Page 2 AG 2100 AG 2100 Copyright © 2005 Nomadix, Inc. All Rights Reserved. This product also includes software developed by: The University of California, Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright ©...
Page 3 Disclaimer Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc.
Page 4 AG 2100 Notifications This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
Page 5 AG 2100 CAUTION WARNING Read the instruction manual prior to operation. Risk of electric shock; do not open; no user-serviceable parts inside. ATTENTION AVERTISSEMENT Lire le mode d’emploi avant utilisation. Risque de choc electrique; ne pas ouvrir; ne pas tenter de demontre l’appareil.
Page 6 AG 2100 This page intentionally left blank.
Page 7: Table Of Contents
Table of Contents Introduction ........................1 About this User’s Guide......................1 Organization..........................1 Why Choose Wireless? ......................2 Welcome to the Nomadix AG 2100..................3 Product Definitions......................3 Ensuring Compatibility....................... 3 Offering Speed and Efficiency .................... 4 Optimizing Performance..................... 4 Providing Effective Security ....................
Page 8 Network Architecture (Sample) ....................27 Product Specifications ......................28 Online Help (WebHelp) ......................31 Notes, Cautions, and Warnings ....................31 Chapter 1: Installing the AG 2100 ................33 Unpacking the AG 2100 ......................34 Installation Workflow......................35 Connecting the System ......................36 Installation Considerations ......................
Page 9 AG 2100 Resetting the AG 2100 ...................... 47 Resetting Administrative Login Name and Password ..........47 Resetting Settings to Factory Defaults ..............47 Warm Reboot ......................47 Other Cases ......................47 Functionality Summary..................... 48 Error Reporting ......................48 Changes to Existing Functionality ................49 Setting the SNMP Parameters (optional) .................
Page 10 AG 2100 Establishing Your Location {Location} ................. 104 Managing Log Options {Logging} ................. 106 Assigning Passthrough Addresses (Passthrough Addresses)......... 109 Setting Up Port Locations {Port-Location} ..............111 In Room Port Mapping ................... 114 Defining the RADIUS Client Settings {RADIUS Client}..........116 Miscellaneous Options ....................
Page 11 AG 2100 Importing Port-Location Assignments {Import}............. 161 Viewing the “location.txt” File ................162 Creating a “location.txt” File ................162 Displaying the Port-Location Mappings {List} .............. 163 Subscriber Administration Menu ..................164 Adding Subscriber Profiles {Add} .................. 164 Displaying Current Subscriber Connections {Current} ..........167 Deleting Subscriber Profiles by MAC Address {Delete by MAC}........
Page 12 Adding Static Ports {Static Port-mapping Add} ............225 Deleting Static Ports {Static Port-mapping Delete} ............227 Blocking a Subscriber Interface {Subscriber Interfaces} ..........228 Updating the AG 2100 Firmware {Upgrade} ..............228 Defining Wireless Configuration {Wireless Configuration}.......... 229 Virtual AP Setup...................... 231 Chapter 3: The Subscriber Interface................
Page 13 Private Key Generation ....................286 Create a Certificate Signing Request (CSR) File ............288 Create a Public Key File (server.pem) ................290 Setting Up AG 2100 for SSL Secure Login ..............294 Setting Up the Portal Page ..................... 294 Mirroring Billing Records..................... 295 Sending Billing Records....................
Page 14 AG 2100 This page intentionally left blank. viii Table of Contents...
Page 15: Introduction
Chapter 3 – The Subscriber Interface. This chapter provides an overview and sample scenario for the AG 2100’s subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system. Chapter 4 – Quick Reference Guide.
Page 16: Why Choose Wireless
AG 2100 Why Choose Wireless? Wireless Local Area Networks (WLANs) are cellular computer networks that transmit and receive data with radio signals instead of wires. Wireless LANs are used increasingly in both home and office environments, and public access locations such as airports, coffee shops and universities.
Page 17: Welcome To The Nomadix Ag 2100
Windows, and can be easily integrated into a large network. Nomadix AG 2100 By strictly adhering to IEEE standards, the AG 2100 allows users to securely access the data they want, when and where they want it, and enjoy the freedom that wireless networking delivers.
Page 18: Offering Speed And Efficiency
Internet. By offering transfer rates up to 54 Mbps, the AG 2100 enables large data packets to travel from the router to a remote desktop or roaming laptop PC at up to five times the speed of previous wireless devices.
Page 19: Enabling Flexible Deployment Options
All Nomadix Access Gateway products, including the AG 2100, are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The AG 2100 uses our NSE core software package with the option to purchase additional modules to expand product functionality.
Page 20: Key Features And Benefits
AG 2100 Key Features and Benefits The AG 2100 allows carriers to deploy Wi-Fi service into a wide range of large or small public access locations while keeping deployment costs low. Key features and benefits include: Transparent Connectivity Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider.
Page 21: Local Content And Services
The Portal Page feature intercepts the user’s browser settings and directs them to a Web site to securely sign up for service or log in if they have a pre-existing account. Nomadix offers both pre and post authentication redirects of the user’s browser providing maximum flexibility in branding for both the carrier and the HotSpot owner.
Page 22: Billing Enablement
The AG 2100 supports a variety of billing models to enable the deployment of profitable public access networks. The AG 2100 supports billing plans that use credit cards or scratch cards, or plans that enable monthly subscriptions, then facilitates billing by a host of different parameters including time, volume, IP address type, or bandwidth.
Page 23: Nse Core Functionality
AG 2100 NSE Core Functionality The Nomadix Service Engine (NSE) powers the Nomadix family of Access Gateways, and delivers a full range of features needed to successfully deploy Wi-Fi public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.
Page 24: Access Control
AG 2100 Secure Management Secure Socket Layer (SSL) Secure XML API Session Rate Limiting (SRL) Session Termination Redirect Smart Client Support SNMP Nomadix Private MIB Dual-Mode Authentication URL Filtering Virtual Access Points (VAPs) Walled Garden Web Management Interface Access Control For IP-based access control, the NSE incorporates a master access control list that checks the source (IP address) of administrator logins.
Page 25: Bandwidth Management
AG 2100 Bandwidth Management The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically on a per device (MAC address/User) basis, and manages WAN Link traffic to provide complete bandwidth management over the entire network. You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth.
Page 26: Command Line Interface
The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.
Page 27: External Web Server Mode
Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans. Recycle existing web page content for the centrally hosted portal page. If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See “Contact Information” on page 303.
Page 28: Inat
AG 2100 iNAT™ Nomadix invented intelligent Network Address Translation (iNAT™), a new way of intelligently supporting multiple VPN connections to the same termination at the same time, thus solving a key problem of many public access networks. Nomadix’ patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.
Page 29: Information And Control Console
AG 2100 Information and Control Console The Nomadix Information and Control Console (ICC) is an HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time”...
Page 30: Internal Web Server
AG 2100 Internal Web Server The NSE offers an embedded Internal Web Server (IWS) to deliver web pages stored in flash memory. These system administrator can configure these web pages by selecting various parameters to be displayed on the internal pages. When providers or HotSpot owners do not want to develop their own content, the IWS is the answer.
Page 31: Ip Upsell
“Information and Control Console” on page MAC Filtering MAC Filtering enhances Nomadix access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)”...
Page 32: Ntp Support
As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the portal page redirection logic to allow an External Web Server to perform a redirection based AG 2100 ID and IP Address Origin Server...
Page 33: Radius-Driven Auto Configuration
Optionally, the RADIUS authentication process and FTP download can be secured by sending traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also, “Secure Management” on...
Page 34: Radius Proxy
AG 2100 RADIUS Proxy The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively...
Page 35: Secure Management
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on...
Page 36: Secure Socket Layer (Ssl)
XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE, so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
Page 37: Session Rate Limiting (Srl)
Adjungo Networks, Boingo Wireless, GoRemote and iPass. SNMP Nomadix Private MIB Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock). To take advantage of the functionality provided with Nomadix’ private Management Information Base (MIB), simply import the nomadix.mib file from the Accessories CD...
Page 38: Dual-Mode Authentication
For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients.
Page 39: Walled Garden
“Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing. Web Management Interface Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)”...
Page 40: Optional Nse Modules
The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network which can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
Page 41: Network Architecture (Sample)
AG 2100 Network Architecture (Sample) The AG 2100 is an ideal solution for single- or dual-cell public access environments. Introduction...
Page 42: Product Specifications
Specifications UBLIC CCESS User Support: AG 2100 supports a total of 100 wired and wireless users. Nomadix recommends a maximum of 50 wireless concurrent users. Dynamic Address Translation (DAT) Home Page Redirection (Pre and Post Authentication) iNAT (for seamless VPN connectivity)
Page 43 AG 2100 Specifications ETWORKING IEEE 802.3 / 3u IEEE 802.1d PoE per IEEE 802.3af DHCP Server DHCP Relay DHCP Client RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2) PPPoE Client ECURITY 64-bit/128-bit WEP with dynamic keying iNAT MAC Address Filtering and Session Limiting...
Page 44 CE Mark CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17 VCCI Class B, Telec UL 1950, CSA22.2 No 950, TÜV/GS(EN60950) For further information on the certifications for the AG 2100 product, visit www.nomadix.com/downloads. OMPATIBILITY Communicates with all Wi-Fi certified wireless adapters HYSICAL 9.25(L) x 6.25(W) x 1.5(H) inches...
Page 45: Online Help (Webhelp)
WebHelp is best viewed using Internet Explorer, version 4.0 or higher. WebHelp is useful when you have an Internet connection to the AG 2100 and you want to access information quickly and efficiently. It contains all the information found in this User’s Guide.
Page 46 AG 2100 This page intentionally left blank. Introduction...
Page 47: Chapter 1: Installing The Ag 2100
Installing the AG 2100 This chapter provides installation instructions for the hardware and software components of the AG 2100. It also includes an overview of the management interface, some helpful hints for system administrators, and procedures for the following tasks:...
Page 48: Unpacking The Ag 2100
AG 2100 Unpacking the AG 2100 When you unpack the AG 2100, you will find the following items in the carton: Item PoE power entry module Power supply Power supply AC cord Plastic anchor Wall mounting screws Rubber feet Protective cardboard ends...
Page 49: Installation Workflow
Review this flowchart before attempting to install the AG 2100 on the customer’s network. Place the AG 2100 on a flat and stable work surface and connect the power cord. Connect the AG 2100 to a “live” network. Start a Telnet session to communicate with the AG 2100 via the product’s IP address (172.30.30.172) or its default DHCP address.
