View Reference

    Field, Form and View Reference GuestManager Standard Fields The table below describes standard fields available for the GuestManager form. Table 37 GuestManager Standard Fields Field Description account_activation String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms.
  • Page 385 Table 37 GuestManager Standard Fields (Continued) Field Description do_expire Integer that specifies the action to take when the expire time of the account is reached. See “expire_time”  0—Account will not expire  1—Disable  2—Disable and logout 3—Delete  ...
  • Page 386 Table 37 GuestManager Standard Fields (Continued) Field Description expire_time Integer. Time at which the account will expire. The expiration time should be specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_expire field;...
  • Page 387 Table 37 GuestManager Standard Fields (Continued) Field Description modify_expire_usage String. Value indicating how to modify the expire_usage field. This field is only of use when editing a visitor account. It may be set to one of the following values:  “expire_usage”...
  • Page 388 Table 37 GuestManager Standard Fields (Continued) Field Description netmask String. Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system.
  • Page 389 Table 37 GuestManager Standard Fields (Continued) Field Description password_last_change Integer. The time that the guest’s password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the self-service portal. random_password String.
  • Page 390 Table 37 GuestManager Standard Fields (Continued) Field Description random_username_method String. Identifier specifying how usernames are to be created. It may be one of the following identifiers:  nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.
  • Page 391: Hotspot Standard Fields

    Table 37 GuestManager Standard Fields (Continued) Field Description simultaneous_use Integer. Maximum number of simultaneous sessions allowed for the account. sponsor_email Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used in future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator.
  • Page 392: Sms Services Standard Fields

    Table 38 Hotspot Standard Fields (Continued) Field Description personal_details No Type. Field attached to a form label. purchase_amount No Type. Total amount of the transaction. This field is only used during transaction processing. purchase_details No Type. Field attached to a form label. state String.
  • Page 393: Table 40 Smtp Services Standard Fields

    Table 40 SMTP Services Standard Fields Field Description auto_send_smtp Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.
  • Page 394: Format Picture String Symbols

    Table 40 SMTP Services Standard Fields (Continued) Field Description smtp_warn_before_receipt_format String. This field overrides the format in the Email Receipt field under Logout Warnings. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default”...
  • Page 395: Form Field Validation Functions

    Any other alphanumeric characters in the picture string will be used in the resulting username or password. Some examples of the picture string are shown below: Table 42 Picture String Example Passwords Picture String Sample Password #### 3728 user#### user3728 v^^#__ vQU3nj @@@@@...
  • Page 396 'corp-domain.com', 'other-domain.com', 'deny' => array( 'blocked-domain.com', 'other-blocked-domain.com', The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively.  An ‘allow’ or ‘deny’ value that is a string is converted to a single element array.  Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends ...
  • Page 397: Form Field Conversion Functions

    username – specifies the name of the field containing the username. If empty or unset, the password  is not checked against this field for a match. minimum_length – specifies the minimum length of the password in characters.  disallowed_chars – if set, specifies characters that are not allowed in the password. ...
  • Page 398: Form Field Display Formatting Functions

    NwaConvertStringToOptions – Converts a multi-line string representation of the form  key1 | value1 key2 | value2 to the array representation array ( 'key1' => 'value1', 'key2' => 'value2', NwaImplodeComma – Converts an array to a string by joining all of the array values with a comma. ...
  • Page 399 Table 44 Form Field Display Functions (Continued) Function Description NwaDateFormat Format a date like the PHP function strftime(), using the argument as the date format string. Returns a result guaranteed to be in UTF-8 and correct for the current page language.
  • Page 400: View Display Expression Technical Reference

    View Display Expression Technical Reference A page that contains a view is displayed in an operator’s Web browser. The view contains data that is loaded from the server dynamically. Because of this, both data formatting and display operations for the view are implemented with JavaScript in the Web browser. For each item displayed in the view, a JavaScript object is constructed.
  • Page 401: Standard Radius Request Functions

    Table 45 Display Expressions for Data Formatting (Continued) Value Description Nwa_NumberFormat(value[, if_undefined]) Converts a numerical value to a string. If the value has an Nwa_NumberFormat(value, decimals) undefined type (in other words, has not been set), and the Nwa_NumberFormat(value, decimals, dec_point, if_undefined parameter was provided, returns if_undefined.
  • Page 402: Enabledebug()

    If the expression evaluates to true, the AccessReject() will cause authorization to be refused. If the expression evaluates to false, the AccessReject() is not called, and authorization process will continue (however, the attribute will not be included in the Access-Accept, as the condition expression has evaluated to false).
  • Page 403: Macequal()

