Trademarks
symbol, , and Nomadix Service Engine™ are trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their respective holders.
Patent Information
Covered by one or more of the following U.S. and foreign patents: US6,789,110,...
NOTIFICATIONS
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
CAUTION WARNING Read the instruction manual prior to operation. Risk of electric shock; do not open; no user-serviceable parts inside.
ATTENTION AVERTISSEMENT Lire le mode d’emploi avant utilisation. Risque de choc electrique; ne pas ouvrir; ne pas tenter de demontre l’appareil.
ACHTUNG Lesen Sie das Handbuch bevor Sie das Gerät in WARNUNG...
Table of Contents
Introduction (page 1)
About this User’s Guide (page 1)
Organization (page 1)
Welcome to the Nomadix HotSpot Gateway (page 2)
Product Configuration and Licensing (page 3)
Key Features and Benefits (page 4)
Platform Reliability (page 4)
Local Content and Services (page 5)
Transparent Connectivity
Archiving Your Configuration Settings (page 56)
Installing the Nomadix Private MIB (page 56)
Chapter 2: System Administration (page 57)
Choosing a Remote Connection (page 57)
Using the Web Management Interface (WMI) (page 58)
Using an SNMP Manager (page 59)
Using a Telnet Client (page 59)
Logging In
Enabling Dynamic Multiple Subnet Support (Subnets) (page 130)
Displaying Your Configuration Settings {Summary} (page 132)
Setting the System Date and Time {Time} (page 133)
Setting Up URL Filtering {URL Filtering} (page 135)
Enabling Secure Management {VPN Tunnel} (page 136)
Network Info Menu (page 138)
Displaying ARP Table Entries {ARP}
Viewing RADIUS Proxy Accounting History {RADIUS Session History} (page 178)
Displaying Current Profiles and Connections {Statistics} (page 179)
Subscriber Interface Menu (page 180)
Defining the Billing Options {Billing Options} (page 180)
Duration-based Billing Plans (page 180)
Setting Up a “Normal” Billing Plan (page 185)
Setting Up an X over Y Billing Plan
Authentication-Request (page 277)
Authentication-Reply (Accept) (page 278)
Accounting-Request (page 279)
Selected Detailed Descriptions (page 280)
Nomadix Vendor Specific Attributes (page 282)
Setting Up the SSL Feature (page 283)
Prerequisites (page 283)
Obtain a Private Key File (cakey.pem) (page 284)
Installing Cygwin and OpenSSL on a PC (page 285)
Private Key Generation
Setting Up the Portal Page (page 299)
Mirroring Billing Records (page 300)
Sending Billing Records (page 300)
XML Interface (page 301)
XML for the External Server (page 301)
HSG to External Server: (page 301)
Example of a Negative Acknowledgement: (page 303)
Format for each Field:
Nomadix, Inc. directly. Appendix B: Addendum. The Addendum provides information and procedures that will enable system administrators to configure and use the specific features introduced in the 1.3 Maintenance, 1.3 M+ and 1.4 releases for the Nomadix HotSpot Gateway (HSG). Introduction...
User’s Guide. Welcome to the Nomadix HotSpot Gateway The Nomadix HotSpot Gateway (HSG) is a freestanding, fully featured network appliance that enables public access service providers to offer broadband Internet connectivity to their customers.
Product Configuration and Licensing
All Nomadix Access Gateway products, including the HSG, are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The HSG employs our NSE core software package with the option to purchase additional modules to expand the product’s functionality.
Key Features and Benefits
The HSG addresses the specific needs of the public access HotSpot, making it an excellent choice for mid-sized venue deployments. The HSG supports up to 50 simultaneous users, with the option to purchase two additional upgrades of 50 users each, for a maximum of 150 simultaneous users.
Web site to securely sign up for service or log in if they have a pre- existing account. Allows the provider or HotSpot owner to present their customers with local services or have the user sign up for service at zero expense.
The HSG ensures that all traffic to the Internet is blocked until authentication has been completed, creating an additional level of security in the network. It also allows HotSpot operators to create their own unique “walled garden,” enabling users to access only certain predetermined Web sites before they have been authenticated.
Session Rate Limiting (SRL) feature, and MAC filtering for improved network reliability. 5-Step Service Branding A network enabled with the Nomadix HSG (or any other Nomadix Access Gateway) offers a 5-Step service branding methodology for public access operators and their partners, comprising: Initial Flash Page branding.
NSE Core Functionality
Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy Wi-Fi public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.
With the Nomadix Information and Control Console (ICC) feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service (see graphic).
The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system.
Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans. Recycle existing Web page content for the centrally hosted portal page. If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also, “Contact Information” on page 312.
iNAT™
Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many public access networks. Nomadix’ patent-pending iNAT™ (intelligent Network Address Translation) feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.
When providers or HotSpot owners do not want to develop their own content, the IWS is the answer. A banner at the top of each IWS page is configurable and contains the customer's company logo or any other image file they desire.
International Language Support
The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use. See also, “Internal Web Server”...
MAC Filtering
MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)”...
Optionally, the RADIUS authentication process and FTP download can be secured by sending the traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also, “Secure...
RADIUS Proxy
The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to:
Support a wholesale WISP model directly from the edge without the need for any centralized AAA proxy infrastructure.
Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. See also, “Enabling Secure Management {VPN Tunnel}”...
XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
Adjungo Networks, Boingo Wireless, GRIC and iPass. SNMP Nomadix Private MIB Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock). To take advantage of the functionality provided with Nomadix’ private MIB...
For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients.
Your product license may not support this feature. The optional Wholesale Roaming Module provides advanced NAI (Network Access Identifier) routing capabilities, enabling multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner.
Optional Standalone Applications
The following supplemental applications—delivered on a separate CD-ROM—are available from Nomadix:
Meeting Room Scheduler (MRS)
If you have purchased the NSE’s optional Hospitality Module, our Meeting Room Scheduler (MRS) application can further enhance your product’s integration into the hospitality environment.
Product Specifications
Specifications
PERFORMANCE
User Support: 50 users concurrently, with option to expand (up to 150 users)
Throughput: 75Mbits/s*
*As defined by RFC1242, Section 3.17
PHYSICAL
Dimensions: 1U, free standing
8.66 (W) x 10.00 (D) x 1.75 (H) inches
220 (W) x 254 (D) x 44 (H) mm
Weight: 4.05 pounds (1.84 Kg)
Specifications
LED INDICATORS
ACT/LINK and 10/100 for each Ethernet port
Power
NETWORK MANAGEMENT
Multi-Level Administration Controls
Access Control Lists
Web Administration UI
SNMP
XML API
CLI via Telnet and Serial Port
Online Help (WebHelp)
The HSG incorporates an online Help system called “WebHelp” which is accessible through the Web Management Interface (when a remote Internet connection is established following a successful installation).
Notes, Cautions, and Warnings
The following symbols are used throughout this User’s Guide:
This symbol is used for general notes and additional information that may be useful to you.
This symbol is used for cautions and warnings. Cautions and warnings provide important information to eliminate the risk of a system malfunction or possible damage.
Logging Out and Powering Down the System
Connecting the HSG to the Customer’s Network
Establishing the Basic Configuration for Subscribers
Archiving Your Configuration Settings
Installing the Nomadix Private MIB
See also “Installation Workflow” on page 31.
Once you have installed your HSG and established the configuration settings, you should write the settings to an archive file.
DB9 female-to-female serial connector/cable (6 ft. length), for establishing a direct serial connection with the HSG.
“Accessories” CD-ROM (containing this User’s Guide, README file, NOMADIX Enterprise MIB file, and any other useful accessories).
Quick Start Guide
End User License Agreement (EULA)
When prompted, accept the Nomadix End User License Agreement (EULA). You must accept the EULA before the HSG can connect with the Nomadix License Key Server. When the key is successfully received from the server, your HSG will reboot. You can now power down and connect the HSG to the customer’s network.
Powering Up the System
Use this procedure to establish a direct cable connection between the HSG and your laptop computer, and to power up the system.
Place the HSG on a flat and stable work surface.
Connect the power cord.
Connect the DB9 female-to-female serial cable (6 ft.
HSG’s management interface successfully. If this is an initial installation which requires the HSG to receive a license key from the Nomadix License Key Server, you must accept the Nomadix End User License Agreement (EULA).
The Management Interfaces (CLI and Web)
The HSG supports various methods for managing the system remotely. These include an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. However, until the unit is installed and running, system management is performed from the HSG’s embedded CLI via a direct serial cable connection.
Menu Organization (Web Management Interface)
When you have successfully installed and configured the HSG from the CLI, you can then access the HSG from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI. You can use either interface, depending on your preference.
Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages.
Inputting Data – Maximum Character Lengths
The following table details the maximum allowable character lengths when inputting data:
Data Field / Max. Characters
All Messages (billing options)
All Messages (subscriber error messages)
All Messages (subscriber login UI)
All Messages (subscriber “other” messages)
Description of Service (billing options Plan)
Home Page URL
Host Name and Domain Name (DNS settings)
Help system Other online documentation resources, available from our corporate Web site (www.nomadix.com), include a full PDF version of this User’s Guide (viewable with Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases. The PDF version of this User’s Guide and associated README files are also available on the “Accessories”...
Quick Reference Guide
This manual contains a “Quick Reference Guide” on page 257 which provides information to help you navigate and use the management interfaces (CLI and Web) quickly and efficiently. It also contains the product specifications, a listing of the factory default settings, sample log reports, listings of commands (by menu and alphabetical), HyperTerminal settings, and some common keyboard shortcuts.
Assigning the Location Information and IP Addresses:
Assigning the Network Interface IP Address – This is the public IP address that allows administrators and subscribers to see the HSG on the network. Use this address when you need to make a network connection with the HSG.
Assigning Login User Names and Passwords
When you initially powered up the HSG and logged in to the Management Interface, the default login user name and password you used was “admin.” The HSG allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.
Sample Screen Response
Configuration>sn
Enable the SNMP Daemon? [Yes]:
Enter new system contact: newname@domainname.com [Nomadix, Westlake Village, CA]
Enter new system location: Office, Westlake Village, CA
Enter read/get community[public ]:
Enter write/set community[private]:
Enter IP of trap recipient[0.0.0.0 ]: 10.11.12.13
...
Enabling the Logging Options (recommended)
System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authentication, Authorization, and Accounting) functions. You can enable either of these options. Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7).
Enter system server IP [0.0.0.0]: 8.9.10.11
Enable/disable system log savefile [disabled]: enable
Enable/disable AAA logging [disabled]: enable
Enter AAA number (0-7) [0]:
Enter AAA log filter
Enter AAA server IP [0.0.0.0]: 9.10.11.12
Enable/disable log save to file [disabled]: enable
Enable/disable RADIUS History log [disabled]: enable
...
System Report log Save to file    Disabled
Tracking logging    Enabled
Tracking log number
Tracking log server IP    8.9.10.11
Tracking log Save to file    Disabled
IP address (the default is 10.0.0.11). The IP addresses from subscribers that are on a subnet different from the HSG (for example, misconfigured) are translated by Nomadix’ Dynamic Address Translation (DAT) patented technology to the Subscriber IP Address.
Enter a valid subscriber interface IP address.
Enter a valid subnet mask.
After assigning the subnet mask, the system displays the current default gateway IP address (the factory default is 10.0.0.1). This is the IP address of the router that the HSG uses to transmit data to the Internet.
Enter a valid default gateway IP address.
25. Other
Please enter a number from the above list [ 1]:
Select Network Interface Configuration Mode:
0 - Static
1 - DHCP Client
2 - PPPoE Client
Select the Network Interface Configuration Mode: [0]:
Enter network interface IP
Enter subnet mask
Enter default gateway IP
Please enter your ISO country code...
Logging Out and Powering Down the System
Use this procedure to log out and power down the HSG.
Enter (logout) at the HSG Menu. Your serial session closes automatically.
Sample Screen Response
HSG >l
Serial session 1 closing
Turn off the HSG and disconnect the power cord.
Disconnect the serial cable between the HSG and your computer.
Connecting the HSG to the Customer’s Network
Use this procedure to connect the HSG to the customer’s network (after the start up configuration parameters have been established).
Choose an appropriate physical location that allows a minimum clearance of 4cm either side of the unit (for adequate airflow).
Establishing the Basic Configuration for Subscribers
When you have successfully established the start up configuration and installed the unit onto the customer’s network, connect to the HSG via Telnet. You must now set up the basic configuration parameters for subscribers, including:
Setting the DHCP Options –...
When assigning a DHCP Relay Agent IP address for the DHCP Relay, ensure that the IP address you use does not conflict with devices on the network side of the HSG. Although you cannot enable the DHCP relay and the DHCP service at the same time, it is possible to “disable”...
Enter (dns) at the Configuration menu. The system displays the current domain (the default is “nomadix”). Enter a valid domain name (the Internet domain that DNS requests will utilize). Enter the host name (the DNS name of the HSG). The host name must not contain any spaces.
You must now reboot the system for your settings to take effect. Enter (yes) to reboot the HSG.
Sample Screen Response
Configuration>dn
Enter domain [domainname ]: newdomainname
Enter host name <no spaces>[dnshostname]: newhostname
Enter primary DNS[0.0.0.2 ]: 20.21.22.23
Enter secondary DNS[0.0.0.0 ]: 21.22.23.24
Enter tertiary DNS[0.0.0.0 ]: 22.23.24.25
...
Installing the Nomadix Private MIB The Nomadix Private MIB is supplied on the “Accessories” CD-ROM, delivered with your HSG. After importing the nomadix.mib file from the CD-ROM you will be able to view and manage SNMP objects on your HSG.
System Administration
This chapter provides all the instructions and procedures necessary for system administrators to manage the HSG on the customer’s network (after a successful installation). The system administration procedures in this chapter are organized as they are listed under their respective Web Management Interface (WMI) menus:
Configuration Menu
Network Info Menu...
Using the Web Management Interface (WMI)
The Web Management Interface (WMI) is a “graphical” version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the HSG and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
Management Information Base (MIB). SNMP enables managers and agents to communicate with each other for the purpose of accessing these MIBs and retrieving data. See also, “Installing the Nomadix Private MIB” on page The following example shows a (partial) SNMP screen response. Using a Telnet Client There are many Telnet clients that you can use to connect with the HSG.
About Your Product License Some features included in this chapter will not be available to you unless you have purchased the appropriate product license from Nomadix. In this case, the following statement will appear either immediately below the section heading or when the feature is mentioned in the body text.
The Authentication, Authorization, and Accounting Settings screen appears:
Enable or disable AAA Services. If you enable AAA Services, go to Step 3, otherwise this feature is disabled and you can exit the procedure.
Enable or disable the XML Interface, as required. XML (eXtensible Markup Language) is used by the HSG’s subscriber management module for port location and user administration.
Enable or disable Print Billing Command, as required. This feature enables NSE to support Driverless Print servers. If this feature is enabled, you must enable the XML interface and enter the IP address for the XML interface (Step 3 and Step 4).
If AAA passthrough is enabled, enter the corresponding port number. The port number must be different than 80, 2111, 1111, or 1112.
Enable or disable the 802.1x Authentication Support feature, as required. Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support.
Depending on which authorization mode you choose, go to the following sub-sections in this procedure:
Enabling AAA Services with the Internal Web Server – The IWS is “flashed” into the system’s memory and the subscriber’s login page is served directly from the HSG.
Adding SSL support to the HSG requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix. To enable SSL Support, your HSG’s flash must include the server.pem, cakey.pem, and cacert.pem certificate files (the “cacert.pem” file is provided with your HSG).
If you want to designate a portal page, you must enable the Portal Page feature, otherwise leave this feature disabled. The Portal Page IP or DNS address is added to the IP passthrough list automatically.
If you enabled the Portal Page feature, provide the following supporting information:
Portal Page URL
Parameter Passing (enabled or disabled)
The HSG is configured to use either Authorize.net or Chainfusion (selected from a pull-down menu). You will need to open a merchant account with Authorize.net, Chainfusion or Datacenter (Luxembourg) before this feature can be used. Please contact Nomadix Technical Support for assistance. Refer to “Contact Information” on page 312.
You can assign a session idle timeout parameter for subscribers (see following note). To assign an idle timeout, simply enter a numeric value (in seconds) in the Subscriber Idle Timeout box (the default is 1200).
Subscriber Idle Timeout does not apply to RADIUS subscribers.
If you enabled or disabled SSL Support on this screen, you must click the check box for (the HSG must be rebooted every...
Establishing Secure Administration {Access Control}
The HSG allows you to block administrator access to interfaces (Telnet, WMI and FTP) and incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only to the interfaces that have not been blocked, and only if a match is made with the master “Source IP”...
Do not enable the blocking of all interfaces without setting up and enabling SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the HSG administration interface. For assistance, contact Nomadix Technical Support. Click the check box for...
Click on the Remove button to remove the IP address (or range of IP addresses) from the list.
If you enabled Access Control and have “locked yourself out” of the system (for example, because you’ve forgotten your password), you must establish a local serial connection with the CLI to disable the Access Control feature, or change the range of allowed IP addresses to access the management interfaces.
Defining Automatic Configuration Settings {Auto Configuration}
The HSG allows you to define parameters to enable the automatic configuration of the system. See also, “RADIUS-driven Auto Configuration” on page
From the Web Management Interface, click on Configuration, then Auto Configuration.
Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status) are downloaded from an FTP server into the flash of the Nomadix device.
Setup Username and Password for RADIUS Authentication. Administrative Steps to Enable Auto-Config for the NOC Administrator Add NAS IP address. Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server. Create a RADIUS profile with the configuration VSA.
The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto-Configuration option and rebooting the device (for example, using SNMP). See also, “Defining Automatic Configuration Settings {Auto Configuration}”...
Setting Up Bandwidth Management {Bandwidth Management}
The HSG allows system administrators to manage the bandwidth for subscribers, defined in Kbps (Kilobits per second) for both upstream and downstream data transmissions. With the ICC feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service.
Establishing Billing Records “Mirroring” {Bill Record Mirroring}
The Bill Record Mirroring feature contained in the Credit Card and Hospitality optional modules is optional. Your product license may not support this feature.
The HSG can send copies of credit card transactions to external servers that have been previously defined by system administrators.
If you want to enable the billing records “mirroring” functionality for credit card transactions (and you have purchased the appropriate product license), click on the check box for Enable/Disable Mirroring.
Enter the property identification code in the Property ID field.
Enter the communication parameters for the primary server that is to be used for mirroring, including:
Primary IP
Managing the DHCP Service Options {DHCP}
When a device connects to the network, the DHCP server assigns it a “dynamic” IP address for the duration of the session. Most users have DHCP capability on their computer. To enable this service on the HSG, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the HSG to act as its own DHCP server.
Nomadix’ patented Dynamic Address Translation (DAT) functionality is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access, regardless of their computer’s network settings.
If required, enable the IP Upsell feature.
System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the HSG associates their MAC address with their public IP address for the duration of the service level agreement.
Enter the DHCP Server Netmask.
Enter the starting and ending IP addresses for the DHCP address pool you want to use:
DHCP Pool Start IP
DHCP Pool Stop IP
Enter the DHCP Lease Minutes.
Select Public Pool or Private Pool, as required.
A “public”...
Managing the DNS Options {DNS}
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server.
Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent). Servers include:
Primary DNS Server
Secondary DNS Server
Tertiary DNS Server
The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
Configuring Dynamic DNS {Dynamic DNS}
These settings can be accessed under the following menus:
WMI Configuration
Go to Configuration->Dynamic DNS
CLI Configuration
Go to Configuration->dyndns
Go to Configuration->dyndns->configure for configurations
SNMP Configuration
Go to ag->dyndns (enterprises.3309.1.3.50) for DDNS configuration branch
Enable Checkbox
This is the checkbox to enable or disable the Dynamic DNS functionality.
Provider Information
This is to specify provider details. Currently only dyndns.org is supported.
Protocol the vendor supports.
Server and Port to which the client sends updates to the DDNS server.
Account Information
The Host Name is the DDNS name mapped to the client IP address;...
GRE Tunneling {Gre Tunneling}
Use the following procedure to set the GRE Tunneling options.
From the Web Management Interface, click Configuration, then Gre Tunneling. The GRE Tunneling screen appears:
Click the checkbox for GRE Tunneling to enable this feature.
Enter the VPN Concentrator IP Address.
Setting the Home Page Redirection Options {Home Page Redirect}
This procedure shows you how to redirect the subscriber’s browser to a specified home page. Subscribers may also be redirected to a page specified by the solution provider, without any interaction with the credit card authentication process.
You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the HSG’s configuration screens.
If required, click on the check box for Parameter Passing.
Parameter passing allows the HSG to track a subscriber’s initial Web request (usually their home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.
Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT engine performs a defined mode of network address translation based on packet type and protocol (for example, GRE, IKE etc…).
Defining IPSec Tunnel Settings {IPSec} From the Web Management Interface, click on Configuration, then IPSec. (You can also access IPSec from the CLI by going to Configuration->IPSec to configure settings, and Network Info->IPSec to view IPSec Tunnel status.) The IPSEC Tunnel Settings screen appears: To enable this feature, click on the Enable IPSEC check box.
IPSec Tunnel Peers
Page 108
Tunnel Peer: IP address of peer. Peer Authentication Method: Choice of Pre-shared key or X.509 certificates. Enter the Pre-shared Key in the Shared Key text field if Pre-shared Key is selected. Enter the filename of the private and public certificates if X.509 is selected. Note: files must exist on flash first.
IPSec Tunnel Security Policies
Page 110
Tunnel Peer Address: Select a Peer IP Address from the pull-down menu with which this security association is to be established. You must select a Peer if the policy is using ESP or AH. You can select ‘none’ only if the policy is a discard or bypass policy. Traffic Selector Protocol: To select a specific protocol via pull-down menu or protocol number...
Page 111
Security Parameters: Choice of Discard, Bypass, ESP, or AH. Discard/Bypass => select a direction type. ESP only => select all acceptable encryption algorithms. ESP/AH => select all acceptable authentication algorithms. Perfect Forward Secrecy Strength Maximum Lifetime Maximum Life size Automatic renewal. Perfect Forward Secrecy checkbox - When selected, it enables PFS.
Establishing Your Location {Location} This command sets up your location and the corresponding IP addresses for the network interface, subscriber interface, subnet, and default gateway. You *must* provide your full location information. From the Web Management Interface, click on Configuration, then Location.
Page 113
Enter your location information in the following fields: Company Name; Address (Line 1 and Line 2); City, State, Zip, and Country; E-mail Address; ISO Country Code; Phone Country Code; Calling Area Code. Select the area type that most resembles your location from the drop down list. Enter a Network SSID/Zone.
Page 114
The network interface and subscriber interface addresses must be on the same subnet. Enter a valid IP address in the Subnet Mask field. The subnet mask defines the number of IP addresses that are available on the routed subnet where the HSG is located. Enter a valid default gateway IP address in the field.
Managing the Log Options {Logging} System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authorization, Authentication, and Accounting) functions. You can enable either of these options. Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7).
Page 117
If required, click on the check box for System Log to enable system logging. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the HSG to the specified SYSLOG server. Enter a unique number (between 0 and 7) in the System Log Number field.
Page 118
Subscriber Tracking Log: Enabling this checkbox enables the Subscriber Tracking log. Use this to track the network usage of specific Subscribers on the network by receiving a syslog of every Session that is opened by each subscriber. Each new DAT session that is created for subscribers is logged in these syslogs.
Page 119
PageFaults are stored in the file named “lograw.txt” in the /flash directory and are not viewable on the web management interface. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. When logging is enabled, log files and error messages are sent to these servers for future retrieval.
Reset you want to reset all the values to their previous state. For detailed information about installing, configuring, and using the NOMADIX™ Meeting Room Scheduler application, refer to the following documentation: Meeting Room Scheduler User’s Guide (P/N 200-1007-001) Click on the...
Assigning Passthrough Addresses {Passthrough Addresses} The HSG allows up to 300 IP passthrough addresses and DNS names. This feature allows users to “pass through” the HSG and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though they may not have subscribed to the broadband Internet service.
Page 122
IP/DNS Name you want to add or remove from the system. The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information. If adding this pass-through, click on the button, otherwise click on Remove to delete this pass-through from the list.
Setting Up Port Locations {Port-Location} Port-Location allows you to establish the mode of operation for devices. From the Web Management Interface, click on Configuration, then Port-Location. The Port-Location Settings screen appears:
Page 124
System administrators can set the properties for each room from the subscriber side of the HSG. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using. If required, click on the check box for In Room Port Mapping to enable this...
Page 125
If you are using an access concentration device that cannot handle VLAN IDs, select one of the available Access Concentrator Query options: The devices in the following list must be assigned an IP address on the same subnet as the HSG. You must remove “old” concentrator types before entering new ones.
Page 126
Tut Systems RFC1493 Systems From the Cascading Support screen, you can return to the main Port-Location Settings screen at any time by pressing the Back button. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
In Room Port Mapping This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled. HSG multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems.
Page 128
Enter your user name and password, then click on the button. The In Room Port Mapping screen appears: Enter the room number and a description for this room. Select the access mode you want to assign to this room: Room Free Access, Room For Charge, Room Blocked...
“Defining the AAA Services {AAA}” on page Nomadix offers an integrated RADIUS client, allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user.
Page 130
From the Web Management Interface, click on Configuration, then RADIUS Client. The RADIUS Client Settings screen appears: Under the Server Selection options, choose the Routing Mode: Disabled (to disable RADIUS authentication), Realm-Based (for Realm routing), or Fixed (for routing to predefined RADIUS servers). Select the from the pull-down menu.
Miscellaneous Options In the “Miscellaneous Options” category, enter a value for the time (in seconds) in the Default User Idle Timeout field. This value determines how much “idle” time elapses before the subscriber’s session times out and they must login again. The HSG can reauthenticate “repeat”...
Defining the RADIUS Proxy Settings {RADIUS Proxy} A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. For additional RADIUS information, see also: “Defining the RADIUS Client Settings {RADIUS Client}”...
Enable or disable RADIUS Proxy Services, as required, by clicking on the appropriate check box. If you enabled RADIUS Proxy Services, you must provide the Authentication Server Port and the Accounting Server Port references. Click on the Submit button to save your changes, or click on the Reset button if...
Page 134
Select the Default RADIUS Service Profile from the pull-down menu (see note). RADIUS requests originating from this Upstream NAS will be routed via the specified profile if it cannot be routed based on realm. Leave this field blank if default routing is not desired. Click on the button to add this Upstream RADIUS NAS definition, then click on the...
Defining the Realm-Based Routing Settings {Realm-Based Routing} Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies (up to 50). For additional RADIUS information, see also: “Defining the RADIUS Client Settings {RADIUS Client}” on page 115.
See also: “Adding a RADIUS Service Profile” on page 122; “Adding a Realm Routing Policy” on page 125. Adding a RADIUS Service Profile To add a RADIUS Service Profile, click on the appropriate button. The Add RADIUS Service Profile screen appears: Enter a name of your choice for this service profile in the field.
Page 137
Authentication This category requires input for enabling RADIUS authentication and requires you to define IP addresses, ports, and secret keys for the primary and secondary RADIUS servers (the secondary server is optional). Enable or disable the RADIUS Authentication Service, as required, by clicking on the check box.
Page 138
Retransmission Options This category requires you to define the data retransmission method (failover or round-robin), the retransmission frequency, and how many retransmissions the system should attempt. Select the Retransmission Method (Failover or Round Robin). Enter a value for the time (in seconds) in the field.
Adding a Realm Routing Policy Your product license may not support this feature. To add a RADIUS Service Profile, click on the appropriate button on the Realm-Based Routing Settings screen. The Add Realm Routing Policy screen appears: To make this entry the “active” entry, click on the Entry Active check box.
Page 140
Select the required RADIUS Service Profile from the pull-down menu. Click on the Strip off routing information check box if you want to remove the routing information. Click on the button to add this Realm Routing Policy. When you have completed the definition of your Realm Routing Policy, you can return to the previous screen (Realm-Based Routing Settings) by clicking on the link.
Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the HSG redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving E-mail is as easy as it’s always been. This function is transparent to subscribers.
Managing the SNMP Communities {SNMP} You can address the HSG using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
Page 143
Enter the SNMP parameters (communities and identifiers), including: System Contact, System Location, Get (Read) Community, Set (Write) Community, Trap Community, and Trap Recipient IP. Your SNMP manager needs this information to enable network management over the Internet. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved? to reboot the
Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks. For example: Establish a maximum of 15 different DHCP pools for routable IP addresses at the same time.
Page 145
(Public Subnets Settings). To edit the “Current Public DHCP Subnets” table, go to “Managing the DHCP Service Options {DHCP}” on page For additional information about the multiple subnet feature, go to “Contact Information” on page 312 for Nomadix Technical Support.
Displaying Your Configuration Settings {Summary} You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on Configuration, then click on Summary. The Summary of Configuration Settings screen appears (partial screen shown here):
Setting the System Date and Time {Time} This procedure shows you how to set the system date and time. From the Web Management Interface, click on Configuration, then Time. The Set Date and Time screen appears: If required, enter the new date and time parameters in the relevant fields: Year (####), Month (1-12), Day (1-31)
Page 148
If required, enter UTC offset values for Hours and Minutes in the appropriate fields and define whether this time is plus or minus from the pull-down menu. When finished, click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Setting Up URL Filtering {URL Filtering} The HSG can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods: Host IP address (for example, 1.2.3.4); Host DNS name (for example, www.yahoo.com); DNS domain name (for example, *.yahoo.com, meaning all sites under the...
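An added example, not taken from the manual: an offline pre-check for URL filter and passthrough entries before they are typed into the HSG. It sorts entries into the three kinds listed above and rejects the protocol, port and path forms that the passthrough section says not to include; applying that rule to filter entries, and matching `*.domain` only on a label boundary below the domain, are assumptions about the device, and the sample entries are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample entries (not from the manual's screens).
SAMPLE_ENTRIES = [
    "1.2.3.4",                  # host IP address
    "www.yahoo.com",            # host DNS name
    "*.yahoo.com",              # DNS domain name
    "http://www.example.com/",  # protocol and path: rejected
    "www.example.com:8080",     # port: rejected
    "1.2.3",                    # truncated IP address: rejected
]


def classify_entry(entry):
    """Return (kind, value), kind in {'ip', 'host', 'domain'}, or raise ValueError."""
    e = entry.strip().lower().rstrip(".")
    if "://" in e or "/" in e:
        raise ValueError("protocol or path information is not allowed")
    try:
        return ("ip", str(ipaddress.IPv4Address(e)))
    except ValueError:
        pass  # not a dotted-quad address, try it as a DNS name
    if ":" in e:
        raise ValueError("port information is not allowed")
    kind = "host"
    if e.startswith("*."):
        kind, e = "domain", e[2:]
    labels = e.split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(label) for label in labels):
        raise ValueError("not a valid DNS name")
    if labels[-1].isdigit():
        raise ValueError("looks like a malformed IP address")
    return (kind, e)


def load_filter_list(raw_entries):
    """Split raw entries into accepted (kind, value) pairs and rejected (raw, reason) pairs."""
    entries, rejected = [], []
    for raw in raw_entries:
        try:
            entries.append(classify_entry(raw))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return entries, rejected


def is_blocked(host, entries):
    """True if host matches an entry. Assumption: '*.yahoo.com' covers names
    below yahoo.com on a label boundary, so 'notyahoo.com' does not match."""
    h = host.strip().lower().rstrip(".")
    for kind, value in entries:
        if kind in ("ip", "host") and h == value:
            return True
        if kind == "domain" and h.endswith("." + value):
            return True
    return False


if __name__ == "__main__":
    accepted, rejected = load_filter_list(SAMPLE_ENTRIES)
    for kind, value in accepted:
        print("accepted", kind, value)
    for raw, reason in rejected:
        print("rejected", raw, "-", reason)
    for host in ("mail.yahoo.com", "notyahoo.com", "yahoo.com.example.net"):
        print(host, "blocked" if is_blocked(host, accepted) else "not blocked")
```

Whether the HSG also treats the bare domain (yahoo.com) as covered by `*.yahoo.com` is not stated on this page; confirm it on the device before relying on a wildcard entry.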
Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. The advantage of using IPSec is that all types of management traffic are supported,...
Page 151
Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it: Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
Displaying DAT Sessions {DAT} The HSG provides “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. Dynamic Address Translation (DAT) allows all users to obtain network access, regardless of their computer’s network settings.
Displaying the Host Table {Hosts} You can display a table which lists the hosts that are currently configured. This table includes the assigned host names, their corresponding IP addresses, and any aliases that may be assigned to each host. Hosts provide services to other computers that are linked to it by a network.
Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requestors. These statistics are presented as a listing which details the current status of each ICMP transmission element.
Displaying the Network Interfaces {Interfaces} You can display the network interfaces which are presented as a detailed listing of all interface communication elements and their current status. To view the Network Interfaces, go to the Web Management Interface, click on Network Info, then click on Interfaces.
Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination, even though different packets may “pass through”...
Displaying the Routing Tables {Routing} You can display the current Routing Tables, including any dynamically generated routes, unreachable routes, or wildcard routes. To view the Routing Tables, go to the Web Management Interface, click on Network Info, then click on Routing.
Displaying the Active IP Connections {Sockets} You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections. To view the Socket Table, go to the Web Management Interface, click on Network Info, then click on Sockets.
Displaying the Static Port Mapping Table {Static Port-Mapping} You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port-Mapping Table, go to the Web Management Interface, click on Network Info, then click on Static Port-Mapping.
Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks. To view the TCP Statistics, go to the Web Management Interface, click on Network , then click on...
Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol which adds a level of reliability and multiplexing to the Internet Protocol (IP).
Port-Location Menu The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, L2TP Tunneling) and the billing plans available on each port can now be individually configured.
Adding and Updating Port-Location Assignments {Add} Port-locations can be assigned at any level (for example, a specific room in a hotel or apartment building, a floor number, wing, or building). There may even be multiple ports assigned to a single room or location. The HSG uses a port-location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.
Page 165
Enter a location identifier in the Location field. Locations can be assigned as an alpha, numeric, or alpha-numeric value. All alpha characters (used for locations and descriptions) are case-sensitive. In the Port field, enter the port (the VLAN ID when using 802.1Q 2-way). In the field, enter a meaningful description for this port-location...
Tunneling for a port is enabled only if Tunneling is globally enabled AND the per-port enable Tunneling parameter is set. Click on the Submit button to save your changes (the message: Entry added or updated in the location file appears), or click on the Reset button if you want to reset all the values to their previous state.
Deleting All Port-Location Assignments {Delete All} This procedure shows you how to delete all port-location assignments. The HSG displays a warning and prompts you to confirm this action before deleting all the port-locations currently assigned in the system. From the Web Management Interface, click on Port-Location, then Delete All.
Deleting Port-Location Assignments by Location {Delete by Location} This procedure shows you how to delete a port-location assignment, based on its location. The HSG prompts you to confirm this action before deleting the requested port-location. If you are unsure which port-locations are currently mapped to the system, you can view a list at “Displaying the Port-Location Mappings {List}”...
Deleting Port-Location Assignments by Port {Delete by Port} This procedure shows you how to delete a port-location assignment, based on its port. The HSG prompts you to confirm this action before deleting the requested port-location. If you are unsure which port-locations are currently mapped to the system, you can view a list at “Displaying the Port-Location Mappings {List}”...
Exporting Port-Location Assignments {Export} This procedure shows you how to export your current port-location assignments to the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the HSG’s flash memory). Exporting your current port-location assignments to the HSG’s flash memory will overwrite the existing location.txt file.
Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their location or port. From the Web Management Interface, click on Port-Location, then...
Page 172
The requested port-location is displayed: Active link to “Port” processing screen
Finding Port-Location Assignments by Location {Find by Location} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or port. From the Web Management Interface, click on Port-Location, then...
Page 174
The requested port-location is displayed: Active link to “Port” processing screen
Finding Port-Location Assignments by Port {Find by Port} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or location. From the Web Management Interface, click on Port-Location, then...
Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the HSG’s flash memory). If you have never exported port-location assignments (since installing the HSG at this site), the location.txt is empty.
Viewing the “location.txt” File You can click on the “View location.txt” link if you want to view the current contents of the file.
Creating a “location.txt” File You can create your own “location.txt” file and upload the file to the HSG’s flash memory at [IP address]/flash/location.txt. Use the following format when creating the file: “1”,1,00:00:00:00:00:00,0.0.0.0,0, “Room 101” The 4 (four) fields used in the format represent the standard format for port-location assignments (location, port, modem MAC address for RiverDelta, subnet, state, description).
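An added example (not code from the manual or from Nomadix): a pre-upload check for a hand-written location.txt, parsing the comma-separated values shown above in the order location, port, modem MAC address, subnet, state, description. It assumes the file uses plain ASCII double quotes, and treating a repeated port as an error is this example's own assumption; the sample rows are constructed.

```python
import csv
import io
import ipaddress
import re

# Field order as listed in the manual's format description.
FIELDS = ("location", "port", "modem_mac", "subnet", "state", "description")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
INT_RE = re.compile(r"[0-9]+")

# Constructed sample file: rows 1-2 are valid, rows 3-5 each carry one defect.
SAMPLE = (
    '"1",1,00:00:00:00:00:00,0.0.0.0,0, "Room 101"\n'
    '"1",2,00:00:00:00:00:00,0.0.0.0,0, "Room 101 desk"\n'
    '"Lobby",3,00:00:00:00:00,0.0.0.0,0, "Lobby"\n'
    '"4",x,00:00:00:00:00:00,0.0.0.0,0\n'
    '"5",1,00:00:00:00:00:00,0.0.0.0,0, "Room 105"\n'
)


def parse_location_file(text):
    """Return (entries, errors); errors is a list of (line_number, message)."""
    entries, errors, seen_ports = [], [], {}
    # skipinitialspace lets the quoted description follow ", " as in the manual.
    reader = csv.reader(io.StringIO(text, newline=""), skipinitialspace=True)
    for row in reader:
        lineno = reader.line_num
        if not row:
            continue  # blank line
        if len(row) != len(FIELDS):
            errors.append(
                (lineno, "expected %d fields, got %d" % (len(FIELDS), len(row))))
            continue
        rec = dict(zip(FIELDS, (value.strip() for value in row)))
        problems = []
        if not rec["location"]:
            problems.append("empty location")
        for key in ("port", "state"):
            if INT_RE.fullmatch(rec[key]):
                rec[key] = int(rec[key])
            else:
                problems.append(
                    "%s is not a non-negative integer: %r" % (key, rec[key]))
        if not MAC_RE.fullmatch(rec["modem_mac"]):
            problems.append("bad MAC address: %r" % rec["modem_mac"])
        try:
            ipaddress.IPv4Address(rec["subnet"])
        except ValueError:
            problems.append("bad subnet address: %r" % rec["subnet"])
        # Assumption of this example: one assignment per port. Several ports
        # for one location are allowed, as the manual describes.
        if isinstance(rec["port"], int) and rec["port"] in seen_ports:
            problems.append("port %d already assigned on line %d"
                            % (rec["port"], seen_ports[rec["port"]]))
        if problems:
            errors.extend((lineno, problem) for problem in problems)
        else:
            seen_ports[rec["port"]] = lineno
            entries.append(rec)
    return entries, errors


if __name__ == "__main__":
    ok, bad = parse_location_file(SAMPLE)
    for rec in ok:
        print("ok  ", rec["location"], rec["port"], rec["description"])
    for lineno, message in bad:
        print("line %d: %s" % (lineno, message))
```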
Displaying the Port-Location Mappings {List} You can display a listing of all port-locations assigned to this system. To view the listing of port-location assignments, go to the Web Management Interface, click on Network Info, then click on List. The List Port-Location Assignments screen appears:
Subscriber Administration Menu Adding Subscriber Profiles {Add} AAA Services must be enabled before you can add a subscriber profile into the HSG’s internal authorization database. Refer to, “Defining the AAA Services {AAA}” on page This procedure shows you how to add subscriber profiles into a table of authorized users.
Page 181
From the Web Management Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen appears: Choose Subscriber or Device for this profile. Define the DHCP Address Type: Public or Private (only used when the IP Upsell feature is enabled, otherwise leave this set to “private”).
Page 182
Enter the IP Address of the subscriber. Enter a valid Subnet address for this subscriber. In the Username field, enter a user name for this subscriber. If you entered a MAC address and you do not want to assign a user name, skip Step 9 (password). User names and passwords are case-sensitive.
Displaying Current Subscriber Connections {Current} You can display a listing of all the subscribers currently connected to the system. The list includes the MAC addresses of the subscribers, their active state, the individual expiration times, port numbers (if assigned), and the number of bytes that have been passed from the subscriber to the Internet.
Deleting Subscriber Profiles by MAC Address {Delete by MAC} This procedure shows you how to delete a subscriber profile from the HSG’s database of authorized subscribers, based on the profile’s MAC address. To see a current listing of the subscriber database, sorted by MAC addresses, go to “Listing Subscriber Profiles by MAC Address {List by MAC}”...
Deleting Subscriber Profiles by User Name {Delete by User} This procedure shows you how to delete a subscriber profile from the HSG’s database of authorized subscribers, based on the profile’s user name. To see a current listing of the subscriber database, sorted by user name, go to “Listing Subscriber Profiles by User Name {List by User}”...
Displaying the Currently Allocated DHCP Leases {DHCP Leases} You can display a listing of the DHCP (Dynamic Host Configuration Protocol) leases that are currently active on the system’s DHCP server. DHCP is a standard method for assigning IP addresses automatically to network devices. DHCP leases define the amount of time that subscribers can utilize the system’s DHCP service.
Deleting All Expired Subscriber Profiles {Expired} This procedure shows you how to delete all expired subscriber profiles from the HSG’s database of authorized subscribers. Use this procedure when you want to “clean up” the subscriber database. From the Web Management Interface, click on Subscriber Administration, then Expired. The Remove Expired Profiles screen appears:...
Finding Subscriber Profiles by MAC Address {Find by MAC} This procedure shows you how to find a subscriber profile from the HSG’s database of authorized subscribers, based on the profile’s MAC address. Use this procedure when you want to see the statistics corresponding to the MAC address. Statistics include user name and password (if any) and the access time remaining for this subscriber.
Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the HSG’s database of authorized subscribers, based on the profile’s user name. Use this procedure when you want to see the statistics corresponding to the user name. Statistics include the subscriber’s MAC address and the access time remaining for this subscriber.
Listing Subscriber Profiles by MAC Address {List by MAC} You can display the currently active database of authorized subscribers, based on MAC addresses. To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click on Subscriber Administration, then click on List by MAC.
Listing Subscriber Profiles by User Name {List by User} You can display the currently active database of authorized subscribers, based on user names. To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click on Subscriber Administration, then click on...
Viewing RADIUS Proxy Accounting History {RADIUS Session History} These settings are available under Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox: When this setting is enabled any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD”...
Displaying Current Profiles and Connections {Statistics} You can view the total number of profiles and connections currently stored in the HSG’s database of authorized subscribers. The displayed list includes the number of subscribers currently in the database (Current Table) and a numerical breakdown of how the subscribers can utilize the system (for example, free access, credit card, etc.).
Subscriber Interface Menu Defining the Billing Options {Billing Options} You can define various billing options for use with the Internal Web Server (IWS), based on: Setting Up a “Normal” Billing Plan, including pricing and bandwidth. Duration-based Billing Plans. Setting Up an X over Y Billing Plan. Messages displayed to subscribers, including an Introduction Message, Offer Message and Policy Message. Billing schemes (units of access)
Page 196
Review the billing plans (normal plans and X over Y plans) that are currently active. To view or edit a billing plan, simply click on the View/Edit/Delete button opposite the corresponding plan. The Internal Billing Options Plan Setup or Internal Billing Options XoverY Plan Setup screen appears for the billing plan (and type) you selected (see next page for sample of X over Y plan setup screen).
Depending on the type of plan you want to set up, go to: “Setting Up a “Normal” Billing Plan” on page 185. “Setting Up an X over Y Billing Plan” on page 187. Setting Up a “Normal” Billing Plan If required, click on the Enable check box to enable (make active) this billing...
Page 200
Define the messages you want to present to subscribers, including: Introduction Message, Offer Message, and Policy Message. Define the Units of Access (Minute, Hour, Day, Week, or Month) you want to make available to subscribers. If you want to allow free access to subscribers, you can define the following free billing options: Default Free Access Time (in days), Maximum Subscriber Lifetime (in days)
Setting Up an X over Y Billing Plan If required, click on the Enable check box to enable (make active) this billing plan. Define a “label” for this billing plan in the Label field. Each plan must have a unique label, different from other plans. Enter a description for this billing plan in the field.
Setting Up the Information and Control Console {ICC Setup} The Nomadix Information and Control Console (ICC) is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
Page 203
The ICC Setup screen appears:
Page 204
If you enabled either of the ICC pop-up options, you can choose a unique name for the console. Simply type a meaningful name in the field. Title Define the physical location where you want the Nomadix Logout Console to appear on the subscriber’s screen. Choose one of the following options: Upper Left Corner...
Assigning Buttons
When assigning the redirect buttons that will appear in the ICC, you can define an ISP Logo Button (large button) and up to 8 smaller buttons (Button 2 through Button 9), with the following parameters:
Name/Text – The name of the button and the mouse-over text. The mouse-over text is the text that appears in the ICC’s Message Bar when your mouse pointer “rolls”...
Assigning Banners
From the Subscriber Console (Information and Control Console - ICC) Setup screen, click on the Configure Banners link. The Subscriber Console (Information and Control Console - ICC) Banners Setup screen appears:
(Click here to return to the previous screen)
You can display up to 5 banners, but they must be defined here.
Define the parameters for your banner(s):
Name/Text
Target URL
Image Name (see following note)
Duration (secs)
Start Time (Optional)
Stop Time (Optional)
If you assign (or change) button images or banner images, the HSG must be rebooted for your changes to take effect.
If you changed any of the Image Name definitions, click on the check box for Reboot after changes are saved? (to reboot the HSG).
Pixel Sizes
Use the following parameters when defining images for buttons and banners:
Banners – 373 pixels (width) x 32 pixels (height)
ISP Button – 98 pixels (width) x 26 pixels (height)
Small buttons – 45 pixels (width) x 26 pixels (height)
[Figure labels: Banner (373 x 32 pixels); Small Buttons...]
Defining Languages {Language Support}
The HSG allows you to define the text displayed to your users by the Internal Web Server (IWS) without any HTML or ASP knowledge. The language you select here will determine the language encoding that the HSG’s Internal Web Server instructs the browser to use.
Select the language you want to use (see notes). There are currently 6 (six) “pre-translated” language options. If you want to have the ICC pre-translated into Japanese and enter and display Japanese characters on the Web Management Interface and the subscriber’s portal page, choose the Japanese (Shift_JIS) option.
Enabling Local Web Serving {Local Web Server}
Here are the quick setup instructions to enable serving of local web pages.
Upload the required pages and images to the /flash/web directory using FTP. Total file size of all pages and images cannot exceed 200 KB. File names should be labeled using the 8.3 format.
Web Page File Name
This text box lets you add or remove the names of the web pages that you intend to serve to the end users.
Note: The name of the web page has to be added in order for it to be served to the end users.
Defining the Subscriber’s Login UI {Login UI}
This procedure allows you to set up the presentation and content of the subscriber’s login User Interface (UI).
From the Web Management Interface, click on Subscriber Interface, then Login UI. The Subscriber Login User Interface Settings screen appears:
Define the messages you want subscribers to see when they log in. Keep messages brief and to the point. Available message categories include:
Service Selection Message
Existing Username Message
New Username Message
Contact Message
PMS Username Message (PMS is not available with the AG 2100)
If any of your devices do not support Java™...
Take care when mixing font and background colors. You may want to experiment before establishing these settings to ensure that your chosen color scheme is both presentable and readable to subscribers (see notes). You must reboot the HSG for the “Image File Name” or “Partner Image File Name”...
Defining the Post Session User Interface (Post Session UI)
The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the HSG’s Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms.
From the Web Management Interface, click on Subscriber Interface, then Post Session UI. The Subscriber Post Session User Interface Settings screen appears:
Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS Goodbye Page, as required.
If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes:
Display IP Address
Display Authen Type
Display Start Time
Display Stop Time...
Defining Subscriber UI Buttons {Subscriber Buttons}
This procedure allows you to define how each of the control buttons is displayed to subscribers.
From the Web Management Interface, click on Subscriber Interface, then Subscriber Buttons. The Subscriber Page -- Control Button Definitions screen
Defining Subscriber UI Labels {Subscriber Labels}
This procedure allows you to define how the user interface (UI) field labels are displayed to subscribers.
From the Web Management Interface, click on Subscriber Interface, then Subscriber Labels. The Subscriber Page -- Field Label Definitions screen appears:
Enter the definitions you want for each label in the corresponding fields.
Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Revert button.
Defining Subscriber Error Messages {Subscriber Errors}
This procedure allows you to define how error messages are displayed to subscribers. There are 2 (two) pages of error messages available.
From the Web Management Interface, click on Subscriber Interface, then Subscriber Errors, 1 of 2.
Enter the definitions you want for each error message in the corresponding fields.
Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Revert button.
Defining Subscriber Messages {Subscriber Messages}
This procedure allows you to define how “other” subscriber messages are displayed. There are 3 (three) pages of subscriber messages available.
From the Web Management Interface, click on Subscriber Interface, then Subscriber Messages, 1 of 3.
The Subscriber Page -- Other Message Definitions, 1 of 3 screen appears:
Enter the definitions you want for each subscriber message in the corresponding fields.
Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the Revert button.
Repeat Steps 1 – 3 for page 3 of 3 (see following screen):
System Menu
Adding an ARP Table Entry {ARP Add}
ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting. This procedure shows you how to add an ARP table entry.
Deleting an ARP Table Entry {ARP Delete}
ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting. This procedure shows you how to delete an ARP table entry.
Enabling the Bridge Mode Option {Bridge Mode}
Bridge Mode allows complete and unconditional access to devices on the subscriber side of the HSG. When the Bridge Mode option is enabled, the HSG is effectively transparent to the network in which it is located, allowing clusters of switches (especially Cisco Systems switch clusters) to be managed using the STP (Spanning Tree Protocol), or any other algorithm/protocol.
Exporting Configuration Settings to the Archive File {Export}
This procedure shows you how to export the current system configuration settings to an archive file for future retrieval. This function is useful if you want to change the configuration settings and you are unsure of the effect that the changes will have. You can restore the archived system configuration settings at any time with the import function.
Importing the Factory Defaults {Factory}
This procedure shows you how to replace the current configuration settings with the settings that were established at the factory. If you restore the factory default configuration settings, you will no longer be able to access the HSG remotely. However, you always have the option of using the “import”...
Many large scale networks require fail-over support for all devices in the public access network. The HSG allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network.
Click on the check box for Reboot after changes are saved?
If you are using RADIUS, it is recommended to add both Nomadix gateways to the RADIUS server.
Click on the button to save your changes, or click on the...
Viewing the History Log {History}
You can view a history log of the system’s Access, Reboot, and Uptime activities. The history log contains up to 500 entries. Once the log holds 500 entries, each new log item removes the oldest entry in the list. The latest entry is always at the top of the list.
To view the history log, go to the Web Management Interface and click on System then...
The “Access and reboot History” log fields include:
Message – Administrator / Operator action.
Login – User name of the Administrator / Operator.
IP – Source IP address (see note).
The source IP displayed may be the source IP of a NAT router instead of the client of the person accessing the HSG.
Establishing ICMP Blocking Parameters {ICMP}
The HSG includes the option to block all ICMP traffic from “pending” or “non authenticated” users that is destined to addresses other than those defined in the pass-through (walled garden) list. The default setting for this option is “disabled” since ICMP pass-through is a useful end-user troubleshooting feature and is also required by certain smart clients (for example, GRIC).
Importing Configuration Settings from the Archive File {Import}
This procedure shows you how to restore the system configuration settings from an archive file (previously created with the export function).
The archived configuration settings you want to restore may not contain valid IP addresses.
Establishing Login Access Levels {Login}
This procedure shows you how to assign differentiated access levels for operators and managers at login. The HSG allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.
The Login Name and Password screen appears:
Click on the check box for Administration Concurrency if you want to assign concurrent Manager and Operator logins.
In the Manager Login field, enter a login name for this manager.
Login names and passwords are case-sensitive. Use login names and passwords that are easy to remember (up to 11 characters, any character type).
In the Confirm Password field, enter the password again to confirm it.
If you forget your password, you will need to contact technical support. See also, “Appendix A: Technical Support” on page 311.
If you enabled Administration Concurrency, repeat steps 3 to 5 for an operator login.
Defining the MAC Filtering Options {Mac Filtering}
MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time (see caution).
Rebooting the System {Reboot}
This procedure shows you how to reboot the HSG. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
Adding a Route {Route Add}
This procedure shows you how to add a route into the HSG’s routing table. This is accomplished by establishing the route’s destination IP address, and by setting the gateway or router IP address by which the route’s destination can be reached.
From the Web Management Interface, click on System, then...
Deleting a Route {Route Delete}
This procedure shows you how to delete a route to a specific IP destination.
From the Web Management Interface, click on System, then Route Delete. The Delete Static Routes screen appears:
Enter the Destination IP address of the route you want to delete from the routing table.
Establishing Session Rate Limiting {Session Limit}
Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number of DAT sessions any one user can take over a given time period and, if necessary, then block malicious users.
From the Web Management Interface, click on System, then...
Adding Static Ports {Static Port-Mapping Add}
Static Port-Mapping allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and mis-configured) and port number on the subscriber side of the HSG.
Enter the Internal Port reference.
Enter a valid MAC Address.
Enter the External IP Address. The External IP address field will default to the IP address of the HSG.
Enter the External Port reference.
Optional: Enter the Remote IP Address. Leave this field set to zero if you want to connect to the internal device from any network-side workstation.
Deleting Static Ports {Static Port-Mapping Delete}
Static Port-Mapping allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and mis-configured) and port number on the subscriber side of the HSG.
Changing the Function of the Serial Port {Serial}
PMS is not available with the AG 2100.
You can change the function of the serial port, switching between a Property Management System (PMS) and simple serial functionality (for accessing the system’s Command Line Interface).
Updating the HSG Firmware {Upgrade}
Upgrading the HSG firmware is performed from the HSG’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support).
The Subscriber Interface
This chapter provides an overview of the HSG’s Subscriber Interface and sections outlining the authorization and billing processes, subscriber management models, and the Information and Control Console (ICC).
Overview
The Subscriber Interface is the window to the solution provider’s Web site, and much more than that.
Authorization and Billing
As a gateway device, the HSG enables plug-and-play access to broadband networks. Broadband network solution providers can now offer their subscribers a wide range of high speed services, including access to the Internet. Of course, a high speed Internet connection is not free –...
[Figure: authorization and billing diagram. Labels: Subscriber; Launch browser; Enter credit card details; Network access; Billing mirror server; Authorize this subscriber; External server; bank account; Solution Provider.]
The AAA Structure
The HSG’s Authentication, Authorization, and Accounting (AAA) module enables the solution provider to provision, track, and bill new or returning subscribers. This includes:
Allowing the solution provider (for example, a hotel) to bill its guests for the high speed network services it provides, track usage on the network, and deny service to those guests who have not paid.
The Authentication module is responsible for ensuring that when subscribers log in to the system they are correctly identified. It can identify subscribers in many different ways. For example:
Based on their hardware (MAC) address.
By validating their user name and password.
By looking up subscribers on a local (flash) database.
Process Flow (AAA)
The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the HSG.
[Flowchart labels: HSG detects connection and verifies user against authorization table; New User; Existing Subscriber; Login Page; Specify lease time; Lease time required, and...]
Internal and External Web Servers
The HSG supports both internal and external Web servers which act as a login interface between subscribers and the solution provider’s network, including the Internet. The internal Web server is “flashed” into the system’s memory and the login page is served directly from the HSG.
Subscriber Management
The HSG provides several subscriber management models, including:
Free access (for example, no AAA functionality)
MAC address
Port-Location ID (for example, by room or unit number)
User name and password
Credit card
Combinations of two or more subscriber management models can be used. When a subscriber connects to the network and attempts to access the Internet, the HSG looks for each model in the given order above.
Model – What You Need To Do
Free access – Disable the AAA services.
MAC address – Enable the AAA services and add a subscriber profile to the database for each MAC address you want to enable.
User Name and Password – Enable the AAA services and Usernames. Add a subscriber profile to the database for each user name and password you want to enable.
Information and Control Console (ICC)
The Information and Control Console (ICC) is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
Logout Console
The HSG allows System Administrators to define a simple HTML-based pop-up window for explicit logout that can be used as an alternative to the more fully featured ICC. The pop-up Logout Console can display the elapsed/count-down time and one logo for intra-session service branding.
Quick Reference Guide
This chapter contains product reference information, organized by topic. Use this chapter to locate the information you need quickly and efficiently.
Web Management Interface (WMI) Menus
The following tables contain a listing and brief explanation of all menus and menu items contained in the HSG’s Web Management Interface (WMI), listed as they appear on screen.
Configuration Menu Items
Item – Description
Establishes the AAA service options.
Access Control – To enable secure administration of the product, the HSG incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only if a match is made with the master list contained on the HSG.
Item – Description
Location – Sets up your location and IP addresses for the network, subscriber, subnet mask, and default gateway.
Logging – Enables logging options for the system and AAA functions.
Meeting Room Scheduler – Allows subscribers to reserve conference rooms and pay for their Internet access in advance.
Network Info Menu Items
Item – Description
Displays the ARP table, including the destination IP address and the gateway MAC address.
Displays the DAT session table.
Hosts – Displays the host table, including host names, associated IP addresses and any assigned aliases.
ICMP – Displays the ICMP (Internet Control Message Protocol) performance statistics.
Port-Location Menu Items
Items – Description
Adds or updates port-location assignments.
Delete All – Deletes all port-location assignments. Use this command with caution.
Delete by Location – Deletes port-location assignments, based on a specified location.
Delete by Port – Deletes port-location assignments, based on a specified port (VLAN tag).
Subscriber Administration Menu Items
Items – Description
Adds subscriber profiles to the database.
Current – Displays a list of all currently connected subscribers.
Delete by MAC – Deletes a subscriber, based on a specific MAC address.
Delete by User – Deletes a subscriber, based on a specific user name.
DHCP Leases – Sets up the current subscriber DHCP leases.
Subscriber Interface Menu Items
Items – Description
Billing Options – Establishes the various billing plans and rates (schemes), including messages and appearance.
ICC Setup – Sets up the Information and Control Console (ICC) for subscribers.
Language Support – Defines the language to be displayed on the Web Management Interface and the subscriber’s portal page.
Factory – Imports the factory default settings.
FailOver – Sets up a “sibling” Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the network.
History – Displays a history log of the system’s activity, including Access, Reboot and Uptime.
AG 2100.)
Subscriber Interfaces – Blocks subscriber interfaces.
Syslog – Displays syslog history.
System Utilization – Displays system utilization information.
Upgrade – Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support.
User Settings – Blocks IPPROTO traffic from misconfigured subscribers.
Export – Export port-location assignments to file – Port-Location
Factory – Import the factory default configuration settings – System
FailOver – Sets up a “sibling” Nomadix Gateway – System
Find by Description – Find port-location assignments by description – Port-Location
Find by Location – Find port-location assignments by location – Port-Location
Find by MAC ...
Realm-Based Routing – Sets up service profiles and realm-based routing policies – Configuration
Reboot – Reboot the operating system – System
Route Add – Add a route to the routing table – System
Route Delete – Delete a route from the routing table – System
Routing ...
10.0.0.10
Subscriber IP – 10.0.0.11
Subnet Mask – 255.255.255.0
Default Gateway IP – 10.0.0.1
DHCP Client – Enabled
Admin IP – 172.30.30.172
Domain – nomadix.
Host Name
Primary DNS – 0.0.0.2
Secondary DNS – 0.0.0.0
Tertiary DNS – 0.0.0.0
DHCP Relay – Disabled
External DHCP Server IP – 0.0.0.0
DHCP Relay Agent IP – 0.0.0.0...
Function – Default Setting
AAA Logging – Disabled
AAA Log Server Number
AAA Log Server IP – 0.0.0.0
SYSLOG (System Logging) – Disabled
SYSLOG Server Number
SYSLOG Server IP – 0.0.0.0
AAA Services – Disabled
Internal Authorization – Enabled
New Subscribers – Enabled
Credit Card Service – Enabled
Parameter Passing – Disabled
Usernames...
Product Specifications
Specifications
PERFORMANCE
User Support: 50 users concurrently, with option to expand (up to 150 users)
Throughput: 75Mbits/s*
*As defined by RFC1242, Section 3.17
PHYSICAL
Dimensions: 1U, free standing
8.66 (W) x 10.00 (D) x 1.75 (H) inches
220 (W) x 254 (D) x 44 (H) mm
Weight: 4.05 pounds (1.84 Kg)
Specifications
LED INDICATORS
ACT/LINK and 10/100 for each Ethernet port
Power
NETWORK MANAGEMENT
Multi-Level Administration Controls
Access Control Lists
Web Administration UI
SNMP
XML API
CLI via Telnet and Serial Port
Sample AAA Log
The following table shows a sample AAA log. This log is generated by the HSG and sent to the SYSLOG server that is assigned to AAA logging.
Expira Type Subscriber MAC Date Time Log Code Log Message tion Name of Data...
Message Definitions (AAA Log)
The six basic messages are defined as follows:
Message – Definition
AAA_Authentication Successful – Subscriber profile was successfully added to the HSG authorization table after being authenticated by the credit card server.
AAA_Authentication Unsuccessful_Error – Subscriber profile was not added to the HSG authorization table because the credit card server did not recognize the transaction.
Sample SYSLOG Report
Syslog reports are generated by the HSG and sent to the syslog server that is assigned to general error detection and reporting.
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [HSG v2.3.006] DHCP: ndxDHCPInit: 0021 DHCP initialized
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [HSG v2.3.006] CLISRD: 0206 Setting COM1 to 9600 baud
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [HSG v2.3.006] CLISRD: Starting CLI on the serial port...
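The following is an added example, not part of the Nomadix guide or firmware: a parser for report lines in the layout of the sample above, which also lists records from senders that are not known gateways and the firmware versions each sender reports. The field layout is inferred from the three sample lines only; the fourth input line, the field names and the known_gateways parameter are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# First three lines: the sample report on this page. Fourth line: constructed
# for this example (sender 5.6.7.8 is made up) to exercise the sender check.
SAMPLE_REPORT = """\
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [HSG v2.3.006] DHCP: ndxDHCPInit: 0021 DHCP initialized
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [HSG v2.3.006] CLISRD: 0206 Setting COM1 to 9600 baud
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [HSG v2.3.006] CLISRD: Starting CLI on the serial port
2003-02-10 11:26:10 Local2.Info 5.6.7.8 INFO [HSG v2.3.006] CLISRD: Starting CLI on the serial port
"""

# Assumed layout (inferred from the sample, not a published format):
# date time facility.severity sender LEVEL [product vVERSION] module: [function: ][code ]text
RECORD = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) "
    r"(?P<sender>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<level>[A-Z]+) "
    r"\[(?P<product>\S+) v(?P<version>[^\]]+)\] "
    r"(?P<module>\w+): "
    r"(?:(?P<function>\w+): )?"   # optional routine name, e.g. ndxDHCPInit
    r"(?:(?P<code>\d{4}) )?"      # optional four-digit message code
    r"(?P<text>.*)$"
)


def parse_record(line):
    """Return one report line as a dict, or None when it does not fit the layout."""
    match = RECORD.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    try:
        record["time"] = datetime.strptime(record.pop("stamp"), "%Y-%m-%d %H:%M:%S")
        record["sender"] = str(ipaddress.ip_address(record["sender"]))
    except ValueError:
        return None  # impossible date, or an octet above 255
    return record


def review(report, known_gateways):
    """Parse a report and build the views a defender would check first."""
    records, rejected = [], []
    for line in report.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None:
            rejected.append(line)  # keep unparsed lines; do not drop them silently
        else:
            records.append(record)
    versions = defaultdict(set)
    for record in records:
        versions[record["sender"]].add(record["version"])
    return {
        "records": records,
        "rejected": rejected,
        # Records whose sender address is not one of the gateways we operate.
        "unexpected": [r for r in records if r["sender"] not in known_gateways],
        # More than one version for a sender means the firmware changed.
        "firmware": {ip: sorted(seen) for ip, seen in versions.items()},
        "modules": Counter(r["module"] for r in records),
    }


if __name__ == "__main__":
    result = review(SAMPLE_REPORT, known_gateways={"1.2.3.4"})
    for record in result["unexpected"]:
        print("unexpected sender:", record["sender"], "-", record["text"])
    print("firmware by sender:", result["firmware"])
    print("records per module:", dict(result["modules"]))
```

Lines that do not match are returned under "rejected" so that a format change after a firmware upgrade shows up as rejects instead of as missing events.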
Keyboard Shortcuts
The following table shows the most common keyboard shortcuts.
Action – Keyboard Shortcut
Cut selected data and place it on the clipboard. – Ctrl + X
Copy selected data to the clipboard. – Ctrl + C
Paste data from the clipboard into a document (at the insertion point). – Ctrl + V
RADIUS Attributes
RADIUS (Remote Authentication Dial-In User Service) was originally created to allow remote authentication to the dial-in networks of corporations and dial-up ISPs. It is defined and standardized by the IETF (Internet Engineering Task Force) and several RADIUS server packages exist in both the public domain and for commercial sale.
The Nomadix HSG RADIUS functionality can be broken down into the following categories:
Authentication-Request
Authentication-Reply (Accept)
Accounting-Request
Selected Detailed Descriptions
Nomadix Vendor Specific Attributes
Authentication-Request
Username
Password
Service-Type
NAS-Port (port number)
NAS-Identifier
Framed-IP Address
NAS-IP Address
NAS-Port-Type
Acct-Session-ID
Log-Off-URL
EAP-Packet (used for 802.1x)
Selected Detailed Descriptions
Acct-Session-ID
The Acct-Session-ID is created when the RADIUS authentication request is built. It is transmitted in both the Access-Request and the Accounting-Request.
Session Timeout
There is currently no default session timeout that you can set in the HSG Web Management Interface (WMI).
Acct-Input-Packets: number of packets received by subscriber.
Upon a reboot, these 2 attributes are saved in currfile.dat the same way as for Acct-Input-Octets and Acct-Input-Octets.
If you plan to implement RADIUS, go to “Contact Information” on page 312 for Nomadix Technical Support.
Nomadix Vendor Specific Attributes
Nomadix-Bw-Up
This attribute value (in Kbps) restricts the speed at which uploads are performed.
Nomadix-Bw-Down
This attribute value (in Kbps) restricts the speed at which downloads are performed.
Nomadix-URL-Redirection
This attribute allows the administrator to redirect the user to a page of the administrator's choice each time the user logs in.
We recommend that you use VeriSign (all instructions in this document are based on obtaining a key from VeriSign). Please contact Nomadix Technical Support if you want to use a different Certificate Authority. For Nomadix technical support, go to “Contact Information”...
VeriSign). These files are put in as file1:file2:file3:file4:file5 in the key generation command.
Downloading Cygwin
There are several sources for obtaining “Cygwin” to install OpenSSL. One popular source is: http://sources.redhat.com/cygwin/. Nomadix used Cygwin version 1.3.2 for generating this section of the User’s Guide.
Installing Cygwin and OpenSSL on a PC
The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen:
Click on the Next button. The following screen appears:
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Select a location and click on the Next button.
For the purposes of this document, Nomadix used: ftp://planetmirror.com.
In the following screens, please skip all packages except “cygwin” and “openssl,” then click on the Next button when you are done.
Click on the Next button to start the “download” process. Wait for the download process to complete.
Click on the Next button to start the “install” process. Wait for the install process to complete. There will be a pop-up dialog to inform you that the installation process is completed.
At the pop-up dialog, click on the button.
Private Key Generation
Create a directory from Root and put 5 random files, a.dat, b.dat, c.dat, d.dat, and e.dat (see note), into the C:\cygwin\bin\ directory (or the directory where you installed openssl.exe).
These random files can be any file type, such as Word, Excel, etc. Change the files to .dat files (shown above).
openssl – “openssl” command.
genrsa – A parameter for “openssl” to generate an RSA key.
Rand – A parameter for “openssl” to generate a random number from the files list.
file1:file2…:file5 – These five large random files are residing on the workstation (large compressed log files recommended by VeriSign).
Here is the output of cakey.pem:
Create a Certificate Signing Request (CSR) File
Run the following command to generate the certificate signing request:
>openssl req -new -key cakey.pem > server.csr
The following table provides an explanation of the command elements:
openssl – “openssl” command
A parameter for creating a request
Defining a “new”...
Here is the output of server.csr:
Create a Public Key File (server.pem)
VeriSign Purchasing Process
The signing process varies by Certificate Authority. Generally, you will need to send a Certificate Signing Request to the Certificate Authority (CA) and the CA will create a public key based on the certificate request. This is the procedure to get a 40-bit encryption or 128-bit Public Key from VeriSign.
Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it is impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification.
CSR Submission to VeriSign
Please select “Apache Freeware” to submit the CSR to VeriSign. The Certificate Signing Request is in the server.csr file (created in the previous step). Open server.csr and copy and paste all data into the edit box. Select the purchase method and submit the required contact information.
The file, “server.pem” will look like this:
You have now finished the process of obtaining a public key.
Setting Up HSG for SSL Secure Login
FTP the “cakey.pem” and “server.pem” files into the HSG platform's flash directory.
FTP to the HSG by Netscape: ftp://username:password@[HSG Network IP]/flash.
Drag and drop the “cakey.pem” and “server.pem” files into the directory.
Change settings in the WMI.
Mirroring Billing Records
Multiple HSG units can send copies of credit card billing records to a number of external servers that have been previously defined by system administrators. The HSG assumes control of billing transmissions and saving billing records. By effectively “mirroring”...
XML Interface
XML for the External Server
The HSG sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built, as the billing “mirroring” information is sent to the external server in HTTP compliant XML format. Content-length has also been added to the HTTP post.
Page 316
The packet after the HTTP headers are added looks like this:
XML to HSG
The HSG uses USG commands for XML strings. The HSG accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the HSG product. In this case, the acknowledgement received from the External Server forms the command.
Format for each Field:
RESULT_VALUE: OK or ERROR
IP: Standard IP format (123.123.123.123)
ERROR_CODE1 for OK, or any other number
Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 312. For more information about Billing Records Mirroring, see also: “Establishing Billing Records “Mirroring”...
Troubleshooting
This chapter provides information to help you resolve common hardware and software problems. It also contains a list of known error messages associated with the Management Interface.
General Hints and Tips
Management Interface Error Messages
Common Problems
General Hints and Tips
The HSG is both a hardware device and a powerful software utility.
Management Interface Error Messages
The following table contains the error messages associated with the Management Interface (CLI and Web). All messages are listed alphabetically.
Error Message Cause AAA must be enabled before adding a You are attempting to add a subscriber subscriber to the profile database.
Page 321
Error Message: must FTP a valid boot image to the flash.
Cause: When upgrading the software, the system needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive.
Error Message: Warning: no DHCP services are available to subscribers.
Cause: This message is displayed because you
Common Problems
If you are having problems, you may find the answers here. An updated version of this list can be found at: http://www.nomadix.com/techsup.
Problem Possible Cause Solution When using the internal The internal AAA login Enable communications AAA login Web server, server communicates with Authorize.Net on port...
Page 323
Problem: When a subscriber logs in for the first time, their browser is not redirected to the specified home page.
Possible Cause: Home page redirection is not enabled in the HSG. Solution: Enable home page redirection.
Possible Cause: The home page URL was entered into the HSG... Solution: Re-enter the correct URL.
If you cannot resolve the problem with your documentation resources, try connecting to our corporate Web site. We may have new information posted here that addresses your issues. www.nomadix.com If you are still having problems, our friendly and experienced technical support team is always ready to assist you.
Contact Information You can contact us by Email, fax, telephone, or regular mail. Telephone ++1.818.575.2590 E-mail support@nomadix.com Address Nomadix, Inc. 1100 Business Center Circle, Suite 100 Newbury Park, CA 91320 USA Attn: Technical Support ++1818-597-1502
This Addendum provides information and procedures that will enable system administrators to configure and use the specific features introduced in the 1.3 Maintenance, 1.3 M+ and 1.4 releases for the Nomadix HotSpot Gateway (HSG). The features covered are 1.3M and 1.3M+ Features:...
Page 330
PPPoE Service Name
This is the Service-Name TAG. The maximum allowed length is 31 characters.
PPP Keep Alive Echo Request Interval in seconds
Setting this to 0 will disable echo requests from the NSE. The default value for this parameter is 30 seconds.
Maximum Missed Responses allowed
This is the number of echo-requests that can be allowed to go without a response before the NSE determines that the PPP link is down.
L2TP Tunneling
Define RADIUS Service Profiles
Please note: RADIUS service profiles are used to direct username access requests for both plain RADIUS users and users who supply realm/domain in their username. Certain RADIUS servers can only be set to interpret tunnel profiles in either prefix or suffix-mode, so a minimum of two RADIUS servers are required if both prefix and suffix-based usernames are to be handled.
Define Tunnel Profiles
Tunnel profiles can be defined when L2TP tunnel parameters are known and it is not necessary to send an access request to a RADIUS server to obtain those parameters or for accounting purposes. Create a tunnel profile for each L2TP tunnel whose parameters are known. The tunnel parameters that the profile contains are the IP address of the LNS and the tunnel password.
Define Realm Routing Policies
Realm routing policies are used to determine how supplied username/password input is used to authenticate users. Create a realm routing policy for each realm that will be handled. The realm routing policy will reference either a RADIUS service profile or a tunnel profile.
Page 335
See the next figure for a realm routing policy that handles suffix-based usernames using a tunnel profile. The differences in this example are that the realm name is “tcisp.com”, “Suffix match only” is enabled (the delimiter in this case is “@”), and a tunnel profile, “LNS-One”, is selected instead of a RADIUS service profile.
Page 336
As before, the username passed to the tunnel server will have realm information stripped since the checkbox for “Strip off routing information when sending to tunnel server” is checked. This checkbox may be unchecked if it is necessary for usernames to contain realm information for user authentication.
Configure RADIUS Client
The HSG RADIUS client must be set up for realm-based routing mode since realm information will be used by the HSG’s L2TP tunnel feature to determine how to handle usernames that contain realm information. See the next figure for an example of setting the routing mode to handle realm-based usernames.
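The realm routing decision described in the L2TP tunneling steps above, sketched as an added Python example (not Nomadix code): it resolves a username against prefix or suffix realm policies and applies the strip option. Only the “tcisp.com” / “@” / “LNS-One” policy comes from the manual; the `corp` prefix policy, its `/` delimiter, the other profile names, exact-match realm comparison and the fallback to a default RADIUS service profile are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RealmPolicy:
    realm: str           # realm name, e.g. "tcisp.com"
    mode: str            # "suffix" (user@realm) or "prefix" (realm/user)
    delimiter: str       # character separating user and realm
    profile_kind: str    # "tunnel" or "radius"
    profile: str         # tunnel profile or RADIUS service profile name
    strip_routing: bool  # "Strip off routing information ..." checkbox

# Constructed policy table. Only the first entry mirrors the manual's example;
# the prefix policy and the default profile are hypothetical.
POLICIES = [
    RealmPolicy("tcisp.com", "suffix", "@", "tunnel", "LNS-One", True),
    RealmPolicy("corp", "prefix", "/", "radius", "RADIUS-Corp", False),
]
DEFAULT = ("radius", "RADIUS-Default")

def split_realm(username, policy):
    """Return (user, realm) if the username carries a realm in the policy's
    position, else None. A suffix policy never matches a prefix realm."""
    if policy.mode == "suffix":
        user, sep, realm = username.rpartition(policy.delimiter)
    elif policy.mode == "prefix":
        realm, sep, user = username.partition(policy.delimiter)
    else:
        raise ValueError(f"unknown match mode: {policy.mode!r}")
    return (user, realm) if sep and user and realm else None

def route(username, policies=POLICIES):
    """Return (profile_kind, profile, username_to_forward)."""
    for policy in policies:
        parts = split_realm(username, policy)
        if parts is None or parts[1] != policy.realm:  # exact match (assumed)
            continue
        forwarded = parts[0] if policy.strip_routing else username
        return policy.profile_kind, policy.profile, forwarded
    # No realm matched: treat as a plain RADIUS user (assumed fallback).
    return DEFAULT[0], DEFAULT[1], username

if __name__ == "__main__":
    for name in ("alice@tcisp.com", "corp/bob", "carol", "tcisp.com/dave"):
        print(name, "->", route(name))
```

With stripping enabled the tunnel server receives only the bare user name, so any authentication rule on the LNS that depends on the realm needs the checkbox cleared.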
Local Syslog and Syslog Filters
These settings can be accessed under the Configuration/Logging menu.
Page 339
Log Filter Setting: The syslogs can be filtered at 7 levels as shown above. Setting the level to a number disables any syslogs above that filter setting. For example, setting the filter to 2:Critical generates only 0:Emergency, 1:Alert and 2:Critical level syslogs. All other syslogs are not generated.
Page 340
PageFaults are stored in the file named “lograw.txt” in the /flash directory and are not viewable on the web management interface.
10/100 Ethernet See Ethernet.
AAA (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing them to...
Page 342
ACK (ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet.
Adaptive Configuration Technology A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT.
ad-hoc mode 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP).
Page 343
(permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings. See also, DHCP.
Page 344
more bits in the pattern are damaged during transmission, the original data can be recovered due to the redundancy of the transmission.
DTIM (Delivery Traffic Indication Message) A message included in data packets that can increase wireless efficiency.
Dynamic IP Address A temporary IP address that is assigned by the DHCP server to a device.
Page 345
FHSS (Frequency Hopping Spread Spectrum) One of two types of spread spectrum radio—the other being Direct-Sequence Spread Spectrum (DSSS). FHSS is a transmission technology used in WLAN transmissions where the data signal is modulated with a narrowband carrier signal that "hops" in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies.
Page 346
(Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business exposure. See also, Home Page.
HTML (HyperText Markup Language) The programming language used to create hypertext documents for use on the Internet.
Page 347
Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless access to the broadband network. Subscribers no longer...
Page 348
SNMP agent with a properly defined MIB. See also, SNMP. Misconfigured User A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be “misconfigured.”...
Page 349
OSPF (Open Shortest Path First) This routing protocol was developed for IP networks based on the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information to all nodes on a network by calculating the shortest path to each node based on a topography of the Internet constructed by each node.
Page 350
PPTP (Point-to-Point Tunneling Protocol) Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum, PPTP is a new technology used for creating Virtual Private Networks (VPNs). Because the Internet is essentially an open network, PPTP is used to ensure that messages transmitted from one VPN node to another are secure.
Page 351
Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
Page 352
Static IP Address An IP address that is assigned to a computing device permanently (or until the user changes it manually), unlike a dynamic IP address which is assigned to a device temporarily by the DHCP server. See also, DHCP, IP Address Dynamic IP...
Page 353
Throughput The net data transfer rate between an information source and its destination, using the maximum packet size without loss. Throughput is expressed as Megabits per second (Mbps), defined by RFC1242, Section 3.17. See also, Forwarding Rate, Mbps, Packet, Packet Switching Network, pps, and RFC.
Page 354
TLS (Transport Layer Security) A protocol that guarantees privacy and data integrity between client/server applications communicating over the Internet. The TLS protocol is made up of two layers:
TLS Record Protocol Layered on top of a reliable transport protocol, such as TCP, it ensures that the connection is private by using symmetric data encryption and ensures that the connection is reliable.
Page 355
WLAN (Wireless Local Area Network) Also referred to as LAWN. A type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes. See also, Node.
WMI (Web Management Interface) The browser-based system administrator's interface for all Nomadix Gateways.
Page 356
Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source. XML commands are appended to a URL in the form of an encoded query string. Nomadix Gateways parse the query string, execute the commands specified by the string, and return data to the system that initiated the command request.