Page 50: Connecting The System
(via adapter) to Router or Switch (see note) A straight-through cable is required when connecting the AG 2100 to a Router or Switch. A cross-over cable is required when connecting the AG 2100 directly to an Ethernet adapter on a computer.
Page 51: Installation Considerations
AG 2100 Installation Considerations Designed with an indoor range of up to 328 feet (100 meters), the AG 2100 wireless gateway allows you to access your network using a wireless connection from virtually anywhere. However, the number, thickness and location of walls, ceilings or other objects that the wireless signals must pass through may limit the range.
Page 52: Logging In To The Command Line Interface
Start a Telnet session to communicate with the AG 2100 via the product’s management IP address (172.30.30.172) or its default DHCP address. When connected to the AG 2100, a login prompt appears on your screen. The default login user name is “admin.” The password is “admin.” Login names and passwords are case- sensitive.
Page 53: The Management Interfaces (Cli And Web)
AG 2100 The Management Interfaces (CLI and Web) The AG 2100 supports various methods for managing the system remotely. These include an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. However, until the unit is installed and running, system management is performed from the product’s embedded Command Line Interface...
Page 54: Making Menu Selections And Inputting Data With The Cli
Enter. The system does not accept data or commands until you hit Enter. Menu Organization (Web Management Interface) When you have successfully installed and configured the AG 2100 from the CLI, you can then access the AG 2100 from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI.
Page 55 AG 2100 Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages. Installing the AG 2100...
Page 56: Inputting Data - Maximum Character Lengths
Location settings (all fields) Partner Image File Name Password (adding subscriber profiles) Port Description (finding ports by description) Redirection Frequency (in minutes) 2,147,483,647 (recommend 3600) Reservation Number Username (adding subscriber profiles) Valid SSL Certificate DNS Name Installing the AG 2100...
Page 57: Online Documentation And Help
Help system Other online documentation resources, available from our corporate Web site (www.nomadix.com), include a full PDF version of this User’s Guide (viewable with Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases. The PDF version of this User’s Guide and associated README files are also available on the “Accessories”...
Page 58: Establishing The Start Up Configuration
Web Management Interface, an SNMP client manager of your choice, or a simple Telnet interface. The start up configuration must be established before connecting the AG 2100 to a customer’s network. The start up configuration settings include: Assigning Login User Names and Passwords - You must assign a unique login user name and password that enables you to administer and manage the AG 2100 securely.
Page 59 Assigning the Subnet Mask – The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG 2100 is located. Assigning the Default Gateway IP Address – This is the IP address of the router that the AG 2100 uses to transmit data to the Internet.
Page 60: Assigning Login User Names And Passwords
(Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the AG 2100 at any one time (the default setting for this feature is disabled).
Page 61: Resetting The Ag 2100
Performs a warm reboot. Resetting Settings to Factory Defaults The AG 2100 resets the current settings to factory defaults when the reset button is clicked five times in a two second window. When the trigger for this event is detected the device will: Rename the existing current.txt to current.bak (an existing current.bak is discarded if...
Page 62: Functionality Summary
Reset switch: reboot requested 2 click(s) INFO Reset switch: administrative login/password reset requested WARNING Reset switch: incorrect input, 4 clicks INFO Reset switch: factory reset requested 6 or more WARNING Reset switch: incorrect input, N clicks Installing the AG 2100...
Page 63: Changes To Existing Functionality
Setting the SNMP Parameters (optional) You can address the AG 2100 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers.
Page 64 AG 2100 If you enabled the SNMP daemon, you must reboot the system for your changes to take effect. In this case, enter y (yes) to reboot your AG 2100. Sample Screen Response: Configuration>sn Enable the SNMP Daemon? [Yes]: Enter new system contact: newname@domainname.com...
Page 65: Enabling The Logging Options (Recommended)
IP addresses. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 2100 to the specified server. Enter log (logging) at the Configuration menu. The system displays the current logging status (enabled or disabled).
Page 66 Enter Tracking number (0-7) [0]: Enter Tracking server IP [0.0.0.0]: 9.10.11.12 Enable/disable Tracking log save to file [disabled]: enable System log Enabled System log number System log filter System log server IP 8.9.10.11 System log Save to file Disabled Installing the AG 2100...
Page 67 System Report log Enabled System Report log number System Report log server IP 8.9.10.11 System Report log Save to file Disabled Tracking logging Enabled Tracking log number Tracking log server IP 8.9.10.11 Tracking log Save to file Disabled Installing the AG 2100...
Page 68: Assigning The Location Information And Ip Addresses
The system now displays the current network interface IP address and prompts you for a valid address. The network interface IP address is the public IP address that allows administrators to see the AG 2100 on the network. Use this address when you need to make a network connection with the AG 2100.
Page 69 24. Lab / Test 25. Other Please enter a number from the above list [ 1]: Select Network Interface Configuration Mode: 0 - Static 1 - DHCP Client 2 - PPPoE Client Select the Network Interface Configuration Mode: [0]: Installing the AG 2100...
Page 70 The system must be reset to function properly. Reboot? [yes/no]: y Your new settings are displayed and the AG 2100 reboots. When the system restarts, the Telnet interface is enabled (based on your new configuration settings which are saved to the AG 2100’s on-board flash memory).
Page 71: Establishing The Basic Configuration For Subscribers
AG 2100, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 2100 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
Page 72 Wenn einen DHCP Relay agent einen IP Adresse fuer die DHCP Relay einrichtet, machen sie sicher dass die benutzte IP Adresse nicht Konfliktieren mit Geraete an der Netzwerk Seite des AG 2100. Although you cannot enable the DHCP relay and the DHCP service at the same time, you can disable both functions from the Command Line Interface.
Page 73: Setting The Dns Options
“nomadix”). Enter a valid domain name (the Internet domain that DNS requests will utilize). Enter the host name (the DNS name of the AG 2100). The host name must not contain any spaces. After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2).
Page 74: Archiving Your Configuration Settings
IP addresses automatically. Archiving Your Configuration Settings Once you install your AG 2100 and establish the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, you can restore your archived settings at any time.
Page 75: Installing The Nomadix Private Mib
SNMP objects on your AG 2100. Procedure Import the nomadix.mib file into your SNMP client manager. Connect to the AG 2100 from a node on the network that is accessible via the AG 2100’s Daemon network port. Be sure to enable the SNMP on the AG 2100 (available on the CLI or Web Management Interface, under the Configuration menu –...
Page 76 AG 2100 This page intentionally left blank. Installing the AG 2100...
Page 77: Chapter 2: System Administration
2.4 GHz frequency range. Before you can use your AG 2100 in a wireless environment, you must configure the unit for wireless connectivity. To configure the AG 2100 using the product’s embedded Web Management Interface, go to “Defining Wireless Configuration {Wireless Configuration}”...
Page 78: Choosing A Remote Connection
Command Line Interface (CLI). To use any of the remote connections (Web, SNMP, or Telnet), the network interface IP address for the AG 2100 must be established (you did this during the installation process). Using the Web Management Interface (WMI) - Provides a powerful and flexible web interface for network administrators.
Page 79: Using An Snmp Manager
The following example shows a (partial) SNMP screen response. Using a Telnet Client You can use many Telnet clients to connect with the AG 2100. Using Telnet provides a simple terminal emulation that lets you see and interact with the AG 2100’s Command Line Interface.
Page 80: Using The Web Management Interface (Wmi)
The Web Management Interface (WMI) is a graphical version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the AG 2100 and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
Page 81: Logging In
AG 2100 Logging In To access the AG 2100’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to “Assigning Login User Names and Passwords” on page 46). User names and passwords are case-sensitive.
Page 82 AG 2100 System Administration...
Page 83 AG 2100 to accept and process XML commands from an external source. XML commands are sent over the network to the AG 2100. The AG 2100 parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
Page 84 AAA Passthrough Port System administrators can set the AG 2100 to passthrough HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a search engine or news site) has been requested, the subscriber is then redirected as usual.
Page 85: Enabling Aaa Services With The Internal Web Server
AG 2100 instantly recognizes new subscribers on the network. You can configure the AG 2100 to handle new subscribers in various ways (see the table on this page). With the IWS, you also have the option of enabling SSL support (if your license includes the SSL support feature and you have the certificate files server.pem, cakey.pem,...
Page 86 AG 2100 You must reboot the AG 2100 every time you enable or disable SSL Support. If you want to designate a portal page, you must enable the Portal Page , otherwise leave this feature disabled. The Portal Page IP or DNS address are added to the IP passthrough list...
Page 87 Relogin After Timeout You can now enable or disable the Credit Card Service. When enabled, subscribers are prompted for their credit card information for billing purposes. The AG 2100 is configured to use either Authorize.net or Chainfusion (selected from a pull-down menu).
Page 88 AG 2100 Enter the information for the following fields: Credit Card Server URL Credit Card Server IP Merchant ID (a valid ID issued by the credit card reconciliation service provider – Authorize.net or Chainfusion). Enable or disable the SIM Compliant feature, as required. With this feature enabled, you can change the transaction key at your discretion.
Page 89: Enabling Aaa Services With An External Web Server
After enabling the External Web Server you must enter a Secret Key. The Secret Key ensures that the response the AG 2100 gets from the EWS is valid. (The AG 2100 and the external authorization server must use the same Secret Key.) DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the product’s configuration screens (for example, the...
Page 90: Establishing Secure Administration {Access Control
Logins are permitted only to interfaces that have not been blocked, and only if a match is made with the master Source IP list on the AG 2100. If a match is not made with the Source IP list, the login is denied, even if a correct login name and password are supplied.
Page 91 Ohne SNMP einstellungen koennen Sie besser nicht alle interfaces blokkieren. Dass festsetzen blokkierung aller Interfaces und dass freigeben (disabling) SNMP wird es keinen zugang geben zur AG 2100 Administration. Fuer Support bitte nehmen Sie Kontakt auf mit Nomadix “Appendix A: Technical Support”...
Page 92 System, dann muessen die Access Kontrolle moeglichkeit der Command Line Interface (CLI) blokkiert (disabled) werden. Oder Sie koennen die moegliche IP Adressen zum acces management interface aendern. Wenn moeglich nehmne Sie Kontakt auf mit Nomadix “Appendix A: Technical Support” on page 303 fuer Auskuenfte.
Page 93: Defining Automatic Configuration Settings {Auto Configuration
AG 2100 Defining Automatic Configuration Settings {Auto Configuration} The AG 2100 lets you define parameters to enable automatic configuration of the system. See also: “RADIUS-Driven Auto Configuration” on page From the Web Management Interface, click , then Configuration Auto Configuration.
