AMIGOPOD PowerConnect W Clearpass 100 Software Manual

Implementing accounting-based authorization technote




Summary of Contents for AMIGOPOD PowerConnect W Clearpass 100 Software

  • Page 1 Amigopod Implementing Accounting-Based Authorization...
  • Page 2: Legal Notice

    Copyright © 2011 Aruba Networks, Inc. Aruba Networks trademarks include Airwave, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
  • Page 3: Table Of Contents

    Table of Contents
      Introduction .......... 4
      Audience .......... 4
      Document Overview .......... 4
      Disclaimer .......... 5
      About Accounting-Based Authorization .......... 6
      Authentication, Authorization and Accounting .......... 6
      Accounting-Based Authorization .......... 7
      Authorization during Access-Request .......... 7
      Authorization during Accounting-Request .......... 8
      NAS Requirements ..........
  • Page 4: Introduction

    Introduction This technical note explains how to use accounting-based authorization to build a complete portal for a network service that offers free usage to guests, where guests are restricted to a certain daily quota of traffic. The completed portal includes: •...
  • Page 5: Disclaimer

    The next section contains a detailed configuration guide for creating the portal. Step-by- step instructions are provided for creating each page, and for performing all necessary configuration tasks. Disclaimer The topics of network design, security architectures and visitor access are complex subjects, and no single document can hope to cover all of the possible combinations of network equipment, network design, deployment requirements, and device configurations, nor can all the possible security implications for a particular recommendation be covered.
  • Page 6: About Accounting-Based Authorization

    About Accounting-Based Authorization This section provides background information explaining the concepts of authorization and accounting, and how these can interact to provide a restricted network service to guests. Authentication, Authorization and Accounting The Amigopod Visitor Management Appliance is built on the industry standard AAA framework, which consists of authentication, authorization and accounting components.
  • Page 7: Accounting-Based Authorization

    In the standard AAA framework, network access is provided to a user according to the following process: • The user connects to the network by associating with a local access point [1]. • A landing page is displayed to the user [2] which allows them to log into the NAS [3], [4] using the login name and password of their guest account.
  • Page 8: Authorization During Accounting-Request

    [Figure: Authorization during Accounting-Request. Two message flows between the Guest, the Amigopod VMA and the NAS are shown. Traffic less than limit: Complete login form, Submit form, Web login, Login Message page, Automated NAS login, Access-Request, Authentication, Access-Accept, Authorization, Traffic Limited Guest. Traffic over limit: Complete login form, Submit form, Web login, Login Message page, Access-Request, Automated NAS login, Authentication...]
  • Page 9 There are two ways to achieve this, depending on the type of NAS equipment in use: • Vendor-specific attributes — Certain NAS vendors provide the capability to limit the amount of traffic in a particular session. For example:  The ChilliSpot-Max-Total-Octets attribute may be used with a coova-chilli NAC device.
  • Page 10: Nas Requirements

    message [1]. The session information is updated on the RADIUS server [2], and can be seen using the Active Sessions view. If the guest reaches the allowed traffic limit, then on the next accounting update authorization will be rechecked. Because the session is no longer authorized to continue, the Amigopod Visitor Management Appliance will initiate an RFC 3576 Disconnect-Request to the NAS, which will disconnect the visitor’s session and respond with an acknowledgment.
  • Page 11: Configuring Accounting-Based Authorization

    Configuring Accounting-Based Authorization Check Plugin Versions Accounting-based authorization requires the Amigopod RADIUS Services plugin, version 2.1.30 or later. To verify you have the correct plugin versions installed, navigate to Administrator > Plugin Manager > Manage Plugins and check the version number in the list. Use the Update Plugins link to download and install updated plugins.
  • Page 12: Create Radius Nas Client

    Your newly created role should appear as shown in the screenshot below: Create RADIUS NAS Client Navigate to RADIUS > NAS List and then click the Create tab. Enter suitable values for the name and IP address fields, and select a NAS Type that is marked as RFC 3576 capable.
  • Page 13: Set Terms Of Use Url

    3. Select the [x] Provide a custom login form checkbox.
    4. Under the Login Page heading, select an appropriate skin to control the look and feel of the page.
    5. Enter a page title, such as Terms of Use, in the Title field.
    6.
  • Page 14

