Disclaimer Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc.
AG 2100 Notifications This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
AG 2100 CAUTION WARNING Read the instruction manual prior to operation. Risk of electric shock; do not open; no user-serviceable parts inside. Do not attempt to disassemble the device.
Table of Contents
Introduction ... 1
About this User’s Guide ... 1
Organization ... 1
Why Choose Wireless? ... 2
Welcome to the Nomadix AG 2100 ... 3
Product Definitions ... 3
Ensuring Compatibility ... 3
Offering Speed and Efficiency ... 4
Optimizing Performance ... 4
Providing Effective Security
Network Architecture (Sample) ... 27
Product Specifications ... 28
Online Help (WebHelp) ... 31
Notes, Cautions, and Warnings ... 31
Chapter 1: Installing the AG 2100 ... 33
Unpacking the AG 2100 ... 34
Installation Workflow ... 35
Connecting the System ... 36
Installation Considerations
Resetting the AG 2100 ... 47
Resetting Administrative Login Name and Password ... 47
Resetting Settings to Factory Defaults ... 47
Warm Reboot ... 47
Other Cases ... 47
Functionality Summary ... 48
Error Reporting ... 48
Changes to Existing Functionality ... 49
Setting the SNMP Parameters (optional)
Establishing Your Location {Location} ... 104
Managing Log Options {Logging} ... 106
Assigning Passthrough Addresses (Passthrough Addresses) ... 109
Setting Up Port Locations {Port-Location} ... 111
In Room Port Mapping ... 114
Defining the RADIUS Client Settings {RADIUS Client} ... 116
Miscellaneous Options
Importing Port-Location Assignments {Import} ... 161
Viewing the “location.txt” File ... 162
Creating a “location.txt” File ... 162
Displaying the Port-Location Mappings {List} ... 163
Subscriber Administration Menu ... 164
Adding Subscriber Profiles {Add} ... 164
Displaying Current Subscriber Connections {Current} ... 167
Deleting Subscriber Profiles by MAC Address {Delete by MAC}
Adding Static Ports {Static Port-mapping Add} ... 225
Deleting Static Ports {Static Port-mapping Delete} ... 227
Blocking a Subscriber Interface {Subscriber Interfaces} ... 228
Updating the AG 2100 Firmware {Upgrade} ... 228
Defining Wireless Configuration {Wireless Configuration} ... 229
Virtual AP Setup ... 231
Chapter 3: The Subscriber Interface
Private Key Generation ... 286
Create a Certificate Signing Request (CSR) File ... 288
Create a Public Key File (server.pem) ... 290
Setting Up AG 2100 for SSL Secure Login ... 294
Setting Up the Portal Page ... 294
Mirroring Billing Records ... 295
Sending Billing Records
Chapter 3 – The Subscriber Interface. This chapter provides an overview and sample scenario for the AG 2100’s subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system. Chapter 4 – Quick Reference Guide.
AG 2100 Why Choose Wireless? Wireless Local Area Networks (WLANs) are cellular computer networks that transmit and receive data with radio signals instead of wires. Wireless LANs are used increasingly in both home and office environments, and public access locations such as airports, coffee shops and universities.
Windows, and can be easily integrated into a large network. Nomadix AG 2100 By strictly adhering to IEEE standards, the AG 2100 allows users to securely access the data they want, when and where they want it, and enjoy the freedom that wireless networking delivers.
Internet. By offering transfer rates up to 54 Mbps, the AG 2100 enables large data packets to travel from the router to a remote desktop or roaming laptop PC at up to five times the speed of previous wireless devices.
All Nomadix Access Gateway products, including the AG 2100, are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The AG 2100 uses our NSE core software package with the option to purchase additional modules to expand product functionality.
AG 2100 Key Features and Benefits The AG 2100 allows carriers to deploy Wi-Fi service into a wide range of large or small public access locations while keeping deployment costs low. Key features and benefits include: Transparent Connectivity Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider.
The Portal Page feature intercepts the user’s browser settings and directs them to a Web site to securely sign up for service or log in if they have a pre-existing account. Nomadix offers both pre and post authentication redirects of the user’s browser providing maximum flexibility in branding for both the carrier and the HotSpot owner.
The AG 2100 supports a variety of billing models to enable the deployment of profitable public access networks. The AG 2100 supports billing plans that use credit cards or scratch cards, or plans that enable monthly subscriptions, then facilitates billing by a host of different parameters including time, volume, IP address type, or bandwidth.
AG 2100 NSE Core Functionality The Nomadix Service Engine (NSE) powers the Nomadix family of Access Gateways, and delivers a full range of features needed to successfully deploy Wi-Fi public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.
Secure Management
Secure Socket Layer (SSL)
Secure XML API
Session Rate Limiting (SRL)
Session Termination Redirect
Smart Client Support
SNMP Nomadix Private MIB
Dual-Mode Authentication
URL Filtering
Virtual Access Points (VAPs)
Walled Garden
Web Management Interface

Access Control
For IP-based access control, the NSE incorporates a master access control list that checks the source (IP address) of administrator logins.
AG 2100 Bandwidth Management The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically on a per device (MAC address/User) basis, and manages WAN Link traffic to provide complete bandwidth management over the entire network. You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth.
The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.
Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans. Recycle existing web page content for the centrally hosted portal page. If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See “Contact Information” on page 303.
AG 2100 iNAT™ Nomadix invented intelligent Network Address Translation (iNAT™), a new way of intelligently supporting multiple VPN connections to the same termination at the same time, thus solving a key problem of many public access networks. Nomadix’ patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.
AG 2100 Information and Control Console The Nomadix Information and Control Console (ICC) is an HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time”...
Internal Web Server
The NSE offers an embedded Internal Web Server (IWS) to deliver web pages stored in flash memory. The system administrator can configure these web pages by selecting various parameters to be displayed on the internal pages. When providers or HotSpot owners do not want to develop their own content, the IWS is the answer.
“Information and Control Console” on page MAC Filtering MAC Filtering enhances Nomadix access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)”...
As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the portal page redirection logic to allow an External Web Server to perform a redirection based AG 2100 ID and IP Address Origin Server...
Optionally, the RADIUS authentication process and FTP download can be secured by sending traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also, “Secure Management” on...
AG 2100 RADIUS Proxy The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively...
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on...
XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE, so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
Adjungo Networks, Boingo Wireless, GoRemote and iPass. SNMP Nomadix Private MIB Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock). To take advantage of the functionality provided with Nomadix’ private Management Information Base (MIB), simply import the nomadix.mib file from the Accessories CD...
For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients.
“Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing. Web Management Interface Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)”...
The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network which can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
Specifications

PUBLIC ACCESS
User Support: AG 2100 supports a total of 100 wired and wireless users. Nomadix recommends a maximum of 50 wireless concurrent users.
Dynamic Address Translation (DAT)
Home Page Redirection (Pre and Post Authentication)
iNAT (for seamless VPN connectivity)

NETWORKING
IEEE 802.3 / 3u
IEEE 802.1d
PoE per IEEE 802.3af
DHCP Server
DHCP Relay
DHCP Client
RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2)
PPPoE Client

SECURITY
64-bit/128-bit WEP with dynamic keying
iNAT
MAC Address Filtering and Session Limiting...

CE Mark
CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17
VCCI Class B, Telec
UL 1950, CSA22.2 No 950, TÜV/GS(EN60950)
For further information on the certifications for the AG 2100 product, visit www.nomadix.com/downloads.

COMPATIBILITY
Communicates with all Wi-Fi certified wireless adapters

PHYSICAL
9.25(L) x 6.25(W) x 1.5(H) inches...
WebHelp is best viewed using Internet Explorer, version 4.0 or higher. WebHelp is useful when you have an Internet connection to the AG 2100 and you want to access information quickly and efficiently. It contains all the information found in this User’s Guide.
Installing the AG 2100 This chapter provides installation instructions for the hardware and software components of the AG 2100. It also includes an overview of the management interface, some helpful hints for system administrators, and procedures for the following tasks:...
Unpacking the AG 2100
When you unpack the AG 2100, you will find the following items in the carton:
Item
PoE power entry module
Power supply
Power supply AC cord
Plastic anchor
Wall mounting screws
Rubber feet
Protective cardboard ends...
Review this flowchart before attempting to install the AG 2100 on the customer’s network. Place the AG 2100 on a flat and stable work surface and connect the power cord. Connect the AG 2100 to a “live” network. Start a Telnet session to communicate with the AG 2100 via the product’s IP address (172.30.30.172) or its default DHCP address.
(via adapter) to Router or Switch (see note) A straight-through cable is required when connecting the AG 2100 to a Router or Switch. A cross-over cable is required when connecting the AG 2100 directly to an Ethernet adapter on a computer.
AG 2100 Installation Considerations Designed with an indoor range of up to 328 feet (100 meters), the AG 2100 wireless gateway allows you to access your network using a wireless connection from virtually anywhere. However, the number, thickness and location of walls, ceilings or other objects that the wireless signals must pass through may limit the range.
Start a Telnet session to communicate with the AG 2100 via the product’s management IP address (172.30.30.172) or its default DHCP address. When connected to the AG 2100, a login prompt appears on your screen. The default login user name is “admin.” The password is “admin.” Login names and passwords are case-sensitive.
AG 2100 The Management Interfaces (CLI and Web) The AG 2100 supports various methods for managing the system remotely. These include an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. However, until the unit is installed and running, system management is performed from the product’s embedded Command Line Interface...
Enter. The system does not accept data or commands until you hit Enter. Menu Organization (Web Management Interface) When you have successfully installed and configured the AG 2100 from the CLI, you can then access the AG 2100 from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI.
AG 2100 Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages. Installing the AG 2100...
Location settings (all fields) Partner Image File Name Password (adding subscriber profiles) Port Description (finding ports by description) Redirection Frequency (in minutes) 2,147,483,647 (recommend 3600) Reservation Number Username (adding subscriber profiles) Valid SSL Certificate DNS Name Installing the AG 2100...
Help system Other online documentation resources, available from our corporate Web site (www.nomadix.com), include a full PDF version of this User’s Guide (viewable with Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases. The PDF version of this User’s Guide and associated README files are also available on the “Accessories”...
Web Management Interface, an SNMP client manager of your choice, or a simple Telnet interface. The start up configuration must be established before connecting the AG 2100 to a customer’s network. The start up configuration settings include: Assigning Login User Names and Passwords - You must assign a unique login user name and password that enables you to administer and manage the AG 2100 securely.
Assigning the Subnet Mask – The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG 2100 is located. Assigning the Default Gateway IP Address – This is the IP address of the router that the AG 2100 uses to transmit data to the Internet.
(Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the AG 2100 at any one time (the default setting for this feature is disabled).
Performs a warm reboot. Resetting Settings to Factory Defaults The AG 2100 resets the current settings to factory defaults when the reset button is clicked five times in a two second window. When the trigger for this event is detected the device will: Rename the existing current.txt to current.bak (an existing current.bak is discarded if...
Setting the SNMP Parameters (optional) You can address the AG 2100 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers.
If you enabled the SNMP daemon, you must reboot the system for your changes to take effect. In this case, enter y (yes) to reboot your AG 2100.
Sample Screen Response:
Configuration>sn
Enable the SNMP Daemon? [Yes]:
Enter new system contact: newname@domainname.com...
IP addresses. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 2100 to the specified server. Enter log (logging) at the Configuration menu. The system displays the current logging status (enabled or disabled).
Enter Tracking number (0-7) [0]:
Enter Tracking server IP [0.0.0.0]: 9.10.11.12
Enable/disable Tracking log save to file [disabled]: enable
System log Enabled
System log number
System log filter
System log server IP 8.9.10.11
System log Save to file Disabled
System Report log Enabled
System Report log number
System Report log server IP 8.9.10.11
System Report log Save to file Disabled
Tracking logging Enabled
Tracking log number
Tracking log server IP 8.9.10.11
Tracking log Save to file Disabled
The system now displays the current network interface IP address and prompts you for a valid address. The network interface IP address is the public IP address that allows administrators to see the AG 2100 on the network. Use this address when you need to make a network connection with the AG 2100.
24. Lab / Test
25. Other
Please enter a number from the above list [ 1]:
Select Network Interface Configuration Mode:
0 - Static
1 - DHCP Client
2 - PPPoE Client
Select the Network Interface Configuration Mode: [0]:
The system must be reset to function properly. Reboot? [yes/no]: y
Your new settings are displayed and the AG 2100 reboots. When the system restarts, the Telnet interface is enabled (based on your new configuration settings which are saved to the AG 2100’s on-board flash memory).
AG 2100, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 2100 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
When configuring an IP address for the DHCP relay agent, make sure that the IP address used does not conflict with devices on the network side of the AG 2100. Although you cannot enable the DHCP relay and the DHCP service at the same time, you can disable both functions from the Command Line Interface.
“nomadix”). Enter a valid domain name (the Internet domain that DNS requests will utilize). Enter the host name (the DNS name of the AG 2100). The host name must not contain any spaces. After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2).
IP addresses automatically. Archiving Your Configuration Settings Once you install your AG 2100 and establish the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, you can restore your archived settings at any time.
SNMP objects on your AG 2100. Procedure Import the nomadix.mib file into your SNMP client manager. Connect to the AG 2100 from a node on the network that is accessible via the AG 2100’s Daemon network port. Be sure to enable the SNMP on the AG 2100 (available on the CLI or Web Management Interface, under the Configuration menu –...
2.4 GHz frequency range. Before you can use your AG 2100 in a wireless environment, you must configure the unit for wireless connectivity. To configure the AG 2100 using the product’s embedded Web Management Interface, go to “Defining Wireless Configuration {Wireless Configuration}”...
Command Line Interface (CLI). To use any of the remote connections (Web, SNMP, or Telnet), the network interface IP address for the AG 2100 must be established (you did this during the installation process). Using the Web Management Interface (WMI) - Provides a powerful and flexible web interface for network administrators.
The following example shows a (partial) SNMP screen response. Using a Telnet Client You can use many Telnet clients to connect with the AG 2100. Using Telnet provides a simple terminal emulation that lets you see and interact with the AG 2100’s Command Line Interface.
The Web Management Interface (WMI) is a graphical version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the AG 2100 and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
AG 2100 Logging In To access the AG 2100’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to “Assigning Login User Names and Passwords” on page 46). User names and passwords are case-sensitive.
AG 2100 to accept and process XML commands from an external source. XML commands are sent over the network to the AG 2100. The AG 2100 parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
AAA Passthrough Port System administrators can set the AG 2100 to passthrough HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a search engine or news site) has been requested, the subscriber is then redirected as usual.
AG 2100 instantly recognizes new subscribers on the network. You can configure the AG 2100 to handle new subscribers in various ways (see the table on this page). With the IWS, you also have the option of enabling SSL support (if your license includes the SSL support feature and you have the certificate files server.pem, cakey.pem,...
You must reboot the AG 2100 every time you enable or disable SSL Support. If you want to designate a portal page, you must enable the Portal Page; otherwise leave this feature disabled. The Portal Page IP or DNS address is added to the IP passthrough list...
Relogin After Timeout You can now enable or disable the Credit Card Service. When enabled, subscribers are prompted for their credit card information for billing purposes. The AG 2100 is configured to use either Authorize.net or Chainfusion (selected from a pull-down menu).
Enter the information for the following fields:
Credit Card Server URL
Credit Card Server IP
Merchant ID (a valid ID issued by the credit card reconciliation service provider – Authorize.net or Chainfusion).
Enable or disable the SIM Compliant feature, as required. With this feature enabled, you can change the transaction key at your discretion.
After enabling the External Web Server you must enter a Secret Key. The Secret Key ensures that the response the AG 2100 gets from the EWS is valid. (The AG 2100 and the external authorization server must use the same Secret Key.) DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the product’s configuration screens (for example, the...
Logins are permitted only to interfaces that have not been blocked, and only if a match is made with the master Source IP list on the AG 2100. If a match is not made with the Source IP list, the login is denied, even if a correct login name and password are supplied.
Without SNMP settings, it is better not to block all interfaces. Blocking all interfaces and disabling SNMP will leave no access to the AG 2100 administration. For support, please contact Nomadix “Appendix A: Technical Support”...
system, then the access control option of the Command Line Interface (CLI) must be disabled. Alternatively, you can change the IP addresses permitted to reach the access management interface. If possible, contact Nomadix “Appendix A: Technical Support” on page 303 for information.
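The login rule and the lockout caution described above can be modelled as a pre-change check. This is an added example, not Nomadix code or part of the manual; the interface names, the "start-end" range syntax for list entries, and all sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed names for the remote management paths the manual lists
# (Web Management Interface, Telnet/CLI, SNMP).
MGMT_INTERFACES = ("wmi", "telnet", "snmp")


@dataclass
class AccessControl:
    enabled: bool = True                           # access control on/off
    blocked: set = field(default_factory=set)      # interfaces blocked for login
    snmp_enabled: bool = True                      # SNMP daemon on/off
    source_ips: list = field(default_factory=list) # master Source IP list


def _parse_entry(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' (assumed syntax) into (low, high)."""
    lo, _, hi = entry.partition("-")
    lo_ip = ipaddress.ip_address(lo.strip())
    hi_ip = ipaddress.ip_address(hi.strip()) if hi else lo_ip
    if hi_ip < lo_ip:
        raise ValueError(f"range end precedes start: {entry}")
    return lo_ip, hi_ip


def source_allowed(ac, src_ip):
    """True if src_ip matches an entry of the master Source IP list."""
    ip = ipaddress.ip_address(src_ip)
    for lo, hi in map(_parse_entry, ac.source_ips):
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    return False


def usable_interfaces(ac):
    """Management paths an administrator can still log in through."""
    usable = set(MGMT_INTERFACES)
    if ac.enabled:
        usable -= ac.blocked
    if not ac.snmp_enabled:
        usable.discard("snmp")
    return usable


def login_decision(ac, interface, src_ip, credentials_ok):
    """Apply the rule order from the text: interface, then source IP, then credentials."""
    if interface not in MGMT_INTERFACES:
        raise ValueError(f"unknown interface: {interface}")
    if interface not in usable_interfaces(ac):
        return False, "interface blocked"
    if ac.enabled and not source_allowed(ac, src_ip):
        # Denied even when the login name and password are correct.
        return False, "source IP not in list"
    if not credentials_ok:
        return False, "bad credentials"
    return True, "allowed"


def lockout_findings(ac, admin_ips=()):
    """Report settings that would cut administrators off before they are applied."""
    findings = []
    if not usable_interfaces(ac):
        findings.append("no management interface left: all blocked and SNMP disabled")
    if ac.enabled:
        if not ac.source_ips:
            findings.append("access control enabled with an empty source IP list")
        for ip in admin_ips:
            if not source_allowed(ac, ip):
                findings.append(f"admin workstation {ip} is not in the source IP list")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration.
    ac = AccessControl(blocked={"telnet"},
                       source_ips=["10.0.0.5", "192.168.1.10-192.168.1.20"])
    print(login_decision(ac, "wmi", "192.168.1.15", True))
    print(login_decision(ac, "wmi", "203.0.113.9", True))
    print(lockout_findings(ac, admin_ips=["10.0.0.5", "10.0.0.6"]))
```

Running `lockout_findings` against a planned configuration before submitting it catches the case the caution warns about, where every interface is blocked and SNMP is disabled.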
Defining Automatic Configuration Settings {Auto Configuration}
The AG 2100 lets you define parameters to enable automatic configuration of the system. See also: “RADIUS-Driven Auto Configuration” on page
From the Web Management Interface, click Configuration, then Auto Configuration.
Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status) are downloaded from an FTP server into the flash of the Nomadix device.
Administrative Steps to Enable Auto-Config for the NOC Administrator
Add NAS IP address.
Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server.
Create a RADIUS profile with the configuration VSA.
Create an FTP server with the configuration files.
AG 2100 The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto Configuration option and rebooting the device (for example, using SNMP). See also, “Defining Automatic Configuration Settings {Auto Configuration}”...
Setting Up Bandwidth Management {Bandwidth Management}
The AG 2100 allows system administrators to manage bandwidth for subscribers, defined in Kbps (kilobits per second) for both upstream and downstream data transmissions. With the “Information and Control Console (ICC)” on page 250...
Your product license may not support this feature. The AG 2100 can send copies of credit card transaction billing records to external servers that have been previously defined by system administrators. The AG 2100 assumes control of billing transmissions and saving billing records.
Primary IP Secret Key Port The AG 2100 and the “mirror” servers must use the same secret key. Repeat Step 4 for the secondary server (if any) and all carbon copy servers.
AG 2100, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 2100 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
IP pools from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses that are on the same subnet as the AG 2100. You must disable the DHCP server before enabling the DHCP relay. Both features cannot be enabled concurrently.
Enter a valid DHCP Server IP address for the DHCP server. Enter the DHCP Server Netmask. Enter the starting and ending IP addresses for the DHCP address pool you want to use: DHCP Pool Start IP, DHCP Pool Stop IP...
Reset When the system restarts, DHCP is enabled and configured. The existing lease pool and lease table are deleted and the AG 2100 reboots. The AG 2100 can issue IP addresses to any DHCP enabled subscriber who enters the network.
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The AG 2100 utilizes whichever server is currently available.
Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent). Servers include: Primary DNS Server, Secondary DNS Server, Tertiary DNS Server. The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
Configuring Dynamic DNS {Dynamic DNS}
These settings can be accessed under the following menus:
WMI Configuration: Go to Configuration->Dynamic DNS
CLI Configuration: Go to Configuration->dyndns; go to Configuration->dyndns->configure for configurations
SNMP Configuration: Go to ag->dyndns (enterprises.3309.1.3.50) for DDNS configuration branch...
Enable Checkbox: This is the checkbox to enable or disable the Dynamic DNS functionality.
Provider Information: This is to specify provider details. Currently only dyndns.org is supported. Protocol the vendor supports. Server and Port to which the client sends updates to the DDNS server.
GRE Tunneling {Gre Tunneling}
Use the following procedure to set the GRE Tunneling options. From the Web Management Interface, click Configuration, then Gre Tunneling. The Gre Tunneling screen appears: Click the checkbox for GRE Tunneling to enable this feature.
Parameter Passing . Parameter passing allows the AG 2100 to track a subscriber’s initial web request (usually the subscriber’s home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.
Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT™ engine performs a defined mode of network address translation based on packet type and protocol (for example, GRE, IKE etc…).
Page 111
Configure the iNAT Address Pool. To add or remove an IP address (or range of IP addresses) to or from the list, enter the starting IP address in the iNAT Start IP field. If you are adding or removing a range of IP addresses to the iNAT list, you must now enter the ending IP address in the field.
AG 2100 Defining IPSec Tunnel Settings {IPSec} From the Web Management Interface, click on Configuration, then IPSec (You can also access IPSec from the CLI by going to Configuration->IPSec to configure settings, and Network Info->IPSec to view IPSec Tunnel status.)
Click on the Add button in the Peers and Security Policy (SP) tables to add an entry. Peer IP addresses in the Peers and SP tables are links to the configured policies. IPSec Tunnel Peers
Page 114
Tunnel Peer: IP address of peer. Peer Authentication Method: choice of Pre-shared Key or X.509 certificates. Enter the Pre-shared Key in the Shared Key text field if Pre-shared Key is selected. Enter the filename of the private and public certificates if X.509 is selected. Note: files must exist on flash first.
AG 2100 IPSec Tunnel Security Policies System Administration...
Page 116
AG 2100 Tunnel Peer Address Select a Peer IP Address from the pull-down menu with which this security association is to be established. Must select a Peer if the policy is using ESP or AH. Able to select ‘none’ only if policy is a discard or bypass policy...
Page 117
Security Parameters: choice of Discard, Bypass, ESP, or AH. Discard/Bypass => select a direction type. ESP only => select all acceptable encryption algorithms. ESP/AH => select all acceptable authentication algorithms. Perfect Forward Secrecy Strength. Maximum Lifetime. Maximum Life size...
AG 2100 Establishing Your Location {Location} This command sets up your location and the corresponding IP addresses for the network interface, subnet, and default gateway. You must provide your full location information. From the Web Management Interface, click , then...
Page 119
You may lose your connection if you change the IP settings incorrectly (using invalid IP addresses). If you misconfigure the AG 2100 and network connectivity is lost, you can still access the AG 2100 from the Admin IP address (172.30.30.172).
Default Gateway field. The default gateway is the IP address of the router that the AG 2100 uses to transmit data to the Internet. When finished, you must reboot the system for the new settings to take effect. Click the...
Page 121
AG 2100 From the Web Management Interface, click Configuration , then Logging. The Log Settings screen appears: System Administration...
Page 122
System Log logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 2100 to the specified SYSLOG server. Enter a unique number (between 0 and 7) in the System Log Number field. This ID number is assigned to the System Log Server.
AG 2100 Assigning Passthrough Addresses (Passthrough Addresses) The AG 2100 allows up to 52 IP passthrough addresses and DNS names. This feature allows users to “pass through” the AG 2100 and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though users may not have subscribed to the broadband Internet service.
Page 124
IP/DNS Name: the IP address or DNS name of the passthrough you want to add or remove from the system. The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information. If adding this passthrough, click...
Setting Up Port Locations {Port-Location} Port-Location allows you to establish the mode of operation for devices. From the Web Management Interface, click on Configuration, then Port-Location. The Port-Location Settings screen appears:
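Because passthrough entries are reachable by users who have not subscribed, it helps to vet a candidate list against the stated rules (bare IP address or DNS name, no protocol, port, or path, at most 52 entries) before typing it into the gateway. The following is an added example, not Nomadix code; the function names are hypothetical, IP addresses are assumed to be IPv4, and DNS names are checked against standard hostname label rules.

```python
import ipaddress
import re

MAX_PASSTHROUGH = 52  # limit stated in the manual

# Standard hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_entry(raw):
    """Return (normalized_value, None) if usable, else (None, reason)."""
    value = raw.strip()
    if not value:
        return None, "empty"
    if "://" in value:
        return None, "protocol not allowed"
    try:
        # Assumption: the gateway expects dotted-quad IPv4 addresses.
        return str(ipaddress.IPv4Address(value)), None
    except ipaddress.AddressValueError:
        pass
    if any(c in value for c in "/?#"):
        return None, "path not allowed"
    if ":" in value:
        return None, "port not allowed"
    name = value.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or not all(_LABEL.match(label) for label in labels):
        return None, "not a valid DNS name"
    if labels[-1].isdigit():
        # Looks like an address (e.g. 300.1.1.1) but did not parse as one.
        return None, "malformed IP address"
    return name, None


def audit_passthrough(candidates):
    """Split candidates into entries safe to configure and rejected ones."""
    accepted, rejected = [], []
    for raw in candidates:
        value, reason = check_entry(raw)
        if reason:
            rejected.append((raw, reason))
        elif value in accepted:
            rejected.append((raw, "duplicate"))
        elif len(accepted) >= MAX_PASSTHROUGH:
            rejected.append((raw, "list full"))
        else:
            accepted.append(value)
    return accepted, rejected


# Constructed sample input for illustration only.
SAMPLE = [
    "www.nomadix.com",
    "http://www.nomadix.com",
    "www.nomadix.com:8080",
    "www.nomadix.com/portal/index.html",
    "192.0.2.10",
    "300.1.1.1",
    "WWW.NOMADIX.COM",
]

if __name__ == "__main__":
    ok, bad = audit_passthrough(SAMPLE)
    print("configure:", ok)
    for raw, reason in bad:
        print("rejected: %-36s %s" % (raw, reason))
```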
Page 126
If you enabled In Room Port Mapping, you must assign a Username and Password. You will need these when you perform port mapping from the subscriber side of the AG 2100. Go to “In Room Port Mapping” on page 114 to map rooms from the subscriber side of the AG 2100.
Page 127
AG 2100 These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. You must enter the IP address (not name), SNMP community, and SNMP query duration (maximum time it takes to detect subscriber migration) of all access concentrators connected to the site.
This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled. AG 2100 multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems.
Page 129
AG 2100 Enter your user name and password, then click on the button. The In Room Port Mapping screen appears: Enter the room number and a description for this room. Select the access mode you want to assign to this room:...
AG 2100 Defining the RADIUS Client Settings {RADIUS Client} The AG 2100 supports Remote Authentication Dial-In User Service (RADIUS). RADIUS is an authentication and accounting system used by many Internet Service Providers. The “Usernames” function must be enabled for a RADIUS login. See also, “Defining the AAA Services {AAA}”...
Page 131
AG 2100 For additional RADIUS information, see also: “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on page 122. “RADIUS Attributes” on page 271. From the Web Management Interface, click on Configuration , then RADIUS Client. RADIUS Client Settings screen appears:...
Default User Idle Timeout before the subscriber’s session times out and they must login again. The AG 2100 can reauthenticate “repeat” subscribers who return to the system within 720 hours. To enable this feature, click on the check box for...
AG 2100 Defining the RADIUS Proxy Settings {RADIUS Proxy} A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers.
Adding an Upstream RADIUS NAS If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the AG 2100), click on the button. The Add Upstream RADIUS NAS screen appears: To make this entry the “active”...
Page 135
Click on the button to add this Upstream RADIUS NAS definition, then click on the Back to Main RADIUS Proxy Settings page link to return to the RADIUS Proxy Settings screen. The Upstream RADIUS NAS definition you just added appears in the list. You can add up to 10 definitions.
AG 2100 Defining the Realm-Based Routing Settings {Realm-Based Routing} Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies (up to 50). For additional RADIUS information, see also: “Defining the RADIUS Client Settings {RADIUS Client}” on page 116 “Defining the RADIUS Proxy Settings {RADIUS Proxy}”...
Adding a RADIUS Service Profile To add a RADIUS Service Profile, click on the appropriate button. The Add RADIUS Service Profile screen appears: Enter a name of your choice for this service profile in the Unique Name field...
Page 138
The secret key is a valuable and necessary security measure. The AG 2100 and the RADIUS servers must use the same secret key.
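Why the two sides must hold the same secret key: in RADIUS (RFC 2865) the shared secret is mixed into both the hidden User-Password and the Response Authenticator, so a mismatch makes the password decode to garbage and makes the client discard the server's reply. This is an added example, not code from the AG 2100 or from Nomadix; the secrets, identifier, password, and authenticator bytes are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 sec. 5.2: XOR the padded password with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # each block chains on the previous ciphertext block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: reverse hide_password using its copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def response_is_authentic(packet, request_auth, secret):
    """Client side: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed values for illustration only.
GATEWAY_SECRET = b"constructed-secret-A"
MISMATCHED_SECRET = b"constructed-secret-B"
REQUEST_AUTH = bytes(range(16))
REPLY = b"welcome"
ATTRS = bytes([18, 2 + len(REPLY)]) + REPLY  # Reply-Message attribute

if __name__ == "__main__":
    hidden = hide_password(b"guest-pass", GATEWAY_SECRET, REQUEST_AUTH)
    for label, server_secret in (("matching", GATEWAY_SECRET),
                                 ("mismatched", MISMATCHED_SECRET)):
        seen = unhide_password(hidden, server_secret, REQUEST_AUTH)
        reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS,
                               server_secret)
        ok = response_is_authentic(reply, REQUEST_AUTH, GATEWAY_SECRET)
        print(label, "| server sees password:", seen,
              "| gateway accepts reply:", ok)
```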
AG 2100 Retransmission Options This category requires you to define the data retransmission method (failover or round-robin), the retransmission frequency, and how many retransmissions the system should attempt. Select the Retransmission Method (Failover or Round Robin). Enter a value for the time (in seconds) in the Retransmission Frequency field.
Page 140
AG 2100 The Add Realm Routing Policy screen appears: To make this entry the “active” entry, click on the Entry Active check box. To define a specific realm, choose the option and enter the destination in Specific Realm field. Alternatively, you can choose the...
Page 141
AG 2100 The Realm Routing Policy you just created is added to the list. Your new RADIUS Service Profiles are added to this list Your new Realm Routing Policies are added to this list System Administration...
Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the AG 2100 redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving E-mail is as easy as it’s always been.
AG 2100 Managing the SNMP Communities {SNMP} You can address the AG 2100 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
Page 144
Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. You can now use your SNMP client to manage the AG 2100 via the Internet.
AG 2100 Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks. For example: Establish a maximum of 15 different DHCP pools for routable IP addresses at the same time.
Page 146
(Public Subnets Settings). To edit the Current Public DHCP Subnets table, go to “Managing the DHCP Service Options {DHCP}” on page For additional information about the multiple subnet feature, go to “Contact Information” on page 303 for Nomadix Technical Support. System Administration...
AG 2100 Displaying Your Configuration Settings {Summary} You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on Configuration then click on Summary. The Summary of Configuration Settings screen appears (partial screen shown here): More listings ...
The AG 2100 establishes its time relative to UTC (Universal Coordinated Time, based on the ISO 8601 standard). UTC is used in conjunction with RADIUS servers (for example, if the RADIUS server is set up for a time zone that is different from the AG 2100). Enter UTC offset values for...
AG 2100 Setting Up URL Filtering {URL Filtering} The AG 2100 can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods: Host IP address (for example, 1.2.3.4)
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side...
Page 151
This procedure allows system administrators to establish the peer-to-peer IPSec connection. Basic IPSec parameters must be entered by the system administrator to successfully establish the VPN session. We recommend that you create different private subnets behind the VPN termination device and the AG 2100. System Administration...
AG 2100 Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address.
AG 2100 Displaying DAT Sessions {DAT} The AG 2100 provides “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. Dynamic Address Translation (DAT) allows all users to obtain network access, regardless of their computer’s network settings.
AG 2100 Displaying the Host Table {Hosts} You can display a table which lists the hosts that are currently configured. This table includes the assigned host names, their corresponding IP addresses, and any aliases that may be assigned to each host. Hosts provide services to other computers that are linked to it by a network.
AG 2100 Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requestors. These statistics are presented as a listing which details the current status of each ICMP transmission element.
AG 2100 Displaying the Network Interfaces {Interfaces} You can display the network interfaces which are presented as a detailed listing of all interface communication elements and their current status. To view the Network Interfaces, go to the Web Management Interface, click on...
AG 2100 Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches its destination, even though different packets may “pass through”...
Displaying the Routing Tables {Routing} You can display the current Routing Tables, including any dynamically generated routes, unreachable routes, or wildcard routes. To view the Routing Tables, go to the Web Management Interface, click on Network Info, then click on Routing.
AG 2100 Displaying the Active IP Connections {Sockets} You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections. To view the Socket Table, go to the Web Management Interface, click on , then...
AG 2100 Displaying the Static Port Mapping Table {Static Port-Mapping} You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port-Mapping Table, go to the Web Management Interface, click on...
AG 2100 Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks.
AG 2100 Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol which adds a level of reliability and multiplexing to the Internet Protocol (IP).
AG 2100 Port-Location Menu The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, L2TP Tunneling) and the billing plans available on each port can now be individually configured. This ability allows for having different billing methods and billing plans on different ports of the NSE.
There may even be multiple ports assigned to a single room or location. The AG 2100 uses a port-location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.
Page 165
Choose Enable PMS Billing if you want PMS based room billing to be enabled on this port. (The AG 2100 series does not support PMS billing and this option will not show.) Choose Enable Credit Card Billing if you want Credit Card based billing to be enabled on this port.
Page 166
Tunneling for a port is enabled only if Tunneling is globally enabled AND the per-port enable Tunneling parameter is set. Click on the button to save your changes (the message: Entry added or updated in appears), or click on the...
AG 2100 Updating a Port-Location Assignment The procedure for updating a port-location assignment is similar to adding a port-location assignment. The difference between the two procedures is how they are presented to you. For example, if you already have port-locations assigned and you enter an existing “port” value, each data field that you go through (port, location, state, and description) displays the value currently assigned to the field.
AG 2100 Deleting All Port-Location Assignments {Delete All} This procedure shows you how to delete all port-location assignments. The AG 2100 displays a warning and prompts you to confirm this action before deleting all the port-locations currently assigned in the system.
This procedure shows you how to delete a port-location assignment, based on its location. The AG 2100 prompts you to confirm this action before deleting the requested port-location. If you have updated a port-location assignment, you may want to change its description to distinguish from the old assignment.
AG 2100 Deleting Port-Location Assignments by Port {Delete by Port} This procedure shows you how to delete a port-location assignment, based on its port. The AG 2100 prompts you to confirm this action before deleting the requested port-location. If you are unsure which port-locations are currently mapped to the system, you can view a list at “Displaying the Port-Location Mappings {List}”...
“location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the AG 2100’s flash memory). Exporting your current port-location assignments to the AG 2100’s flash memory will overwrite the existing location.txt file. From the Web Management Interface, click on...
AG 2100 Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their location or port.
AG 2100 Finding Port-Location Assignments by Location {Find by Location} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or port.
AG 2100 Finding Port-Location Assignments by Port {Find by Port} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or location.
Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the AG 2100’s flash memory). If you have never exported port-location assignments (since installing the AG 2100 at this site), the location.txt is empty.
You can click on the “View location.txt” link if you want to view the current contents of the file. Creating a “location.txt” File You can create your own “location.txt” file and upload the file to the AG 2100’s flash memory at [IP address]/flash/location.txt. Use the following format when creating the file: “1”,1,00:00:00:00:00:00,0.0.0.0,0, “Room 101”...
AG 2100 Displaying the Port-Location Mappings {List} You can display a listing of all port-locations assigned to this system. To view the listing of port-location assignments, go to the Web Management Interface, click on Network Info , then click on List.
Subscriber Administration Menu Adding Subscriber Profiles {Add} AAA Services must be enabled before you can add a subscriber profile into the AG 2100’s internal authorization database. Refer to, “Defining the AAA Services {AAA}” on page This procedure shows you how to add subscriber profiles into a table of authorized users. Use this procedure when the credit card service option is disabled and the solution provider wants to limit access to pre-qualified users only.
Page 179
Public Private (only used when the IP Upsell feature is enabled, otherwise leave this set to “private”). Leave the Proxy Arp For Device check box unchecked (not required with the AG 2100). Leave the 802.1Q Device Port field blank. Enter a valid for the subscriber.
Page 180
In the Username field, enter a user name for this subscriber. If you entered a MAC address and you do not want to assign a user name, skip Step 9 (password). User names and passwords are case-sensitive. Having a user name and password...
AG 2100 Displaying Current Subscriber Connections {Current} You can display a listing of all the subscribers currently connected to the system. The list includes the MAC addresses of the subscribers, their active state, the individual expiration times, port numbers (if assigned), and the number of bytes that have been passed from the subscriber to the Internet.
AG 2100 Deleting Subscriber Profiles by MAC Address {Delete by MAC} This procedure shows you how to delete a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s MAC address. To see a current listing of the subscriber database, sorted by MAC addresses, go “Listing Subscriber Profiles by MAC Address {List by MAC}”...
AG 2100 Deleting Subscriber Profiles by User Name {Delete by User} This procedure shows you how to delete a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s user name. To see a current listing of the subscriber database, sorted by user name, go to “Listing Subscriber Profiles by User Name {List by User}”...
, then click on Subscriber Administration DHCP Leases. To utilize this feature, your AG 2100 must be set to act as its own DHCP Server. The DHCP function cannot be set to DHCP Relay. Refer to “Managing the DHCP Service Options {DHCP}” on page...
AG 2100 Deleting All Expired Subscriber Profiles {Expired} This procedure shows you how to delete all expired subscriber profiles from the AG 2100’s database of authorized subscribers. Use this procedure when you want to “clean up” the subscriber database. From the Web Management Interface, click on...
AG 2100 Finding Subscriber Profiles by MAC Address {Find by MAC} This procedure shows you how to find a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s MAC address. Use this procedure when you want to see the statistics corresponding to the MAC address.
Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the AG 2100’s database of authorized subscribers, based on the profile’s user name. Use this procedure when you want to see the statistics corresponding to the user name.
AG 2100 Listing Subscriber Profiles by MAC Address {List by MAC} You can display the currently active database of authorized subscribers, based on MAC addresses. To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click...
Listing Subscriber Profiles by User Name {List by User} You can display the currently active database of authorized subscribers, based on user names.
AG 2100 Viewing RADIUS Proxy Accounting History {RADIUS Session History} These settings are available under Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox When this setting is enabled any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD” in the /flash directory.
AG 2100 Displaying Current Profiles and Connections {Statistics} You can view the total number of profiles and connections currently stored in the AG 2100’s database of authorized subscribers. The displayed list includes the number of subscribers currently in the database (Current Table) and a numerical breakdown of how the subscribers can utilize the system (for example, free access, credit card, etc.).
AG 2100 Subscriber Interface Menu Defining the Billing Options {Billing Options} You can define various billing options for use with the Internal Web Server (IWS), based on: Billing plans, including pricing and bandwidth. Messages displayed to subscribers, including an Introduction Message, Offer Message and Policy Message.
Page 193
From the Web Management Interface, click on Subscriber Interface, then Billing Options. The Internal Billing Options Setup screen appears:
Page 194
AG 2100 Review the billing plans that are currently active. To view or edit a billing plan, simply click on the Show/Change button opposite the corresponding plan. The Internal Billing Options Plan Setup screen appears for the billing plan you selected...
Page 195
Time Unit One time unit is assigned to each billing plan. The AG 2100 allows you to define multiple billing plans with different time units at the same time. For example, you can define one billing plan that changes by the hour (e.g.
Page 196
Define the Units of Access (Minute, Hour, Day, Week, or Month) you want to make available to subscribers. If you want to allow free access to subscribers, you can define the following free billing options: Default Free Access Time (in days)
AG 2100 Setting Up the Information and Control Console {ICC Setup} The Nomadix Information and Control Console (ICC) is a HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
Page 198
From the Web Management Interface, click on Subscriber Interface, then ICC Setup. The ICC Setup screen appears: If you want subscribers to see the ICC (pop-up window), click on the check box for Display ICC (Information and Control Console) to enable this feature.
Image Name – The representative image file you want to use for the button. When assigning images for buttons, refer to: “Pixel Sizes” on page 188. If you assign (or change) button images or banner images, the AG 2100 must be rebooted for your changes to take effect. System Administration...
When you have completed assigning all your redirect buttons, click on the check box for Reboot after changes are saved? Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Page 201
Start Time (Optional) Stop Time (Optional) If you assign (or change) button images or banner images, the AG 2100 must be rebooted for your changes to take effect. If you changed any of the Image Name definitions, click on the check box for Reboot (to reboot the AG 2100).
AG 2100 Pixel Sizes Use the following parameters when defining images for buttons and banners: Banners – 373 pixels (width) x 32 pixels (height) ISP Button – 98 pixels (width) x 26 pixels (height) Small buttons – 45 pixels (width) x 26 pixels (height)
AG 2100 Defining Languages {Language Support} The AG 2100 allows you to define the text displayed to your users by the Internal Web Server (IWS) without any HTML or ASP knowledge. The language you select here will determine the language encoding that the AG 2100’s Internal Web Server instructs the browser to use.
Page 204
Interface and the subscriber’s portal page, choose the Other option, then choose one of the available Japanese character sets from the drop-down menu. If sufficient space is available, the AG 2100’s Internal Web Server also supports multiple languages at the same time.
Go to WMI->Subscriber Interface->Local Web Server and add the names of the HTML or image files that were uploaded to the /flash/web directory. Reboot the AG 2100. The pages can now be served by referencing the URL http://nseip:1111/web/<filename> or at https://nseip:1112/web/<filename> for preauthenticated end users.
Page 206
AG 2100 Web Page File Name This text box lets you add or remove the names of the web pages that you intend to serve to the end users. The name of the web page has to be added in order for it to be served to the end...
Defining the Subscriber’s Login UI {Login UI} This procedure allows you to set up the presentation and content of the subscriber’s login User Interface (UI). From the Web Management Interface, click on Subscriber Interface, then Login UI.
Page 208
Click on the check box for Enable “Remember Me” option if you want to enable (or disable) this feature. This option enables the AG 2100 to “remember” logins for a predetermined duration (see next step). The “Remember Me” option requires JavaScript to be enabled.
Page 209
Image File Name Partner Image File Name must reboot the AG 2100 for your changes to take effect. In this case, click on the check box for Reboot after changes are saved? The partner image (splash screen) is not the same screen that is defined by the Image File Name (IWS screen) field.
The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the AG 2100’s Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms. The IWS page displays the details of the...
Page 212
From the Web Management Interface, click on Subscriber Interface, then Post Session. The Subscriber Post Session User Interface Settings screen appears:
Page 213
AG 2100 Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS Goodbye Page, as required. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes: Display IP Address...
Defining Subscriber UI Buttons {Subscriber Buttons} This procedure allows you to define how each of the control buttons are displayed to subscribers. From the Web Management Interface, click on Subscriber Interface, then Subscriber Buttons. The Subscriber Page -- Control Button Definitions screen appears: Caution: Only the Login button should be named “Login.”...
Defining Subscriber UI Labels {Subscriber Labels} This procedure allows you to define how the user interface (UI) field labels are displayed to subscribers. From the Web Management Interface, click on Subscriber Interface, then Subscriber Labels. The Subscriber Page -- Field Label Definitions screen appears:
AG 2100 Defining Subscriber Error Messages {Subscriber Errors} This procedure allows you to define how error messages are displayed to subscribers. There are 2 (two) pages of error messages available. From the Web Management Interface, click on Subscriber Interface , then...
Page 217
AG 2100 Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the button.
Defining Subscriber Messages {Subscriber Messages} This procedure allows you to define how “other” subscriber messages are displayed. There are 3 (three) pages of subscriber messages available. From the Web Management Interface, click on Subscriber Interface, then Subscriber Messages, 1 of 3. The Subscriber Page -- Other Message Definitions, 1 of 3 screen appears.
Page 219
Enter the definitions you want for each subscriber message in the corresponding fields. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Page 220
Repeat Steps 1 – 3 for page 3 of 3 (see following screen):
System Menu Adding an ARP Table Entry {ARP Add} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
Deleting an ARP Table Entry {ARP Delete} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
“remove” the AG 2100 from the network without physically disconnecting the unit. You can still manage the AG 2100 when Bridge Mode is enabled, but you have no other functionality. If you enable the Bridge Mode option and then plug the AG 2100 into a network, all you need to do is assign it routable IP addresses.
Exporting Configuration Settings to the Archive File {Export} This procedure shows you how to export the current system configuration settings to an archive file for future retrieval. This function is useful if you want to change the configuration settings and you are unsure of the effect that the changes will have.
If you restore the factory default configuration settings, you will no longer be able to access the AG 2100 remotely. However, you always have the option of using the “import” function to restore system configuration settings from the archive file.
Page 226
Click here to view the “current.txt” file. Click here to view the “factory.txt” file. Click on the Submit and Reboot button to replace the current system configuration settings with the factory default settings and reboot the AG 2100.
Viewing the History Log {History} You can view a history log of the system’s Access, Reboot, and Uptime activities. The history log contains up to 500 entries. Once the log holds 500 entries, each new log item removes the oldest entry in the list.
Page 228
– User name of the Administrator / Operator. – Source IP address (see note). The source IP displayed may be the source IP of a NAT router instead of the client of the person accessing the AG 2100.
Establishing ICMP Blocking Parameters {ICMP} The AG 2100 includes the option to block all ICMP traffic from “pending” or “non authenticated” users that are destined to addresses other than those defined in the pass-through (walled garden) list. The default setting for this option is “disabled” since ICMP pass-through is a useful end-user troubleshooting feature and also required by certain smart clients (for example, GRIC).
Importing Configuration Settings from the Archive File {Import} This procedure shows you how to restore the system configuration settings from an archive file (previously created with the export function). The archived configuration settings you want to restore may not contain valid IP addresses.
(Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When this feature is enabled, one manager and three operators can access the AG 2100 at any one time (the default is “disabled”). This feature supports the following interfaces: Telnet Command Line Interface (CLI) –...
Page 232
The Login Name and Password screen appears: Click on the check box for Administration Concurrency if you want to assign concurrent Manager and Operator logins. In the Manager Login field, enter a login name for this manager. Login names and passwords are case-sensitive. Use login names and passwords that are easy to remember (up to 11 characters, any character type).
Page 233
If you enabled Administration Concurrency, repeat steps 3 to 5 for an operator login. As part of its Smart Client feature, the AG 2100 offers a remote RADIUS testing feature (enabled by default). With this feature, the AG 2100 provides a password-protected Web page.
Defining the MAC Filtering Options {Mac Filtering} MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time (see caution).
Rebooting the System {Reboot} This procedure shows you how to reboot the AG 2100. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
Adding a Route {Route Add} This procedure shows you how to add a route into the AG 2100’s routing table. This is accomplished by establishing the route’s destination IP address, and by setting the gateway or router IP address by which the route’s destination can be reached.
Deleting a Route {Route Delete} This procedure shows you how to delete a route to a specific IP destination. From the Web Management Interface, click on System, then Route Delete. The Delete Static Routes screen appears: Enter the address of the route you want to delete from the routing table.
Establishing Session Rate Limiting {Session Limit} Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number of DAT sessions any one user can take over a given time period and, if necessary, then block malicious users.
AG 2100. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the AG 2100 without setting them up with public IP addresses.
Page 240
Internal Port. Enter a valid MAC Address. Enter the External IP Address. The External IP address field will default to the IP address of the AG 2100. Enter the External Port reference. Optional: Enter the Remote IP Address. Leave this field set to zero if you want to connect to the internal device from any network-side workstation.
AG 2100. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the AG 2100 without setting them up with public IP addresses.
Updating the AG 2100 Firmware {Upgrade} Upgrading the AG 2100 firmware is performed from the AG 2100’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support).
Defining Wireless Configuration {Wireless Configuration} This procedure allows you to configure the AG 2100’s wireless settings and optimize transmissions and wireless security. See also: “Why Choose Wireless?” on page 2; “Offering Speed and Efficiency” on page 4; “Optimizing Performance” on page 4; “Installation Considerations”...
Page 244
To add, edit, or remove Virtual APs (VAPs), click the Virtual AP Setup link at the top of this window. See “Virtual AP Setup” on page 231. Select a Regulatory Domain from the drop-down list: USA/Canada ETSI World...
Virtual AP Setup Your product license may not support this feature. The NSE can create virtual access points (VAPs) from one physical access point by assigning unique BSSIDs to each SSID. Single providers can use VAPs to offer multiple services (for example, offering access to different VLANs, using different authentication/association methods).
Page 246
Using the WMI: From the System menu, click Wireless Configuration, then Virtual AP Setup. The Virtual AP Setup window appears: Enable or disable Default 802.1q Tag for System Traffic, and add/edit the associated VLAN tag if necessary. Changing the default tag number may result in a loss of connectivity.
Page 248
Enter an SSID. The SSID (Service Set Identifier) is a unique name that identifies a wireless network. All devices on a wireless network must share the same SSID name in order to communicate on the wireless network. The SSID can be up to 32 ASCII characters.
Page 249
RADIUS-based WAN VLAN takes priority over Virtual AP-based WAN VLAN. If you enable WAN VLAN, enter a VLAN tag number using one to 10 numeric characters. Multiple VAPs can be mapped to the same VLAN. Select an Authentication Method:...
Page 250
802.11i Settings 802.11i settings are available only for WPA and WPA 2 association methods. If you chose Open or WEP, please see “WEP Settings” on page 237. IEEE 802.11 and 802.11i can be configured differently per VAP, and doing so is recommended.
Page 251
WEP Settings WEP features are available only if WEP is selected for Authentication Method. If you chose a WPA or WPA 2 Authentication method, proceed to “Other Options” on page 238. Select an 802.11 Authentication Type: Open or Shared.
Page 252
Other Options Enable or disable UAM (Universal Access Method). UAM controls [web-browser based] Authentication, Authorization and Accounting for the VAP. UAM must be enabled for the VAP to use the Global AAA settings (see “Defining the AAA Services {AAA}” on page 67).
Page 253
Select a RADIUS Mode: Disabled, to disable RADIUS authentication; Realm-Based, for Realm routing; Fixed, for routing to predefined RADIUS servers; System Defaults, to defer to the Global RADIUS Client configuration. Global RADIUS Client settings must first be configured before you select a RADIUS Mode.
When a subscriber accesses the solution provider’s high speed network, the AG 2100 points their browser to a sign-in page. The AG 2100 then creates a database entry that automatically records the subscriber’s Media Access Control (MAC). Like a router, the AG 2100 continuously tracks subscriber IP and MAC settings, eliminating the need for further sign-ins and ensuring that subscriber usage and billing is recorded accurately.
Authorization and Billing As a gateway device, the AG 2100 enables plug-and-play access to broadband networks. Broadband network solution providers can now offer their subscribers a wide range of high speed services, including access to the Internet. Of course, a high speed Internet connection is not free –...
User-selectable options and parameters (for example, defining the time purchased). Only subscribers that are correctly identified and authenticated are authorized to access the system. Once authorized, the subscriber’s activity is logged and billed through the AG 2100’s Accounting module. The Accounting module fully supports the following functions: Credit card billing (for example, interaction with AuthorizeNet).
Process Flow (AAA) The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the AG 2100. [Flowchart: AG 2100 detects connection and verifies user against authorization table; branches for New User and Existing Subscriber...]
English, Chinese, French, German, Japanese, and Spanish. Home Page Redirection The AG 2100 can be configured to redirect all valid subscribers to a Web portal or home page determined by the solution provider. After a specified time, from the first home page redirection (determined by the system administrator), subscribers are redirected again to the portal at the next Web page request.
Credit card Combinations of two or more subscriber management models can be used. When a subscriber connects to the network and attempts to access the Internet, the AG 2100 looks for each model in the given order above. Subscriber Management Models The system administrator establishes the subscriber management model via the Command Line Interface (CLI) or the Web Management Interface.
Credit card Enable the AAA services. You have the choice of enabling the AG 2100’s internal authorization module or using an external credit card authorization server. Internal Authorization Enabled Enter the credit card server’s URL and IP address, then enter the merchant ID you obtain from Authorize.Net.
Information and Control Console (ICC) The Information and Control Console (ICC) is an HTML-based pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account.
Web Management Interface (WMI) Menus The following tables contain a listing and brief explanation of all menus and menu items contained in the AG 2100’s Web Management Interface (WMI), listed as they appear on screen. Main Page Menus...
A login is permitted only if a match is made with the master list contained on the AG 2100. If a match is not made, the login is denied, even if a correct login name and password are supplied.
Page 267
Enables logging options for the system and AAA functions.
Passthrough Addresses: Allows you to establish up to 300 IP pass-through addresses.
RADIUS Client: With the appropriate product license, the AG 2100 supports Remote Authentication Dial-In User Service (RADIUS). This procedure sets up the RADIUS client.
Realm-Based Routing...
Network Info Menu Items
Item: Description
Displays the ARP table, including the destination IP address and the gateway MAC address.
Displays the DAT session table.
Hosts: Displays the host table, including host names, associated IP addresses and any assigned aliases.
Port-Location Menu Items
Items: Description
Adds or updates port-location assignments.
Delete All: Deletes all port-location assignments. Use this command with caution.
Delete by Location: Deletes port-location assignments, based on a specified location.
Delete by Port: Deletes port-location assignments, based on a specified port (VLAN tag).
Subscriber Administration Menu Items
Items: Description
Allows you to add subscriber profiles to the database.
Current: Displays a list of all currently connected subscribers.
Delete by MAC: Allows you to delete a subscriber, based on a specific MAC address.
Subscriber Interface Menu Items
Items: Description
Billing Options: Establishes the various billing plans and rates (schemes), including messages and appearance.
ICC Setup: Allows you to set up the Information and Control Console (ICC) for subscribers.
Language Support: Allows you to define the language to be displayed on the Web Management Interface and the subscriber’s portal page.
Displays system memory usage information.
Reboot: Reboots the AG 2100.
Route Add: Adds a route into the AG 2100’s routing table.
Route Delete: Deletes a route to a specific IP destination.
Session Limit: Limits the number of sessions any one user can take over a given time period and, if necessary, then blocks malicious users.
Description
Syslog: Displays syslog history.
System Utilization: Enables or disables system utilization.
Upgrade: Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support.
User Settings: Enables or disables blocking of all IPPROTO Traffic from Misconfigured Subscribers.
Wireless Configuration: Configures the AG 2100’s wireless settings.
Item: Description (Menu)
AAA: Set AAA options (Configuration)
Access Control: Enables secure administration of the AG 2100 (Configuration)
Add: Add subscriber profiles to the database (Subscriber Admin)
ARP: Display the ARP table (Network Info)
ARP Add: Add an ARP table entry (System)
ARP Delete ......
Page 275
TCP: Display the TCP performance statistics (Network Info)
Time: Set the system date and time (Configuration)
UDP: Display the UDP performance statistics (Network Info)
Upgrade: Upgrade the AG 2100 system firmware (System)
URL Filtering: Define URLs for filtering (Configuration)
Wireless Configuration: Sets up the wireless configuration parameters (System)...
Default (Factory) Configuration Settings The following table shows a partial listing of the AG 2100’s primary default configuration settings (the settings established at manufacturing). For a complete listing of the factory default settings, refer to the factory.txt file. For more information, go to “Importing the Factory...
Page 277
Function: Default Setting
Dynamic Address Translation (DAT): Enabled (cannot be changed)
AAA Logging: Disabled
AAA Log Server Number:
AAA Log Server IP: 0.0.0.0
SYSLOG (System Logging): Disabled
SYSLOG Server Number:
SYSLOG Server IP: 0.0.0.0
AAA Services: Disabled
Internal Authorization...
Specifications
PUBLIC ACCESS
User Support: AG 2100 supports a total of 100 wired and wireless users. Nomadix recommends a maximum of 50 wireless concurrent users.
Dynamic Address Translation (DAT)
Home Page Redirection (Pre and Post Authentication)
iNAT (for seamless VPN connectivity)
Page 279
Specifications
NETWORKING
IEEE 802.3 / 3u
IEEE 802.1d
PoE per IEEE 802.3af
DHCP Server
DHCP Relay
DHCP Client
RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2)
PPPoE Client
SECURITY
64-bit/128-bit WEP with dynamic keying
iNAT
MAC Address Filtering and Session Limiting...
Page 280
CE Mark CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17 VCCI Class B, Telec UL 1950, CSA22.2 No 950, TÜV/GS(EN60950) For further information on the certifications for the AG 2100 product, visit www.nomadix.com/downloads.
COMPATIBILITY
Communicates with all Wi-Fi certified wireless adapters
PHYSICAL
9.25(L) x 6.25(W) x 1.5(H) inches...
Sample AAA Log The following table shows a sample AAA log. This log is generated by the AG 2100 and sent to the SYSLOG server that is assigned to AAA logging. AG 2100 Type of Subscriber MAC Expiratio...
Subscriber profile was manually removed from the authorization table. Removed_by_administrator
Sample SYSLOG Report Syslog reports are generated by the AG 2100 and sent to the syslog server that is assigned to general error detection and reporting.
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] DHCP: ndxDHCPInit: 0021 DHCP initialized
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028]...
Sample History Log A history log is generated by the AG 2100 which includes the system’s activity (Access, Reboot and Uptime). More listings ...
Keyboard Shortcuts The following table shows the most common keyboard shortcuts.
Action: Keyboard Shortcut
Cut selected data and place it on the clipboard: Ctrl + X
Copy selected data to the clipboard: Ctrl + C
Paste data from the clipboard into a document (at the insertion point).
RADIUS Attributes RADIUS (Remote Authentication Dial-In User Service) was originally created to allow remote authentication to the dial-in networks of corporations and dial-up ISPs. It is defined and standardized by the IETF (Internet Engineering Task Force) and several RADIUS server packages exist in both the public domain and for commercial sale.
Page 286
ISP's RADIUS server. The RADIUS server decrypts the information and compares it against its list of valid users. If the subscriber can be authenticated, the RADIUS server replies to the AG 2100 with a message instructing it to grant access to the subscriber.
"0" means forever. Timeout Detection If a subscriber is sending traffic through the AG 2100, the AG 2100 will immediately detect a Session-Timeout. However in the case of an Idle-Timeout or an inactive subscriber Session- Timeout, the AG 2100 detects it via a clean-up function that is currently called every 2 minutes.
Page 291
Interim message for the specific subscriber. If this attribute is not present or equal to 0, no Interim message is sent. The precision is 2 minutes. The AG 2100 will not send Interim messages more frequently than every 2 minutes.
This attribute allows the administrator to redirect the user to a page of the administrator's choice each time the user logs in. Nomadix-IP-Upsell This attribute allows the user to receive a public address from a DHCP pool when the AG 2100 has the IP-Upsell feature enabled. Nomadix-Volume-Based-Session-Timeout This attribute allows you to terminate a session once a specified data volume has been reached.
Setting Up the SSL Feature This section describes how to set up the AG 2100’s SSL feature. Prerequisites The AG 2100 should support the SSL feature. Please go to “Displaying Your Configuration Settings {Summary}” on page 133 and verify that the Licensed Features include "AAA SSL Support".
VeriSign). These files are put in as file1:file2:file3:file4:file5 in the key generation command. Downloading Cygwin There are several sources for obtaining "Cygwin" to install OpenSSL. One popular source is: http://sources.redhat.com/cygwin/. Nomadix used Cygwin version 1.3.2 for generating this section of the User’s Guide.
Installing Cygwin and OpenSSL on a PC The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen: Click on the Next button. The following screen appears:...
Page 296
Click on the Next button to display the next setup screen. Click on the Next button to display the next setup screen. Click on the Next button to display the next setup screen.
Page 297
Select a location and click on the Next button. For the purposes of this document, Nomadix used: ftp://planetmirror.com In the following screens, please skip all packages except "cygwin" and "openssl," then click on the Next button when you are done.
Page 299
Click on the Next button to start the “download” process. Wait for the download process to complete. Click on the Next button to start the “install” process. Wait for the install process to complete. There will be a pop-up dialog to inform you that the installation process is completed. At the pop-up dialog, click on the button.
Private Key Generation Create a directory from Root and put 5 random files, a.dat, b.dat, c.dat, d.dat, and e.dat (see note), into the C:\cygwin\bin\ directory (or the directory where you installed openssl.exe). These random files can be any file type, such as Word, Excel, etc. Change the files to .dat files (shown above).
Page 301
However, if you save them under different names, you must change the names back to "cakey.pem" when trying to FTP to the AG 2100. Do not include the "-des3" option, so that the private key is kept in an unencrypted form.
Create a Certificate Signing Request (CSR) File Run the following command to generate the certificate signing request:
>openssl req -new -key cakey.pem > server.csr
The following table provides an explanation of the command elements: openssl "openssl" command A parameter for creating a request Defining a "new"...
Page 303
The "Common Name" is the name used in the AG->AAA->SSL Certificate Domain Name. The Common Name in the Public Key must match the SSL Certificate Domain Name in the Web Management Interface of the AG 2100 (refer to the AG 2100 setup information). Here is the output of server.csr:...
Create a Public Key File (server.pem) VeriSign Purchasing Process The signing process varies by Certificate Authority. Generally, you will need to send a Certificate Signing Request to the Certificate Authority (CA) and the CA will create a public key based on the certificate request.
Page 305
Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it is impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification. There are several ways to prove the existence of your business.
Page 306
CSR Submission to VeriSign Please select "Apache Freeware" to submit the CSR to VeriSign. The Certificate Signing Request is in the server.csr (created in the previous step). Open server.csr and copy and paste all data into the edit box.
Page 307
The file, "server.pem" will look like this: You have now finished the process of obtaining a public key.
Setting Up AG 2100 for SSL Secure Login FTP the "cakey.pem" and "server.pem" files into the AG 2100 platform's flash directory: FTP to the AG 2100 by Netscape: ftp://username:password@AG_Network_IP/flash/. Drag and drop the "cakey.pem" and "server.pem" files into the directory.
Mirroring Billing Records Multiple AG 2100 units can send copies of credit card billing records to a number of external servers that have been previously defined by system administrators. The AG 2100 assumes control of billing transmissions and saving billing records. By effectively "mirroring" the billing data, the AG 2100 can send copies of billing records to predefined "carbon copy"...
XML Interface XML for the External Server The AG 2100 sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built, as the billing “mirroring” information is sent to the external server in HTTP compliant XML format. The XML string built from the billing mirror...
Page 311
The AG 2100 uses USG commands for XML strings. The AG 2100 accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the AG 2100 product. In this case, the acknowledgement received from the External Server forms the command.
Page 312
Format for each Field: RESULT_VALUE: OK or ERROR. Standard IP format (123.123.123.123). ERROR_CODE: 1 for OK, or any other number. Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 303.
It also contains a list of known error messages associated with the Management Interface. General Hints and Tips The AG 2100 is both a hardware device and a powerful software utility. As a hardware computing device, the AG 2100 requires careful handling. It should be positioned in a dust-free and temperature-controlled environment.
Page 314
When upgrading the software, the system needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive. | FTP a valid boot image to the flash.
Warning: no DHCP services are available to subscribers. | This message is displayed because you have
255.255.255.0 | The DHCP relay is disabled and the DHCP service settings in the AG 2100 are misconfigured. | Check the internal DHCP service settings.
Subscribers are unable to route to a domain name, but | The DNS server settings are misconfigured. | Check the DNS settings (host,
Page 316
When a subscriber logs in for the first time, their browser is not redirected to the specified | Home page redirection is not enabled in the AG 2100. | Enable home page redirection.
The home page URL was | Re-enter the correct URL.
We have tried to ensure that you get the most up-to-date information available about the Nomadix AG 2100, and we hope this User’s Guide has met all your operational and performance needs. However, we understand that occasionally you may run into problems that require additional technical support.
This Addendum provides information and procedures that will enable system administrators to configure and use the specific features introduced in the 1.3 Maintenance, 1.3 M+ and 1.4 releases for the Nomadix Wireless Access Gateway (AG 2100). The features covered are: 1.3M and 1.3M+ Features:...
PPPoE Client These settings can be accessed under the following menus: WMI Configuration Go to Configuration->Location to enable PPPoE Client. On the Location page, click on the ‘Configure PPPoE Client’ link to get to the PPPoE configuration page. CLI Configuration Go to Configuration->Location to enable PPPoE Client...
Page 323
PPPoE Service Name This is the Service-Name TAG. The maximum allowed length is 31 characters. PPP Keep Alive Echo Request Interval in seconds - Setting this to 0 will disable echo requests from the NSE. The default value for this parameter is 30 seconds.
What these RADIUS servers will return in response to a RADIUS access request is the L2TP tunnel parameters that the AG 2100 will use to establish an L2TP tunnel. See next figure for an example of a RADIUS service profile.
Define Tunnel Profiles Tunnel profiles can be defined when L2TP tunnel parameters are known and it is not necessary to send an access request to a RADIUS server to obtain those parameters or for accounting purposes. Create a tunnel profile for each L2TP tunnel whose parameters are known. The tunnel parameters that the profile contains are the IP address of the LNS and the tunnel password.
Since it handles a single realm, no realm information is needed for users and so must be stripped. In this case, it is stripped by the AG 2100, but it could easily have been stripped by the tunnel server, or by the tunnel server’s RADIUS server. This was designed for maximum flexibility.
Page 328
“username@tcisp.com”. Since this policy references a tunnel profile, no RADIUS access requests will be sent to any RADIUS server. In this case, the AG 2100 will use the L2TP tunnel parameters specified in the tunnel profile to establish a tunnel and pass the username/password input to the tunnel server.
Page 329
This checkbox may be unchecked if it is necessary for usernames to contain realm information for user authentication. The “Local hostname” field is also blank in this example which means that the AG 2100 will use the default value of “usg_lac” during tunnel negotiation.
The AG 2100 RADIUS client must be setup for realm-based routing mode since realm information will be used by the AG 2100’s L2TP tunnel feature to determine how to handle usernames that contain realm information. See next figure for an example of setting the routing mode to handle realm-based usernames.
Local Syslog and Syslog Filters These settings can be accessed under the Configuration/Logging menu.
Page 332
Log Filter Setting: The syslogs can be filtered at 7 levels as shown above. Setting the level to a number disables any syslogs above that filter setting. For example, setting the filter to 2:Critical only generates 0:Emergency, 1:Alert and 2:Critical level syslogs. All other syslogs are not generated.
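The filter rule described above, applied to lines laid out like the Sample SYSLOG Report earlier in this guide. This is an added example, not Nomadix code. The severity names beyond 0:Emergency, 1:Alert and 2:Critical are the standard syslog names, and they and the constructed sample lines are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Syslog severity numbers. The guide names 0:Emergency, 1:Alert and 2:Critical;
# the remaining names are the standard syslog ones (an assumption here).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Info", "Debug"]
_ALIASES = {"emerg": 0, "emergency": 0, "alert": 1, "crit": 2, "critical": 2,
            "err": 3, "error": 3, "warn": 4, "warning": 4, "notice": 5,
            "info": 6, "informational": 6, "debug": 7}

# Layout of the sample report line in the guide:
# <date> <time> <Facility>.<Severity> <source IP> <TAG> [<product>] <module>: <text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) "
    r"(?P<source>\S+) "
    r"(?P<tag>\w+) \[(?P<product>[^\]]+)\] "
    r"(?P<module>\w+): (?P<text>.+)$"
)


@dataclass(frozen=True)
class Record:
    timestamp: datetime
    facility: str
    severity: int
    source: str
    product: str
    module: str
    text: str


def parse_line(line):
    """Return a Record, or None if the line is truncated or malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    severity = _ALIASES.get(m["severity"].lower())
    if severity is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return Record(ts, m["facility"], severity, m["source"],
                  m["product"], m["module"], m["text"])


def generated_at(filter_level, severity):
    """True if a message of this severity is generated under the filter."""
    if not 0 <= filter_level <= 7:
        raise ValueError("filter level must be between 0 and 7")
    return severity <= filter_level


def apply_filter(lines, filter_level):
    """Split lines into (generated, suppressed, unparsed) for a filter level."""
    generated, suppressed, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif generated_at(filter_level, rec.severity):
            generated.append(rec)
        else:
            suppressed.append(rec)
    return generated, suppressed, unparsed


def suppressed_summary(lines, filter_level):
    """Count, per severity name, the messages a filter level would drop."""
    _, suppressed, _ = apply_filter(lines, filter_level)
    return dict(Counter(SEVERITY_NAMES[r.severity] for r in suppressed))


# The one complete line shown in the guide's sample report.
PAGE_SAMPLE = ("2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] "
               "DHCP: ndxDHCPInit: 0021 DHCP initialized")

# Constructed lines in the same layout; tags, modules and texts are invented.
SAMPLE_LINES = [
    PAGE_SAMPLE,
    "2003-02-10 11:26:10 Local2.Critical 1.2.3.4 CRIT [AG v1.3.028] "
    "SYS: constructed critical event",
    "2003-02-10 11:26:40 Local2.Error 1.2.3.4 ERROR [AG v1.3.028] "
    "AAA: constructed error event",
    "2003-02-10 11:27:02 Local2.Warning 1.2.3.4 WARN [AG v1.3.028] "
    "AAA: constructed warning event",
    "2003-02-10 11:27:30 Local2.Alert 1.2.3.4 ALERT [AG v1.3.028] "
    "SYS: constructed alert event",
    "2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028]",  # truncated
]

if __name__ == "__main__":
    kept, dropped, bad = apply_filter(SAMPLE_LINES, 2)
    print("generated at 2:Critical:", [SEVERITY_NAMES[r.severity] for r in kept])
    print("suppressed:", suppressed_summary(SAMPLE_LINES, 2))
    print("unparsed lines:", len(bad))
```

Running the summary before lowering a filter level shows which Error and Warning messages would stop reaching the syslog server.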
Page 333
PageFaults are stored in the file named “lograw.txt” in the /flash directory and are not viewable on the web management interface.
Periodic Syslogs: System Report Syslogs These settings can be accessed under the Configuration/Logging menu.
Page 335
The following Logs are available for configuration on the NSE: AAA Log These logs record events related to Authentication, Authorization, and Accounting on the NSE. RADIUS History Log These logs record RADIUS proxy accounting messages sent or received by the RADIUS proxy.
Page 336
Subscriber Tracking Log Enabling this checkbox enables the Subscriber Tracking log. Use this to track the network usage of specific Subscribers on the network by receiving a syslog of every Session that is opened by each subscriber. Each new DAT session that is created for subscribers is logged in these syslogs.
10/100 Ethernet See Ethernet. (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing them to access the Internet and make online...
Page 338
(ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet. Adaptive Configuration Technology A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT. ad-hoc mode 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP).
Page 339
(permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings. See also, DHCP.
Page 340
AG 2100 DSSS (Direct Sequence Spread Spectrum) One of two types of spread spectrum radio—the other being Frequency Hopping Spread Spectrum (FHSS). DSSS is a transmission technology used in transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or “chipping” code, that divides the user data according to a spreading ratio.
Page 341
AG 2100 FDM (Frequency Division Multiplexing) A multiplexing technique that uses different frequencies to combine multiple streams of data for transmission over a communications medium. FDM assigns a discrete carrier frequency to each data stream and then combines many modulated carrier frequencies for transmission. For example, television transmitters use FDM to broadcast several channels at once.
Page 342
For example, if a user in California accesses a computer in New York, the computer in New York is considered the host. (Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business Home Page.
Page 343
IP address assignments. This enables it to solve IP addressing problems in environments where the service provider does not have control over the subscriber’s network settings. Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless Dynamic IP access to the broadband network.
Page 344
Misconfigured User A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be “misconfigured.”...
Page 345
AG 2100 OSPF (Open Shortest Path First) This routing protocol was developed for IP networks based on the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information to all nodes on a network by calculating the shortest path to each node based on a topology of the Internet constructed by each node.
Page 346
AG 2100 Forwarding Rate, Packet, (packets per second) The rate at which packets are delivered to their destination. See also, Packet Switching Network. PPTP (Point-to-Point Tunneling Protocol) Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum, PPTP is a new technology used for creating Virtual Private Networks (VPNs).
Page 347
Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
Page 348
AG 2100 SSL (Secure Sockets Layer) A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
Page 349
AG 2100 Telnet A software program and command utility used to connect between remote locations and services. Telnet connects you to the login prompt of another host (that you have access rights to). See also, Host. Throughput The net data transfer rate between an information source and its destination, using the maximum packet size without loss.
Page 350
AG 2100 UTC (Coordinated Universal Time) A time scale that couples Greenwich Mean Time (GMT), which is based solely on the Earth's inconsistent rotation rate, with highly accurate atomic time. When atomic time and Earth time approach a one second difference, a leap second is calculated into UTC. UTC was devised on January 1, 1972 and is coordinated in Paris by the International Bureau of Weights and Measures.
Page 351
HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration. Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source.
Page 353
AAA services Channel External Web Server character lengths Internal Web Server Cipher access control 7, access levels logging in accounting AG 2100 AES/CCMP logging in AG 2100 overview installation 33, Command Line Interface installation workflow inputting data unpacking logging in...
Page 354
AG 5000 importing from archive Frequency spectrum contacting NOMADIX Copyright Credit Card Module glossary of terms 323, Current table Goodbye page GRE Tunneling VAPs Group key update interval DAT sessions data inputting High Availability Module date and time hints and tips...
Page 355
IP address local content and services network architecture location Network Info menu location file network interfaces creating Nomadix private MIB locations 104, NSE core functionality Log settings NTP support AAA log RADIUS history log Subscriber tracking log System report log...
Page 356
Regulatory domain port mapping 18, 114, 146, remember me in-room port mapping Resetting the AG 2100 portal page redirect resetting setting to factory defaults Port-based billing policies resetting the administrative login name and Port-Location menu password...
Page 357
AG 5000 SNMP manager technical sockets user specifications 28, SYSLOG report SSID sample SSID broadcast System System Administration setting up System report log Start Up configuration System report log interval static port mapping 146, static ports adding TCP statistics deleting technical support mapping contact information...
Page 358
AG 5000 VLAN tags WAN VLAN tagging VPN tunneling walled garden Web Management Interface 25, menu organization overview Web servers authentication default key dynamic WEP key length key type settings Wireless configuration beacon interval channel DTIM fragment length frequency spectrum power rate regulatory domain...