Page 94: Enabling Auto Configuration
Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status) are downloaded from an FTP server into the flash of the Nomadix device.
Page 95 Administrative Steps to Enable Auto-Config for the NOC Administrator Add NAS IP address. Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server. Create a RADIUS profile with the configuration VSA. Create an FTP server with the configuration files.
Page 96 AG 2100 The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto Configuration option and rebooting the device (for example, using SNMP). See also, “Defining Automatic Configuration Settings {Auto Configuration}”...
Page 97: Setting Up Bandwidth Management {Bandwidth Management
AG 2100 Setting Up Bandwidth Management {Bandwidth Management} The AG 2100 allows system administrators to manage bandwidth for subscribers, defined in Kbps (Kilobits per seconds) for both upstream and downstream data transmissions. With the “Information and Control Console (ICC)” on page 250...
Page 98: Establishing Billing Records "Mirroring" {Bill Record Mirroring
Your product license may not support this feature. The AG 2100 can send copies of credit card transaction billing records to external servers that have been previously defined by system administrators. The AG 2100 assumes control of billing transmissions and saving billing records.
Page 99 Primary IP Secret Key Port The AG 2100 and the “mirror” servers must use the same secret key. Die AG 2100 und die "mirror" server muessen die gleichen Geheimnis Schluessel (password) benutzten. Repeat Step 4 for the secondary server (if any) and all carbon copy servers.
Page 100: Managing The Dhcp Service Options {Dhcp
AG 2100, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 2100 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
Page 101 IP pools from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses that are on the same subnet as the AG 2100. You must disable the DHCP server before enabling the DHCP relay. Both features cannot be enabled concurrently.
Page 102 AG 2100 Enter a valid address for the DHCP server. DHCP Server IP Enter the DHCP Server Netmask Enter the starting and ending IP addresses for the DHCP address pool you want to use: DHCP Pool Start IP DHCP Pool Stop IP...
Page 103 Reset When the system restarts, DHCP is enabled and configured. The existing lease pool and lease table are deleted and the AG 2100 reboots. The AG 2100 can issue IP addresses to any DHCP enabled subscriber who enters the network.
Page 104: Managing The Dns Options {Dns
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The AG 2100 utilizes whichever server is currently available.
Page 105 AG 2100 Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent). Servers include: Primary DNS Server Secondary DNS Server Tertiary DNS Sever The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
Page 106: Configuring Dynamic Dns {Dynamic Dns
AG 2100 Configuring Dynamic DNS {Dynamic DNS} These settings can be accessed under the following menus: WMI Configuration Go to Configuration->Dynamic DNS CLI Configuration Go to Configuration->dyndns Go to Configuration->dyndns->configure for configurations SNMP Configuration Go to ag->dyndns (enterprises.3309.1.3.50) for DDNS configuration branch...
Page 107 AG 2100 Enable Checkbox This is the checkbox to enable or disable the Dynamic DNS functionality Provider Information This is to specify provider details. Currently only dyndns.org is supported. Protocol the vendor supports. Server and Port to which the client sends updates to the DDNS server.
Page 108: Gre Tunneling {Gre Tunneling
AG 2100 GRE Tunneling {Gre Tunneling} Use the following procedure to set the GRE Tunneling options. From the Web Management Interface, click , then Configuration Gre Tuneling The GRE Tuneling screen appears: Click the checkbox for GRE Tunneling to enable this feature.
Page 109: Setting Home Page Redirection Options {Home Page Redirect
Parameter Passing . Parameter passing allows the AG 2100 to track a subscriber’s initial web request (usually the subscriber’s home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.
Page 110: Enabling Intelligent Address Translation (Inat™)
Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT™ engine performs a defined mode of network address translation based on packet type and protocol (for example, GRE, IKE etc…).
Page 111 AG 2100 Configure the iNAT Address Pool. To add or remove an IP address (or range of IP addresses) to or from the list, enter the starting IP address in the field. If you iNAT Start IP are adding or removing a range of IP addresses to the iNAT list, you must now enter the ending IP address in the field.
Page 112: Defining Ipsec Tunnel Settings {Ipsec
AG 2100 Defining IPSec Tunnel Settings {IPSec} From the Web Management Interface, click on Configuration, then IPSec (You can also access IPSec from the CLI by going to Configuration->IPSec to configure settings, and Network Info->IPSec to view IPSec Tunnel status.)
Page 113: Ipsec Tunnel Peers
AG 2100 Click on Add button in the Peers and Security Policy (SP) tables to add an entry. Peer IP addresses in Peers and SP tables are links to the configured policies. IPSec Tunnel Peers System Administration...
Page 114 AG 2100 Tunnel Peer IP address of peer Peer Authentication Method Choice of Pre-shared key or X.509 certificates Enter the Pre-shared Key in the Shared Key text field if Pre-shared Key is selected Enter the filename of the private and public certificates if X.509 is selected. Note: files must exist on flash first.
Page 115: Ipsec Tunnel Security Policies
AG 2100 IPSec Tunnel Security Policies System Administration...
Page 116 AG 2100 Tunnel Peer Address Select a Peer IP Address from the pull-down menu with which this security association is to be established. Must select a Peer if the policy is using ESP or AH. Able to select ‘none’ only if policy is a discard or bypass policy...
Page 117 AG 2100 Security Parameters Choice of Discard, Bypass, ESP, or AH. Discard/Bypass => a select direction type ESP only => select all acceptable encryption algorithms ESP/AH => select all acceptable authentication algorithms Perfect Forward Secrecy Strength Maximum Lifetime Maximum Life size...
Page 118: Establishing Your Location {Location
AG 2100 Establishing Your Location {Location} This command sets up your location and the corresponding IP addresses for the network interface, subnet, and default gateway. You must provide your full location information. From the Web Management Interface, click , then...
Page 119 You may lose your connection if you change the IP settings incorrectly (using invalid IP addresses). If you misconfigure the AG 2100 and network connectivity is lost, you can still access the AG 2100 from the Admin IP address (172.30.30.172).
Page 120: Managing Log Options {Logging
Default Gateway field. The default gateway is the IP address of the router that the AG 2100 uses to transmit data to the Internet. When finished, you must reboot the system for the new settings to take effect. Click the...
Page 121 AG 2100 From the Web Management Interface, click Configuration , then Logging. The Log Settings screen appears: System Administration...
Page 122 System Log logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 2100 to the specified SYSLOG server. Enter a unique number (between 0 and 7) in the field. This ID System Log Number number is assigned to the System Log Server.
Page 123: Assigning Passthrough Addresses (Passthrough Addresses)
AG 2100 Assigning Passthrough Addresses (Passthrough Addresses) The AG 2100 allows up to 52 IP passthrough addresses and DNS names. This feature allows users to “pass through” the AG 2100 and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though users may not have subscribed to the broadband Internet service.
Page 124 IP address or DNS name of the passthrough you want IP/DNS Name to add or remove from the system. The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information. If adding this passthrough, click...
Page 125: Setting Up Port Locations {Port-Location
AG 2100 Setting Up Port Locations {Port-Location} Port-Location allows you to establish the mode of operation for devices. From the Web Management Interface, click on , then Configuration Port-Location. Port-Location Settings screen appears: System Administration...
Page 126 If you enabled In Room Port Mapping, you must assign a . You Username Password will need these when you perform port mapping from the subscriber side of the AG 2100. Go to “In Room Port Mapping” on page 114 to map rooms from the subscriber side of the AG 2100.
Page 127 AG 2100 These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. You must enter the IP address (not name), SNMP community, and SNMP query duration (maximum time it takes to detect subscriber migration) of all access concentrators connected to the site.
Page 128: In Room Port Mapping
This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled. AG 2100 multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems.
Page 129 AG 2100 Enter your user name and password, then click on the button. The In Room Port Mapping screen appears: Enter the room number and a description for this room. Select the access mode you want to assign to this room:...
Page 130: Defining The Radius Client Settings {Radius Client
AG 2100 Defining the RADIUS Client Settings {RADIUS Client} The AG 2100 supports Remote Authentication Dial-In User Service (RADIUS). RADIUS is an authentication and accounting system used by many Internet Service Providers. The “Usernames” function must be enabled for a RADIUS login. See also, “Defining the AAA Services {AAA}”...
Page 131 AG 2100 For additional RADIUS information, see also: “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on page 122. “RADIUS Attributes” on page 271. From the Web Management Interface, click on Configuration , then RADIUS Client. RADIUS Client Settings screen appears:...
Page 132: Miscellaneous Options
Default User Idle Timeout before the subscriber’s session times out and they must login again. The AG 2100 can reauthenticate “repeat” subscribers who return to the system within 720 hours. To enable this feature, click on the check box for...
Page 133: Defining The Radius Proxy Settings {Radius Proxy
AG 2100 Defining the RADIUS Proxy Settings {RADIUS Proxy} A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers.
Page 134: Adding An Upstream Radius Nas
Adding an Upstream RADIUS NAS If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the AG 2100)., click on the button. The Add Upstream RADIUS NAS screen appears: To make this entry the “active”...
Page 135 AG 2100 Click on the button to add this Upstream RADIUS NAS definition, then click on the link to return to the RADIUS Proxy Settings Back to Main RADIUS Proxy Settings page screen. The Upstream RADIUS NAS definition you just added appears in the list. You can add up to 10 definitions.
Page 136: Defining The Realm-Based Routing Settings {Realm-Based Routing
AG 2100 Defining the Realm-Based Routing Settings {Realm-Based Routing} Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies (up to 50). For additional RADIUS information, see also: “Defining the RADIUS Client Settings {RADIUS Client}” on page 116 “Defining the RADIUS Proxy Settings {RADIUS Proxy}”...
Page 137: Adding A Radius Service Profile
AG 2100 Adding a RADIUS Service Profile To add a RADIUS Service Profile, click on the appropriate button. The Add RADIUS Service Profile screen appears: Enter a name of your choice for this service profile in the field. Unique Name...
Page 138 The secret key is a valuable and necessary security measure. The AG 2100 and the RADIUS servers must use the same secret key. Die AG 2100 und der RADIUS Server muessen die gleiche Geheimen Schlues- sel (key) benutzten.
Page 139: Adding A Realm Routing Policy
AG 2100 Retransmission Options This category requires you to define the data retransmission method (failover or round-robin), the retransmission frequency, and how many retransmissions the system should attempt. Select the Retransmission Method (Failover or Round Robin). Enter a value for the time (in seconds) in the Retransmission Frequency field.