    {* NOTE: The allowed traffic limit is defined below: *}
    {assign var=traffic_limit value=200e6}
    {* Do not edit below this line *}
    {nwa_radius_query _method=GetIpAddressCurrentSession _assign=current_session}
    {if $current_session.username}
      {nwa_radius_query _method=GetUserTraffic username=$current_session.username from_time="00:00" to_time="now" _assign=traffic_used}
    {else}
      {assign var=traffic_used value=0}
    {/if}
    {assign var=traffic_remaining value=`$traffic_limit-$traffic_used`}

    If you are using a traffic limit other than 200 MB, you should adjust the value in {assign var=traffic_limit value=200e6}.
  • Page 15

    {nwa_icontext icon="images/icon-clock22.png" valign="middle" novspace="1"}
    So far today, you have used <span class="nwaImportant">{$traffic_used|NwaByteFormatBase10:0}</span>.
    {/nwa_icontext}
    </td></tr><tr><td class="nwaBody">
    {nwa_icontext icon="images/icon-report-bytes-out22.png" valign="middle" novspace="1"}
    Your remaining quota is <span class="nwaImportant">{$traffic_remaining|NwaByteFormatBase10:0}</span>.
    {/nwa_icontext}
    </td></tr></table>
    <h3>About This Service</h3>
    <p>To ensure the highest quality of service for all of our visitors, the use of this WiFi service is subject to a <b>quota</b>.
  • Page 16: Create Login Page

    <style type="text/css"><!--{literal}
    .apHomePageClass { behavior:url(#default#homepage) }
    {/literal}--></style>
    <span id="apGoHome" class="apHomePageClass"></span>
    <script type="text/javascript">{literal}
    function goHome() {
      var isSafari3 = window.devicePixelRatio;
      if (typeof(window.home) == 'function' || isSafari3) {
        window.home();
      } else if (document.all) {
        var homePage = document.getElementById('apGoHome');
        try {
          homePage.navigateHomePage();
        } catch (e) {
          window.location.href = "about:home";
    ...
  • Page 17

    traffic (as recommended by the Amigopod Security Manager), then update the Default URL accordingly:
    https://{$smarty.server.HTTP_HOST}/traffic_stats.php
    If you have used a page name other than traffic_stats for the landing page, then update the Default URL accordingly.
    6. Select the [x] Force default destination for all clients checkbox. This is to ensure that guests are always redirected to the landing page to view their current traffic statistics after logging in.
  • Page 18: Additional Configuration Guidelines

    Additional Configuration Guidelines To complete the deployment, ensure that each of the following points has been taken into consideration: • The NAS captive portal should redirect guests to the login page, which will be located at a URL such as: http://amigopod/login.php. •...
  • Page 19: Verifying Accounting-Based Authorization

    Verifying Accounting-Based Authorization Check NAS captive portal settings Connect to the guest network, and open a web browser. Ensure that the NAS captive portal takes effect, and redirects your web browser to the login page. Troubleshooting tips: If these steps are unsuccessful, check your NAS equipment configuration (wired or wireless).
  • Page 20: Check Landing Page

    • Is the correct shared secret configured on both the NAS and the Amigopod RADIUS Server?
    • Is the guest account authorized? Check that the account is enabled, has the correct role, and that the authorization is not failing. Authorization failures are indicated with a log message in Administrator > System Logs.
  • Page 21: Modifying Accounting-Based Authorization

    Modifying Accounting-Based Authorization Adjusting the traffic limit The traffic limit is configured in two places: 1. In the RADIUS User Role as part of an authorization expression – the value is used to compare against the guest’s current traffic measurement and determine if the access request should be permitted.
  • Page 22

    The additional parameter 'out' indicates that "output" traffic should be calculated. Alternatively, you may specify 'in' instead to count only "input" traffic, or any other value (the default) to count both "input" and "output" traffic. Secondly, update the following template code in the Header HTML of the landing page. This is required to calculate the actual traffic today for the current user:
    {nwa_radius_query _method=GetUserTraffic username=$current_session.username from_time="00:00"...