Nomadix AG 5500 User Manual


Summary of Contents for Nomadix AG 5500

  • Page 2 AG 5500 AG 5500 Copyright © 2007 Nomadix, Inc. All Rights Reserved. This product also includes software developed by: The University of California, Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright ©...
  • Page 3 ZL00815827.4. Other U.S. and foreign patents pending or granted. Disclaimer Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc.
  • Page 4 AG 5500 Notifications This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
  • Page 5 AG 5500 CAUTION WARNING Read the instruction manual prior to operation. Risk of electric shock; do not open; no user-serviceable parts inside. ATTENTION AVERTISSEMENT Lire le mode d’emploi avant utilisation. Risque de choc electrique; ne pas ouvrir; ne pas tenter de demontre l’appareil.
  • Page 7: Table Of Contents

    Table of Contents: Introduction (1); About this User’s Guide (1); Organization (1); Welcome to the AG 5500 (2); Product Configuration and Licensing (2); Key Features and Benefits (3); Platform Reliability (3); Local Content and Services (3); Transparent Connectivity...
  • Page 8 Assigning the Location Information and IP Addresses (47); Logging Out and Powering Down the System (50); Connecting the AG 5500 to the Customer’s Network (50); Establishing the Basic Configuration for Subscribers (52); Setting the DHCP Options (52); Setting the DNS Options...
  • Page 9 AG 5500 Archiving Your Configuration Settings (55); Installing the Nomadix Private MIB (55); Chapter 2: System Administration (57); Choosing a Remote Connection (57); Using the Web Management Interface (WMI) (58); Using an SNMP Manager (59); Using a Telnet Client (59); Logging In...
  • Page 10 AG 5500 Displaying the Host Table {Hosts} (152); Displaying ICMP Statistics {ICMP} (153); Displaying the Network Interfaces {Interfaces} (154); Displaying the IP Statistics {IP} (155); Viewing IPSec Tunnel Status {IPSec} (155); Displaying the Routing Tables {Routing} (156); Displaying the Active IP Connections {Sockets}...
  • Page 11 Adding Static Ports {Static Port-Mapping Add} (241); Deleting Static Ports {Static Port-Mapping Delete} (243); Blocking a Subscriber Interface {Subscriber Interfaces} (244); Updating the AG 5500 Firmware {Upgrade} (244); Chapter 3: The Subscriber Interface (245); Overview (245); Authorization and Billing...
  • Page 12 Private Key Generation (285); Create a Certificate Signing Request (CSR) File (288); Create a Public Key File (server.pem) (290); Setting Up AG 5500 for SSL Secure Login (294); Setting Up the Portal Page (294); Mirroring Billing Records (295); Sending Billing Records...
  • Page 13: Introduction

    This User’s Guide provides information and procedures that will enable system administrators to install, configure, manage, and use the Nomadix AG 5500 product successfully and efficiently. Use this guide to take full advantage of the AG 5500’s functionality and features. Organization This User’s Guide is organized into the following chapters:...
  • Page 14: Welcome To The Ag 5500

    The AG 5500 also offers a unique set of security and connectivity features for deploying wireless 802.11 networks. The AG 5500 yields a complete solution to a set of complex issues in the Enterprise, Public- LAN, and Residential segments.
  • Page 15: Key Features And Benefits

    Property Management System (PMS) and for system management and administration, while maintaining one billing relationship with their chosen provider. The AG 5500 enables a wide variety of network deployment options for different venue types. For example: Allows for flexible WAN Connectivity (T1/E1, Cable, xDSL, and ISDN).
  • Page 16: Transparent Connectivity

    Billing Enablement The AG 5500 supports billing plans using credit cards, scratch cards, monthly subscriptions, or direct billing to a hotel’s Property Management System (PMS) and can base the billable event on a number of different parameters such as time, volume, IP address type, or bandwidth.
  • Page 17: Access Control And Authentication

    AG 5500 Access Control and Authentication The AG 5500 ensures that all traffic to the Internet is blocked until authentication has been completed, creating an additional level of security in the network. It also allows service providers to create their own unique “walled garden,” enabling users to access only certain predetermined Web sites before they have been authenticated.
  • Page 18: Nse Core Functionality

    AG 5500 NSE Core Functionality Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy Wi-Fi Public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi Public access network.
  • Page 19: Access Control

    Secure Management; Secure Socket Layer (SSL); Secure XML API; Session Rate Limiting (SRL); Session Termination Redirect; Smart Client Support; SNMP Nomadix Private MIB; Tri-Mode Authentication; URL Filtering; Walled Garden; Web Management Interface. Access Control: For IP-based access control, the NSE incorporates a master access control list that checks the source (IP address) of administrator logins.
  • Page 20: Bandwidth Management

    With the Nomadix Information and Control Console (ICC) feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service (see graphic).
  • Page 21: Command Line Interface

    The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.
  • Page 22: External Web Server Mode

    Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans. Recycle existing Web page content for the centrally hosted portal page. If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also, “Contact Information” on page 305.
  • Page 23: Inat

    AG 5500 iNAT™ Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many Public access networks. Nomadix’ patent-pending iNAT™ (intelligent Network Address Translation) feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.
  • Page 24: Information And Control Console

    AG 5500 Information and Control Console The Nomadix Information and Control Console (ICC) is a HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time”...
  • Page 25: International Language Support

    AG 5500 International Language Support The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use. See also, “Internal Web Server”...
  • Page 26: Mac Filtering

    AG 5500 MAC Filtering MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)” on page...
  • Page 27: Port Mapping

    Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network.
  • Page 28: Radius Proxy

    AG 5500 RADIUS Proxy The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively...
  • Page 29: Secure Management

    NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on...
  • Page 30: Secure Socket Layer (Ssl)

    XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
  • Page 31: Smart Client Support

    Adjungo Networks, Boingo Wireless, GRIC and iPass. SNMP Nomadix Private MIB Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock). To take advantage of the functionality provided with Nomadix’ private MIB (Management Information Base), simply import the nomadix.mib...
  • Page 32: Url Filtering

    “Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing. Web Management Interface Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, Using the Web Management Interface (WMI).
  • Page 33: Optional Nse Modules

    PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. Nomadix’ Access Gateways are equipped with a dedicated PMS port to facilitate connectivity with a customer’s Property Management System.
  • Page 34: Credit Card Module

    The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
  • Page 35: Optional Standalone Application

    AG 5500 Optional Standalone Application The following supplemental application—delivered on a separate CD-ROM—is available from Nomadix: Meeting Room Scheduler (MRS) If you have purchased the NSE’s optional Hospitality Module, our Meeting Room Scheduler (MRS) application can further enhance your product’s integration into the hospitality environment.
  • Page 36: Network Architecture (Sample)

    AG 5500 Network Architecture (Sample) The AG 5500 can be deployed effectively in a variety of wireless and wired broadband environments where there are many users—usually mobile—who need high speed access to the Internet. The following example shows a potential Hospitality application:...
  • Page 37: Product Specifications

    AG 5500 Product Specifications. Performance: User Support: Up to 200 users concurrently; Throughput: 100 Mbits/s* (*As defined by RFC1242, Section 3.17). Physical: 1U rack space in a 19” rack; 16.85”(L) x 10.04”(W) x 1.73”(H); 428mm(L) x 255mm(W) x 44mm(H); Weight: 6.61 lbs...
  • Page 38 AG 5500 Specifications. Interfaces: 3 x 10/100 Mbps Ethernet (RJ-45); 1 x DB9 serial (for serial management and PMS interface). LED Indicators: ACT/LINK and 10/100 for each Ethernet port; Power. Network Management: Multi-Level Administration Controls; Integrated VPN Client (IPSec) for secure connection to an NOC...
  • Page 39: Online Help (Webhelp)

    WebHelp is best viewed using Internet Explorer, version 4.0 or higher. WebHelp is useful when you have an Internet connection to the AG 5500 and you want to access information quickly and efficiently. It contains all the information you will find in this User’s Guide.
  • Page 41: Chapter 1: Installing The Ag 5500

    Installing the AG 5500 This chapter provides installation instructions for the hardware and software components of the AG 5500. It also includes an overview of the management interface, some helpful hints for system administrators, and procedures for the following tasks:...
  • Page 42: Unpacking The Ag 5500

    AG 5500 Unpacking the AG 5500 When you unpack the AG 5500, you will find the following items in the carton: Item AG 5500 module Cable – power cord (US or European) Cable – serial, DB9 female to DB9 female (6ft length) Null Modem (NM) Cable –...
  • Page 43: Installation Workflow

    Network Connect the AG 5500 to the customer’s network. Power up the AG 5500 and log in via a Telnet session or the Web Management Interface. Set the basic configuration parameters for subscribers. The AG 5500 is now ready for administrators to add, delete, or change unique subscriber profiles.
  • Page 44: Powering Up The System

    AG 5500 Powering Up the System Use this procedure to establish a direct cable connection between the AG 5500 and your laptop computer, and to power up the system. Place the AG 5500 on a flat and stable work surface.
  • Page 45: Logging In To The Command Line Interface

    AG 5500 Logging In to the Command Line Interface Use this procedure to initialize the system and log in to the AG 5500’s Command Line Interface (CLI). The character-based CLI is used at initial start-up. Start a HyperTerminal™ session to connect to the AG 5500. Use the following...
  • Page 46 AG 5500 Installing the AG 5500...
  • Page 47: The Management Interfaces (Cli And Web)

    Until the unit is installed on the customer’s network and a remote connection is established, the CLI is the administrator’s window to the system. This is where you establish all the AG 5500 start-up configuration parameters, depending on the customer’s network architecture.
  • Page 48: Making Menu Selections And Inputting Data With The Cli

    Enter Menu Organization (Web Management Interface) When you have successfully installed and configured the AG 5500 from the CLI, you can then access the AG 5500 from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI. You can use either interface, depending on your preference.
  • Page 49 AG 5500 Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages. Installing the AG 5500...
  • Page 50: Inputting Data - Maximum Character Lengths

    Location settings (all fields) Partner Image File Name Password (adding subscriber profiles) Port Description (finding ports by description) Redirection Frequency (in minutes) 2,147,483,647 (recommend 3600) Reservation Number Username (adding subscriber profiles) Valid SSL Certificate DNS Name Installing the AG 5500...
  • Page 51: Online Documentation And Help

    Help system Other online documentation resources, available from our corporate Web site (www.nomadix.com), include a full PDF version of this User’s Guide (viewable with Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases. The PDF version of this User’s Guide and associated README files are also available on the “Accessories”...
  • Page 52: Quick Reference Guide

    When establishing the start-up configuration for a new installation, you are connected to the AG 5500 via a direct serial connection (you do not have remote access capability because the AG 5500 is not yet configured or connected to a network).
  • Page 53 Assigning the Subnet Mask – The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG 5500 is located. Assigning the Default Gateway IP Address – This is the IP address of the router that the AG 5500 uses to transmit data to the Internet.
  • Page 54: Assigning Login User Names And Passwords

    AG 5500 Assigning Login User Names and Passwords When you initially powered up the AG 5500 and logged in to the Management Interface, the default login user name and password you used was “admin.” The AG 5500 allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.
  • Page 55: Setting The Snmp Parameters (Optional)

    AG 5500 Setting the SNMP Parameters (optional) You can address the AG 5500 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
  • Page 56: Enabling The Logging Options (Recommended)

    IP addresses. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 5500 to the specified server. Enter (logging) at the Configuration menu. The system displays the current logging status (enabled or disabled).
  • Page 57 Enabled; RADIUS History log number; RADIUS History log filter; RADIUS History log server IP: 8.9.10.11; RADIUS History log Save to file: Disabled; System Report log: Enabled; System Report log number; System Report log server IP: 8.9.10.11
  • Page 58 AG 5500 System Report log Save to file: Disabled; Tracking logging: Enabled; Tracking log number; Tracking log server IP: 8.9.10.11; Tracking log Save to file: Disabled
  • Page 59: Assigning The Location Information And Ip Addresses

    IP address, the subscriber interface IP address, the subnet mask, and the default gateway IP address. All of these AG 5500 “location” parameters must be set up as part of the system’s start up configuration (otherwise the AG 5500 will not be “visible” on the network).
  • Page 60 AG 5500 After establishing all “Location” settings, you must reboot the AG 5500 for your changes to take effect. Sample Screen Response: Configuration>loc Please enter your company name [companyname]: newname Please enter your site name [sitename]:Coffee House Please enter your address <Line 1>...
  • Page 61 The system must be reset to function properly. Reboot? [yes/no]: y Your new settings are displayed and the AG 5500 reboots. When the system restarts, the Telnet interface is enabled (based on your new configuration settings which are saved to the AG 5500’s on-board flash memory).
  • Page 62: Logging Out And Powering Down The System

    Disconnect the serial cable between the AG 5500 and your computer. Connecting the AG 5500 to the Customer’s Network Use this procedure to connect the AG 5500 to the customer’s network (after the start up configuration parameters have been established).
  • Page 63: Front Panel

    AG 5500 Front Panel Network Subscribers Connect the power cord and turn on the AG 5500. Go to “Establishing the Basic Configuration for Subscribers” on page Installing the AG 5500...
  • Page 64: Establishing The Basic Configuration For Subscribers

    AG 5500, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 5500 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
  • Page 65 2 - Modify an IP Pool 3 - Remove an IP Pool 4 - Exit this menu Select the DHCP Pool configuration mode[0]: After setting up your DHCP options, the system must be rebooted for your changes to take effect. Installing the AG 5500...
  • Page 66: Setting The Dns Options

    Enter a valid domain name (the Internet domain that DNS requests will utilize). Enter the host name (the DNS name of the AG 5500). The name cannot contain spaces. After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2).
  • Page 67: Archiving Your Configuration Settings

    Import the nomadix.mib file into your SNMP client manager. Connect to the AG 5500 from a node on the network that is accessible via the AG 5500’s network port (Internet, LAN, etc.). Be sure to enable the SNMP daemon on the AG 5500 (available on the AG 5500’s CLI or Web Management Interface, under the Configuration...
  • Page 69: Chapter 2: System Administration

    AG 5500 from the Web Management Interface (WMI) viewpoint. Choosing a Remote Connection Once installed and configured for the customer’s network, the AG 5500 can be managed and administered remotely with any of the following interface options: Using the Web Management Interface (WMI) - Provides a powerful and flexible Web interface for network administrators.
  • Page 70: Using The Web Management Interface (Wmi)

    The Web Management Interface (WMI) is a “graphical” version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the AG 5500 and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
  • Page 71: Using An Snmp Manager

    The following example shows a (partial) SNMP screen response. Using a Telnet Client There are many Telnet clients that you can use to connect with the AG 5500. Using Telnet provides a simple terminal emulation that allows you to see and interact with the AG 5500’s Command Line Interface (as if you were connected via the serial interface).
  • Page 72: Logging In

    AG 5500 Logging In To access the AG 5500’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to “Assigning Login User Names and Passwords” on page 42). User names and passwords are case-sensitive.
  • Page 73 AG 5500 System Administration...
  • Page 74 AG 5500 to accept and process XML commands from an external source. XML commands are sent over the network to the AG 5500. The AG 5500 parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
  • Page 75 AAA Passthrough Port System administrators can set the AG 5500 to pass-through HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a Search Engine or News site) has been requested, the subscriber is then redirected as usual.
  • Page 76 AG 5500 If AAA passthrough is enabled, enter the corresponding port number. The port number must be different than 80, 2111, 1111, or 1112. Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support. Enable or disable the feature, as required.
  • Page 77 AG 5500 Enabling AAA Services with the Internal Web Server You are here because you want to enable the AAA Services with the AG 5500’s Internal Web Server. The AG 5500 maintains an internal database of authorized subscribers, based on their MAC (hardware address) and user name (if enabled).
  • Page 78 280. SSL support allows for the creation of an end-to-end encrypted link between the AG 5500 and its clients by enabling the Internal Web Server (IWS) to display pages under a secure link—important when transmitting AAA information in a network.
  • Page 79 Enabling the Smart Client option in the AG 5500 automatically supports all GIS compliant clients using the Internal Web Server. Enabling “Support for GIS Clients” under the Portal Page feature means that the AG 5500 will defer the management of the GIS clients to the Portal Page server.
  • Page 80 SSL Support Reboot after changes are saved? (the AG 5500 must be rebooted every time the SSL Support feature is enabled or disabled). Click on the button to save your changes, or click on the...
  • Page 81 Enabling AAA Services with an External Web Server You are here because you want to enable the AAA Services with an External Web Server (EWS). In the EWS mode, the AG 5500 redirects the subscriber’s login request to an external server.
  • Page 82: Establishing Secure Administration {Access Control

    A login is permitted only to the interfaces that have not been blocked, and only if a match is made with the master “Source IP” list contained on the AG 5500. If a match is not made with the “Source IP list,” the login is denied, even if a correct login name and password are supplied.
  • Page 83 AG 5500 From the Web Management Interface, click on Configuration, then Access Control. The Access Control screen appears:
  • Page 84 Do not enable the blocking of all interfaces without setting up and enabling SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the AG 5500 administration interface. For assistance, contact Nomadix Technical Support. Enable or disable subscriber-side interface blocking for any of the following interfaces...
  • Page 85 CLI to disable the Access Control feature, or change the range of allowed IP addresses to access the management interfaces. If you have changed the serial port to act as a PMS interface, please contact Nomadix technical support. In this case, refer to “Contact Information” on page 305.
  • Page 86: Defining Automatic Configuration Settings {Auto Configuration

    AG 5500 Defining Automatic Configuration Settings {Auto Configuration} The AG 5500 allows you to define parameters to enable the automatic configuration of the system. See also, RADIUS-driven Auto Configuration. From the Web Management Interface, click on Configuration, then Auto Configuration...
  • Page 87 As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta...
  • Page 88 Administrative Steps to Enable Auto-Config for the NOC Administrator: Add NAS IP address. Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server. Create a RADIUS profile with the configuration VSA. Create an FTP server with the configuration files.
  • Page 89: Setting Up Bandwidth Management {Bandwidth Management

    AG 5500 Setting Up Bandwidth Management {Bandwidth Management} The AG 5500 allows system administrators to manage the bandwidth for subscribers, defined in Kbps (Kilobits per second) for both upstream and downstream data transmissions. With the ICC feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service.
  • Page 90: Establishing Billing Records "Mirroring" {Bill Record Mirroring

    AG 5500 can also send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are down, the AG 5500 can store up to 2,000 credit card transaction records. When a connection is re-established (with either server), the AG 5500 sends the stored information to the server—no records are lost!
  • Page 91 Primary IP Secret Key The AG 5500 and the “mirror” servers must use the same secret key. Repeat Step 4 for the secondary server (if any) and all carbon copy servers. Define the “fail-safe” provisions, including: Retransmit Method – Alternate, or do not alternate.
  • Page 92: Managing The Dhcp Service Options {Dhcp

    AG 5500, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 5500 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
  • Page 93 DHCP Services DHCP services. By default, the AG 5500 is configured to act as its own DHCP server and the relay feature is “disabled.” If you want the AG 5500 to act as its own DHCP server, do not enable the relay. Go directly to Step 8.
  • Page 94 AG 5500 If you want to add a new DHCP Pool, click on the button. The Add DHCP Pools screen appears: Enter a valid DHCP Server IP address for the DHCP server. Enter the DHCP Server Netmask. Enter the starting and ending IP addresses for the DHCP address pool you want to use:...
  • Page 95 AG 5500 Enter the DHCP Lease Minutes. Select Public Pool or Private Pool, as required. A “public” IP address will not be translated by DAT. If required, make this an IP Upsell Pool and/or the Default Pool by checking the appropriate boxes.
  • Page 96: Managing The Dns Options {Dns

    DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The AG 5500 utilizes whichever server is currently available.
  • Page 97 AG 5500 Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent). Servers include: Primary DNS Server, Secondary DNS Server, and Tertiary DNS Server. The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
  • Page 98: Managing The Dynamic Dns Options {Dynamic Dns

    AG 5500 Managing the Dynamic DNS Options {Dynamic DNS} These settings can be accessed under the following menus: WMI Configuration Go to Configuration->Dynamic DNS CLI Configuration Go to Configuration->dyndns Go to Configuration->dyndns->configure for configurations System Administration...
  • Page 99 AG 5500 Enable Checkbox This is the checkbox to enable or disable the Dynamic DNS functionality. Provider Information This is to specify provider details. Currently only dyndns.org is supported. Protocol the vendor supports Server and Port to which the client sends updates to the DDNS server.
  • Page 100: Gre Tunneling {Gre Tunneling

    AG 5500 GRE Tunneling {Gre Tunneling} Use the following procedure to set the GRE Tunneling options. From the Web Management Interface, click Configuration, then Gre Tunneling. The GRE Tunneling screen appears: Click the checkbox for to enable this feature.
  • Page 101: Setting the Home Page Redirection Options {Home Page Redirect}

    If required, click on the check box for Parameter Passing Parameter passing allows the AG 5500 to track a subscriber’s initial Web request (usually their home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.
  • Page 102: Enabling Intelligent Address Translation (iNAT)

    Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT engine performs a defined mode of network address translation based on packet type and protocol (for example, GRE, IKE etc…).
  • Page 103: Defining IPSec Tunnel Settings {IPSec}

    AG 5500 Defining IPSec Tunnel Settings {IPSec} From the Web Management Interface, click on Configuration, then IPSec. (You can also access IPSec from the CLI by going to Configuration->IPSec to configure settings, and Network Info->IPSec to view IPSec Tunnel status.)
  • Page 104 AG 5500 IPSec Tunnel Peers. Tunnel Peer: IP address of peer. Peer Authentication Method: choice of Pre-shared key or X.509 certificates. Enter the Pre-shared Key in the Shared Key text field if Pre-shared Key is selected. Enter the filename of the private and public certificates if X.509 is selected. Note: files must exist on flash first.
  • Page 105 AG 5500 IKE Channel Security Parameters. Encryption Algorithm: at least one must be selected. Hash Algorithm: at least one must be selected. Key Strength (a.k.a. Diffie-Hellman): either Group 1 (768 bit) or Group 2 (1024 bit). Lifetime: in seconds; Data life size is NOT supported...
  • Page 106 AG 5500 IPSec Tunnel Security Policies System Administration...
  • Page 107 AG 5500 Tunnel Peer Address Select a Peer IP Address from the pull-down menu with which this security association is to be established. Must select a Peer if the policy is using ESP or AH. Able to select ‘none’ only if policy is a discard or bypass policy...
  • Page 108 AG 5500 Security Parameters: choice of Discard, Bypass, ESP, or AH. Discard/Bypass => select a direction type. ESP only => select all acceptable encryption algorithms. ESP/AH => select all acceptable authentication algorithms. Perfect Forward Secrecy Strength, Maximum Lifetime, Maximum Life size, Automatic renewal. Perfect Forward Secrecy checkbox =>...
  • Page 109: Establishing Your Location {Location}

    AG 5500 Establishing Your Location {Location} This command sets up your location and the corresponding IP addresses for the network interface, subscriber interface, subnet, and default gateway. You *must* provide your full location information. From the Web Management Interface, click on...
  • Page 111 You may lose your connection if you change the IP settings incorrectly (using invalid IP addresses). If you “misconfigure” the AG 5500 and network connectivity is lost, you can still access the AG 5500 from the Command Line Interface (CLI) via a direct serial connection. In this case, refer to:...
  • Page 112 Enter a valid subscriber IP address in the Subscriber IP Address field. The IP addresses from subscribers that are on a subnet different from the AG 5500 (for example, misconfigured) are translated by Nomadix’ Dynamic Address Translation (DAT) patented technology to the Subscriber IP Address. The subscriber interface acts as a multifunctional “translator.”...
  • Page 113 Default Gateway field. The default gateway is the IP address of the router that the AG 5500 uses to transmit data to the Internet. When finished, you must reboot the system for the new settings to take effect. Click on the...
  • Page 114: Managing the Log Options {Logging}

    AG 5500 Managing the Log Options {Logging} System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authorization, Authentication, and Accounting) functions. You can enable either of these options.
  • Page 116 System Log: When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 5500 to the specified SYSLOG server. Enter a unique number (between 0 and 7) in the System Log Number field. This ID number is assigned to the System Log Server.
  • Page 117 Username are included besides the source and destination information of each session. There are IN and OUT messages for the beginning and ending of each session. Examples: INFO [AG 5500 v2.4.113] LI : IN-->: THU JUN 23 11:43:58 2007 | testlab | S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000 INFO [AG 5500 v2.4.113] LI : OUT-->: THU JUN 23 11:44:01 2007 | testlab |...
  • Page 118 AG 5500 PageFaults are stored in the file named “lograw.txt” in the /flash directory and are not viewable on the web management interface. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
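The session log lines shown in the examples above can be parsed and their IN/OUT records paired to reconstruct session durations and to spot records that went missing over UDP syslog. The following is an added example, not code from the manual or from Nomadix: S and D are the source and destination the manual mentions, the X(...) field and the trailing comma-separated fields are not defined in this excerpt and are kept as opaque values, and every line marked constructed is sample data.

```python
"""Parse AG 5500 session log lines and pair IN/OUT records (added example)."""
import ipaddress
import re
from datetime import datetime

MONTHS = {name: num for num, name in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}

# Layout taken from the manual's sample: direction, timestamp, site name,
# then S(ip/port), D(ip/port), X(ip/port) and free-form trailing fields.
LINE_RE = re.compile(
    r"LI\s*:\s*(?P<dir>IN|OUT)-->:\s*"
    r"(?P<ts>[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})"
    r"\s*\|\s*(?P<site>[^|]*?)\s*\|\s*"
    r"S\((?P<src>[^)]+)\),\s*D\((?P<dst>[^)]+)\),\s*X\((?P<x>[^)]+)\)"
    r"(?:,\s*(?P<rest>.*))?$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _endpoint(text):
    """Split 'ip/port' and validate both parts; raises ValueError if malformed."""
    ip, port = text.split("/")
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return str(ipaddress.ip_address(ip.strip())), port


def _timestamp(text):
    """Build a datetime from 'DOW MON DD HH:MM:SS YYYY'; the weekday is ignored."""
    _dow, mon, day, clock, year = text.split()
    hour, minute, second = (int(part) for part in clock.split(":"))
    return datetime(int(year), MONTHS[mon.upper()], int(day), hour, minute, second)


def parse_line(line):
    """Return a record dict, or None when the line is not a valid session record."""
    match = LINE_RE.search(line.strip())
    if not match:
        return None
    try:
        rec = {"direction": match["dir"], "time": _timestamp(match["ts"]),
               "site": match["site"], "src": _endpoint(match["src"]),
               "dst": _endpoint(match["dst"]), "x": _endpoint(match["x"])}
    except (ValueError, KeyError):
        return None
    extras = [f.strip() for f in (match["rest"] or "").split(",") if f.strip()]
    rec["mac"] = next((f.lower() for f in extras if MAC_RE.match(f)), None)
    rec["extras"] = [f for f in extras if not MAC_RE.match(f)]  # meaning not assumed
    return rec


def pair_sessions(lines):
    """Pair IN and OUT records on (src, dst, x).

    Returns (sessions, still_open, orphan_out, rejected). Unpaired records are
    worth reviewing: syslog over UDP can drop either half of a session.
    """
    open_in, sessions, orphan_out, rejected = {}, [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
            continue
        key = (rec["src"], rec["dst"], rec["x"])
        if rec["direction"] == "IN":
            open_in[key] = rec  # a repeated IN replaces the stale one
        elif key in open_in:
            start = open_in.pop(key)
            seconds = (rec["time"] - start["time"]).total_seconds()
            sessions.append({**start, "end": rec["time"], "seconds": seconds})
        else:
            orphan_out.append(rec)
    return sessions, list(open_in.values()), orphan_out, rejected


SAMPLE = [
    # IN line as printed in the manual.
    "INFO [AG 5500 v2.4.113] LI : IN-->: THU JUN 23 11:43:58 2007 | testlab | "
    "S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), "
    "non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000",
    # Constructed: the manual's OUT line is cut off after the site name.
    "INFO [AG 5500 v2.4.113] LI : OUT-->: THU JUN 23 11:44:01 2007 | testlab | "
    "S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), "
    "non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000",
    # Constructed: IN with no matching OUT.
    "INFO [AG 5500 v2.4.113] LI : IN-->: THU JUN 23 11:45:10 2007 | testlab | "
    "S(192.168.2.9/4001), D(198.51.100.7/443), X(203.0.113.4/5010), "
    "non-proxy , 00:90:27:78:81:0A, RADIUS, user2",
    # Constructed: OUT with no matching IN.
    "INFO [AG 5500 v2.4.113] LI : OUT-->: THU JUN 23 11:46:00 2007 | testlab | "
    "S(192.168.2.12/4100), D(198.51.100.9/80), X(203.0.113.4/5020), "
    "non-proxy , 00:90:27:78:81:0B, RADIUS, user3",
    # Constructed: malformed source port, must be rejected.
    "INFO [AG 5500 v2.4.113] LI : IN-->: THU JUN 23 11:47:00 2007 | testlab | "
    "S(192.168.2.4/99999), D(198.51.100.9/80), X(203.0.113.4/5030), non-proxy",
]

if __name__ == "__main__":
    done, still_open, orphans, bad = pair_sessions(SAMPLE)
    for s in done:
        print(s["src"], "->", s["dst"], s["seconds"], "s", s["mac"])
    print(len(still_open), "open,", len(orphans), "orphan OUT,", len(bad), "rejected")
```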
  • Page 119: Enabling MAC Authentication {MAC Authentication}

    AG 5500 Enabling MAC Authentication {MAC Authentication} These settings can be accessed under the following menus: WMI Configuration: go to Configuration->MAC authentication. CLI Configuration: go to configuration->macauth. SNMP Configuration: go to nse->aaa.aaaMacAuth (enterprises.3309.1.x.2.28) for the MAC-based Authentication configuration branch. MAC Authentication Checkbox: This checkbox enables/disables the MAC-based Authentication functionality.
  • Page 120 AG 5500 Retry Frequency in seconds: This is the time in seconds to wait after an unsuccessful MAC authentication attempt to initiate another request. The minimum and default value is 10 seconds. MAC Address Format: Specifies the format in which the subscriber’s MAC address will be expressed in the RADIUS username and password attributes.
  • Page 121: Enabling the Meeting Room Scheduler {Meeting Room Scheduler}

    Reset button if you want to reset all the values to their previous state. For detailed information about installing, configuring, and using the NOMADIX™ Meeting Room Scheduler application, refer to the following documentation: Meeting Room Scheduler User’s Guide (P/N 200-1007-001)
  • Page 122: Assigning Passthrough Addresses (Passthrough Addresses)

    AG 5500 Assigning Passthrough Addresses (Passthrough Addresses) The AG 5500 allows up to 300 IP passthrough addresses and DNS names. This feature allows users to “pass through” the AG 5500 and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though they may not have subscribed to the broadband Internet service.
  • Page 123 IP address or DNS name of the pass-through you want to add or remove from the system. The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information. If adding this pass-through, click on the...
  • Page 124: Assigning a PMS Service {PMS}

    PMS, the AG 5500 can post charges for Internet access directly to a guest’s hotel bill. In this case, the guest is billed only once. The AG 5500 outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room.
  • Page 125 AG 5500 Supported PMS interfaces include: Lodging Link (PTI) Holodex (AutoClerk) HOBIC (OSPS, TSPS, 1BT2, TEST, RSI) Galaxy (Post Only) Marriot NH (post-paid only) Micros Fidelio (Query & Post, Post Only, and Post Only with TCP/IP) Micros (1700/2000/3700/4700/8700 System Software Emulation)
  • Page 127 If the “Skip First Char in Last Name” feature is enabled, the space is reserved for purposes other than the first character of the last name, so the AG 5500 will skip the first space in the last name field for name verification. System Administration...
  • Page 128 Reset button if you want to reset all the values to their previous state. Based on the HOBIC interface standards, Nomadix, Inc. has also certified interoperability with a number of other PMS and call accounting solutions such as Ramesys’ ImagInn, Xeta Virtual XL, and Hilton’s proprietary standard OnQ.
  • Page 129: Setting Up Port Locations {Port-Location}

    AG 5500 Setting Up Port Locations {Port-Location} Port-Location allows you to establish the mode of operation for devices. From the Web Management Interface, click on Configuration, then Port-Location. The Port-Location Settings screen appears: System Administration...
  • Page 130 If you enabled In Room Port Mapping, you must assign a Username and Password. You will need these when you perform port mapping from the subscriber side of the AG 5500. Go to “In Room Port Mapping” on page 120 to map rooms from the subscriber side of the AG 5500.
  • Page 131 AG 5500 These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. The information can then be “sent to” and “billed by” the PMS. You must enter the IP address (not name), SNMP community, and SNMP query duration (maximum time it takes to detect subscriber migration) of all access concentrators connected to the site.
  • Page 132 This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled. AG 5500 multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems.
  • Page 133 AG 5500 Enter your user name and password, then click on the button. The In Room Port Mapping screen appears: Enter the room number and a description for this room. Select the access mode you want to assign to this room:...
  • Page 134: Defining the RADIUS Client Settings {RADIUS Client}

    AG 5500 Defining the RADIUS Client Settings {RADIUS Client} The AG 5500 supports Remote Authentication Dial-In User Service (RADIUS). RADIUS is an authentication and accounting system used by many Internet Service Providers. The “Usernames” function must be enabled for a RADIUS login. See also, “Defining the AAA Services {AAA}”...
  • Page 135 AG 5500 From the Web Management Interface, click on Configuration, then RADIUS Client. The RADIUS Client Settings screen appears: System Administration...
  • Page 136 Default User Idle Timeout before the subscriber’s session times out and they must login again. The AG 5500 can reauthenticate “repeat” subscribers who return to the system within 720 hours. To enable this feature, click on the check box for...
  • Page 137 (if you want the system to display a post session “goodbye” page). The “goodbye” page can be defined as a RADIUS VSA or be driven by the AG 5500’s Internal Web Server (IWS). If required, check the box for . To enable the default 802.1q Enable WAN 802.1q Attribute...
  • Page 138: Defining the RADIUS Proxy Settings {RADIUS Proxy}

    AG 5500 Defining the RADIUS Proxy Settings {RADIUS Proxy} A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers.
  • Page 139 Adding an Upstream RADIUS NAS If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the AG 5500), click on the button. The Add Upstream RADIUS NAS screen appears: To make this entry the “active”...
  • Page 140 AG 5500 Select the Default RADIUS Service Profile from the pull-down menu (see note). RADIUS requests originating from this Upstream NAS will be routed via the specified profile if they cannot be routed based on realm. Leave this field blank if default routing is not desired.
  • Page 141: Defining the Realm-Based Routing Settings {Realm-Based Routing}

    AG 5500 Defining the Realm-Based Routing Settings {Realm-Based Routing} Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies (up to 50). For additional RADIUS information, see also: “Defining the RADIUS Client Settings {RADIUS Client}” on page 122.
  • Page 142 AG 5500 From the Web Management Interface, click on Configuration, then RADIUS Routing. The RADIUS Routing Settings screen appears: System Administration...
  • Page 143 AG 5500 Define RADIUS Service Profiles RADIUS service profiles are used to direct username access requests for both plain RADIUS users and users who supply realm/domain in their username. In response to a RADIUS access request, these RADIUS servers will return the L2TP tunnel parameters which the NSE will use to establish an L2TP tunnel.
  • Page 144 The secret key is a valuable and necessary security measure. The AG 5500 and the RADIUS servers must use the same secret key. Repeat Steps 2 through 4 for the secondary RADIUS authentication server (if used).
  • Page 145 AG 5500 Retransmission Options This category requires you to define the data retransmission method (failover or round-robin), the retransmission frequency, and how many retransmissions the system should attempt. Select the Retransmission Method (Failover or Round Robin). Enter a value for the time (in seconds) in the field.
  • Page 146 AG 5500 Define Realm Routing Policies Realm routing policies are used to determine how supplied username/password input is used to authenticate users. Create a realm routing policy for each realm that will be handled. The realm routing policy will reference either a RADIUS service profile or a tunnel profile. Many different realm routing policies can reference the same RADIUS service or tunnel profile.
  • Page 147 AG 5500 Click on the Strip off routing information check box if you want to remove the routing information. Click on the button to add this Realm Routing Policy. When you have completed the definition of your Realm Routing Policy, you can return to...
  • Page 148 AG 5500 The following screen shows a realm routing policy that handles suffix-based usernames using a tunnel profile. The differences in this example are that the realm name is “tcisp.com”, “Suffix match only” is enabled (the delimiter in this case is “@”), and a tunnel profile, “LNSOne”, is selected instead of a RADIUS service profile.
  • Page 149 AG 5500 Again, as before, the username passed to the tunnel server will have realm information stripped since the checkbox for “Strip off routing information when sending to tunnel server” is checked. This checkbox may be unchecked if it is necessary for usernames to contain realm information for user authentication.
  • Page 150 AG 5500 The Realm Routing Policy you just created is added to the list. Your new RADIUS Service Profiles are added to this list Your new Realm Routing Policies are added to this list System Administration...
  • Page 151: Managing SMTP Redirection {SMTP}

    Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the AG 5500 redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving E-mail is as easy as it’s always been.
  • Page 152: Managing the SNMP Communities {SNMP}

    AG 5500 Managing the SNMP Communities {SNMP} You can address the AG 5500 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
  • Page 153 Submit Reset button if you want to reset all the values to their previous state. You can now use your SNMP client to manage the AG 5500 via the Internet. System Administration...
  • Page 154: Enabling Dynamic Multiple Subnet Support (Subnets)

    AG 5500 Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks. For example: Establish a maximum of 15 different DHCP pools for routable IP addresses at the same time.
  • Page 155 (Public Subnets Settings). To edit the “Current Public DHCP Subnets” table, go to “Managing the DHCP Service Options {DHCP}” on page For additional information about the multiple subnet feature, go to “Contact Information” on page 305 for Nomadix Technical Support. System Administration...
  • Page 156: Displaying Your Configuration Settings {Summary}

    AG 5500 Displaying Your Configuration Settings {Summary} You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on Configuration, then click on Summary. The Summary of Configuration Settings screen appears (partial screen shown here): More listings ...
  • Page 157: Setting the System Date and Time {Time}

    After entering new data for the final parameter (minutes), the system writes the information into its BIOS, then displays the new date and time. The AG 5500 also allows you to enter a “Time offset from UTC.” This parameter is the Universal Coordinated...
  • Page 158 AG 5500 If required, enter UTC offset values for Hours and Minutes in the appropriate fields and define whether this time is plus or minus from the pull-down menu. When finished, click on the button to save your changes, or click on the...
  • Page 159: Setting Up URL Filtering {URL Filtering}

    AG 5500 Setting Up URL Filtering {URL Filtering} The AG 5500 can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods: Host IP address (for example, 1.2.3.4)
  • Page 160: Enabling Secure Management {VPN Tunnel}

    NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on...
  • Page 161 Basic IPSec parameters must be entered by the system administrator to successfully establish the VPN session. We recommend that you create different private subnets behind the VPN termination device and the AG 5500. This menu has changed; please refer to the addendum user guide for the latest configuration information.
  • Page 162: Network Info Menu

    AG 5500 Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address.
  • Page 163: Displaying DAT Sessions {DAT}

    AG 5500 Displaying DAT Sessions {DAT} The AG 5500 provides “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. Dynamic Address Translation (DAT) allows all users to obtain network access, regardless of their computer’s network settings.
  • Page 164: Displaying the Host Table {Hosts}

    AG 5500 Displaying the Host Table {Hosts} You can display a table which lists the hosts that are currently configured. This table includes the assigned host names, their corresponding IP addresses, and any aliases that may be assigned to each host. Hosts provide services to other computers that are linked to it by a network.
  • Page 165: Displaying ICMP Statistics {ICMP}

    AG 5500 Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requestors. These statistics are presented as a listing which details the current status of each ICMP transmission element.
  • Page 166: Displaying the Network Interfaces {Interfaces}

    AG 5500 Displaying the Network Interfaces {Interfaces} You can display the network interfaces which are presented as a detailed listing of all interface communication elements and their current status. To view the Network Interfaces, go to the Web Management Interface, click on...
  • Page 167: Displaying the IP Statistics {IP}

    AG 5500 Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination, even though different packets may “pass through”...
  • Page 168: Displaying the Routing Tables {Routing}

    AG 5500 Displaying the Routing Tables {Routing} You can display the current Routing Tables, including any dynamically generated routes, unreachable routes, or wildcard routes. To view the Routing Tables, go to the Web Management Interface, click on , then Network Info...
  • Page 169: Displaying the Active IP Connections {Sockets}

    AG 5500 Displaying the Active IP Connections {Sockets} You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections. To view the Socket Table, go to the Web Management Interface, click on Network Info...
  • Page 170: Displaying the Static Port Mapping Table {Static Port-Mapping}

    AG 5500 Displaying the Static Port Mapping Table {Static Port-Mapping} You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port-Mapping Table, go to the Web Management Interface, click on...
  • Page 171: Displaying TCP Statistics {TCP}

    AG 5500 Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks.
  • Page 172: Displaying UDP Statistics {UDP}

    AG 5500 Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol which adds a level of reliability and multiplexing to the Internet Protocol (IP).
  • Page 173: Port-Location Menu

    AG 5500 Port-Location Menu The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, PMS, L2TP Tunneling) and the billing plans available on each port can now be individually configured.
  • Page 175: Adding and Updating Port-Location Assignments {Add}

    There may even be multiple ports assigned to a single room or location. The AG 5500 uses a port-location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.
  • Page 176 AG 5500 Enter a location identifier in the Location field. Locations can be assigned as an alpha, numeric, or alpha-numeric value unless a PMS interface is used (see notes). All alpha characters (used for locations and descriptions) are case-sensitive. If you are using a PMS interface, ensure that the “Location” field consists only of numbers (no alpha characters or symbols).
  • Page 177 AG 5500 Please note that while it is possible to set the value of a per-port configuration parameter independently of the value of the corresponding global parameter, the feature itself is disabled for a port unless both the per-port and global parameters are set to enabled. Thus: RADIUS authentication for a port is enabled only if the RADIUS Client is globally enabled AND the per-port enable RADIUS billing parameter is set.
  • Page 178: Deleting All Port-Location Assignments {Delete All}

    AG 5500 Deleting All Port-Location Assignments {Delete All} This procedure shows you how to delete all port-location assignments. The AG 5500 displays a warning and prompts you to confirm this action before deleting all the port-locations currently assigned in the system.
  • Page 179: Deleting Port-Location Assignments by Location {Delete by Location}

    This procedure shows you how to delete a port-location assignment, based on its location. The AG 5500 prompts you to confirm this action before deleting the requested port-location. If you have updated a port-location assignment, you may want to change its description to distinguish from the old assignment.
  • Page 180: Deleting Port-Location Assignments by Port {Delete by Port}

    AG 5500 Deleting Port-Location Assignments by Port {Delete by Port} This procedure shows you how to delete a port-location assignment, based on its port. The AG 5500 prompts you to confirm this action before deleting the requested port-location. If you are unsure which port-locations are currently mapped to the system, you can view a list at “Displaying the Port-Location Mappings {List}”...
  • Page 181: Exporting Port-Location Assignments {Export}

    “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the AG 5500’s flash memory). Exporting your current port-location assignments to the AG 5500’s flash memory will overwrite the existing location.txt file. From the Web Management Interface, click on...
  • Page 182: Finding Port-Location Assignments by Description {Find by Description}

    AG 5500 Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their location or port.
  • Page 183: Finding Port-Location Assignments by Location {Find by Location}

    AG 5500 Finding Port-Location Assignments by Location {Find by Location} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or port.
  • Page 184: Finding Port-Location Assignments by Port {Find by Port}

    AG 5500 Finding Port-Location Assignments by Port {Find by Port} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or location.
  • Page 185: Importing Port-Location Assignments {Import}

    Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the AG 5500’s flash memory). If you have never exported port-location assignments (since installing the AG 5500 at this site), the location.txt is empty.
  • Page 186 You can click on the “View location.txt” link if you want to view the current contents of the file. Creating a “location.txt” File You can create your own “location.txt” file and upload the file to the AG 5500’s flash memory at [IP address]/flash/location.txt. Use the following format when creating the file: “1”,1,00:00:00:00:00:00,0.0.0.0,0, “Room 101”...
  • Page 187: Displaying the Port-Location Mappings {List}

    AG 5500 Displaying the Port-Location Mappings {List} You can display a listing of all port-locations assigned to this system. To view the listing of port-location assignments, go to the Web Management Interface, click Network Info, then click on List.
  • Page 188: Subscriber Administration Menu

    Subscriber Administration Menu Adding Subscriber Profiles {Add} AAA Services must be enabled before you can add a subscriber profile into the AG 5500’s internal authorization database. Refer to, “Defining the AAA Services {AAA}” on page This procedure shows you how to add subscriber profiles into a table of authorized users. Use this procedure when the credit card service option is disabled and the solution provider wants to limit access to pre-qualified users only.
  • Page 189 AG 5500 From the Web Management Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen appears: Choose for this profile. Subscriber Device Define the DHCP Address Type: (only used when the IP Upsell feature...
  • Page 190 AG 5500 Enter a valid MAC Address for the subscriber. If you have chosen to manage this subscriber by user name only, you do not need to enter a MAC address (but you must enter a user name). Enter the of the subscriber.
  • Page 191: Displaying Current Subscriber Connections {Current}

    AG 5500 Displaying Current Subscriber Connections {Current} You can display a listing of all the subscribers currently connected to the system. The list includes the MAC addresses of the subscribers, their active state, the individual expiration times, port numbers (if assigned), and the number of bytes that have been passed from the subscriber to the Internet.
  • Page 192: Deleting Subscriber Profiles by MAC Address {Delete by MAC}

    AG 5500 Deleting Subscriber Profiles by MAC Address {Delete by MAC} This procedure shows you how to delete a subscriber profile from the AG 5500’s database of authorized subscribers, based on the profile’s MAC address. To see a current listing of the subscriber database, sorted by MAC addresses, go to “Listing Subscriber Profiles by MAC Address {List by MAC}”...
  • Page 193: Deleting Subscriber Profiles by User Name {Delete by User}

    AG 5500 Deleting Subscriber Profiles by User Name {Delete by User} This procedure shows you how to delete a subscriber profile from the AG 5500’s database of authorized subscribers, based on the profile’s user name. To see a current listing of the subscriber database, sorted by user name, go to “Listing Subscriber Profiles by User Name {List by User}”...
  • Page 194: Displaying the Currently Allocated DHCP Leases {DHCP Leases}

    , then click on Subscriber Administration DHCP Leases. To utilize this feature, your AG 5500 must be set to act as its own DHCP Server. The DHCP function cannot be set to DHCP Relay. Refer to “Managing the DHCP Service Options {DHCP}” on page...
  • Page 195: Deleting All Expired Subscriber Profiles {Expired}

    AG 5500 Deleting All Expired Subscriber Profiles {Expired} This procedure shows you how to delete all expired subscriber profiles from the AG 5500’s database of authorized subscribers. Use this procedure when you want to “clean up” the subscriber database. From the Web Management Interface, click on...
  • Page 196: Finding Subscriber Profiles by MAC Address {Find by MAC}

    AG 5500 Finding Subscriber Profiles by MAC Address {Find by MAC} This procedure shows you how to find a subscriber profile from the AG 5500’s database of authorized subscribers, based on the profile’s MAC address. Use this procedure when you want to see the statistics corresponding to the MAC address.
  • Page 197: Finding Subscriber Profiles by User Name {Find by User}

    Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the AG 5500’s database of authorized subscribers, based on the profile’s user name. Use this procedure when you want to see the statistics corresponding to the user name.
  • Page 198: Listing Subscriber Profiles By Mac Address {List By Mac

    AG 5500 Listing Subscriber Profiles by MAC Address {List by MAC} You can display the currently active database of authorized subscribers, based on MAC addresses. To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click...
  • Page 199: Listing Subscriber Profiles By User Name {List By User

    AG 5500 Listing Subscriber Profiles by User Name {List by User} You can display the currently active database of authorized subscribers, based on their user names.
  • Page 200: Viewing Radius Proxy Accounting Logs {Radius Session History

    AG 5500 Viewing RADIUS Proxy Accounting Logs {RADIUS Session History} These settings are available under the Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox: When this setting is enabled, any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD” in the /flash directory.
  • Page 201: Displaying Current Profiles And Connections {Statistics

    AG 5500 Displaying Current Profiles and Connections {Statistics} You can view the total number of profiles and connections currently stored in the AG 5500’s database of authorized subscribers. The displayed list includes the number of subscribers currently in the database (Current Table) and a numerical breakdown of how the subscribers can utilize the system (for example, free access, credit card, etc.).
  • Page 202: Subscriber Interface Menu

    Plan C: 1 week, 1Mbit/s downstream, 1Mbit/s upstream, public IP address, $99 charge. In addition to credit card billing, Property Management Systems used by hotels are also supported, along with the internal database of the AG 5500 and billing via Nomadix' secure XML API. See also, “Assigning a PMS Service {PMS}”...
  • Page 203 AG 5500 The Internal Billing Options Setup screen appears: System Administration...
  • Page 204 AG 5500 Review the billing plans (normal plans and X over Y plans) that are currently active. To view or edit a billing plan, simply click on the View/Edit/Delete button opposite the corresponding plan. The Internal Billing Options Plan Setup or Internal Billing Options XoverY Plan Setup screen appears for the billing plan (and type) you selected (see next page for sample of X over Y plan setup screen).
  • Page 205 AG 5500 Sample of Internal Billing Options XoverY Plan Setup Screen System Administration...
  • Page 206 Time Unit One time unit is assigned to each billing plan. The AG 5500 allows you to define multiple billing plans with different time units at the same time. For example, you can define one billing plan that changes by the hour (e.g.
  • Page 207 AG 5500 Define the messages you want to present to subscribers, including: Introduction Message, Offer Message, Policy Message. Define the Units of Access (Minute, Hour, Day, Week, or Month) you want to make available to subscribers. If you want to allow free access to subscribers, you can define the following free billing...
  • Page 208 AG 5500 Define the DHCP Pool (public or private) -- see following note. The “public” option requires IP Upsell to be turned on, otherwise subscribers will receive private IP addresses. Click on the button to save your changes and establish this billing plan.
  • Page 209: Setting Up The Information And Control Console {Icc Setup

    AG 5500 Setting Up the Information and Control Console {ICC Setup} The Nomadix Information and Control Console (ICC) is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
  • Page 210 AG 5500 System Administration...
  • Page 211 If you enabled either of the ICC pop-up options, you can choose a unique name for the console. Simply type a meaningful name in the Title field. Define the physical location where you want the Nomadix Logout Console to appear on the subscriber’s screen. Choose one of the following options: Upper Left Corner...
  • Page 212 When assigning images for buttons, refer to: “Pixel Sizes” on page 203. If you assign (or change) button images or banner images, the AG 5500 must be rebooted for your changes to take effect. When you have completed assigning all your redirect buttons, click on the...
  • Page 213 AG 5500 Assigning Banners From the Subscriber Console (Information and Control Console - ICC) Setup screen, click on the Configure Banners link. The Subscriber Console (Information and Control Console - ICC) Banners Setup screen appears: Click here to return to the previous screen You can display up to 5 banners, but they must be defined here.
  • Page 214: Reboot

    Start Time (Optional) Stop Time (Optional) If you assign (or change) button images or banner images, the AG 5500 must be rebooted for your changes to take effect. If you changed any of the Image Name definitions, click on the check box for Reboot (to reboot the AG 5500).
  • Page 215 AG 5500 Pixel Sizes Use the following parameters when defining images for buttons and banners: Banners – 373 pixels (width) x 32 pixels (height); ISP Button – 98 pixels (width) x 26 pixels (height); Small buttons – 45 pixels (width) x 26 pixels (height)
  • Page 216: Defining Languages {Language Support

    AG 5500 Defining Languages {Language Support} The AG 5500 allows you to define the text displayed to your users by the Internal Web Server (IWS) without any HTML or ASP knowledge. The language you select here will determine the language encoding that the AG 5500’s Internal Web Server instructs the browser to use.
  • Page 217 Interface and the subscriber’s portal page, choose the Other option, then choose one of the available Japanese character sets from the drop-down menu. If sufficient space is available, the AG 5500’s Internal Web Server also supports multiple languages at the same time.
  • Page 218: Enable Serving Of Local Web Pages {Local Web Server

    AG 5500 Enable Serving of Local Web Pages {Local Web Server} Here are the quick setup instructions to enable serving of local web pages. Upload the required pages and images to the /flash/web directory using FTP. Total file size of all pages and images cannot exceed 200 KB. File names should be labeled using the 8.3 format.
  • Page 219 AG 5500 Web Page File Name This text box lets you add or remove the names of the web pages that you intend to serve to the end users. Note: The name of the web page has to be added in order for it to be served to the end users.
  • Page 220: Defining The Subscriber's Login Ui {Login Ui

    AG 5500 Defining the Subscriber’s Login UI {Login UI} This procedure allows you to set up the presentation and content of the subscriber’s login User Interface (UI). From the Web Management Interface, click on Subscriber Interface, then Login UI.
  • Page 221 Click on the check box for Enable “Remember Me” option if you want to enable (or disable) this feature. This option enables the AG 5500 to “remember” logins for a predetermined duration (see next step). The “Remember Me” option requires JavaScript to be enabled.
  • Page 222 (see notes). You must reboot the AG 5500 for the “Image File Name” or “Partner Image File Name” settings to take effect. You can view a grid of acceptable screen colors. To view the grid, simply click on the “View Color Grid”...
  • Page 223 If you made changes to the Image File Name or Partner Image File Name fields, you must reboot the AG 5500 for your changes to take effect. In this case, click on the check box for...
  • Page 224: Defining The Post Session User Interface (Post Session Ui)

    The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the AG 5500’s Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms (for example, post-paid PMS—if your product license supports PMS).
  • Page 225 AG 5500 From the Web Management Interface, click on Subscriber Interface, then Post Session. The Subscriber Post Session User Interface Settings screen appears: System Administration...
  • Page 226 AG 5500 Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS Goodbye Page, as required. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes: Display IP Address...
  • Page 227: Defining Subscriber Ui Buttons {Subscriber Buttons

    AG 5500 Defining Subscriber UI Buttons {Subscriber Buttons} This procedure allows you to define how each of the control buttons is displayed to subscribers. From the Web Management Interface, click on Subscriber Interface, then Subscriber Buttons. The Subscriber Page -- Control Button Definitions screen appears:
  • Page 228: Defining Subscriber Ui Labels {Subscriber Labels

    AG 5500 Defining Subscriber UI Labels {Subscriber Labels} This procedure allows you to define how the user interface (UI) field labels are displayed to subscribers. From the Web Management Interface, click on Subscriber Interface, then Subscriber Labels. The Subscriber Page -- Field Label Definitions screen appears:
  • Page 229 AG 5500 Enter the definitions you want for each label in the corresponding fields. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
  • Page 230: Defining Subscriber Error Messages {Subscriber Errors

    AG 5500 Defining Subscriber Error Messages {Subscriber Errors} This procedure allows you to define how error messages are displayed to subscribers. There are 2 (two) pages of error messages available. From the Web Management Interface, click on , then Subscriber Interface...
  • Page 231 AG 5500 Repeat Steps 1 – 3 for page 2 of 2 (see following screen): System Administration...
  • Page 232: Defining Subscriber Messages {Subscriber Messages

    AG 5500 Defining Subscriber Messages {Subscriber Messages} This procedure allows you to define how “other” subscriber messages are displayed. There are 3 (three) pages of subscriber messages available. From the Web Management Interface, click on , then Subscriber Interface Subscriber The Subscriber Page -- Other Message Definitions, 1 of 3 screen Messages, 1 of 3.
  • Page 233 AG 5500 Enter the definitions you want for each subscriber message in the corresponding fields. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
  • Page 234 AG 5500 Repeat Steps 1 – 3 for page 3 of 3 (see following screen): System Administration...
  • Page 235: System Menu

    AG 5500 System Menu Adding an ARP Table Entry {ARP Add} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
  • Page 236: Deleting An Arp Table Entry {Arp Delete

    AG 5500 Deleting an ARP Table Entry {ARP Delete} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
  • Page 237: Enabling The Bridge Mode Option {Bridge Mode

    “remove” the AG 5500 from the network without physically disconnecting the unit. You can still manage the AG 5500 when Bridge Mode is enabled, but you have no other functionality. If you enable the Bridge Mode option and then plug the AG 5500 into a network, all you need to do is assign it routable IP addresses.
  • Page 238: Exporting Configuration Settings To The Archive File {Export

    AG 5500 Exporting Configuration Settings to the Archive File {Export} This procedure shows you how to export the current system configuration settings to an archive file for future retrieval. This function is useful if you want to change the configuration settings and you are unsure of the effect that the changes will have.
  • Page 239: Importing The Factory Defaults {Factory

    If you restore the factory default configuration settings, you will no longer be able to access the AG 5500 remotely. However, you always have the option of using the “import” function to restore system configuration settings from the archive file.
  • Page 240 Click here to view the “factory.txt” file. Click here to view the “current.txt” file. Click on the Submit and Reboot button to replace the current system configuration settings with the factory default settings and reboot the AG 5500. System Administration...
  • Page 241: Defining The Fail Over Options {Fail Over

    Many large scale networks require fail-over support for all devices in the Public access network. The AG 5500 allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network. As part of this functionality, the settings (except IP addresses) between the two devices will be synchronized automatically.
  • Page 242: Viewing The History Log {History

    – User name of the Administrator / Operator. Login – Source IP address (see note). The source IP displayed may be the source IP of a NAT router instead of the client of the person accessing the AG 5500. System Administration...
  • Page 243: Establishing Icmp Blocking Parameters {Icmp

    AG 5500 Establishing ICMP Blocking Parameters {ICMP} The AG 5500 includes the option to block all ICMP traffic from “pending” or “non authenticated” users that are destined to addresses other than those defined in the pass-through (walled garden) list. The default setting for this option is “disabled” since ICMP pass-through is a useful end-user troubleshooting feature and also required by certain smart clients (for example, GRIC).
  • Page 244: Importing Configuration Settings From The Archive File {Import

    AG 5500 Importing Configuration Settings from the Archive File {Import} This procedure shows you how to restore the system configuration settings from an archive file (previously created with the export function). The archived configuration settings you want to restore may not contain valid IP addresses.
  • Page 245: Establishing Login Access Levels {Login

    (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When this feature is enabled, one manager and three operators can access the AG 5500 at any one time (the default is “disabled”). This feature supports the following interfaces: Telnet Command Line Interface (CLI) –...
  • Page 246 AG 5500 Click on the check box for Administration Concurrency if you want to assign concurrent Manager and Operator logins. In the Manager Login field, enter a login name for this manager. Login names and passwords are case-sensitive. Use login names and passwords that are easy to remember (up to 11 characters, any character type).
  • Page 247 If you enabled Administration Concurrency, repeat steps 3 to 5 for an operator login. As part of its Smart Client feature, the AG 5500 offers a remote RADIUS testing feature (enabled by default). With this feature, the AG 5500 provides a password-protected Web page.
  • Page 248: Defining The Mac Filtering Options {Mac Filtering

    AG 5500 Defining the MAC Filtering Options {Mac Filtering} MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time (see caution).
  • Page 249: Rebooting The System {Reboot

    AG 5500 Rebooting the System {Reboot} This procedure shows you how to reboot the AG 5500. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
  • Page 250: Adding A Route {Route Add

    AG 5500 Adding a Route {Route Add} This procedure shows you how to add a route into the AG 5500’s routing table. This is accomplished by establishing the route’s destination IP address, and by setting the gateway or router IP address by which the route’s destination can be reached.
  • Page 251: Deleting A Route {Route Delete

    AG 5500 Deleting a Route {Route Delete} This procedure shows you how to delete a route to a specific IP destination. From the Web Management Interface, click on System, then Route Delete. The Delete Static Routes screen appears: Enter the address of the route you want to delete from the routing table.
  • Page 252: Establishing Session Rate Limiting {Session Limit

    AG 5500 Establishing Session Rate Limiting {Session Limit} Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number of DAT sessions any one user can take over a given time period and, if necessary, then block malicious users.
  • Page 253: Adding Static Ports {Static Port-Mapping Add

    AG 5500. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the AG 5500 without setting them up with public IP addresses.
  • Page 254 Internal Port. Enter a valid MAC Address. Enter the External IP Address. The External IP address field will default to the IP address of the AG 5500. Enter the External Port reference. Optional: Enter the Remote IP Address. Leave this field set to zero if you want to connect to the internal device from any network-side workstation.
  • Page 255: Deleting Static Ports {Static Port-Mapping Delete

    AG 5500. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the AG 5500 without setting them up with public IP addresses.
  • Page 256: Blocking A Subscriber Interface {Subscriber Interfaces

    Updating the AG 5500 Firmware {Upgrade} Upgrading the AG 5500 firmware is performed from the AG 5500’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support).
  • Page 257: Chapter 3: The Subscriber Interface

    When a subscriber accesses the solution provider’s high speed network, the AG 5500 points their browser to a sign-in page. The AG 5500 then creates a database entry that automatically records the subscriber’s Media Access Control (MAC) address and integrates this address with a PMS interface for secure billing.
  • Page 258: Authorization And Billing

    AG 5500 Authorization and Billing As a gateway device, the AG 5500 enables plug-and-play access to broadband networks. Broadband network solution providers can now offer their subscribers a wide range of high speed services, including access to the Internet. Of course, a high speed Internet connection is not free –...
  • Page 259: The Aaa Structure

    (in the hotel scenario), via a mailed invoice, or directly to the subscriber’s credit card account. The following illustration shows the functional relationship between the AG 5500’s internal modules and the external support systems. The Subscriber Interface...
  • Page 260 AG 5500 Subscriber Login Subscriber Management Internal Web Server External Web Server (on flash for login pages) (for login & portal pages) Internal Web Management Interface Authentication Internal User Database Authorization Table Internal User Database PMS System Credit Card Server...
  • Page 261 Only subscribers that are correctly identified and authenticated are authorized to access the system. Once authorized, the subscriber’s activity is logged and billed through the AG 5500’s Accounting module. The Accounting module fully supports the following functions: Credit card billing (for example, interaction with AuthorizeNet).
  • Page 262: Process Flow (Aaa)

    Process Flow (AAA) The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the AG 5500. AG 5500 detects connection and verifies user against authorization table New User Existing Subscriber...
  • Page 263: Internal And External Web Servers

    English, Chinese, French, German, Japanese, and Spanish. Home Page Redirection The AG 5500 can be configured to redirect all valid subscribers to a Web portal or home page determined by the solution provider. After a specified time, from the first home page redirection (determined by the system administrator), subscribers are redirected again to the portal at the next Web page request.
  • Page 264: Subscriber Management

    Credit card Combinations of two or more subscriber management models can be used. When a subscriber connects to the network and attempts to access the Internet, the AG 5500 looks for each model in the given order above. Subscriber Management Models The system administrator establishes the subscriber management model via the Command Line Interface (CLI) or the Web Management Interface.
  • Page 265: Configuring The Subscriber Management Models

    Credit card Enable the AAA services. You have the choice of enabling the AG 5500’s internal authorization module or using an external credit card authorization server. Internal Authorization Enabled Enter the credit card server’s URL and IP address, then enter the merchant ID you obtain from Authorize.Net.
  • Page 266: Information And Control Console (Icc)

    AG 5500 Information and Control Console (ICC) The Information and Control Console (ICC) is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account. The ICC also offers service providers an opportunity to display advertising banners and provide a choice of redirection options.
  • Page 267: Logout Console

    AG 5500 Logout Console The AG 5500 allows System Administrators to define a simple HTML-based pop-up window for explicit logout that can be used as an alternative to the more fully featured ICC. The pop-up Logout Console can display the elapsed/count-down time and one logo for intra-session service branding.
  • Page 268 AG 5500 This page intentionally left blank. The Subscriber Interface...
  • Page 269: Chapter 4: Quick Reference Guide

    Web Management Interface (WMI) Menus The following tables contain a listing and brief explanation of all menus and menu items contained in the AG 5500’s Web Management Interface (WMI), listed as they appear on screen. Main Page Menus...
  • Page 270: Configuration Menu Items

    (IP address) of administrator logins. A login is permitted only if a match is made with the master list contained on the AG 5500. If a match is not made, the login is denied, even if a correct login name and password are supplied.
  • Page 271 PMS feature. Port-Location Establishes the Access Concentrator settings. RADIUS Client With the appropriate product license, the AG 5500 supports Remote Authentication Dial-In User Service (RADIUS). This procedure sets up the RADIUS client. RADIUS Proxy Establishes RADIUS proxies, where different realms can be set up to directly channel RADIUS messages to the various RADIUS servers.
  • Page 272: Network Info Menu Items

    AG 5500 Network Info Menu Items Item Description Displays the ARP table, including the destination IP address and the gateway MAC address. Displays the DAT session table. Hosts Displays the host table, including host names, associated IP addresses and any assigned aliases.
  • Page 273: Port-Location Menu Items

    AG 5500 Port-Location Menu Items Items Description Adds or updates port-location assignments. Delete All Deletes all port-location assignments. Use this command with caution. Delete by Location Deletes port-location assignments, based on a specified location. Delete by Port Deletes port-location assignments, based on a specified port (VLAN tag).
  • Page 274: Subscriber Administration Menu Items

    AG 5500 Subscriber Administration Menu Items Items Description Adds subscriber profiles to the database. Current Displays a list of all currently connected subscribers. Delete by MAC Deletes a subscriber, based on a specific MAC address. Delete by User Deletes a subscriber, based on a specific user name.
  • Page 275: Subscriber Interface Menu Items

    AG 5500 Subscriber Interface Menu Items Items Description Billing Options Establishes the various billing plans and rates (schemes), including messages and appearance. ICC Setup Sets up the Information and Control Console (ICC) for subscribers. Language Support Defines the language to be displayed on the Web Management Interface and the subscriber’s portal page.
  • Page 276: System Menu Items

    Exports the system’s configuration settings to an archive file. Factory Imports the factory default settings. FailOver Sets up a “sibling” Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the network. History Displays a history log of the system’s activity, including Access,...
  • Page 277: Alphabetical Listing Of Menu Items (Wmi)

    Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support. Alphabetical Listing of Menu Items (WMI) The menu items listed here are for a fully featured AG 5500 (with all optional modules included). Refer to “About Your Product License” on page...
  • Page 278 Summary: Display a summary of the configuration settings (Configuration). TCP: Display the TCP performance statistics (Network Info). Time: Set the system date and time (Configuration). UDP: Display the UDP performance statistics (Network Info). Upgrade: Upgrade the AG 5500 system firmware (System). URL Filtering: Define URLs for filtering (Configuration). Quick Reference Guide...
  • Page 279: Default (Factory) Configuration Settings

    AG 5500 Default (Factory) Configuration Settings The following table shows a partial listing of the AG 5500’s primary default configuration settings (the settings established at manufacturing). For a complete listing of the factory default settings, refer to the file. For more information, go to “Importing the Factory...
  • Page 280 AG 5500 Function Default Setting AAA Logging Disabled AAA Log Server Number AAA Log Server IP 0.0.0.0 SYSLOG (System Logging) Disabled SYSLOG Server Number SYSLOG Server IP 0.0.0.0 AAA Services Disabled Internal Authorization Enabled New Subscribers Enabled Credit Card Service...
  • Page 281: Sample Aaa Log

    AG 5500 Sample AAA Log The following table shows a sample AAA log. This log is generated by the AG 5500 and sent to the SYSLOG server that is assigned to AAA logging. Expi- Type Subscriber ratio Date Time 5500...
  • Page 282: Message Definitions (Aaa Log)

    Removed_by_administrator authorization table. Sample SYSLOG Report Syslog reports are generated by the AG 5500 and sent to the syslog server that is assigned to general error detection and reporting. 2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG 5500 v5.4.03] DHCP: ndxDHCPInit: 0021 DHCP initialized 2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG 5500 v5.4.03]...
  • Page 283: Sample History Log

    AG 5500 Sample History Log A history log is generated by the AG 5500 which includes the system’s activity (Access, Reboot and Uptime). More listings ... Quick Reference Guide...
  • Page 284: Keyboard Shortcuts

    AG 5500 Keyboard Shortcuts The following table shows the most common keyboard shortcuts (action: keyboard shortcut). Cut selected data and place it on the clipboard: Ctrl + X. Copy selected data to the clipboard: Ctrl + C. Paste data from the clipboard into a document (at the insertion point): Ctrl + V.
  • Page 285: Radius Attributes

    Optionally, the RADIUS server can instruct the NAS to perform other functions; for example, the RADIUS server can tell the AG 5500 what upstream and downstream bandwidth the subscriber should receive. If RADIUS cannot authenticate the subscriber, it will instruct the NAS to deny access to the network.
  • Page 286: Authentication-Request

    AG 5500 The Nomadix AG 5500 RADIUS functionality can be broken down into the following categories: Authentication-Request, Authentication-Reply (Accept), Accounting-Request, Selected Detailed Descriptions, Nomadix Vendor Specific Attributes. Authentication-Request: Username, Password, Service-Type, NAS-Port (port number), NAS-Identifier, Framed-IP Address, NAS-IP Address, NAS-Port-Type...
  • Page 287: Authentication-Reply (Accept)

    AG 5500 Authentication-Reply (Accept): Reply-Message, Reject-Message, State (used/tested for 802.1x), Class, Session-Timeout, Idle-Timeout, EAP-Packet (used for 802.1x), Message-Authenticator (used for 802.1x), Acct-Interim-Interval. Nomadix VSAs: Nomadix-Bw-Up, Nomadix-Bw-Down, Nomadix-URL-Redirection, Nomadix-IP-Upsell, Nomadix-MaxBytesUp, Nomadix-MaxBytesDown, Nomadix-Net-VLAN, Nomadix-Session-Terminate-End-Of-Day, Nomadix-Subnet, Nomadix-Expiration. Quick Reference Guide...
  • Page 288: Accounting-Request

    AG 5500 Accounting-Request: Username, Acct-Status-Type (Start/Stop/Update), Acct-Session-ID, Acct-Output-Octets, Acct-Input-Octets, Acct-Output-Packets, Acct-Input-Packets, Class, Nomadix VSAs (Nomadix-Subnet, Nomadix-URL-Redirection, Nomadix-IP-Upsell), Acct-Session-Time (Stop), Terminate-Cause (Stop), NAS ID, NAS-IP Address, NAS-Port-Type, NAS-Port, Framed-IP Address, Acct-Delay-Time, Called-Station-ID, Calling-Station-ID. Quick Reference Guide...
  • Page 289: Selected Detailed Descriptions

    “0” means forever. Timeout Detection If a subscriber is sending traffic through the AG 5500, the AG 5500 will immediately detect a Session-Timeout. However, in the case of an Idle-Timeout or an inactive subscriber Session-Timeout, the AG 5500 detects it via a clean-up function that is currently called every 2 minutes.
  • Page 290 AG 5500 Called-Station-ID This is the Media Access Control (MAC) address of the AG 5500. Calling-Station-ID This is the Media Access Control (MAC) address of the client's computer. New Attributes in Acct-Request The AG 5500 has to send the following attributes in an Accounting-Stop: Acct-Output-Packets: number of packets sent by subscriber.
  • Page 291: Nomadix Vendor Specific Attributes

    This attribute allows the administrator to redirect the user to a page of the administrator's choice each time the user logs in. Nomadix-IP-Upsell This attribute allows the user to receive a public address from a DHCP pool when the AG 5500 has the IP-Upsell feature enabled. Nomadix-Volume-Based-Session-Timeout This attribute allows you to terminate a session once a specified data volume has been reached.
  • Page 292: Setting Up The Ssl Feature

    AG 5500 Setting Up the SSL Feature This section describes how to set up the AG 5500’s SSL feature. Prerequisites The AG 5500 should support the SSL feature. Please go to “Displaying Your Configuration Settings {Summary}” on page 144 and verify that the Licensed Features include "AAA SSL Support".
  • Page 293: Installing Cygwin And Openssl On A Pc

    AG 5500 Installing Cygwin and OpenSSL on a PC The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen: Click on the Next button. The following screen appears: Click on the button to display the next setup screen.
  • Page 294 Next Click on the button to display the next setup screen. Next Select a location and click on the button. Next For the purposes of this document, Nomadix used: ftp://planetmirror.com. Quick Reference Guide...
  • Page 295 AG 5500 In the following screens, please skip all packages except “cygwin” and “openssl,” then click on the Next button when you are done. At the time of this writing, there are more than 70 packages to install. Please ensure that you “skip” all of them except the two packages mentioned above.
  • Page 296 AG 5500 Click on the Next button to start the “install” process. Wait for the install process to complete. There will be a pop-up dialog to inform you that the installation process is completed. At the pop-up dialog, click on the button.
  • Page 297: Private Key Generation

    AG 5500 Private Key Generation Create a directory from Root and put 5 random files, a.dat, b.dat, c.dat, d.dat, and e.dat (see note), into the C:\cygwin\bin\ directory (or the directory where you installed openssl.exe). These random files can be any file type, such as Word, Excel, etc. Change the files to .dat files (shown above).
  • Page 298 However, if you are saving them under different names, you must change the names back to “cakey.pem” when trying to FTP to the AG 5500. Do not include the “-des3” option, so that the private key is kept in unencrypted form.
  • Page 299 AG 5500 Here is the output of cakey.pem: Quick Reference Guide...
  • Page 300: Create A Certificate Signing Request (Csr) File

    The “Common Name” is the name used in the AG 5500->AAA->SSL Certificate Domain Name. The Common Name in the Public Key must match the SSL Certificate Domain Name in the Web Management Interface of the AG 5500 (refer to the AG 5500 setup information later in this document).
  • Page 301 AG 5500 Here is the output of server.csr: Quick Reference Guide...
  • Page 302: Create A Public Key File (Server.pem)

    AG 5500 Create a Public Key File (server.pem) VeriSign Purchasing Process The signing process varies by Certificate Authority. Generally, you will need to send a Certificate Signing Request to the Certificate Authority (CA) and the CA will create a public key based on the certificate request.
  • Page 303 Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it is impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification. There are several ways to prove the existence of your business.
  • Page 304 AG 5500 CSR Submission to VeriSign Please select “Apache Freeware” to submit the CSR to VeriSign. The Certificate Signing Request is in the server.csr (created in the previous step). Open server.csr and copy and paste all data into the edit box.
  • Page 305 AG 5500 The file, “server.pem” will look like this: You have now finished the process of obtaining a public key. Quick Reference Guide...
  • Page 306: Setting Up Ag 5500 For Ssl Secure Login

    AG 5500 Setting Up AG 5500 for SSL Secure Login FTP the “cakey.pem” and “server.pem” files into the AG 5500 platform's flash directory. FTP to the AG 5500 by Netscape: ftp://username:password@[AG 5500 Network IP]/flash Drag and drop the “cakey.pem” and “server.pem” files into the directory.
  • Page 307: Mirroring Billing Records

    By effectively “mirroring” the billing data, the AG 5500 can send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are down, the AG 5500 can store up to 2,000 PMS or credit card transaction records. The AG 5500 regularly attempts to connect with the primary and secondary servers.
  • Page 308: Xml Interface

    XML Interface XML for the External Server The AG 5500 sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built, as the billing “mirroring” information is sent to the Content-length has also been added to the external server in HTTP compliant XML format.
  • Page 309 The AG 5500 uses USG commands for XML strings. The AG 5500 accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the AG 5500 product. In this case, the acknowledgement received from the External Server forms the command.
  • Page 310 RESULT_VALUE:OK or ERROR IP:Standard IP format (123.123.123.123) ERROR_CODE1 for OK, or any other number Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 305. For more information about Billing Records Mirroring, see also: “Billing Records Mirroring”...
  • Page 311: Chapter 5: Troubleshooting

    Common Problems General Hints and Tips The AG 5500 is both a hardware device and a powerful software utility. As a hardware computing device, the AG 5500 requires careful handling. It should be positioned in a dust-free and temperature-controlled environment. Never block the unit’s ventilation holes, and do not stack with other equipment (unless correctly mounted in a rack).
  • Page 312: Management Interface Error Messages

    AG 5500 Management Interface Error Messages The following table contains the error messages associated with the Management Interface (CLI and Web). All messages are listed alphabetically. Error Message Cause AAA must be enabled before adding a You are attempting to add a subscriber profile subscriber to the profile database.
  • Page 313 When upgrading the software, the system FTP a valid boot image to the flash. needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive. Warning: no DHCP services are available to This message is displayed because you have subscribers.
  • Page 314: Common Problems

    255.255.255.0 The DHCP relay is disabled Check the internal DHCP and the DHCP service service settings. settings in the AG 5500 are misconfigured. Subscribers are unable to The DNS server settings are Check the DNS settings (host, route to a domain name, but misconfigured.
  • Page 315 When a subscriber logs in for Home page redirection is not Enable home page the first time, their browser is enabled in the AG 5500. redirection. not redirected to the specified The home page URL was Re-enter the correct URL.
  • Page 317: Appendix A: Technical Support

    (if the problem is related to the AG 5500). Additionally, you should check with your network documentation to verify that the network components are functioning correctly.
  • Page 319: Glossary Of Terms

    10/100 Ethernet See Ethernet. (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing them to access the Internet and make online...
  • Page 320 (ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet. Adaptive Configuration Technology A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT. ad-hoc mode 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP).
  • Page 321 (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings. See also, DHCP.
  • Page 322 AG 5500 Dynamic IP Address A temporary IP address that is assigned by the DHCP server to a device. Devices retain dynamic IP addresses only for the duration of their networking session. When a device disconnects from the network, the IP address is recaptured by the DHCP server and becomes available for reassignment to another device.
  • Page 323 AG 5500 FHSS (Frequency Hopping Spread Spectrum) One of two types of spread spectrum radio—the other being Direct-Sequence Spread Spectrum (DSSS). FHSS is a transmission technology used in WLAN transmissions where the data signal is modulated with a narrowband carrier signal that "hops" in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies.
  • Page 324 AG 5500 (Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business exposure. See also, Home Page. HTML (HyperText Markup Language) The programming language used to create hypertext documents for use on the Internet.
  • Page 325 Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless access to the broadband network. Subscribers no longer need to alter their computer’s settings. See also,...
  • Page 326 Misconfigured User A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be “misconfigured.”...
  • Page 327 AG 5500 Packet How data is distributed over the Internet. A packet contains the source and destination addresses, as well as the data. An ethernet packet is normally 1,518 bytes. In IP networks, packets are often called datagrams. See also,...
  • Page 328 AG 5500 Protocol A standard process consisting of a set of rules and conditions that regulates data transmissions between computing devices. Some examples of protocols include HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), TCP/IP (Transmission Control Protocol/Internet Protocol), and POP (Post Office Protocol). All these protocols are responsible for regulating the transmission of their specific data file types.
  • Page 329 Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
  • Page 330 AG 5500 Subnet Address The subnet portion of an IP address that is dedicated to the subnet. In a subnetted network, the host portion of an IP IP Address address is split into a subnet portion and a host portion using an address (subnet) mask. See also, Subnet.
  • Page 331 AG 5500 Tunneling A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a Virtual Private Network (VPN). It does TCP/IP this by embedding its own network protocol within the TCP/IP packets carried by the Internet.
  • Page 332 HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration. Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source.
  • Page 333: Index

    ARP tables choosing adding entries types of deleting entries connectivity authentication 5, contacting NOMADIX authorization 60, Copyright and billing Credit Card Module auto configuration bandwidth management 8, DAT 4, basic configuration DAT sessions billing...
  • Page 334 218, inputting data in-room port mapping exporting configuration settings Installation External Web Server 10, powering up the AG 5500 unpacking the AG 5500 workflow factory settings interfaces importing Internal Web Server fail over options...
  • Page 335 Mirroring billing records portal page redirect MRS 23, Port-Location menu multi-level administration 14, post session user interface multiple subnets powering down powering up the AG 5500 network architecture (sample) Authentication network connections Echo Request Network Info menu Keep Alive Index...
  • Page 336 AG 5500 Password adding Username deleting PPPoE routing tables IP Configuration Mode Maximum TCP MSS PPPoE Client secure administration Print billing command secure management Private Key Generation secure socket layer problem solving security product serial cable connection configuration service branding...
  • Page 337 188, UDP statistics finding by MAC UI buttons finding by user UI labels listing by MAC unpacking the AG 5500 listing by user updating firmware Subscriber tracking log URL filtering Log settings user session time adjustment Subscriber tracking log...