Page 140 AG 2100 The Add Realm Routing Policy screen appears: To make this entry the “active” entry, click on the Entry Active check box. To define a specific realm, choose the option and enter the destination in Specific Realm field. Alternatively, you can choose the...
Page 141 AG 2100 The Realm Routing Policy you just created is added to the list. Your new RADIUS Service Profiles are added to this list Your new Realm Routing Policies are added to this list System Administration...
Page 142: Managing Smtp Redirection {Smtp
Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the AG 2100 redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving E-mail is as easy as it’s always been.
Page 143: Managing The Snmp Communities {Snmp
AG 2100 Managing the SNMP Communities {SNMP} You can address the AG 2100 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
Page 144 Submit button if you want to reset all the values to their previous state. Reset You can now use your SNMP client to manage the AG 2100 via the Internet. System Administration...
Page 145: Enabling Dynamic Multiple Subnet Support (Subnets)
AG 2100 Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks. For example: Establish a maximum of 15 different DHCP pools for routable IP addresses at the same time.
Page 146 (Public Subnets Settings). To edit the Current Public DHCP Subnets table, go to “Managing the DHCP Service Options {DHCP}” on page For additional information about the multiple subnet feature, go to “Contact Information” on page 303 for Nomadix Technical Support. System Administration...
Page 147: Displaying Your Configuration Settings {Summary
AG 2100 Displaying Your Configuration Settings {Summary} You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on Configuration then click on Summary. The Summary of Configuration Settings screen appears (partial screen shown here): More listings ...
Page 148: Setting The System Date And Time {Time
The AG 2100 establishes its time relative to UTC (Universal Coordinated Time, based on the ISO 8601 standard). UTC is used in conjunction with RADIUS servers (for example, if the RADIUS server is setup for a time zone that is different from the AG 2100). Enter UTC offset values for...
Page 149: Setting Up Url Filtering {Url Filtering
AG 2100 Setting Up URL Filtering {URL Filtering} The AG 2100 can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods: Host IP address (for example, 1.2.3.4)
Page 150: Enabling Secure Management {Vpn Tunnel
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side...
Page 151 This procedure allows system administrators to establish the peer-to-peer IPSec connection. Basic IPSec parameters must be entered by the system administrator to successfully establish the VPN session. We recommend that you create different private subnets behind the VPN termination device and the AG 2100. System Administration...
Page 152: Network Info Menu
AG 2100 Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address.
Page 153: Displaying Dat Sessions {Dat
AG 2100 Displaying DAT Sessions {DAT} The AG 2100 provides “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. Dynamic Address Translation (DAT) allows all users to obtain network access, regardless of their computer’s network settings.
Page 154: Displaying The Host Table {Hosts
AG 2100 Displaying the Host Table {Hosts} You can display a table which lists the hosts that are currently configured. This table includes the assigned host names, their corresponding IP addresses, and any aliases that may be assigned to each host. Hosts provide services to other computers that are linked to it by a network.
Page 155: Displaying Icmp Statistics {Icmp
AG 2100 Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requestors. These statistics are presented as a listing which details the current status of each ICMP transmission element.
Page 156: Displaying The Network Interfaces {Interfaces
AG 2100 Displaying the Network Interfaces {Interfaces} You can display the network interfaces which are presented as a detailed listing of all interface communication elements and their current status. To view the Network Interfaces, go to the Web Management Interface, click on...
Page 157: Displaying The Ip Statistics {Ip
AG 2100 Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination, even though different packets may “pass through”...
Page 158: Displaying The Routing Tables {Routing
AG 2100 Displaying the Routing Tables {Routing} You can display the current Routing Tables, including any dynamically generated routes, unreachable routes, or wildcard routes. To view the Routing Tables, go to the Web Management Interface, click on , then Network Info click on Routing.
Page 159: Displaying The Active Ip Connections {Sockets
AG 2100 Displaying the Active IP Connections {Sockets} You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections. To view the Socket Table, go to the Web Management Interface, click on , then...
Page 160: Displaying The Static Port Mapping Table {Static Port-Mapping
AG 2100 Displaying the Static Port Mapping Table {Static Port-Mapping} You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port-Mapping Table, go to the Web Management Interface, click on...
Page 161: Displaying Tcp Statistics {Tcp
AG 2100 Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks.
Page 162: Displaying Udp Statistics {Udp
AG 2100 Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol which adds a level of reliability and multiplexing to the Internet Protocol (IP).
Page 163: Port-Location Menu
AG 2100 Port-Location Menu The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, L2TP Tunneling) and the billing plans available on each port can now be individually configured. This ability allows for having different billing methods and billing plans on different ports of the NSE.
Page 164: Adding And Updating Port-Location Assignments {Add
There may even be multiple ports assigned to a single room or location. The AG 2100 uses a port-location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.
Page 165 Choose Enable PMS Billing if you want PMS based room billing to be enabled on this port. (The AG 2100 series does not support PMS billing and this option will not show.) Choose Enable Credit Card Billing if you want Credit Card based billing to be enabled on this port.
Page 166 AG 2100 Tunneling for a port is enabled only if Tunneling is globally enabled AND the per- port enable Tunneling parameter is set. Click on the button to save your changes (the message: Entry added or updated in appears), or click on the...
Page 167: Updating A Port-Location Assignment
AG 2100 Updating a Port-Location Assignment The procedure for updating a port-location assignment is similar to adding a port-location assignment. The difference between the two procedures is how they are presented to you. For example, if you already have port-locations assigned and you enter an existing “port” value, each data field that you go through (port, location, state, and description) displays the value currently assigned to the field.
Page 168: Deleting All Port-Location Assignments {Delete All
AG 2100 Deleting All Port-Location Assignments {Delete All} This procedure shows you how to delete all port-location assignments. The AG 2100 displays a warning and prompts you to confirm this action before deleting all the port-locations currently assigned in the system.
Page 169: Deleting Port-Location Assignments By Location {Delete By Location
This procedure shows you how to delete a port-location assignment, based on its location. The AG 2100 prompts you to confirm this action before deleting the requested port-location. If you have updated a port-location assignment, you may want to change its description to distinguish from the old assignment.
Page 170: Deleting Port-Location Assignments By Port {Delete By Port
AG 2100 Deleting Port-Location Assignments by Port {Delete by Port} This procedure shows you how to delete a port-location assignment, based on its port. The AG 2100 prompts you to confirm this action before deleting the requested port-location. If you are unsure which port-locations are currently mapped to the system, you can view a list at “Displaying the Port-Location Mappings {List}”...
Page 171: Exporting Port-Location Assignments {Export
“location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the AG 2100’s flash memory). Exporting your current port-location assignments to the AG 2100’s flash memory will overwrite the existing location.txt file. From the Web Management Interface, click on...
Page 172: Finding Port-Location Assignments By Description {Find By Description
AG 2100 Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their location or port.
Page 173: Finding Port-Location Assignments By Location {Find By Location
AG 2100 Finding Port-Location Assignments by Location {Find by Location} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or port.
Page 174: Finding Port-Location Assignments By Port {Find By Port
AG 2100 Finding Port-Location Assignments by Port {Find by Port} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or location.
Page 175: Importing Port-Location Assignments {Import
Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the AG 2100’s flash memory). If you have never exported port-location assignments (since installing the AG 2100 at this site), the location.txt is empty.
Page 176: Viewing The "Location.txt" File
You can click on the “View location.txt” link if you want to view the current contents of the file. Creating a “location.txt” File You can create your own “location.txt” file and upload the file to the AG 2100’s flash memory at [IP address]/flash/location.txt. Use the following format when creating the file: “1”,1,00:00:00:00:00:00,0.0.0.0,0, “Room 101”...
Page 177: Displaying The Port-Location Mappings {List
AG 2100 Displaying the Port-Location Mappings {List} You can display a listing of all port-locations assigned to this system. To view the listing of port-location assignments, go to the Web Management Interface, click on Network Info , then click on List.
Page 178: Subscriber Administration Menu
Subscriber Administration Menu Adding Subscriber Profiles {Add} AAA Services must be enabled before you can add a subscriber profile into the AG 2100’s internal authorization database. Refer to, “Defining the AAA Services {AAA}” on page This procedure shows you how to add subscriber profiles into a table of authorized users. Use this procedure when the credit card service option is disabled and the solution provider wants to limit access to pre-qualified users only.
Page 179 Public Private (only used when the IP Upsell feature is enabled, otherwise leave this set to “private”). Leave the check box unchecked (not required with the AG 2100). Proxy Arp For Device Leave the field blank. 802.1Q Device Port Enter a valid for the subscriber.
Page 180 AG 2100 In the field, enter a user name for this subscriber. If you entered a MAC address Username and you do not want to assign a user name, skip Step 9 (password). User names and passwords are case-sensitive. Having a user name and password...
Page 181: Displaying Current Subscriber Connections {Current
AG 2100 Displaying Current Subscriber Connections {Current} You can display a listing of all the subscribers currently connected to the system. The list includes the MAC addresses of the subscribers, their active state, the individual expiration times, port numbers (if assigned), and the number of bytes that have been passed from the subscriber to the Internet.
Page 182: Deleting Subscriber Profiles By Mac Address {Delete By Mac
AG 2100 Deleting Subscriber Profiles by MAC Address {Delete by MAC} This procedure shows you how to delete a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s MAC address. To see a current listing of the subscriber database, sorted by MAC addresses, go “Listing Subscriber Profiles by MAC Address {List by MAC}”...
Page 183: Deleting Subscriber Profiles By User Name {Delete By User
AG 2100 Deleting Subscriber Profiles by User Name {Delete by User} This procedure shows you how to delete a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s user name. To see a current listing of the subscriber database, sorted by user name, go to “Listing Subscriber Profiles by User Name {List by User}”...
Page 184: Displaying The Currently Allocated Dhcp Leases {Dhcp Leases
, then click on Subscriber Administration DHCP Leases. To utilize this feature, your AG 2100 must be set to act as its own DHCP Server. The DHCP function cannot be set to DHCP Relay. Refer to “Managing the DHCP Service Options {DHCP}” on page...
Page 185: Deleting All Expired Subscriber Profiles {Expired
AG 2100 Deleting All Expired Subscriber Profiles {Expired} This procedure shows you how to delete all expired subscriber profiles from the AG 2100’s database of authorized subscribers. Use this procedure when you want to “clean up” the subscriber database. From the Web Management Interface, click on...
