Introduction This technical note explains how to use accounting-based authorization to build a complete portal for a network service that offers free usage to guests, where guests are restricted to a certain daily quota of traffic. The completed portal includes: •...
The next section contains a detailed configuration guide for creating the portal. Step-by-step instructions are provided for creating each page, and for performing all necessary configuration tasks.
Disclaimer
The topics of network design, security architectures and visitor access are complex subjects, and no single document can hope to cover all of the possible combinations of network equipment, network design, deployment requirements, and device configurations, nor can all the possible security implications for a particular recommendation be covered.
About Accounting-Based Authorization
This section provides background information explaining the concepts of authorization and accounting, and how these can interact to provide a restricted network service to guests.
Authentication, Authorization and Accounting
The Amigopod Visitor Management Appliance is built on the industry standard AAA framework, which consists of authentication, authorization and accounting components.
In the standard AAA framework, network access is provided to a user according to the following process: • The user connects to the network by associating with a local access point [1]. • A landing page is displayed to the user [2] which allows them to log into the NAS [3], [4] using the login name and password of their guest account.
[Figure: login sequence between the Guest, the Amigopod VMA and the NAS, drawn for two cases, "Traffic less than limit" and "Traffic over limit". Steps shown: Complete login form, Submit form, Web login, Login Message page, Automated NAS login, Access-Request, Authentication, Access-Accept, Authorization, Traffic Limited Guest.]
There are two ways to achieve this, depending on the type of NAS equipment in use: • Vendor-specific attributes — Certain NAS vendors provide the capability to limit the amount of traffic in a particular session. For example: The ChilliSpot-Max-Total-Octets attribute may be used with a coova-chilli NAC device.
message [1]. The session information is updated on the RADIUS server [2], and can be seen using the Active Sessions view. If the guest reaches the allowed traffic limit, then on the next accounting update authorization will be rechecked. Because the session is no longer authorized to continue, the Amigopod Visitor Management Appliance will initiate an RFC 3576 Disconnect-Request to the NAS, which will disconnect the visitor’s session and respond with an acknowledgment.
Configuring Accounting-Based Authorization
Check Plugin Versions
Accounting-based authorization requires the Amigopod RADIUS Services plugin, version 2.1.30 or later. To verify you have the correct plugin versions installed, navigate to Administrator > Plugin Manager > Manage Plugins and check the version number in the list. Use the Update Plugins link to download and install updated plugins.
Your newly created role should appear as shown in the screenshot below:
Create RADIUS NAS Client
Navigate to RADIUS > NAS List and then click the Create tab. Enter suitable values for the name and IP address fields, and select a NAS Type that is marked as RFC 3576 capable.
3. Select the [x] Provide a custom login form checkbox. 4. Under the Login Page heading, select an appropriate skin to control the look and feel of the page. 5. Enter a page title, such as Terms of Use, in the Title field. 6.
{* NOTE: The allowed traffic limit is defined below: *}
{assign var=traffic_limit value=200e6}
{* Do not edit below this line *}
{nwa_radius_query _method=GetIpAddressCurrentSession _assign=current_session}
{if $current_session.username}
  {nwa_radius_query _method=GetUserTraffic username=$current_session.username from_time="00:00" to_time="now" _assign=traffic_used}
{else}
  {assign var=traffic_used value=0}
{/if}
{assign var=traffic_remaining value=`$traffic_limit-$traffic_used`}
If you are using a traffic limit other than 200 MB, you should adjust the value in {assign var=traffic_limit value=200e6}.
{nwa_icontext icon="images/icon-clock22.png" valign="middle" novspace="1"}
So far today, you have used <span class="nwaImportant">{$traffic_used|NwaByteFormatBase10:0}</span>.
{/nwa_icontext}
</td></tr><tr><td class="nwaBody">
{nwa_icontext icon="images/icon-report-bytes-out22.png" valign="middle" novspace="1"}
Your remaining quota is <span class="nwaImportant">{$traffic_remaining|NwaByteFormatBase10:0}</span>.
{/nwa_icontext}
</td></tr></table>
<h3>About This Service</h3>
<p>To ensure the highest quality of service for all of our visitors, the use of this WiFi service is subject to a <b>quota</b>.
<style type="text/css"><!--{literal}
.apHomePageClass { behavior:url(#default#homepage) }
{/literal}--></style>
<span id="apGoHome" class="apHomePageClass"></span>
<script type="text/javascript">{literal}
function goHome() {
  var isSafari3 = window.devicePixelRatio;
  if (typeof(window.home) == 'function' || isSafari3) {
    window.home();
  } else if (document.all) {
    var homePage = document.getElementById('apGoHome');
    try {
      homePage.navigateHomePage();
    } catch (e) {
      window.location.href = "about:home";...
traffic (as recommended by the Amigopod Security Manager), then update the Default URL accordingly: https://{$smarty.server.HTTP_HOST}/traffic_stats.php If you have used a page name other than traffic_stats for the landing page, then update the Default URL accordingly. 6. Select the [x] Force default destination for all clients checkbox. This is to ensure that guests are always redirected to the landing page to view their current traffic statistics after logging in.
Additional Configuration Guidelines To complete the deployment, ensure that each of the following points has been taken into consideration: • The NAS captive portal should redirect guests to the login page, which will be located at a URL such as: http://amigopod/login.php. •...
Verifying Accounting-Based Authorization
Check NAS captive portal settings
Connect to the guest network, and open a web browser. Ensure that the NAS captive portal takes effect, and redirects your web browser to the login page. Troubleshooting tips: If these steps are unsuccessful, check your NAS equipment configuration (wired or wireless).
• Is the correct shared secret configured on both the NAS and the Amigopod RADIUS Server? • Is the guest account authorized? Check that the account is enabled, has the correct role, and that the authorization is not failing. Authorization failures are indicated with a log message in Administrator > System Logs.
Modifying Accounting-Based Authorization
Adjusting the traffic limit
The traffic limit is configured in two places: 1. In the RADIUS User Role as part of an authorization expression – the value is used to compare against the guest’s current traffic measurement and determine if the access request should be permitted.
The additional parameter 'out' indicates that “output” traffic should be calculated. Alternatively, you may specify 'in' instead to count only “input” traffic, or any other value (the default) to count both “input” and “output” traffic. Secondly, update the following template code in the Header HTML of the landing page. This is required to calculate the actual traffic today for the current user: {nwa_radius_query _method=GetUserTraffic username=$current_session.username from_time="00:00"...
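The re-authorization flow described under About Accounting-Based Authorization (re-check at each accounting update, RFC 3576 Disconnect-Request once the quota is reached), together with the 'in'/'out'/both counting option described just above, as an added example. This is illustrative code written for this page, not part of the original note or of the Amigopod product: the record layout, the assumption that the page's 'in'/'out' correspond to Acct-Input-Octets/Acct-Output-Octets, and the base-10 formatting helper are all assumptions, and the sample accounting records are constructed.

```python
"""Added example (not Amigopod code): a small model of accounting-based
authorization. Constructed RADIUS accounting records are replayed in time
order; at every Interim-Update the guest's traffic since local midnight is
totalled in the chosen direction ('in', 'out' or both) and compared with the
daily quota. A session whose total reaches the quota is marked for an
RFC 3576 Disconnect-Request. Attribute names follow RFC 2866; mapping the
page's 'in'/'out' onto them is an assumption made here."""
from dataclasses import dataclass
from datetime import datetime

TRAFFIC_LIMIT = 200e6  # 200 MB, base 10, the same value as the template's 200e6


@dataclass(frozen=True)
class AcctRecord:
    username: str
    session_id: str     # Acct-Session-Id
    status: str         # Acct-Status-Type: Start, Interim-Update or Stop
    timestamp: datetime
    input_octets: int   # Acct-Input-Octets (cumulative for the session)
    output_octets: int  # Acct-Output-Octets (cumulative for the session)


def traffic_since(records, username, from_time, to_time, direction="both"):
    """Total traffic for one user whose records fall in [from_time, to_time].

    Acct-*-Octets counters are cumulative per session, so only the latest
    record of each session is counted; records are assumed to be in time order.
    """
    latest = {}
    for r in records:
        if r.username == username and from_time <= r.timestamp <= to_time:
            latest[r.session_id] = r
    total = 0
    for r in latest.values():
        if direction == "in":
            total += r.input_octets
        elif direction == "out":
            total += r.output_octets
        else:  # any other value counts both directions, as the page describes
            total += r.input_octets + r.output_octets
    return total


def authorize(records, username, now, limit=TRAFFIC_LIMIT, direction="both"):
    """The role's authorization expression: permit while today's usage is below the limit."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    used = traffic_since(records, username, midnight, now, direction)
    return used < limit, used


def replay(records, limit=TRAFFIC_LIMIT, direction="both"):
    """Re-check authorization at each Interim-Update and record the server's action."""
    decisions = []
    disconnected = set()
    for i, r in enumerate(records):
        if r.status != "Interim-Update" or r.session_id in disconnected:
            continue
        ok, used = authorize(records[: i + 1], r.username, r.timestamp, limit, direction)
        action = "continue" if ok else "Disconnect-Request"
        if not ok:
            disconnected.add(r.session_id)  # one Disconnect-Request per session
        decisions.append((r.username, r.session_id, used, action))
    return decisions


def remaining_quota(used, limit=TRAFFIC_LIMIT):
    """Clamp at zero so an over-quota guest never sees a negative figure on the landing page."""
    return max(limit - used, 0)


def format_bytes_base10(n, digits=0):
    """Base-10 units (1 kB = 1000 bytes); stands in for the page's NwaByteFormatBase10 (behaviour assumed)."""
    units = ["bytes", "kB", "MB", "GB", "TB"]
    value, idx = float(n), 0
    while value >= 1000 and idx < len(units) - 1:
        value, idx = value / 1000, idx + 1
    return f"{value:.{digits}f} {units[idx]}"


# Constructed sample records; yesterday's session (S0) must not count towards today's quota.
SAMPLE_RECORDS = [
    AcctRecord("guest1", "S0", "Stop", datetime(2011, 5, 9, 23, 30), 150_000_000, 150_000_000),
    AcctRecord("guest1", "S1", "Start", datetime(2011, 5, 10, 8, 0), 0, 0),
    AcctRecord("guest1", "S1", "Interim-Update", datetime(2011, 5, 10, 9, 0), 30_000_000, 90_000_000),
    AcctRecord("guest2", "S2", "Interim-Update", datetime(2011, 5, 10, 9, 30), 5_000_000, 20_000_000),
    AcctRecord("guest1", "S1", "Interim-Update", datetime(2011, 5, 10, 10, 0), 50_000_000, 160_000_000),
]

if __name__ == "__main__":
    for user, sid, used, action in replay(SAMPLE_RECORDS):
        print(f"{user} {sid}: used {format_bytes_base10(used)}, "
              f"remaining {format_bytes_base10(remaining_quota(used))} -> {action}")
```

With both directions counted, guest1 is at 120 MB after the 09:00 update and 210 MB after the 10:00 update, so the second re-check fails and the session is marked for a Disconnect-Request; counting only 'out' (160 MB) would leave the same session authorized, which is why the role expression and the landing-page query must use the same direction setting. In a real deployment the totals come from the RADIUS accounting database and the disconnect is a packet sent to the NAS rather than a returned string.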