Introduction This document outlines the configuration process on both the Trapeze Networks Mobility Exchanges (MX) and the amigopod appliance to create a fully integrated Visitor Management solution. The solution leverages the captive portal functionality built into the Trapeze Mobility System Software (MSS). Trapeze uses the terminology of Web-Portal to refer to their internal captive portal functionality and it can be generally defined as follows: Captive portal allows a wireless client to authenticate using a web-based portal.
Test Environment The test environment referenced throughout this integration guide is based on a Trapeze MXR-2 Mobility Exchange. Although this low-end hardware platform has been used, the testing and therefore this procedure is valid for all hardware variants from Trapeze and their OEM partners, as it is the MSS software that provides the integration points with amigopod.
Integration Although the MXR-2 MSS supports both internal and external Captive portal functionality, this integration guide will focus on the latter, as the internal Web-Portal dictates the use of the internal Login Page resident on the controller itself. The Login page is very basic and doesn’t allow for significant customization as is possible with the amigopod Web Logins feature.
Amigopod Configuration The following configuration procedure assumes that the amigopod software or appliance has been powered up and a basic IP configuration has been applied through the setup wizard to allow the administrator to access the Web User Interface. The following table again reviews the IP Addressing used in the test environment but this would be replaced with the site specific details of each customer deployment: MX IP Address...
Step 1 – Create RADIUS NAS for Trapeze Controller In order for the Trapeze controller to authenticate users it needs to be able to communicate with the amigopod RADIUS instance. This step configures the amigopod NAS definition for the Trapeze Controller. The RADIUS key used here needs to be configured exactly the same as what will be configured on the MXR-2 for the RADIUS transactions to be successful.
Step 2 – Restart RADIUS Services A restart of the RADIUS Service is required for the new NAS configuration to take effect. Click the Restart RADIUS Server button shown below and wait a few moments for the process to complete. CONFIDENTIAL...
Step 3 – Create a Web-Login Page From the RADIUS Services Web Logins page select the Trapeze Networks Login entry and Click the Edit button. From the RADIUS Web Login page enter the IP Address of the Trapeze MXR-2 and select the Skin that you would like presented as the branding for the Captive Portal page.
Step 4 – Review the Web Login Captive Portal page Returning to the Web Logins page, select the Trapeze Networks Login entry and click the Test button. The configured captive portal page will be displayed in a new window as shown below: Click the Back button in the web browser to return to the amigopod configuration screen.
Trapeze MSS Configuration The following configuration procedure assumes that the Trapeze Mobility Exchange has been powered up and a basic IP configuration has been applied through the Quick Start CLI to allow administrative access. The following table again reviews the IP Addressing used in the test environment but this would be replaced with the site specific details of each customer deployment: MXR-2 IP Address...
Step 1 – Create RADIUS Definition for amigopod From the Trapeze CLI, ensure you are in enable mode by checking for the # suffix on the hostname, as shown below: mxr-2# Enter the following two set commands. The first creates a RADIUS server definition for amigopod, including the IP address and shared secret; the second creates a server group (called, for example, radius) with the new amigopod RADIUS definition as a member.
Step 2 – Create the Captive Portal service-profile A service profile within the context of the Trapeze configuration represents a set of options that may be configured and deployed on the wireless network. Services define networking specifics such as SSID, authentication type, local or RADIUS authentication, encryption and VLAN mappings.
Step 4 – Enable RADIUS Authentication & Accounting The next step is to enable both RADIUS Authentication and Accounting for the newly created amigopod SSID. This is done by entering the following two set commands from the enable prompt:
set authentication web ssid amigopod ** radius
set accounting web ssid amigopod ** start-stop radius
Please note: if you are not familiar with the ** notation above, refer to the Trapeze documentation regarding User Glob definitions.
Step 6 – Configure Trapeze to redirect new users to amigopod Now that we have created the new amigopod Web-Login in the previous section, we need to configure the MXR-2 to redirect any unauthenticated users to the amigopod to display the login page.
Testing the Configuration Now that the configuration of both the Trapeze Controller and the amigopod solution is complete, the following steps can be followed to verify the setup. Step 1 – Create a test user account Within the amigopod RADIUS Server a test user account can be created using the amigopod Guest Manager.
Step 2 – Connect to the amigopod wireless network Using a test laptop with a compatible 802.11-based wireless card, attempt to connect to the advertised amigopod wireless network. The screen capture below shows the interface used on a Windows XP SP2 based laptop. Although the process differs from laptop to laptop depending on the wireless card drivers installed and the operating system in use, the basic premise of connecting to the unsecured Guest Wireless network should be fundamentally the same.
Step 2 – Confirm DHCP IP Address received Using the Windows Command Prompt or equivalent in the chosen operating system, confirm that a valid IP Address has been received from the DHCP server configured on the Trapeze Controller. Issue the ipconfig command from the Windows Command Prompt to display the IP information received from the DHCP process.
Step 4 – Launch Web Browser and login When the web browser on the test laptop is launched the Trapeze portalacl will automatically capture the session and redirect the user to the amigopod hosted login page as shown below: Enter the test user details entered and recorded in Step 1 above and click the Login button. At this point the test user should be successfully authenticated and allowed to transit through the controller and onto the Internet or Corporate network.
Step 5 – Confirm the login was successful from Trapeze From the Trapeze CLI, if you issue the show sessions command again you will now see the test user name and the star indicating that the user has been successfully authenticated: mxr-2# show sessions 1 session total User Name...
rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'cam' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username='cam' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows =...
Step 7 – Check User Experience After successful login, the user's web browser should display a holding page informing them that they are about to be redirected to their original requested page (in our example www.amigopod.com), and the Logout pop-up box should also be displayed as shown below:
Appendix A – Dynamic Authorisation (RFC 3576) The Trapeze Mobility Exchanges have strong built-in support for RFC 3576, which is an extension of the RADIUS standard that allows RADIUS servers to participate in the dynamic disconnect or reauthorization of authenticated users. This is of particular interest in some customer environments where they may wish to use the amigopod to disconnect users on an ad-hoc basis by listing the Guest Manager Active...
Step 1 – Configure amigopod as a DAC entry Enter the following set command at the enable prompt of the CLI to enable the amigopod on 10.9.4.8 to be able to send RFC3576 messages to the Trapeze. Please note that the key is still the same as the entry configured in Step 1 of the Trapeze configuration so it matches the NAS definition on the amigopod.
From the Guest Manager Active Sessions as shown below we can also see the entry for the authenticated wireless user: To disconnect the wireless user, click on the top Active Session entry for your test user (depicted by the coloured wireless icon in the left hand column) and click the Disconnect button below.
Appendix B – Testing additional RADIUS attributes As with all amigopod deployments, User Roles can be configured to implement a wireless policy for each user once they have been authenticated. These role definitions can be made up of both Standard RADIUS attributes as per RFC 2865 and also Vendor Specific Attributes (VSA) that enable vendors such as Trapeze to extend their functionality and apply policies based on their value-add features.
These included the following attributes:
• A hard coded Session-Timeout value to ensure that account durations would be honored.
• An Acct-Interim-Interval was set to make sure additional accounting information can be drawn from the MX if required for accounting purposes or dynamic billing.
•...