Page 186: Finding Subscriber Profiles By Mac Address {Find By Mac
AG 2100 Finding Subscriber Profiles by MAC Address {Find by MAC} This procedure shows you how to find a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s MAC address. Use this procedure when you want to see the statistics corresponding to the MAC address.
Page 187: Finding Subscriber Profiles By User Name {Find By User
Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s user name. Use this procedure when you want to see the statistics corresponding to the user name.
Page 188: Listing Subscriber Profiles By Mac Address {List By Mac
AG 2100 Listing Subscriber Profiles by MAC Address {List by MAC} You can display the currently active database of authorized subscribers, based on MAC addresses. To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click...
Page 189: Listing Subscriber Profiles By User Name {List By User
AG 2100 Listing Subscriber Profiles by User Name {List by User} You can display the currently active database of authorized subscribers, based on user names. You can display the currently active database of authorized subscribers, based on their user names.
Page 190: Viewing Radius Proxy Accounting History {Radius Session History
AG 2100 Viewing RADIUS Proxy Accounting History {RADIUS Session History} These settings are available under Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox When this setting is enabled any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD” in the /flash directory.
Page 191: Displaying Current Profiles And Connections {Statistics
AG 2100 Displaying Current Profiles and Connections {Statistics} You can view the total number of profiles and connections currently stored in the AG 2100’s database of authorized subscribers. The displayed list includes the number of subscribers currently in the database (Current Table) and a numerical breakdown of how the subscribers can utilize the system (for example, free access, credit card, etc.).
Page 192: Subscriber Interface Menu
AG 2100 Subscriber Interface Menu Defining the Billing Options {Billing Options} You can define various billing options for use with the Internal Web Server (IWS), based on: Billing plans, including pricing and bandwidth. Messages displayed to subscribers, including an Introduction Message, Offer Message and Policy Message.
Page 193 AG 2100 From the Web Management Interface, click on Subscriber Interface , then Billing Options The Internal Billing Options Setup screen appears: System Administration...
Page 194 AG 2100 Review the billing plans that are currently active. To view or edit a billing plan, simply click on the Show/Change button opposite the corresponding plan. The Internal Billing Options Plan Setup screen appears for the billing plan you selected...
Page 195 Time Unit One time unit is assigned to each billing plan. The AG 2100 allows you to define multiple billing plans with different time units at the same time. For example, you can define one billing plan that changes by the hour (e.g.
Page 196 AG 2100 Define the (Minute, Hour, Day, Week, or Month) you want to make Units of Access available to subscribers. If you want to allow free access to subscribers, you can define the following free billing options: Default Free Access Time (in days)
Page 197: Setting Up The Information And Control Console {Icc Setup
AG 2100 Setting Up the Information and Control Console {ICC Setup} The Nomadix Information and Control Console (ICC) is a HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
Page 198 AG 2100 From the Web Management Interface, click on , then Subscriber Interface ICC Setup The ICC Setup screen appears: If you want subscribers to see the ICC (pop-up window), click on the check box for Display ICC (Information and Control Console) to enable this feature.
Page 199: Assigning Buttons
Image Name – The representative image file you want to use for the button. When assigning images for buttons, refer to: “Pixel Sizes” on page 188. If you assign (or change) button images or banner images, the AG 2100 must be rebooted for your changes to take effect. System Administration...
Page 200: Assigning Banners
AG 2100 When you have completed assigning all your redirect buttons, click on the check box for Reboot after changes are saved? Click on the button to save your changes, or click on the button if you want Submit Reset to reset all the values to their previous state.
Page 201 Start Time (Optional) Stop Time (Optional) If you assign (or change) button images or banner images, the AG 2100 must be rebooted for your changes to take effect. If you changed any of the Image Name definitions, click on the check box for Reboot (to reboot the AG 2100).
Page 202: Pixel Sizes
AG 2100 Pixel Sizes Use the following parameters when defining images for buttons and banners: Banners – 373 pixels (width) x 32 pixels (height) ISP Button – 98 pixels (width) x 26 pixels (height) Small buttons – 45 pixels (width) x 26 pixels (height)
Page 203: Defining Languages {Language Support
AG 2100 Defining Languages {Language Support} The AG 2100 allows you to define the text displayed to your users by the Internal Web Server (IWS) without any HTML or ASP knowledge. The language you select here will determine the language encoding that the AG 2100’s Internal Web Server instructs the browser to use.
Page 204 Interface and the subscriber’s portal page, choose the Other option, then choose one of the available Japanese character sets from the drop-down menu. If sufficient space is available, the AG 2100’s Internal Web Server also supports multiple languages at the same time.
Page 205: Enabling Local Web Serving {Local Web Server
Go to WMI->Subscriber Interface->Local Web Server and add the names of the HTML or image files that were uploaded to the /flash/web directory. Reboot the AG 2100 The pages can now be served by referencing the URL http://nseip:1111/web/<filename> or at https://nseip:1112/web/<filename> for preauthenticated end users.
Page 206 AG 2100 Web Page File Name This text box lets you add or remove the names of the web pages that you intend to serve to the end users. The name of the web page has to be added in order for it to be served to the end...
Page 207: Defining The Subscriber's Login Ui {Login Ui
AG 2100 Defining the Subscriber’s Login UI {Login UI} This procedure allows you to set up the presentation and content of the subscriber’s login User Interface (UI). From the Web Management Interface, click on , then Subscriber Interface Login UI.
Page 208 Click on the check box for Enable “Remember Me” option if you want to enable (or disable) this feature. This option enables the AG 2100 to “remember” logins for a predetermined duration (see next step). The “Remember Me” option requires JavaScript to be enabled.
Page 209 Image File Name Partner Image File Name must reboot the AG 2100 for your changes to take effect. In this case, click on the check box for Reboot after changes are saved? The partner image (splash screen) is not the same screen that is defined by the Image File Name (IWS screen) field.
Page 210: Subscriber Login Screen (Sample)
AG 2100 Subscriber Login Screen (Sample) The following sample shows a subscriber login screen: System Administration...
Page 211: Defining The Post Session User Interface (Post Session Ui)
The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the AG 2100’s Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms. The IWS page displays the details of the...
Page 212 AG 2100 From the Web Management Interface, click on , then Subscriber Interface Post Session The Subscriber Post Session User Interface Settings screen appears: System Administration...
Page 213 AG 2100 Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS Goodbye Page, as required. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes: Display IP Address...
Page 214: Defining Subscriber Ui Buttons {Subscriber Buttons
AG 2100 Defining Subscriber UI Buttons {Subscriber Buttons} This procedure allows you to define how each of the control buttons are displayed to subscribers. From the Web Management Interface, click on , then Subscriber Interface Subscriber Buttons. The Subscriber Page -- Control Button Definitions screen appears: Caution Only the Login button should be named “Login.”...
Page 215: Defining Subscriber Ui Labels {Subscriber Labels
AG 2100 Defining Subscriber UI Labels {Subscriber Labels} This procedure allows you to define how the user interface (UI) field labels are displayed to subscribers. From the Web Management Interface, click on , then Subscriber Interface Subscriber The Subscriber Page -- Field Label Definitions screen appears: Labels.
Page 216: Defining Subscriber Error Messages {Subscriber Errors
AG 2100 Defining Subscriber Error Messages {Subscriber Errors} This procedure allows you to define how error messages are displayed to subscribers. There are 2 (two) pages of error messages available. From the Web Management Interface, click on Subscriber Interface , then...
Page 217 AG 2100 Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the button.
Page 218: Defining Subscriber Messages {Subscriber Messages
AG 2100 Defining Subscriber Messages {Subscriber Messages} This procedure allows you to define how “other” subscriber messages are displayed. There are 3 (three) pages of subscriber messages available. From the Web Management Interface, click on Subscriber Interface , then Subscriber The Subscriber Page -- Other Message Definitions, 1 of 3 screen Messages, 1 of 3.
Page 219 AG 2100 Enter the definitions you want for each subscriber message in the corresponding fields. Click on the button to save your changes, or click on the button if you want Submit Reset to reset all the values to their previous state.
Page 220 AG 2100 Repeat Steps 1 – 3 for page 3 of 3 (see following screen): System Administration...
Page 221: System Menu
AG 2100 System Menu Adding an ARP Table Entry {ARP Add} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
Page 222: Deleting An Arp Table Entry {Arp Delete
AG 2100 Deleting an ARP Table Entry {ARP Delete} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
Page 223: Enabling The Bridge Mode Option {Bridge Mode
“remove” the AG 2100 from the network without physically disconnecting the unit. You can still manage the AG 2100 when Bridge Mode is enabled, but you have no other functionality. If you enable the Bridge Mode option and then plug the AG 2100 into a network, all you need to do is assign it routable IP addresses.
Page 224: Exporting Configuration Settings To The Archive File {Export
AG 2100 Exporting Configuration Settings to the Archive File {Export} This procedure shows you how to export the current system configuration settings to an archive file for future retrieval. This function is useful if you want to change the configuration settings and you are unsure of the effect that the changes will have.
Page 225: Importing The Factory Defaults {Factory
If you restore the factory default configuration settings, you will no longer be able to access the AG 2100 remotely. However, you always have the option of using the “import” function to restore system configuration settings from the archive file.
Page 226 Click here to view the Click here to view the “current.txt” file “factory.txt” file Click on the button to replace the current system configuration Submit and Reboot settings with the factory default settings and reboot the AG 2100. System Administration...
Page 227: Viewing The History Log {History
AG 2100 Viewing the History Log {History} You can view a history log of the system’s Access, Reboot, and Uptime activities. The history log contains up to 500 entries. Over 500 entries and each new log item removes the oldest entry in the list.
Page 228 – User name of the Administrator / Operator. – Source IP address (see note). The source IP displayed may be the source IP of a NAT router instead of the client of the person accessing the AG 2100. System Administration...
Page 229: Establishing Icmp Blocking Parameters {Icmp
AG 2100 Establishing ICMP Blocking Parameters {ICMP} The AG 2100 includes the option to block all ICMP traffic from “pending” or “non authenticated” users that are destined to addresses other than those defined in the pass-through (walled garden) list. The default setting for this option is “disabled” since ICMP pass-through is a useful end-user troubleshooting feature and also required by certain smart clients (for example, GRIC).
Page 230: Importing Configuration Settings From The Archive File {Import
AG 2100 Importing Configuration Settings from the Archive File {Import} This procedure shows you how to restore the system configuration settings from an archive file (previously created with the export function). The archived configuration settings you want to restore may not contain valid IP addresses.