    MacEqual() MacEqual($addr1, $addr2) Compares two MAC addresses for equality, using their canonical forms. Example usage as a condition expression for an attribute: return MacEqual(GetAttr('Calling-Station-Id'), '00-01-02-44-55-66') MacAddrConvert() MacAddrConvert($mac, $mac_format) Converts a MAC address to a specified format. This function accepts anything that can be interpreted as a MAC address using some fairly liberal guidelines and returns the address formatted with the $mac_format string.
  • Page 404: Getsessions()

    If $to_time is specified, the interval considered is between $from_time and $to_time . Returns the total session time for all matching accounting records in the time interval specified. GetSessions() GetSessions($criteria, $from_time, $to_time = null) Calculate the number of sessions from accounting records in the database. This is a multi-purpose function that has a very flexible query interface;...
  • Page 405: Getusertraffic()

    Limit by MAC address, 50 MB download in past 24 hours:  return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject() GetUserTraffic() GetUserTraffic($from_time, $to_time = null, $in_out = null) Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same User-Name attribute as that specified in the RADIUS Access-Request.
  • Page 406: Getcallingstationsessions()

    GetCallingStationSessions() GetCallingStationSessions($from_time, $to_time = null, $mac_format = null) Calculate the number of sessions for accounting records matching a specific calling-station-id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute). Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified.
  • Page 407: Getusercurrentsession()

    'acctuniqueid' => 'c199b5a94ebf5184', 'username' => 'demo@example.com', 'realm' => '', 'role_name' => 'Guest', 'nasipaddress' => '192.168.2.20', 'nasportid' => '', 'nasporttype' => '', 'calledstationid' => '', 'callingstationid' => '', 'acctstarttime' => '1249258943', 'connectinfo_start' => '', 'acctstoptime' => NULL, 'connectinfo_stop' => NULL, 'acctsessiontime' => 0, 'acctinputoctets' =>...
  • Page 408: Getuserstationcount()

    GetUserStationCount() GetUserStationCount($from_time = null, $to_time = null, $exclude_mac = null) Count the total number of unique MAC addresses used in a time interval, for all sessions with the same User-Name attribute as that specified in the RADIUS Access-Request. If $exclude_mac is set, any sessions matching that MAC address are excluded from the count. This function can be used to link a MAC address to a user on the first time they log in, and subsequently prevent access by the user if using a device other than the original device used.
  • Page 409: Radius Server Options

    Example: Use the following as a conditional expression for an attribute. If the user's traffic in the past 24 hours exceeds 50 MB, the user is changed to the "Over-Quota" role. return GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota"); RADIUS Server Options These are the advanced server options that may be configured using the RADIUS Server Options text field.
  • Page 410: General Configuration

    General Configuration Table 47 General Configuration Settings Value Description max_request_time = 30 The maximum time (in seconds) to handle a request. Requests which take more time than this to process may be killed, and a REJECT message is returned. cleanup_delay = 5 The time to wait (in seconds) before cleaning up a reply which was sent to the NAS.
  • Page 411 Table 47 General Configuration Settings (Continued) Value Description log_auth_goodpass = no Log correct passwords with the authentication requests. Allowed values are no and yes. lower_user = no Convert the username or password to lowercase “before” or “after” attempting to authenticate. If set to “before”, the server will first modify the request and then try to lower_pass = no authenticate the user.
  • Page 412: Security Configuration

    Security Configuration Table 48 Security Configuration Settings Value Description security.max_attributes = 200 The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. If this number is set too low, then no RADIUS packets will be accepted. If this number is set too high, then an attacker may be able to send a small number of packets which will cause the server to use all available memory on the machine.
  • Page 413: Snmp Query Configuration

    Table 49 Proxy Configuration Settings (Continued) Value Description proxy.dead_time = 120 If the home server does not respond to any of the multiple retries, then the RADIUS server will stop sending it proxy requests, and mark it ‘dead’. If there are multiple entries configured for this realm, then the server will failover to the next one listed.
  • Page 414 Table 50 Thread Pool Settings (Continued) Value Description thread.max_requests_per_server = 0 Set the maximum number of requests a server should handle before exiting. Zero is a special value meaning “infinity”, or “the servers never exit”. thread.max_queue_size = 65536 Set the maximum number of incoming requests which may be queued for processing.
  • Page 415: Authentication Module Configuration