Page 231: Establishing Login Access Levels {Login
(Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When this feature is enabled, one manager and three operators can access the AG 2100 at any one time (the default is “disabled”). This feature supports the following interfaces: Telnet Command Line Interface (CLI) –...
Page 232 AG 2100 The Login Name and Password screen appears: Click on the check box for if you want to assign concurrent Administration Concurrency Manager and Operator logins. In the field, enter a login name for this manager. Manager Login Login names and passwords are case-sensitive. Use login names and passwords that are easy to remember (up to 11 characters, any character type).
Page 233 If you enabled Administration Concurrency, repeat steps 3 to 5 for an operator login. As part of its Smart Client feature, the AG 2100 offers a remote RADIUS testing feature (enabled by default). With this feature, the AG 2100 provides a password-protected Web page.
Page 234: Defining The Mac Filtering Options {Mac Filtering
AG 2100 Defining the MAC Filtering Options {Mac Filtering} MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time (see caution).
Page 235: Rebooting The System {Reboot
AG 2100 Rebooting the System {Reboot} This procedure shows you how to reboot the AG 2100. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
Page 236: Adding A Route {Route Add
AG 2100 Adding a Route {Route Add} This procedure shows you how to add a route into the AG 2100’s routing table. This is accomplished by establishing the route’s destination IP address, and by setting the gateway or router IP address by which the route’s destination can be reached.
Page 237: Deleting A Route {Route Delete
AG 2100 Deleting a Route {Route Delete} This procedure shows you how to delete a route to a specific IP destination. From the Web Management Interface, click on System , then Route Delete. The Delete Static Routes screen appears: Enter the address of the route you want to delete from the routing table.
Page 238: Establishing Session Rate Limiting {Session Limit
AG 2100 Establishing Session Rate Limiting {Session Limit} Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number of DAT sessions any one user can take over a given time period and, if necessary, then block malicious users.
Page 239: Adding Static Ports {Static Port-Mapping Add
AG 2100. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the AG 2100 without setting them up with public IP addresses.
Page 240 Internal Port Enter a valid MAC Address Enter the External IP Address The External IP address field will default to the IP address of the AG 2100. Enter the reference. External Port Optional: Enter the . Leave this field set to zero if you want to connect Remote IP Address to the internal device from any network-side workstation.
Page 241: Deleting Static Ports {Static Port-Mapping Delete
AG 2100. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the AG 2100 without setting them up with public IP addresses.
Page 242: Blocking A Subscriber Interface {Subscriber Interfaces
Updating the AG 2100 Firmware {Upgrade} Upgrading the AG 2100 firmware is performed from the AG 2100’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support).
Page 243: Defining Wireless Configuration {Wireless Configuration
AG 2100 Defining Wireless Configuration {Wireless Configuration} This procedure allows you to configure the AG 2100’s wireless settings and optimize transmissions and wireless security. See also: “Why Choose Wireless?” on page 2 “Offering Speed and Efficiency” on page 4 “Optimizing Performance” on page 4 “Installation Considerations”...
Page 244 AG 2100 To add, edit, or remove Virtual APs (VAPs), click the Virtual AP Setup link at the top of this window. See “Virtual AP Setup” on page 231. Select a Regulatory Domain from the drop-down list: USA/Canada ETSI World...
Page 245: Virtual Ap Setup
AG 2100 Virtual AP Setup Your product license may not support this feature. The NSE can create virtual access points (VAPs) from one physical access point by assigning unique BSSIDs to each SSID. Single providers can use VAPs to offer multiple services (for example, offering access to different VLANs, using different authentication/association methods).
Page 246 AG 2100 Using the WMI: From the System menu, click Wireless Configuration, then Virtual AP Setup. The Virtual AP Setup window appears: Enable or disable Default 802.1q Tag for System Traffic, and add/edit the associated VLAN tag if necessary. Changing the default tag number may result in a loss of connectivity.
Page 247 AG 2100 System Administration...
Page 248 AG 2100 Enter an SSID. The SSID (Service Set Identifier) is a unique name that identifies a wireless network. All devices on a wireless network must share the same SSID name in order to communicate on the wireless network. The SSID can be up to 32 ASCII characters.
Page 249 AG 2100 RADIUS-based WAN VLAN takes priority over Virtual AP-based WAN VLAN. If you enable WAN VLAN, enter a VLAN tag number using one to 10 numeric characters. Multiple VAPs can be mapped to the same VLAN. Select an Authentication Method:...
Page 250 AG 2100 802.11i Settings 802.11i settings are available only for WPA and WPA 2 association methods. If you chose Open or WEP, please see “WEP Settings” on page 237 IEEE 802.11 and 802.11i can be configured differently per VAP, and is recommended.
Page 251 AG 2100 WEP Settings WEP features are available only if WEP is selected for Authentication Method. If you chose a WPA or WPA 2 Authentication method, proceed to “Other Options” on page 238. Select an 802.11 Authentication Type: Open or Shared.
Page 252 AG 2100 Other Options Enable or disable UAM (Universal Access Method). UAM controls [web-browser based] Authentication, Authorization and Accounting for the VAP. UAM must be enabled for the VAP to use the Global AAA settings (see “Defining the AAA Services {AAA}” on page 67).
Page 253 AG 2100 Select a RADIUS Mode: Disabled to disable RADIUS authentication Realm-Based for Realm routing Fixed for routing to predefined RADIUS servers System Defaults to defer to the Global RADIUS Client configuration Global RADIUS Client settings must first be configured before you select a RADIUS Mode.
Page 254 AG 2100 System Administration...
Page 255 AG 2100 System Administration...
Page 256 AG 2100 This page intentionally left blank. System Administration...
Page 257: Chapter 3: The Subscriber Interface
When a subscriber accesses the solution provider’s high speed network, the AG 2100 points their browser to a sign-in page. The AG 2100 then creates a database entry that automatically records the subscriber’s Media Access Control (MAC). Like a router, the AG 2100 continuously tracks subscriber IP and MAC settings, eliminating the need for further sign-ins and ensuring that subscriber usage and billing is recorded accurately.
Page 258: Authorization And Billing
AG 2100 Authorization and Billing As a gateway device, the AG 2100 enables plug-and-play access to broadband networks. Broadband network solution providers can now offer their subscribers a wide range of high speed services, including access to the Internet. Of course, a high speed Internet connection is not free –...
Page 259: The Aaa Structure
User-selectable options and parameters (for example, defining the time purchased). Only subscribers that are correctly identified and authenticated are authorized to access the system. Once authorized, the subscriber’s activity is logged and billed through the AG 2100’s Accounting module. The Accounting module fully supports the following functions: Credit card billing (for example, interaction with AuthorizeNet).
Page 260: Process Flow (Aaa)
Process Flow (AAA) The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the AG 2100. AG 2100 detects connection and verifies user against authorization table New User Existing Subscriber...
Page 261: Internal And External Web Servers
English, Chinese, French, German, Japanese, and Spanish. Home Page Redirection The AG 2100 can be configured to redirect all valid subscribers to a Web portal or home page determined by the solution provider. After a specified time, from the first home page redirection (determined by the system administrator), subscribers are redirected again to the portal at the next Web page request.
Page 262: Subscriber Management
Credit card Combinations of two or more subscriber management models can be used. When a subscriber connects to the network and attempts to access the Internet, the AG 2100 looks for each model in the given order above. Subscriber Management Models The system administrator establishes the subscriber management model via the Command Line Interface (CLI) or the Web Management Interface.
Page 263: Configuring The Subscriber Management Models
Credit card Enable the AAA services. You have the choice of enabling the AG 2100’s internal authorization module or using an external credit card authorization server. Internal Authorization Enabled Enter the credit card server’s URL and IP address, then enter the merchant ID you obtain from Authorize.Net.
Page 264: Information And Control Console (Icc)
AG 2100 Information and Control Console (ICC) The Information and Control Console (ICC) is a HTML-based pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
Page 265: Chapter 4: Quick Reference Guide
Web Management Interface (WMI) Menus The following tables contain a listing and brief explanation of all menus and menu items contained in the AG 2100’s Web Management Interface (WMI), listed as they appear on screen. Main Page Menus...
Page 266: Configuration Menu Items
A login is permitted only if a match is made with the master list contained on the AG 2100. If a match is not made, the login is denied, even if a correct login name and password are supplied.
Page 267 Enables logging options for the system and AAA functions. Passthrough Addresses Allows you to establish up to 300 IP pass-through addresses. RADIUS Client With the appropriate product license, the AG 2100 supports Remote Authentication Dial-In User Service (RADIUS). This procedure sets up the RADIUS client. Realm-Based Routing...
Page 268: Network Info Menu Items
AG 2100 Network Info Menu Items Item Description Displays the ARP table, including the destination IP address and the gateway MAC address. Displays the DAT session table. Hosts Displays the host table, including host names, associated IP addresses and any assigned aliases.
Page 269: Port-Location Menu Items
AG 2100 Port-Location Menu Items Items Description Adds or updates port-location assignments. Delete All Deletes all port-location assignments. Use this command with caution. Delete by Location Deletes port-location assignments, based on a specified location. Delete by Port Deletes port-location assignments, based on a specified port (VLAN tag).
Page 270: Subscriber Administration Menu Items
AG 2100 Subscriber Administration Menu Items Items Description Allows you to add subscriber profiles to the database. Current Displays a list of all currently connected subscribers. Delete by MAC Allows you to delete a subscriber, based on a specific MAC address.
Page 271: Subscriber Interface Menu Items
AG 2100 Subscriber Interface Menu Items Items Description Billing Options Establishes the various billing plans and rates (schemes), including messages and appearance. ICC Setup Allows you to set up the Information and Control Console (ICC) for subscribers. Language Support Allows you to define the language to be displayed on the Web Management Interface and the subscriber’s portal page.
Page 272: System Menu Items
Displays system memory usage information. Reboot Reboots the AG 2100. Route Add Adds a route into the AG 2100’s routing table. Route Delete Deletes a route to a specific IP destination. Session Limit Limits the number sessions any one user can take over a given time period and, if necessary, then blocks malicious users.
Page 273: Upgrade
Description Syslog Displays syslog history. System Utilization Enables or disables system utilization. Upgrade Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support. User Settings Enables or disables blocking of all IPPROTO Traffic from Misconfigured Subscribers. Wireless Configuration Configures the AG 2100’s wireless settings.
Page 274: Alphabetical Listing Of Menu Items (Wmi)
Description Menu AAA ........Set AAA options ..................Configuration Access Control ..... Enables secure administration of the AG 2100 .......... Configuration Add........Add subscriber profiles to the database..........Subscriber Admin ARP........Display the ARP table ................. Network Info ARP Add ......Add an ARP table entry..................System ARP Delete ......
Page 275 TCP........Display the TCP performance statistics............Network Info Time........Set the system date and time...............Configuration UDP ........Display the UDP performance statistics ............Network Info Upgrade ........Upgrade the AG 2100 system firmware ..............System URL Filtering .......Define URLs for filtering ................Configuration Wireless Configuration..Sets up the wireless configuration parameters............System...
Page 276: Default (Factory) Configuration Settings
AG 2100 Default (Factory) Configuration Settings The following table shows a partial listing of the AG 2100’s primary default configuration settings (the settings established at manufacturing). For a complete listing of the factory default settings, refer to the factory.txt file. For more information, go to “Importing the Factory...
Page 277 AG 2100 Function Default Setting Dynamic Address Translation (DAT) Enabled (cannot be changed) AAA Logging Disabled AAA Log Server Number AAA Log Server IP 0.0.0.0 SYSLOG (System Logging) Disabled SYSLOG Server Number SYSLOG Server IP 0.0.0.0 AAA Services Disabled Internal Authorization...
Page 278: Product Specifications
Specifications UBLIC CCESS User Support: AG 2100 supports a total of 100 wired and wireless users. Nomadix recommends a maximum of 50 wireless concurrent users. Dynamic Address Translation (DAT) Home Page Redirection (Pre and Post Authentication) iNAT (for seamless VPN connectivity)
Page 279 AG 2100 Specifications ETWORKING IEEE 802.3 / 3u IEEE 802.1d PoE per IEEE 802.3af DHCP Server DHCP Relay DHCP Client RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2) PPPoE Client ECURITY 64-bit/128-bit WEP with dynamic keying iNAT MAC Address Filtering and Session Limiting...
Page 280 CE Mark CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17 VCCI Class B, Telec UL 1950, CSA22.2 No 950, TÜV/GS(EN60950) For further information on the certifications for the AG 2100 product, visit www.nomadix.com/downloads. OMPATIBILITY Communicates with all Wi-Fi certified wireless adapters HYSICAL 9.25(L) x 6.25(W) x 1.5(H) inches...
Page 281: Sample Aaa Log
AG 2100 Sample AAA Log The following table shows a sample AAA log. This log is generated by the AG 2100 and sent to the SYSLOG server that is assigned to AAA logging. AG 2100 Type of Subscriber MAC Expiratio...
Page 282: Message Definitions (Aaa Log)
Subscriber profile was manually removed from the authorization table. Removed_by_administrator Sample SYSLOG Report Syslog reports are generated by the AG 2100 and sent to the syslog server that is assigned to general error detection and reporting. 2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] DHCP: ndxDHCPInit: 0021 DHCP initialized 2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028]...
Page 283: Sample History Log
AG 2100 Sample History Log A history log is generated by the AG 2100 which includes the system’s activity (Access, Reboot and Uptime). More listings ... Quick Reference Guide...
Page 284: Keyboard Shortcuts
AG 2100 Keyboard Shortcuts The following table shows the most common keyboard shortcuts. Action Keyboard Shortcut Cut selected data and place it on the clipboard. Ctrl + X Copy selected data to the clipboard. Ctrl + C Paste data from the clipboard into a document (at the insertion point).
Page 285: Radius Attributes
AG 2100 RADIUS Attributes RADIUS (Remote Authentication Dial-In User Service) was originally created to allow remote authentication to the dial-in networks of corporations and dial-up ISPs. It is defined and standardized by the IETF (Internet Engineering Task Force) and several RADIUS server packages exist in both the public domain and for commercial sale.
Page 286 ISP's RADIUS server. The RADIUS server decrypts the information and compares it against its list of valid users. If the subscriber can be authenticated, the RADIUS server replies to the AG 2100 with a message instructing it to grant access to the subscriber.
Page 287: Authentication-Request
AG 2100 Authentication-Request Username Password Service-Type NAS-Port (port number) NAS-Identifier Framed-IP Address NAS-IP Address NAS-Port-Type Acct-Session-ID Log-Off-URL EAP-Packet (used for 802.1x) Message-Authenticator (used for 802.1x) State (used/tested for 802.1x) Called-Station-ID Calling-Station-ID Quick Reference Guide...
Page 288: Authentication-Reply (Accept)
AG 2100 Authentication-Reply (Accept) Reply-Message Reject-Message State (used/tested for 802.1x) Class Session-Timeout Idle-Timeout EAP-Packet (used for 802.1x) Message-Authenticator (used for 802.1x) Acct-Interim-Interval Nomadix VSAs: Nomadix-Bw-Up Nomadix-Bw-Down Nomadix-URL-Redirection Nomadix-IP-Upsell Nomadix-MaxBytesUp Nomadix-MaxBytesDown Nomadix-Net-VLAN Nomadix-Session-Terminate-End-Of-Day Nomadix-Expiration Quick Reference Guide...
Page 289: Accounting-Request
AG 2100 Accounting-Request Username Acct-Status-Type (Start/Stop/Update) Acct-Session-ID Acct-Output-Octets Acct-Input-Octets Acct-Output-Packets Acct-Input-Packets Class Nomadix VSAs: Nomadix-URL-Redirection Nomadix-IP-Upsell Acct-Session-Time (Stop) Terminate-Cause (Stop) NAS ID NAS-IP Address NAS-Port-Type NAS-Port Framed-IP Address Acct-Delay-Time Called-Station-ID Calling-Station-ID Quick Reference Guide...
Page 290: Selected Detailed Descriptions
"0" means forever. Timeout Detection If a subscriber is sending traffic through the AG 2100, the AG 2100 will immediately detect a Session-Timeout. However in the case of an Idle-Timeout or an inactive subscriber Session- Timeout, the AG 2100 detects it via a clean-up function that is currently called every 2 minutes.
Page 291 Interim message for the specific subscriber. If this attribute is not present or equal to 0, no Interim message is sent. The precision is 2 minutes. The AG 2100 will not send Interim messages more frequently than every 2 minutes.
Page 292: Nomadix Vendor Specific Attributes
This attribute allows the administrator to redirect the user to a page of the administrators choice each time the user logs in. Nomadix-IP-Upsell This attribute allows the user to receive a public address from a DHCP pool when the AG 2100 has the IP-Upsell feature enabled. Nomadix-Volume-Based-Session-Timeout This attribute allows you to terminate a session once a specified data volume has been reached.
Page 293: Setting Up The Ssl Feature
AG 2100 Setting Up the SSL Feature This section describes how to set up the AG 2100’s SSL feature. Prerequisites The AG 2100 should support SSL feature. Please go to “Displaying Your Configuration Settings {Summary}” on page 133 and verify that the Licensed Features include "AAA SSL Support".
Page 294: Obtain A Private Key File (Cakey.pem)
VeriSign). These files are put in as file1:file2:file3:file4:file5 in the key generation command. Downloading Cygwin There are several sources for obtaining "Cygwin" to install OpenSSL. One popular source is: http://sources.redhat.com/cygwin/. Nomadix used Cygwin version 1.3.2 for generating this section of the User’s Guide. Quick Reference Guide...
Page 295: Installing Cygwin And Openssl On A Pc
AG 2100 Installing Cygwin and OpenSSL on a PC The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen: Click on the button. Next The following screen appears:...
Page 296 AG 2100 Click on the button to display the next setup screen. Next Click on the button to display the next setup screen. Next Click on the button to display the next setup screen. Next Quick Reference Guide...
Page 297 Select a location and click on the button. Next For the purposes of this document, Nomadix used: ftp://planetmirror.com In the following screens, please skip all packages except "cygwin" and "openssl," then click on the Next when you are done.
Page 298 AG 2100 Quick Reference Guide...
Page 299 AG 2100 Click on the Next button to start the “download” process. Wait for the download process to complete. Click on the button to start the “install” process. Wait for the install process to complete. Next There will be a pop-up dialog to inform you that the installation process is completed. At the pop-up dialog, click on the button.
Page 300: Private Key Generation
AG 2100 Private Key Generation Create a directory from Root and put 5 random files, , and (see a.dat b.dat c.dat d.dat e.dat note) into the C:\cygwin\bin\ directory (or the directory where you installed openssl.exe). These random files can be any file type, such as Word, Excel, etc. Change the files to .dat files (shown above).
Page 301 However, if you saving them as a different namse, you must change the names back to "cakey.pem" when trying to FTP to the AG 2100. Do not include "-des3" option to keep the private key in an unencrypted form.
Page 302: Create A Certificate Signing Request (Csr) File
AG 2100 Create a Certificate Signing Request (CSR) File Run the following command to generate the certificate signing request: >openssl req -new -key cakey.pem > server.csr The following table provides an explanation of the command elements: openssl "openssl" command A parameter for creating a request Defining a "new"...
Page 303 The "Common Name" is the name used in the AG->AAA->SSL Certificate Domain Name. The Common Name in the Public Key must match the SSL Certificate Domain Name in the Web Management Interface of the AG 2100 (refer to the AG 2100 setup information). Here is the output of server.csr:...
Page 304: Create A Public Key File (Server.pem)
AG 2100 Create a Public Key File (server.pem) VeriSign Purchasing Process The signing process varies by Certificate Authority. Generally, you will need to send a Certificate Signing Request to the Certificate Authority (CA) and the CA will create a public key base on the certificate request.
Page 305 Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification. There are several ways to proof the existence of your business.
Page 306 AG 2100 CSR Submission to VeriSign Please select "Apache Freeware" to submit the CSR to VeriSign. The Certificate Signing Request is in the server.csr (created in the previous step). Open server.csr and copy and paste all data into the edit box.
Page 307 AG 2100 The file, "server.pem" will look like this: You have now finished the process of obtaining a public key. Quick Reference Guide...
Page 308: Setting Up Ag 2100 For Ssl Secure Login
AG 2100 Setting Up AG 2100 for SSL Secure Login FTP the "cakey.pem" and "server.pem" files into the AG 2100 platform's flash directory: FTP to the AG 2100 by Netscape: ftp://username:password@AG_Network_IP/flash/. Drag and drop the "cakey.pem" and "server.pem" files into the directory.
Page 309: Mirroring Billing Records
AG 2100 Mirroring Billing Records Multiple AG 2100 units can send copies of credit card billing records to a number of external servers that have been previously defined by system administrators. The AG 2100 assumes control of billing transmissions and saving billing records. By effectively "mirroring" the billing data, the AG 2100 can send copies of billing records to predefined "carbon copy"...