    Authentication Module Configuration Table 51 Authentication Module Configuration Settings Value Description module.pap = yes PAP module to authenticate users based on their stored password. pap.encryption_scheme = crypt The PAP module supports multiple encryption schemes:  clear: Clear text crypt: Unix crypt ...
  • Page 416: Database Module Configuration

    Database Module Configuration Table 52 Database Module Configuration Settings Value Description sql.case_insensitive_usernames = 0 Set this option to 1 to match usernames in the local user database without regard to case. This will allow basic RADIUS authentication to work when the case of the username provided by the NAS is different from the case of the username in the local user database.
  • Page 417 Table 53 Optional EAP Module Options (Continued) Function Description eap.default_eap_type = md5 Invoke the default supported EAP type when EAP-Identity response is received. The incoming EAP messages DO NOT specify which EAP type they will be using, so it MUST be set here. Only one default EAP type may be used at a time.
  • Page 418 Table 53 Optional EAP Module Options (Continued) Function Description module.eap_tls = no Enables EAP-TLS module. The following functions configure digital certificates for EAP-TLS. If the private key and certificate are located in the same file, then private_key_file and certificate_file must contain the same filename. ...
  • Page 419: Ldap Module Configuration

    Table 53 Optional EAP Module Options (Continued) Function Description module.eap_peap= no PEAP authentication. The PEAP module needs the TLS module to be installed and configured, in order to use the TLS tunnel inside of the EAP packet. You will still need to configure the TLS module, even if you do not want to deploy EAP-TLS in your network.
  • Page 420 Table 54 LDAP Module Settings (Continued) Setting Description ldap.password_attribute = “nspmPassword” To support Novell eDirectory Universal Password, this option must be set to “nspmPassword”. Retrieves the user’s plain-text password from the directory and uses it in the RADIUS server for user authentication. Universal Password requires a secure connection to the LDAP server.
  • Page 421 Table 54 LDAP Module Settings (Continued) Setting Description ldap.tls_certfile = not set The PEM Encoded certificate file that should be presented to clients that connect. ldap.tls_keyfile = not set The PEM Encoded private key that should be used to encrypt the session.
  • Page 422: Rewrite Module Configuration

    Table 54 LDAP Module Settings (Continued) Setting Description ldap.groupmembership_filter = not set The filter to search for group membership of a particular user after we have found the DN for the group. Example filter: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ldap.groupmembership_attribute = not set The attribute in the user entry that states the group the user belongs to.
  • Page 423: List Of Standard Radius Attributes

    Table 55 Rewrite Module Configuration Settings (Continued) Value Description module.attr_rewrite.name.replacewith = not set The replacement value which will be used for the attribute value, if the attribute matches the “searchfor” regular expression. Backreferences to the matching components of the “searchfor” regular expression are supported: %{0} will contain the string for the entire regular expression match, and %{1} through %{8} contain the contents of the 1 through the...
  • Page 424 Framed-IP-Address: This attribute indicates the address to be configured for the user. In an Accounting-Request packet, it indicates the IP address of the user. Framed-IP-Netmask: This attribute indicates the IP netmask to be configured for the user when the ...
  • Page 425: Radius Server Internal Attributes

    RADIUS Server Internal Attributes The Simultaneous-Use attribute is used by the RADIUS server during the processing of a request. It is never returned to a NAS. Simultaneous-Use specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any additional attempts to log in are rejected.
  • Page 426 Table 56 Regular Expressions for Pattern Matching (Continued) Any string starting with “a” Only the string “a” Any string ending with “a” Any single character A literal “.” [abc] Any of the characters a, b, or c [a-z0-9A-Z] Any alphanumeric character [^a-z] Any character not in the set a through z Matches zero or one “a”...
  • Page 427: Chapter 12 Glossary

    Chapter 12 Glossary Access-Accept Response from RADIUS server indicating successful authentication, and containing authorization information. Access-Reject Response from RADIUS server indicating a user is not authorized. Access-Request RADIUS packet sent to a RADIUS server requesting authorization. Accounting-Request RADIUS packet type sent to a RADIUS server containing accounting summary information.
  • Page 428 operator profile The characteristics assigned to a class of operators, such as the permissions granted to those operators. operator/operator login User of Amigopod Visitor Management Appliance to create guest accounts or perform system administration. ping Test network connectivity using an ICMP echo request (“ping”). print template Formatted template used to generate guest account receipts.
  • Page 429: Index


This manual is also suitable for:

Amigopod 3.7