Page 310: Xml Interface
XML Interface XML for the External Server The AG 2100 sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built, as the billing “mirroring” information is sent to the external server in HTTP compliant XML format. The XML string built from the billing mirror...
Page 311 The AG 2100 uses USG commands for XML strings. The AG 2100 accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the AG 2100 product. In this case, the acknowledgement received from the External Server forms the command.
Page 312 Format for each Field: RESULT_VALUE: OK or ERROR Standard IP format (123.123.123.123) ERROR_CODE 1 for OK, or any other number Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 303. Quick Reference Guide...
Page 313: Chapter 5: Troubleshooting
It also contains a list of known error messages associated with the Management Interface. General Hints and Tips The AG 2100 is both a hardware device and a powerful software utility. As a hardware computing device, the AG 2100 requires careful handling. It should be positioned in a dust-free and temperature-controlled environment.
Page 314 When upgrading the software, the system FTP a valid boot image to the flash. needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive. Warning: no DHCP services are available to This message is displayed because you have subscribers.
Page 315: Common Problems
255.255.255.0 The DHCP relay is disabled Check the internal DHCP and the DHCP service service settings. settings in the AG 2100 are misconfigured. Subscribers are unable to The DNS server settings are Check the DNS settings (host, route to a domain name, but misconfigured.
Page 316 When a subscriber logs in for Home page redirection is not Enable home page the first time, their browser is enabled in the AG 2100. redirection. not redirected to the specified The home page URL was Re-enter the correct URL.
Page 317: Appendix A: Technical Support
We have tried to ensure that you get the most up-to-date information available about the Nomadix AG 2100, and we hope this User’s Guide has met all your operational and performance needs. However, we understand that occasionally you may run into problems that require additional technical support.
Page 318 AG 2100 This page intentionally left blank. Appendix A: Technical Support...
Page 319: Appendix B: Addendum
This Addendum provides information and procedures that will enable system administrators to configure and use the specific features introduced in the 1.3 Maintenance, 1.3 M+ and 1.4 releases for the Nomadix Wireless Access Gateway (AG 2100). The features covered are: 1.3M and 1.3M+ Features:...
Page 320: Pppoe Client
AG 2100 PPPoE Client These settings can be accessed under the following menus: WMI Configuration Go to Configuration->Location to enable PPPoE Client On Location page, click on ‘Configure PPPoE Client’ link to get to the PPPoE configuration page. CLI Configuration Go to Configuration->Location to enable PPPoE Client...
Page 321 AG 2100 Appendix B: Addendum...
Page 322 AG 2100 Appendix B: Addendum...
Page 323 AG 2100 PPPoE Service Name This is the Service-Name TAG. The maximum allowed length is 31 characters. PPP Keep Alive Echo Request Interval in seconds - Setting this to 0 will disable echo requests from the NSE. The default value for this parameter is 30 seconds.
Page 324: L2Tp Tunneling
What these RADIUS servers will return in response to a RADIUS access request is the L2TP tunnel parameters that the AG 2100 will use to establish an L2TP tunnel. See next figure for an example of a RADIUS service profile.
Page 325 AG 2100 Appendix B: Addendum...
Page 326: Define Tunnel Profiles
AG 2100 Define Tunnel Profiles Tunnel profiles can be defined when L2TP tunnel parameters are known and it is not necessary to send an access request to a RADIUS server to obtain those parameters or for accounting purposes. Create a tunnel profile for each L2TP tunnel whose parameters are known. The tunnel parameters that the profile contains are the IP address of the LNS and the tunnel password.
Page 327: Define Realm Routing Policies
Since it handles a single realm, no realm information is needed for users and so must be stripped. In this case, it is stripped by the AG 2100, but it could easily have been stripped by the tunnel server, or by the tunnel server’s RADIUS server. This was designed for maximum flexibility.
Page 328 “username@tcisp.com”. Since this policy references a tunnel profile, no RADIUS access requests will be sent to any RADIUS server. In this case, the AG 2100 will use the L2TP tunnel parameters specified in the tunnel profile to establish a tunnel and pass the username/password input to the tunnel server.
Page 329 This checkbox may be unchecked if it is necessary for usernames to contain realm information for user authentication. The “Local hostname” field is also blank in this example which means that the AG 2100 will use the default value of “usg_lac” during tunnel negotiation.
Page 330: Configure Radius Client
The AG 2100 RADIUS client must be setup for realm-based routing mode since realm information will be used by the AG 2100’s L2TP tunnel feature to determine how to handle usernames that contain realm information. See next figure for an example of setting the routing mode to handle realm-based usernames.
Page 331: Local Syslog And Syslog Filters
AG 2100 Local Syslog and Syslog Filters These settings can be accessed under the Configuration/Logging menu. Appendix B: Addendum...
Page 332 AG 2100 Log Filter Setting: The syslogs can be filtered at 7 levels as shown above. Setting the level to a number disables any syslogs above that filter setting. For e.g. setting the filter to 2:Critical only generates 0:Emergency, 1:Alert and 2:Critical level syslogs. All other syslogs are not generated.
Page 333 AG 2100 PageFaults are stored in the file named “lograw.txt” in the /flash directory and is not viewable on the web management interface. Appendix B: Addendum...
Page 334: Periodic Syslogs: System Report Syslogs
AG 2100 Periodic Syslogs: System Report Syslogs These settings can be accessed under the Configuration/Logging menu. Appendix B: Addendum...
Page 335 AG 2100 The following Logs are available for configuration on the NSE: AAA Log These logs record events related to Authentication, Authorization, and Accounting on the NSE. RADIUS History Log These logs record RADIUS proxy accounting messages sent or received by the RADIUS proxy.
Page 336 AG 2100 Subscriber Tracking Log Enabling this checkbox enables the Subscriber Tracking log. Use this to track the network usage of specific Subscribers on the network by receiving a syslog of every Session that is opened by each subscriber. Each new DAT session that is created for subscribers is logged in these syslogs.
Page 337: Glossary Of Terms
10/100 Ethernet See Ethernet. (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing them to access the Internet and make online...
Page 338 (ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet. Adaptive Configuration Technology A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT. ad-hoc mode 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP).
Page 339 (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings. See also, DHCP.
Page 340 AG 2100 DSSS (Direct Sequence Spread Spectrum) One of two types of spread spectrum radio—the other being Frequency Hopping WLAN Spread Spectrum (FHSS). DSSS is a transmission technology used in transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or “chipping” code, that divides the user data according to a spreading ratio.
Page 341 AG 2100 (Frequency Division Multiplexing) A multiplexing technique that uses different frequencies to combine multiple streams of data for transmission over a communications medium. FDM assigns a discrete carrier frequency to each data stream and then combines many modulated carrier frequencies for transmission. For example, television transmitters use FDM to broadcast several channels at once.
Page 342 For example, if a user in California accesses a computer in New York, the computer in New York is considered the host. (Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business Home Page.
Page 343 IP address assignments. This enables it to solve IP addressing problems in environments where the service provider does not have control over the subscriber’s network settings. Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless Dynamic IP access to the broadband network.
Page 344 Misconfigured User A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be “misconfigured.”...
Page 345 AG 2100 OSPF (Open Shortest Path First) This routing protocol was developed for IP networks based on the shortest path first or link- state algorithm. Routers use link-state algorithms to send routing information to all nodes on a network by calculating the shortest path to each node based on a topography of the Internet constructed by each node.
Page 346 AG 2100 Forwarding Rate, Packet, (packets per second) The rate at which packets are delivered to their destination. See also, Packet Switching Network. PPTP (Point-to-Point Tunneling Protocol) Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum, PPTP is a new technology used for creating Virtual Private Networks (VPNs).
Page 347 Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
Page 348 AG 2100 (Secure Sockets Layer) A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
Page 349 AG 2100 Telnet A software program and command utility used to connect between remote locations and services. Telnet connects you to the login prompt of another host (that you have access rights to). See also, Host. Throughput The net data transfer rate between an information source and its destination, using the maximum packet size without loss.
Page 350 AG 2100 (Coordinated Universal Time) A time scale that couples Greenwich Mean Time (GMT), which is based solely on the Earth's inconsistent rotation rate, with highly accurate atomic time. When atomic time and Earth time approach a one second difference, a leap second is calculated into UTC. UTC was devised on January 1, 1972 and is coordinated in Paris by the International Bureau of Weights and Measures.
Page 351 HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration. Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source.
Page 352 AG 2100 This page intentionally left blank. Glossary of Terms...
Page 353 AAA services Channel External Web Server character lengths Internal Web Server Cipher access control 7, access levels logging in accounting AG 2100 AES/CCMP logging in AG 2100 overview installation 33, Command Line Interface installation workflow inputting data unpacking logging in...
Page 354 AG 5000 importing from archive Frequency spectrum contacting NOMADIX Copyright Credit Card Module glossary of terms 323, Current table Goodbye page GRE Tunneling VAPs Group key update interval DAT sessions data inputting High Availability Module date and time hints and tips...
Page 355 IP address local content and services network architecture location Network Info menu location file network interfaces creating Nomadix private MIB locations 104, NSE core functionality Log settings NTP support AAA log RADIUS history log Subscriber tracking log System report log...
Page 356 Regulatory domain port mapping 18, 114, 146, remember me in-room port mapping Resetting the AG 2100 portal page redirect resetting setting to factory defaults Port-based billing policies resetting the administrative login name and Port-Location menu password...
Page 357 AG 5000 SNMP manager technical sockets user specifications 28, SYSLOG report SSID sample SSID broadcast System System Administration setting up System report log Start Up configuration System report log interval static port mapping 146, static ports adding TCP statistics deleting technical support mapping contact information...
Page 358 AG 5000 VLAN tags WAN VLAN tagging VPN tunneling walled garden Web Management Interface 25, menu organizatiion overview Web servers authentication default key dynamic WEP key length key type settings Wireless configuration beacon interval channel DTIM fragment length frequency spectrum power rate regulatory domain...

Nomadix AG 2100 User Manual

Table of Contents

Chapter 1: Installing the AG 2100

Chapter 2: System Administration

Chapter 3: The Subscriber Interface

Chapter 4: Quick Reference Guide

Alphabetical Listing of Menu Items (Wmi)

Chapter 5: Troubleshooting

Appendix A: Technical Support

Appendix B: Addendum

Quick Links

Chapters

Related Manuals for Nomadix AG 2100

Summary of Contents for Nomadix AG 2100