For technical support information, see the Appendix in this User Guide.

Write your product serial number in this box:

Patent Information
Please see the Nomadix website for a list of US and foreign patents covering this product release.

Disclaimer
Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein.
CAUTION / WARNING
Read the instruction manual prior to operation. Risk of electric shock; do not open; no user-serviceable parts inside.

CAUTION / WARNING
Read the instruction manual before use. Risk of electric shock; do not open; do not attempt to disassemble the unit.
This User Guide provides information and procedures that will enable system administrators to install, configure, manage, and use the Access Gateway product successfully and efficiently. Use this guide to take full advantage of the Access Gateway’s functionality and features. Refer to “Product Specifications”...
Gateway and establishing the start-up configuration.
Chapter 3 – System Administration. Provides all the instructions and procedures necessary to manage and administer the Access Gateway on the customer’s network, following a successful installation.
Chapter 4 – The Subscriber Interface. Provides an overview and sample scenario for the Access Gateway’s subscriber interface.
802.11 networks, including Mesh and WiMAX technologies.

Access Gateway
The Access Gateway yields a complete solution to a set of complex issues in the Enterprise, Public-LAN, and Residential segments.

Product Configuration and Licensing
All Nomadix Access Gateway products are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™...
RS232 serial port for connecting to a Property Management System (PMS) and for system management and administration, while maintaining one billing relationship with their chosen provider. The Access Gateway enables a wide variety of network deployment options for different venue types. For example: Allows for flexible WAN Connectivity (T1/E1, Cable, xDSL, and ISDN).
Offers both pre and post authentication redirects of the user’s browser, providing maximum flexibility in service branding.

Transparent Connectivity
Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider. In fact, most users are reluctant to make changes to their computer’s network settings and won’t even bother.
Access Control and Authentication
The Access Gateway ensures that all traffic to the Internet is blocked until authentication has been completed, creating an additional level of security in the network. Also, the Access Gateway allows service providers to create their own unique “walled garden,” enabling users to access only certain predetermined Web sites before they have been authenticated.
The Information and Control Console (ICC) contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session. As an alternative to the ICC, a simple pop-up window provides the opportunity to display a single logo.
NSE Core Functionality
Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.
“remove” your product from the network without physically disconnecting the unit.

Class-Based Queueing
The Nomadix Class-Based Queueing feature provides the ability to define multiple groups (classes) of users. You can prioritize groups and guarantee minimum bandwidth on a per-group basis.
The sum of minimums across all classes should not exceed the total available bandwidth. It is generally recommended to set the Maximum to equal the total available bandwidth across all classes. This allows all classes to take advantage of the full bandwidth when there is no contention.
“Class-Based Queueing” on page 105.

Command Line Interface
The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the...
End User Licensee Count
The NSE supports a range of simultaneous user counts depending on the Nomadix Access Gateway you choose. In addition, depending on your platform, various user count upgrades are available for each of our NSE-powered products that allow you to increase the simultaneous user count.
complex billing plans. Recycle existing Web page content for the centrally hosted portal page. If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also, “Contact Information” on page 365.
Information and Control Console
The Nomadix ICC is an HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time”...
Information and Control Console

Initial NSE Configuration
See “Installing the Access Gateway” on page 41 for initial installation and configuration instructions.

Internal Web Server
The NSE offers an embedded Internal Web Server (IWS) to deliver Web pages stored in flash memory.
“Information and Control Console” on page

MAC Filtering
MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)”...
(Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the Access Gateway platform at any one time.

Multi-WAN Interface Management
NSE releases 8.2 and later support multiple independently configurable WAN interfaces, to optimize ISP resource allocation, and provide load balancing (optional), fail-over and upsell capabilities.
Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network.
RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to:
Support a wholesale WISP model directly from the edge without the need for any centralized AAA proxy infrastructure.
Support EAP authenticators (for example, WLAN APs) on the subscriber-side of the ...
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side...
XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients.
Web Management Interface
Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)” on page
Optional NSE Modules

Load Balancing
Load Balancing requires an optional NSE product license.

With the Load Balancing Module (NSE releases 8.2 and later), Internet traffic is balanced across multiple WAN/ISP connections to ensure that traffic is distributed based on the capability of each connection.
The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
Network Architecture (Sample)
The Access Gateway can be deployed effectively in a variety of wireless and wired broadband environments where there are many users—usually mobile—who need high speed access to the Internet. The following example shows a potential Hospitality application:...
In the recent past, it was necessary to segment the network to serve a number of subscribers that exceeds the user count on a Nomadix gateway. Now, with clustering, all subscribers can be on the same segment, as the subscribers are distributed across multiple gateways. A large number of subscribers can be distributed to as many as 250 gateways, thus providing a design capacity of 1 million subscribers being served.
The following graphic illustrates a clustering scenario with 12,000 users and three gateways.
This means that a total of 7.5Mbps of bandwidth is available to be shared across all users, but a single user can receive a maximum of 1.5Mbps. All load-balancing appliances, as well as the Nomadix NSE, support link aggregation. In most cases, link aggregation and load balancing are effectively the same thing.
The alternative is to use random ISP selection, whereby the load balancer or NSE selects the ISP to be used according to the current load conditions. The Nomadix NSE uses random ISP selection by default.
ISP link failure occurrences. Additional consideration must be made as to what actions should be taken when a failed ISP link recovers. The Nomadix approach is to rebalance as the ISP links change, thus making sure the maximum level of service is always provided.
6. It may be desirable to have certain users connected to a particular ISP link, and other users connected to a different ISP link. Nomadix NSE releases 8.2 provide a "preferred WAN" RADIUS attribute (VSA). For example, paying users may be connected to an expensive high-quality link, with free users connected to a lower-quality link, with link failover still available if the preferred link fails.
The organization only wishes for this link to be used when the main ISP circuit is not available. The Nomadix NSE is configured for failover only from the WAN to port Eth2 on the NSE.

Separate Guest HSIA and Admin ISP Links, with Failover Between Each ISP Link
In this scenario, the hotel has separate HSIA and Hotel Admin ISP circuits.
Admin network. The hotel wants the Admin network to be available as a back-up link in case the Guest HSIA ISP link fails. There is no back-up for the Admin ISP network. The Nomadix NSE is configured with link failover between the WAN port and port ETH2, which is connected to the hotel Admin network router.
Sharing Guest HSIA Network and Hotel Admin Network Among Multiple ISP Links
In this scenario, multiple ISP links are connected to the Nomadix NSE, in a similar method to the first scenario, but both the guest HSIA network and the Hotel Admin network are connected to the NSE and share the aggregate bandwidth of the combined ISP links.
Load Balancing With Users Connected to a Preferred ISP Link
In this scenario the hotel has purchased 2 x ISP links for guest HSIA. One is a high-quality, high-cost "business grade" ISP circuit, and the other is a low-cost, lower-grade domestic service provided by the local cable TV operator.
Windows, Macintosh, or UNIX-based platforms) using either Internet Explorer or Netscape Navigator (see note). WebHelp is useful when you have an Internet connection to the Access Gateway and you want to access information quickly and efficiently. It contains all the information you will find in this User Guide.
Installing the Access Gateway
This section provides installation instructions for the hardware and software components of the Access Gateway. It also includes an overview of the management interface, some helpful hints for system administrators, a Quick Reference Guide, and procedures.
When prompted, accept the Nomadix End User License Agreement (EULA). You must accept the EULA before the AG can connect with the Nomadix License Key Server. When the key is successfully received from the server, your AG will reboot.
Powering Up the System
Use this procedure to establish a direct cable connection between the Access Gateway and your laptop computer, and to power up the system. Place the Access Gateway on a flat and stable work surface.
2 – Rack Mount Brackets
1 – Bumper and Screw Kit

Start Here
Unpack the Nomadix Access Gateway and place the product on a flat and stable work surface.
Register the gateway for support services by completing and returning the Nomadix Gateway Registration Form;...
Once the key has been obtained, the web management interface (WMI) can be used to continue configuration.

LCD Messages
Some Access Gateway hardware models are equipped with an LCD panel that displays the following system information:
Platform and Firmware Version Installed
...
IN ORDER TO PROCEED WITH INSTALLATION. SEE USER'S GUIDE FOR LICENSE KEY INFORMATION. INSTALLATION WILL NOW TRY TO CONTACT THE NOMADIX LICENSE KEY SERVER. IN ORDER TO PROCEED, THE NSE MUST BE ABLE TO CONNECT TO THE INTERNET. DO YOU WANT TO CONFIGURE THE NSE'S IP AND DNS SETTINGS? [yes/no]: y...
Gateway IP [10.0.0.1 ] : Your gateway IP address
WAN 802.1Q tagging [Disabled ] :
VLAN ID [1 ] :
DNS Domain Name [nomadix.com ] :
DNS Server 1 [0.0.0.2 ] : Your primary DNS IP
DNS Server 2 [0.0.0.0 ] :
DNS Server 3 [0.0.0.0 ] :...
Otherwise, select an option from the Ethernet port configuration menu to display or make changes to the WAN port settings. When finished with settings, type b(ack) to return to the previous menu, and go to step 2.
PPP Maximum TCP MSS [1452 ] :
WAN 802.1Q tagging [Disabled ] :
VLAN ID [1 ] :
DNS Domain Name [nomadix.com ] :
DNS Server 3 [0.0.0.0 ] :

Figure 6: Selecting PPPoE with dynamic IP configuration.

A WAN port summary page will then be displayed as shown in Figure 7.
Ethernet port/WAN interface configuration>b
Please enter your Company Name [ ]: Your company name
Please enter your Site Name [ ]: Your site name
Please enter your Address (Line 1) [ ]:
(Line 2) [ ]:
PLEASE READ THE NOMADIX END USER LICENSE AGREEMENT ('AGREEMENT') INCLUDED WITH THE NOMADIX PRODUCT. BY USING THIS SOFTWARE, YOU INDICATE YOUR ACCEPTANCE OF THE AGREEMENT. I AGREE TO THE TERMS AND CONDITIONS OF THE NOMADIX END USER LICENSE AGREEMENT. (Y)ES (N)O The system will now try to contact the Nomadix License Key Server.
DHCP Server: (Yes / No) Only if the DHCP Relay is disabled
DHCP Server IP Address: 10.0.0.4
DHCP Server Subnet Mask: 255.255.255.0
DHCP Pool Start IP Address: 10.0.0.12
DHCP Pool End IP Address: 10.0.0.72
DHCP Lease Minutes: 1440
CLI is the administrator’s window to the system. This is where you establish all the Access Gateway start-up configuration parameters, depending on the customer’s network architecture. The Access Gateway Menu is your starting point. From here, you access all the system administration items from the 5 (five) primary menus available: Configuration ...
Making Menu Selections and Inputting Data with the CLI
The CLI is character-based. It recognizes the fewest unique characters it needs to correctly identify an entry. For example, in the Access Gateway Menu you need only enter to access the...
Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages.
Location settings (all fields)
Partner Image File Name
Password (adding subscriber profiles)
Port Description (finding ports by description)
Redirection Frequency (in minutes) 2,147,483,647 (recommend 3600)
Reservation Number
Username (adding subscriber profiles)
Valid SSL Certificate DNS Name
Click here to access the online Help system

Other online documentation resources, available from our corporate Web site (www.nomadix.com/support), include a full PDF version of this User Guide (viewable with Acrobat™ Reader), README files, white papers, technical notes, and business cases.

Quick Reference Guide
This section provides information to help you navigate and use the management interfaces (CLI and Web) quickly and efficiently.
The CLI allows you to administer the Access Gateway’s start-up configuration settings. When establishing the start-up configuration for a new installation, you are connected to the Access Gateway via a direct serial connection (you do not have remote access capability because the Access Gateway is not yet configured or connected to a network).
(Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the Access Gateway at any one time (the default setting for this feature is “disabled”). Enter (system) at the Access Gateway Menu.
You must use the new login user name(s) and password(s) to access the system.

Setting the SNMP Parameters (optional)
You can address the Access Gateway using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet.
Trap recipient: 10.11.12.13
Reboot to enable new changes? [yes/no] y
Rebooting...

You can now address the Access Gateway using an SNMP client manager.

Configuring the WAN interface
NSE releases 8.2 and later add the following configuration steps. If a license key is not present, you will still be directed to set up the WAN configuration as soon as you log into the CLI. However, the subsequent steps are new and network settings are...
You will now see the Nomadix location configuration page. Enter contact data and agree to the Nomadix End User License Agreement. Your license will be retrieved when you enter “y”. The NSE will then reboot to activate your license settings.
Select an option from above [7]: 7
Enter AAA Log Server IP [255.255.255.255]: 10.10.10.10
Enable/disable AAA Log Save to file [disabled ]: enable
Enable/disable RADIUS History Log [disabled ]: enable
Enter RADIUS History Log Number (0-7) [0 ]: 2
10.10.10.10
AAA Log Save to file: Enabled
RADIUS History Log: Enabled
RADIUS History Log Number
RADIUS History Log Filter
RADIUS History Log Server IP: 10.10.10.10
RADIUS History Log Save to file: Enabled
System Report Log: Enabled
IP address, the subnet mask, and the default gateway IP address. All of these Access Gateway “location” parameters must be set up as part of the system’s start up configuration (otherwise the Access Gateway will not be “visible” on the network).
(the factory default is 10.0.0.1). This is the IP address of the router that the Access Gateway uses to transmit data to the Internet. Enter a valid default gateway IP address. After establishing all “Location” settings, you must reboot the Access Gateway for your changes to take effect. Sample Screen Response: Configuration>loc...
Disconnect the serial cable between the Access Gateway and your computer.

Connecting the Access Gateway to the Customer’s Network
Use this procedure to connect the Access Gateway to the customer’s network (after the start up configuration parameters have been established).
Establishing the Basic Configuration for Subscribers
When you have successfully established the start up configuration and installed the unit onto the customer’s network, connect to the Access Gateway via Telnet. You must now set up the basic configuration parameters for subscribers, including:
Setting the DHCP Options –...
Access Gateway, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the Access Gateway to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
The following DHCP option codes are supported:

Option Description                   Option Code
Single IP address                    16, 28, 32
List of one or more IP addresses     3-5, 7-11, 41-42, 44-45, 48-49, 65, 69-76
List of zero or more IP addresses    ...
It is the administrator’s responsibility to ensure that the option codes and data entered are legitimate. The following screens illustrate adding additional DHCP options to a DHCP Pool.
Enable this DHCP Pool Red below. Note that DHCP enable/disable is dynamic, no reboot required. Click -> . A new column under existing DHCP Pools table for DHCP Configuration DHCP pool enable is introduced. See box in Red below.
DHCP leases on the NSE.

Setting the DNS Options
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You...
“nomadix”). Enter a valid domain name (the Internet domain that DNS requests will utilize). Enter the host name (the DNS name of the Access Gateway). The host name must not contain any spaces. After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2).
The Nomadix Private Management Information Base (MIB) allows you to view and manage SNMP objects on your Access Gateway. To use the MIB, you must obtain the appropriate nomadix.mib file for your Access Gateway. This file is available in the Support area of the Nomadix web site.
Configuring the Management Information Base
Import the nomadix.mib file into your SNMP client manager.
Connect to the Access Gateway from a node on the network that is accessible via the Access Gateway’s network port (Internet, LAN, etc.). Be sure to enable the SNMP daemon on the Access Gateway (available on the Access Gateway’s CLI or Web...
Access Gateway from the Web Management Interface (WMI) viewpoint.

Choosing a Remote Connection
Once installed and configured for the customer’s network, the Access Gateway can be managed and administered remotely with any of the following interface options:
Using the Web Management Interface (WMI) - Provides a powerful and flexible Web ...
The Web Management Interface (WMI) is a “graphical” version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the Access Gateway and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
The following example shows a (partial) SNMP screen response.

Using a Telnet Client
There are many Telnet clients that you can use to connect with the Access Gateway. Using Telnet provides a simple terminal emulation that allows you to see and interact with the Access Gateway’s Command Line Interface (as if you were connected via the serial interface).
Logging In
To access the Access Gateway’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to Assigning Login User Names and Passwords). User names and passwords are case-sensitive.
XML commands from an external source. XML commands are sent over the network to the Access Gateway. The Access Gateway parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
AAA Passthrough Port
System administrators can set the Access Gateway to pass through HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a Search Engine or News site) has been requested, the subscriber is then redirected as usual.
Enabling AAA Services with the Internal Web Server
You are here because you want to enable the AAA Services with the Access Gateway’s Internal Web Server. The Access Gateway maintains an internal database of authorized subscribers, based on their MAC (hardware address) and user name (if enabled).
Gateway and its clients by enabling the Internal Web Server (IWS) to display pages under a secure link—important when transmitting AAA information in a network. Adding SSL support to the Access Gateway requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix.
Credit Card Service subscribers are prompted for their credit card information (for billing purposes). The Access Gateway is configured to use Authorize.net. You will need to open a merchant account with Authorize.net or Datacenter (Luxembourg) before this feature can be used.
Enabling AAA Services with an External Web Server
You are here because you want to enable the AAA Services with an External Web Server (EWS). In the EWS mode, the Access Gateway redirects the subscriber’s login request to an external server.
Configure the Parameter Signing options. See Redirection Parameter Signing for more information about parameter signing.
Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state (making changes to the EWS settings does not require a system reboot).
Technical Support.

Establishing Secure Administration {Access Control}
The Access Gateway allows you to block administrator access to interfaces (Telnet, WMI and FTP, SSH and SFTP) and incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only to the interfaces that have not been blocked, and only if a match is made with the master “Source IP”...
If the required certificates are not resident on the flash, an attempted https connection will generate an error syslog.
From the Web Management Interface, click on Configuration, then Access Control. The Access Control screen appears.
Do not enable the blocking of all interfaces without setting up and enabling SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the Access Gateway administration interface. For assistance, contact Nomadix Technical Support. Enable or disable subscriber-side interface blocking for any of the following interfaces enables/disables blocking of Telnet access from the subscriber-side to ...
365.

Defining Automatic Configuration Settings {Auto Configuration}
The Access Gateway allows you to define parameters to enable the automatic configuration of the system. See also, “RADIUS-driven Auto Configuration” on page

NSE releases 8.2 and later provide a RADIUS VSA that supports assigning specific users to a specific WAN interface.
VSA Value: Either WAN, Eth1, Eth2, Eth3, Eth4, or Eth5 to identify what interface the user will try to send traffic on. (The interface will internally select properly on the 5600 and 2400).
From the Web Management Interface, click on Configuration, then Auto Configuration.
As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta...
Administrative Steps to Enable Auto-Config for the NOC Administrator:
Add NAS IP address.
Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server.
Create a RADIUS profile with the configuration VSA.
Create an FTP server with the configuration files.
WAN interface in Ethernet Ports/WAN.
If you made any changes to the settings on this screen, you must click the check box for Reboot after changes are saved? (the Access Gateway must be rebooted).
Click on the...
The Group Bandwidth Limit Policy allows you to assign a common bandwidth rate limiting policy to a group of subscriber devices. All devices within the group share the total bandwidth allocated to the policy. The Group Bandwidth Limit Policy feature defines the following vendor-specific attributes (VSAs):

Nomadix Name          Role/Value                             VSA #
GROUP_BW_POLICY_ID    Defines the ID for the group policy.
The lifetime of a group policy record in the collection is determined by the session time of the authorized (i.e. VALID) subscribers participating in the group. Group policy records are removed from the collection when the last subscriber device belonging to the group is logged out of the NSE regardless of the reason (e.g.
Group Bandwidth Limit Policy – Current Table
When the feature is enabled, a group bandwidth policy ID column is displayed in the current table. Once policies are instantiated, policy information can be viewed via XML.
“carbon copy” servers. Additionally, if the primary and secondary servers are down, the Access Gateway can store up to 2,000 credit card transaction records. When a connection is re- established (with either server), the Access Gateway sends the stored information to the server—no records are lost!
Page 116
Secret Key The Access Gateway and the “mirror” servers must use the same secret key. Repeat Step 4 for the secondary server (if any) and all carbon copy servers. Define the “fail-safe” provisions, including: Retransmit Method – Alternate, or do not alternate.
Class-Based Queueing Nomadix Class-Based Queueing provides a flexible way to control the bandwidth provided to individual groups of users (classes). Classes have both maximum and minimum bandwidth specifications.
Page 118
The Class Based Queueing screen appears. Click Enable and then Submit to enable Class-Based Queueing. Click Add Class to add a class. Class names are case-sensitive. “Dot” notation (e.g., <top-level class>.<subclass>) is used to associate top-level classes and subclasses.
Page 119
Click on a class name to change the class name or modify the attributes of a class. Click Throughput Estimator to evaluate traffic scenarios. Given different loads per class, the interface provides the estimated effective throughput. You can use this tool to preview how bandwidth will be assigned, based on Class-Based Queueing structure and priority settings.
Subscribers can be assigned to a specific class/sub-class using a RADIUS VSA. Subscribers with no class membership are assigned a priority of 8. ATTRIBUTE Nomadix-Bw-Class-Name 27 string For example, when a subscriber logs in and this attribute is defined as follows, the subscriber gets assigned to the class priority1.Subclass.
Subscribers requesting a website at that DNS will obtain a DNS response that contains a “magic” IP address (which is the same value obtained when the subscriber queries the DNS string “logout.nomadix.com”). The NSE will process HTTP requests for that “magic” IP address (configurable on the AAA page), and will reply with an HTTP redirection (which may include a number of signed redirection parameters) to a configured URL.
Page 122
[Figure: destination HTTP redirection message flow between the User, the NSE and the External Server]
User: DNS query: www.example.com?
* DNS response: 1.1.1.1 (Magic IP Address)
User: GET / HTTP/1.1 … Host: www.example.com
** HTTP/1.0 302 RD (Redirect Message) Location: portal1.myhotel.com/details?OS=..&UI=..&MA=..&RN=..&PORT=..&SIP=..&TS=..&NONCE=..&SIGN=..&SIGNED=..&METHOD=..
User: GET details?OS=..&UI=..&MA=..&RN=..&PORT=..&SIP=..&TS=..&NONCE=..&SIGN=..&SIGNED=..&METHOD=.. HTTP/1.1 Host: portal1.myhotel.com
*** HTTP/1.1 200 OK (OK Accept Message)
The figure above illustrates destination HTTP redirection, assuming a DNS query string for www.example.com, a magic IP address of 1.1.1.1, and a portal page URL of portal1.myhotel.com.
Page 123
After successful redirection occurs, the list of signed parameters and signature methods are passed to the portal page.
HTTP/1.0 302 RD http://portal1.myhotel.com/details?OS=<Original Server>&UI=<NSE’s ID>&MA=<subscriber’s MAC>&RN=<Room name>&PORT=<VLAN>&SIP=<subscriber’s IP>&TS=<timestamp>&NONCE=<16 chars>&SIGN=<signature>&SIGNED=<list of signed parameters>&METHOD=<signature method>
From the Web Management Interface, click on Configuration, then Destination HTTP...
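A portal that receives these redirects should trust MA, SIP and the other values only after checking the signature, the SIGNED list, the timestamp and the nonce. The following is an added example, not code from this guide or from Nomadix. The guide does not define the signature method, so the METHOD value, the comma-separated SIGNED list, the Unix-seconds TS, the `name=value&...` canonical string and the hex HMAC-SHA256 are all assumptions, and the sample URL is constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ASSUMED_METHOD = "hmac-sha256"  # hypothetical METHOD value, not from the guide
# Parameters this portal acts on; each one must be covered by SIGNED.
REQUIRED_SIGNED = {"UI", "MA", "SIP", "TS", "NONCE"}


def sign(params, names, key):
    """Assumed scheme: HMAC-SHA256 over 'name=value' pairs in SIGNED order."""
    canonical = "&".join(f"{n}={params[n]}" for n in names).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class RedirectVerifier:
    """Portal-side check of a redirect carrying SIGN, SIGNED and METHOD."""

    def __init__(self, key, max_age=300):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp, for replay detection

    def verify(self, url, now=None):
        now = time.time() if now is None else now
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        # A repeated parameter lets two parsers disagree on its value.
        if any(len(v) != 1 for v in query.values()):
            return False, "duplicate parameter"
        p = {k: v[0] for k, v in query.items()}
        for name in ("SIGN", "SIGNED", "METHOD", "TS", "NONCE"):
            if name not in p:
                return False, f"missing {name}"
        if p["METHOD"] != ASSUMED_METHOD:
            return False, "unsupported method"
        names = p["SIGNED"].split(",")
        if REQUIRED_SIGNED - set(names):
            return False, "required parameter not signed"
        if any(n not in p for n in names):
            return False, "signed parameter absent"
        expected = sign(p, names, self.key)
        if not hmac.compare_digest(expected.encode(), p["SIGN"].encode()):
            return False, "bad signature"
        try:
            ts = int(p["TS"])
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_age:
            return False, "stale timestamp"
        if len(p["NONCE"]) != 16:  # the page gives NONCE as 16 chars
            return False, "bad nonce"
        # Forget nonces that are too old to pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.max_age}
        if p["NONCE"] in self.seen:
            return False, "replayed nonce"
        self.seen[p["NONCE"]] = ts
        return True, "ok"


def build_sample(key, ts, nonce,
                 names=("UI", "MA", "RN", "PORT", "SIP", "TS", "NONCE")):
    """Constructed redirect URL (gateway side), using the page's names."""
    params = {"OS": "http://www.example.com/", "UI": "0a1b2c",
              "MA": "009027788100", "RN": "101", "PORT": "1",
              "SIP": "192.168.2.4", "TS": str(ts), "NONCE": nonce}
    params["SIGN"] = sign(params, list(names), key)
    params["SIGNED"] = ",".join(names)
    params["METHOD"] = ASSUMED_METHOD
    return "http://portal1.myhotel.com/details?" + urlencode(params)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    print(RedirectVerifier(key).verify(build_sample(key, 1000, "A" * 16), now=1010))
```

OS is left out of REQUIRED_SIGNED here only because this sample portal does not act on it; a portal that sends the subscriber back to OS should require it to be signed as well.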
Access Gateway, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the Access Gateway to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
Page 125
By default, the Access Gateway is configured to act as its own DHCP server and the relay feature is disabled. If you want the Access Gateway to act as its own DHCP server, do not enable the relay. Go directly to Step 8.
Page 126
DHCP Relay Agent IP address. The DHCP Relay Agent allows the Access Gateway to request a specific range of IP addresses from different IP pools from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses that are on the same subnet as the Access Gateway.
Page 127
If you want to add a new DHCP Pool, click on the button. The Add DHCP Pools screen appears: Enter a valid DHCP Server IP address for the DHCP server. Enter the DHCP Server Netmask. Enter the starting and ending IP addresses for the DHCP address pool you want to use: DHCP Pool Start IP ...
Reset their previous state. The existing lease pool and lease table are deleted and the Access Gateway reboots. The Access Gateway can issue IP addresses to any DHCP enabled subscriber who enters the network.
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The Access Gateway utilizes whichever server is currently available.
Enter the Host Name (the DNS name of the Access Gateway). The host name must not contain any spaces. Enter a valid Domain name (the Internet domain that DNS requests will utilize). Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent).
Page 131
From the Web Management Interface, click Configuration, then Dynamic DNS. The Dynamic DNS Configuration screen appears: Check the Enable checkbox to enable Dynamic DNS (DDNS) functionality. The default setting is disabled. Enter the Provider Info. Select the provider protocol from the menu.
Each interface has its own IP, DNS, Bandwidth, VLAN, and NAT IP addresses, and can obtain its IP address by DHCP, PPPoE, or Static configuration. The number of configurable WANs will vary with the Access Gateway hardware. See “Product Specifications” on page 315 for these details.
Page 133
To view and configure WAN interfaces, select Configuration > Ethernet Ports/WAN. The Current Interfaces Settings screen appears, which summarizes all WAN connections.
Subscribers may also be redirected to a page specified by the solution provider, without any interaction with the authentication process. You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the Access Gateway’s configuration screens.
If required, click on the check box for Parameter Passing. Parameter passing allows the Access Gateway to track a subscriber’s initial Web request (usually their home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.
Page 136
Each of the displayed ports has individual iNAT / Subscriber tunnel settings accessible by clicking on that port’s link. The interface allows easy deletion of any iNAT address range. On NSE releases 8.2 and later, iNAT settings are configured individually for each interface. From the Web Management Interface, click on Configuration, then...
PPTP CALL ID IPSEC SIP (removed in NSE releases 8.2 and later) Click on the Submit button to save your options. Use the iNAT Start and iNAT End fields to enter an IP address or range of IP addresses (up to 50), then click on the...
Page 138
Check Enable NAT Traversal to allow packets to traverse NAT/IPsec boundaries. Click Submit to save the setting. To add or modify IPsec tunnel peers, see “Managing IPSec Tunnel Peers” on page 126. To add or modify IPsec security policies, see “Managing IPSec Security Policies”...
Page 139
Authenticate via pre-shared key – Enter the pre-shared key in the Shared Key field. Authenticate via X.509 Certificate – Enter the filename of the private certificate in the Private Key Filename field. Enter the filename of the public certificate in the field.
Page 140
Adding a New IPSec Security Policy In the IPSec Security Policies table, click the button to add an entry. The IPsec Tunnel Security Policy Settings screen opens. Select the tunnel peer IP address for which you would like to add a security policy from the Tunnel peer IP address menu.
Page 141
Next you will define selectors of the Security Policy. All selectors must match for the policy to be applied. Define the following selectors for the Remote End – Enter the IP address of the remote network secured by the IPSec ...
Page 142
– See “Setting joint ESP and AH parameters” on page 130 to set parameters that pertain to both ESP and AH policies. Setting joint ESP and AH parameters These parameters affect both ESP and AH policies. Select all the by putting a check in the ...
Load Balancing Load Balancing is an optional licensed feature for NSE releases 8.2 and later. For an overview of Nomadix load balancing and common use cases, see “Load Balancing and Link Failover” on page The NSE can balance subscriber assignment between all active WAN interfaces when Load Balancing mode is enabled.
Page 144
You can choose to trigger the Load Balancing / Failover feature either by the link status of the port(s) or by the new active Interface Monitoring feature. When either Interface Monitoring or link status is used, WAN ports will be characterized as either Available or Unavailable.
Establishing Your Location {Location} This command sets up your location and the corresponding IP addresses for the network interface, subscriber interface, subnet, and default gateway. You *must* provide your full location information. From the Web Management Interface, click on Configuration, then Location.
Page 147
You may lose your connection if you change the IP settings incorrectly (using invalid IP addresses). If you “misconfigure” the Access Gateway and network connectivity is lost, you can still access the Access Gateway from the Command Line Interface (CLI) via a direct serial connection. In this case, refer to: “Powering Up the System”...
Page 148
Enter a valid IP address in the Network IP Address Field. The IP addresses from subscribers that are on a subnet different from the Access Gateway (for example, misconfigured) are translated by Nomadix’ Dynamic Address Translation (DAT) patented technology to the Network IP Address.
The default gateway is the IP address of the router that the Access Gateway uses to transmit data to the Internet. Multiple NAT IP addresses for Session Expansion can be individually added by entering each desired address in the NAT IP Address field and left clicking the Add button. Up to four additional NAT IP Addresses can be added.
Page 150
From the Web Management Interface, click on Configuration, then Logging. The Log Settings screen appears:
Page 151
When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the Access Gateway to the specified SYSLOG server. Enter a unique number (between 0 and 7) in the field.
Page 152
There are IN and OUT messages for the beginning and ending of each session. Examples: INFO [Access Gateway v2.4.113] LI : IN-->: THU JUN 23 11:43:58 2007 | testlab | S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000 INFO [Access Gateway v2.4.113] LI : OUT-->: THU JUN 23 11:44:01 2007 | testlab |...
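The IN and OUT records above can be parsed to answer a common incident-response question: which subscriber held a given translated address and port at a given time. The following is an added example, not code from this guide or from Nomadix. It assumes S, D and X are the subscriber, destination and translated address/port, and that the OUT record (cut off above) has the same layout as the IN record; the first sample line is the one quoted on the page and the other two are constructed.

```python
import re
from datetime import datetime

# Line 1 is the IN record quoted in the guide. Lines 2 and 3 are CONSTRUCTED
# for this example and assume the same field layout.
SAMPLE_LOG = """\
INFO [Access Gateway v2.4.113] LI : IN-->: THU JUN 23 11:43:58 2007 | testlab | S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000
INFO [Access Gateway v2.4.113] LI : OUT-->: THU JUN 23 11:44:01 2007 | testlab | S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000
INFO [Access Gateway v2.4.113] LI : IN-->: THU JUN 23 11:44:05 2007 | testlab | S(192.168.2.9/1025), D(66.163.175.128/80), X(67.130.149.4/5005), non-proxy , 00:90:27:78:81:0A, RADIUS, IPASS/0U0001
"""

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}

RECORD = re.compile(
    r"LI : (?P<direction>IN|OUT)-->: "
    r"[A-Z]{3} (?P<mon>[A-Z]{3}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) (?P<year>\d{4}) \| "
    r"(?P<site>[^|]*?) \| "
    r"S\((?P<s_ip>[\d.]+)/(?P<s_port>\d+)\),\s*"
    r"D\((?P<d_ip>[\d.]+)/(?P<d_port>\d+)\),\s*"
    r"X\((?P<x_ip>[\d.]+)/(?P<x_port>\d+)\),\s*"
    r"(?P<proxy>[^,]*?)\s*,\s*"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*,\s*"
    r"(?P<auth>[^,]+?)\s*,\s*(?P<user>.*?)\s*$"
)


def parse_record(line):
    """Return one session record as a dict, or None if the line is not one."""
    m = RECORD.search(line)
    if m is None or m["mon"] not in MONTHS:
        return None
    try:
        when = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                        int(m["h"]), int(m["mi"]), int(m["s"]))
    except ValueError:  # impossible date or time in the record
        return None
    return {
        "direction": m["direction"], "time": when, "site": m["site"],
        "subscriber": (m["s_ip"], int(m["s_port"])),
        "destination": (m["d_ip"], int(m["d_port"])),
        "translated": (m["x_ip"], int(m["x_port"])),
        "proxy": m["proxy"], "mac": m["mac"].lower(),
        "auth": m["auth"], "user": m["user"],
    }


def build_sessions(lines):
    """Pair each IN record with its OUT record into start/end sessions."""
    open_sessions, sessions = {}, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["subscriber"], rec["destination"], rec["translated"])
        if rec["direction"] == "IN":
            open_sessions[key] = rec
        else:
            start = open_sessions.pop(key, None)
            if start is not None:  # ignore an OUT whose IN predates the log
                sessions.append({**start, "start": start["time"],
                                 "end": rec["time"]})
    # Sessions with no OUT yet are still open when the log ends.
    for start in open_sessions.values():
        sessions.append({**start, "start": start["time"], "end": None})
    return sessions


def attribute(sessions, public_ip, public_port, at):
    """Sessions that held the translated address/port at time `at`."""
    return [s for s in sessions
            if s["translated"] == (public_ip, public_port)
            and s["start"] <= at and (s["end"] is None or at <= s["end"])]


if __name__ == "__main__":
    found = attribute(build_sessions(SAMPLE_LOG.splitlines()),
                      "67.130.149.4", 5004, datetime(2007, 6, 23, 11, 44, 0))
    for s in found:
        print(s["mac"], s["subscriber"], s["user"])
```

Attribution is only as good as the clocks involved, so the time in a complaint should be compared against the gateway's configured time source and UTC offset before a match is accepted.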
Page 153
PageFaults are stored in the file named “lograw.txt” in the /flash directory, which is not viewable on the web management interface. Check the Subscriber Tracking Log option to enable or disable the Subscriber tracking log. Note: NTP must be enabled on the NSE for Subscriber tracking log to be enabled.
Check the Subscriber Tracking Log save to file option to save the syslogs locally to the NSE flash. Note: Not recommended. Check the Include User Name Reporting option to include the first 25 characters of the username in the Syslog. Check the option and Port Location: Include Port Reporting...
Reset Assigning Passthrough Addresses (Passthrough Addresses) The Access Gateway allows up to 300 IP passthrough addresses and DNS names. This feature allows users to “pass through” the Access Gateway and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though they may not have subscribed to the broadband Internet service.
The Access Gateway can be integrated with existing Property Management Systems. For example, by integrating with a hotel’s PMS, the Access Gateway can post charges for Internet access directly to a guest’s hotel bill. In this case, the guest is billed only once. The Access Gateway outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room.
Page 157
Refer to “Contact Information” on page 365. Before you can change the PMS settings, a PMS must be connected to the Access Gateway via the serial port on the rear panel. See also, “Connecting the Access Gateway to the Customer’s Network”...
Page 158
Xeta Virtual XL For Micros Fidelio FIAS, Nomadix also supports a serial Redirector Service, which provides a means to send FIAS command messages through the NSE XML interface. Nomadix offers the following standards-based interfaces, generally used to establish an...
Page 159
From the Web Management Interface, click on Configuration, then PMS. The Property Management System Settings screen appears: 8.1 and Later Only You have the option of disabling PMS services by clicking on the PMS services disabled radio button, then clicking on the button to save your choice.
Page 160
Match Last Name Only Skip First Char in Last Name OnQ Compliant (Enable this option if you want to use Nomadix Micros POS emulation to query & post to Hilton Corporation's OnQ PMS system). In the Miscellaneous Settings group, you may enable phonetic name matching for WFB, FOSSE, MICROS, and MICROS Fidelio.
Page 162
If the “Skip First Char in Last Name” feature is enabled, the space is reserved for purposes other than the first character of the last name, so the Access Gateway will skip the first space in the last name field for name verification.
Reset Based on the HOBIC interface standards, Nomadix, Inc. has also certified interoperability with a number of other PMS and call accounting solutions such as Ramesys’ ImagInn, Xeta Virtual XL, and Hilton’s proprietary standard OnQ.
Page 164
From the Web Management Interface, click on Configuration, then Port-Location. The Port-Location Settings screen appears:
Page 165
System administrators can set the properties for each room from the subscriber side of the Access Gateway. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using.
Page 166
These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. The information can then be “sent to” and “billed by” the PMS. You must enter the (not name), , and IP address...
Page 167
This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled. Access Gateway multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems.
Page 168
Enter your user name and password, then click on the button. The In Room Port Mapping screen appears: Enter the room number and a description for this room. Select the access mode you want to assign to this room: Room Free Access ...
Setting up Quality of Service {QoS} The Quality of Service feature allows subscriber traffic to be classified so that it can then be acted upon by devices that support QoS prioritization or other QoS capabilities. This requires the use of 802.1q-based VLANs on the network, as it is based on 802.1p Class of Service (CoS) marking.
The “Usernames” function must be enabled for a RADIUS login. See also, “Configuration Menu” on page Nomadix offers an integrated RADIUS client, allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc.
Page 171
(including bytes transferred, connect time, etc.). The Access Gateway's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee.
Page 172
For additional RADIUS information, see also: “Defining the RADIUS Proxy Settings {RADIUS Proxy}” on page 163 “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on page 167 “RADIUS Attributes” on page 336 From the Web Management Interface, click on Configuration, then RADIUS Client.
Page 173
Default User Idle Timeout before the subscriber’s session times out and they must login again. The Access Gateway can reauthenticate “repeat” subscribers who return to the system within 720 hours. To enable this feature, click on the check box for...
Page 174
The following VSAs are used for implementation of volume- and time-based Radius termination action: VSA Name Value Termination-Action Session-Timeout Nomadix-MaxBytesDown 3000000 Nomadix-MaxBytesUp 3000000 If required, check the box for Enable Session-Terminate-End-Of-Day When Authorized (to allow business policies that want to terminate the session at midnight of every day).
(if you want the system to display a post session “goodbye” page). The “goodbye” page can be defined as a RADIUS VSA or be driven by the Access Gateway’s Internal Web Server (IWS). If required, check the box to create a link that users can go...
Page 176
From the Web Management Interface, click on Configuration, then RADIUS Proxy. The RADIUS Proxy Settings screen appears: Enable or disable RADIUS Proxy Services, as required, by clicking on the appropriate check box. If you enabled RADIUS Proxy Services, you must provide the Authentication Server Port and the references.
Page 177
Adding an Upstream RADIUS NAS If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the Access Gateway), click on the button. The Add Upstream RADIUS NAS screen appears: To make this entry the “active”...
Page 178
Place a check in the box of the Nomadix VSAs to be enforced by the Proxy for this entry: Enforce Bandwidth-Up VSA – The RADIUS VSA for Bandwidth-Up will be passed on to the Upstream NAS when enabled.
The Upstream RADIUS NAS definition you just added appears in the list. You can add up to 10 definitions. Repeat Steps 5 through 11 to add more Upstream RADIUS NAS definitions, as required. To view your configured RADIUS Service Profiles and Realm Routing Policies, click on the link: Click here to see configured RADIUS service profiles and Realm Routing (this will take you to the Realm-Based Routing Settings screen).
Page 180
“Setting Up the SSL Feature” on page 342 From the Web Management Interface, click on Configuration, then Realm-Based Routing. The Realm-Based Routing Settings screen appears: Define RADIUS Service Profiles RADIUS service profiles are used to direct username access requests for both plain RADIUS users and users who supply realm/domain in their username.
Page 181
To add a RADIUS Service Profile, click on the appropriate button. The Add RADIUS Service Profile screen appears: Enter a name of your choice for this service profile in the Unique Name field. Authentication This category requires input for enabling RADIUS authentication and requires you to define IP addresses, ports, and secret keys for the primary and secondary RADIUS servers (the secondary server is optional).
Page 182
The secret key is a valuable and necessary security measure. The Access Gateway and the RADIUS servers must use the same secret key. Repeat Steps 2 through 4 for the secondary RADIUS authentication server (if used).
Page 183
Define Tunnel Profiles Tunnel profiles can be defined when L2TP tunnel parameters are known and it is not necessary to send an access request to a RADIUS server to obtain those parameters or for accounting purposes. Create a tunnel profile for each L2TP tunnel whose parameters are known. The tunnel parameters that the profile contains are the IP address of the LNS and the tunnel password.
Page 184
The tunnel server in this case is configured to authenticate users via another RADIUS server that handles a single realm. Since it handles a single realm, no realm information is needed for users and so must be stripped. In this case, it is stripped by the NSE, but it could easily have been stripped by the tunnel server, or by the tunnel server’s RADIUS server.
Page 186
The following screen shows a realm routing policy that handles suffix-based usernames using a tunnel profile. The differences in this example are that the realm name is “tcisp.com”, “Suffix match only” is enabled (the delimiter in this case is “@”), and a tunnel profile, “LNSOne”, is selected instead of a RADIUS service profile.
Page 187
The “Local hostname” field is also blank in this example, which means that the NSE will use the default value of “usg_lac” during tunnel negotiation. Configure RADIUS Client The NSE RADIUS client must be set up for realm-based routing mode since realm information will be used by the NSE’s L2TP tunnel feature to determine how to handle usernames that contain realm information.
Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the Access Gateway redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving E-mail is as easy as it’s always been.
Managing the SNMP Communities {SNMP} You can address the Access Gateway using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
Reset You can now use your SNMP client to manage the Access Gateway via the Internet. Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks.
Page 191
From the Web Management Interface, click on Configuration, then Subnets. The Public Subnets Settings screen appears: Click on the button to add a new public subnet. The Add Public Subnets screen appears: Enter a valid IP address for this subnet in the field.
For additional information about the multiple subnet feature, go to “Contact Information” on page 365 for Nomadix Technical Support. Displaying Your Configuration Settings {Summary} You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on...
The Summary of Configuration Settings screen appears (partial screen shown here): More listings... Setting the System Date and Time {Time} This procedure shows you how to set the system date and time.
Page 194
From the Web Management Interface, click on Configuration, then Time. The Set Date and Time screen appears: Select Internal Time to use the local hardware time or select External Time Server if you want to use NTP instead of the internal clock of the NSE. If you select Internal Time, enter the new date and time parameters in the relevant fields...
Time Server 1-4 correct time. The Access Gateway also allows you to enter a “Time offset from UTC.” This parameter is the Universal Coordinated Time, based on the ISO 8601 standard, and is used in conjunction with RADIUS servers (for example, if the RADIUS server is set up for a time zone that is different from the Access Gateway).
Setting Up URL Filtering {URL Filtering} The Access Gateway can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods: Host IP address (for example, 1.2.3.4)
(the address will be added to the displayed list). Add or remove addresses, as required. Selecting User Agent Filtering Settings The Access Gateway can ignore traffic being generated by unsubscribed user devices that are not accessing walled garden sites or unauthenticated users.
From the Web Management Interface, click on Configuration, then User Agent Filtering. The User Agent Filtering Settings screen appears: Enable User-Agent Filtering to use the filtering capabilities for the User-Agents. Add the names of the different User-Agents that you want to filter to the HTTP User- field.
Page 199
From the Web Management Interface, click on Configuration, then Zone Migration. Zone Migration Settings screen appears: Select to enable the Zone Migration feature. Relogin after migration Add a new Zone In the section, new zones can be added and initially configured, using Zone-Based Migration the following parameter fields: –...
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side...
Page 201
Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it: Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address.
The DAT Session Table screen appears: Click on the button to clear all current subscriber sessions. Delete all sessions Deleting DAT sessions will cause all misconfigured subscribers to lose their Internet connection for a short period of time. Displaying the Host Table {Hosts} You can display a table which lists the hosts that are currently configured.
Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requesters. These statistics are presented as a listing which details the current status of each ICMP transmission element.
Page 205
The Network Interfaces screen appears:
Interface Monitoring As a complementary feature to Load Balancing, NSE releases 8.2 and later introduce the ability to actively monitor each WAN connection to assure that full network functionality exists. Interface Monitoring must be enabled; it is off by default. It is set separately for each configured WAN interface.
Click on any interface name to configure individual interface settings: Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets which are then sent over the network.
The IP Statistics screen appears: Viewing IPSec Tunnel Status {IPSec} To view the current IPSec Tunnel Status, go to the Web Management Interface, click on Network Info, then click on IPSec. Viewing NAT IP Address Usage {NAT IP Usage} To view the current NAT IP Address Usage, go to the Web Management Interface, click on Network Info, then click on...
Displaying the Routing Tables {Routing} You can display the current Routing Tables, including any dynamically generated routes, unreachable routes, or wildcard routes. To view the Routing Tables, go to the Web Management Interface, click on Network Info>Routing (NSE releases 8.2 and later) or System>Routing.
The Routing Tables screen appears: Displaying the Routing Tables {Routing} In NSE releases 8.2 and later, routing tables are available at System>Routing. The Routing Tables screen appears. You will make all routing configuration additions and deletions from this screen. This screen includes: Active Routing Table, which provides routing configuration details and the ability to ...
Static/Persistent Routing Table, grouped in a separate section for easy reference and modification. Add a New Static or Persistent Route Displaying the Active IP Connections {Sockets} You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections.
The Socket Table screen appears: Displaying the Static Port Mapping Table {Static Port-Mapping} You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port-Mapping Table, go to the Web Management Interface, click on Network Info, then click on Static Port-Mapping.
Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks. To view the TCP Statistics, go to the Web Management Interface, click on Network Info, then...
The TCP Statistics screen appears: Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol.
To view the UDP Statistics, go to the Web Management Interface, click on Network Info, then click on UDP. The UDP Statistics screen appears: Port-Location Menu The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port.
There may even be multiple ports assigned to a single room or location. The Access Gateway uses a port-location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.
Page 217
Adding a Port-Location Assignment This procedure shows you how to add a port-location assignment. If you want to update an existing assignment, go to Updating a Port-Location Assignment. From the Web Management Interface, click on Port-Location, then .
Page 218
In the Description field, enter a meaningful description for this port-location assignment. “Provide DHCP Service” is selected by default. De-select this option if you wish to disable subscriber-side DHCP for this port location. See “Managing the DHCP service options {DHCP}”...
Deleting All Port-Location Assignments {Delete All} This procedure shows you how to delete all port-location assignments. The Access Gateway displays a warning and prompts you to confirm this action before deleting all the port-locations currently assigned in the system.
Deleting Port-Location Assignments by Location {Delete by Location} This procedure shows you how to delete a port-location assignment, based on its location. The Access Gateway prompts you to confirm this action before deleting the requested port-location. If you are unsure which port-locations are currently mapped to the system, you can view a list at “Displaying the Port-Location Mappings {List}”...
“location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the Access Gateway’s flash memory). Exporting your current port-location assignments to the Access Gateway’s flash memory will overwrite the existing location.txt file. From the Web Management Interface, click on...
Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their location or port.
In the Enter Location field, enter the location of the assignment you want to find. The system ignores the case (upper or lower) of the characters you enter. Click on the button to view the specified port-location assignment, or click on the Show button if you want to reset the “location”...
Page 224
From the Web Management Interface, click on Port-Location, then Find by Port. The Find a Port-Location Assignment by Port screen appears: In the Enter Port field, enter the port you want to find. The “port” is the VLAN ID (when using 802.1Q 2-way). Click on the button to view the Process Port-Location Assignments screen, or click Show...
Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the Access Gateway’s flash memory). If you have never exported port-location assignments (since installing the Access Gateway at this site), the location.txt is empty.
Page 226
Creating a “location.txt” File You can create your own “location.txt” file and upload the file to the Access Gateway’s flash memory at [IP address]/flash/location.txt. Use the following format when creating the file:
"1",1,00:00:00:00:00:00,0.0.0.0,0, "Room 101"
The 4 (four) fields used in the format represent the standard format for port-location assignments (location, port, modem MAC address for RiverDelta, subnet, state, description).
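A pre-upload check for the location.txt format described above, as an added example (not Nomadix code). It assumes each record carries the six comma-separated values of the sample line with ASCII double quotes (typographic quotes are normalized), and it flags a port that appears twice as a likely error; the function names are hypothetical and every sample line after the first is constructed.

```python
import csv
import io
import ipaddress
import re

# Field order as listed in the guide for port-location assignments.
FIELDS = ("location", "port", "mac", "subnet", "state", "description")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
# Assumption: the file itself uses ASCII quotes; typographic quotes copied
# from a PDF are mapped to ASCII before parsing.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})


def parse_record(line):
    """Parse one location.txt line into a dict; raise ValueError if malformed."""
    try:
        rows = list(csv.reader(io.StringIO(line.translate(QUOTES)),
                               skipinitialspace=True))
    except csv.Error as exc:
        raise ValueError(f"unparseable line: {exc}") from None
    if len(rows) != 1:
        raise ValueError("expected exactly one record per line")
    values = [v.strip() for v in rows[0]]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} values, found {len(values)}")
    rec = dict(zip(FIELDS, values))
    if not rec["location"]:
        raise ValueError("empty location")
    for name in ("port", "state"):
        if not (rec[name].isascii() and rec[name].isdigit()):
            raise ValueError(f"{name} is not a non-negative integer: {rec[name]!r}")
        rec[name] = int(rec[name])
    if not MAC_RE.fullmatch(rec["mac"]):
        raise ValueError(f"bad MAC address: {rec['mac']!r}")
    try:
        rec["subnet"] = str(ipaddress.IPv4Address(rec["subnet"]))
    except ipaddress.AddressValueError:
        raise ValueError(f"bad subnet: {rec['subnet']!r}") from None
    return rec


def validate(text):
    """Check a whole file. Returns (records, problems); problems are (line_no, message)."""
    records, problems, seen_ports = [], [], {}
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as exc:
            problems.append((no, str(exc)))
            continue
        # Assumption: the guide describes several ports per location, so a
        # repeated location is fine, but a repeated port is reported because
        # authorization and billing are tracked per port.
        if rec["port"] in seen_ports:
            problems.append(
                (no, f"port {rec['port']} already assigned on line {seen_ports[rec['port']]}"))
        else:
            seen_ports[rec["port"]] = no
        records.append(rec)
    return records, problems


# Constructed sample: line 1 is the guide's example, the rest are made up.
SAMPLE = '''"1",1,00:00:00:00:00:00,0.0.0.0,0, "Room 101"
"101",2,00:00:00:00:00:00,0.0.0.0,0,"Room 101, second jack"
"102",2,00:00:00:00:00:00,0.0.0.0,0,"Room 102"
"103",x3,00:00:00:00:00:00,0.0.0.0,0,"Room 103"
"104",4,00:00:00:00:00,0.0.0.0,0,"Room 104"
"105",5,00:00:00:00:00:00,0.0.0.0,0
'''

if __name__ == "__main__":
    recs, probs = validate(SAMPLE)
    print(f"{len(recs)} records parsed")
    for line_no, message in probs:
        print(f"line {line_no}: {message}")
```

Because an import replaces what the gateway holds with the file's contents, running a check like this before uploading to /flash/location.txt catches a malformed line before it reaches the port-location table.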
Displaying the Port-Location Mappings {List} You can display a listing of all port-locations assigned to this system. To view the listing of port-location assignments, go to the Web Management Interface, click on Port-Location, then click on List. The List Port-Location Assignments screen appears:
Click Allow Intra-port communication Click Add/Update Subscriber Administration Menu Adding Subscriber Profiles {Add} This procedure shows you how to add subscriber profiles into a table of authorized users. Three types of subscriber profiles are provided; see the following sections for configuration information for the different profile types: “Adding a Subscriber Type Profile”...
Page 229
For more information about subscriber access and billing options, see the following sections: “Authorization and Billing” on page 288; “Subscriber Management” on page 294; “Subscriber Management Models” on page 294; “Configuring the Subscriber Management Models” on page 295 ...
Page 230
Enter a valid MAC Address for the subscriber. If you have chosen to manage this subscriber by user name only, you do not need to enter a MAC address (but you must enter a user name). Enter the of the subscriber.
Page 231
Adding a Device Type Profile From the Web Management Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen appears: Choose the Device account type for this profile. If required, enable the feature.
Page 232
Define the Min Downstream Bandwidth and Max Downstream Bandwidth range for this device (in Kbps). If using Class-Based Queuing, enter the primary and subclass for this device in the Class field. Enter these values in the format: <top-level class>.<subclass> (top-level class and subclass separated by a period).
Page 233
From the Web Management Interface, click on Subscriber Administration, then Add. The Add a Subscriber Profile to the Database screen appears: Choose the Group Account type for this profile. Define the DHCP Address Type: Public or Private (only used when the IP Upsell feature is enabled; otherwise leave this set to “private”).
Enter an amount in the Paid field. The next two fields (User Definable 1 and User Definable 2) are optional. Use these fields for simple notations about the subscriber. Define the Min Upstream Bandwidth and Max Upstream Bandwidth range for this subscriber (in Kbps).
Current Subscribers table on any field. Click any table header to sort on that field. Deleting Subscriber Profiles by MAC Address {Delete by MAC} This procedure shows you how to delete a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s MAC address.
“MAC Address” value to the 00 state. Deleting Subscriber Profiles by User Name {Delete by User} This procedure shows you how to delete a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s user name.
, then click on Subscriber Administration DHCP Leases. To use this feature, your Access Gateway must be set to act as its own DHCP Server. The DHCP function cannot be set to DHCP Relay. Refer to “Managing the DHCP service options {DHCP}” on page 112.
Finding Subscriber Profiles by MAC Address {Find by MAC} This procedure shows you how to find a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s MAC address. Use this procedure when you want to see the statistics corresponding to the MAC address.
Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s user name. Use this procedure when you want to see the statistics corresponding to the user name. Statistics include the subscriber’s MAC address and the access time remaining for this subscriber.
The Authorized Subscriber Profiles screen appears: Click on a link to view the associated subscriber. -1 indicates a subscriber added by Admin or XML useradd with no associated plans. Listing Subscriber Profiles by User Name {List by User} You can display the currently active database of authorized subscribers, based on user names.
Page 241
The Authorized Subscriber Profiles screen appears: Click on a link to view the associated subscriber. -1 indicates a subscriber added by Admin or XML useradd with no associated plans.
Viewing RADIUS Proxy Accounting Logs {RADIUS Session History} These settings are available under Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox: When this setting is enabled, any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD” in the /flash directory.
(for example, free access, credit card, etc.). The total number of user profiles stored in the Access Gateway’s internal database is also shown. To view the Subscriber Statistics, go to the Web Management Interface, click on...
Page 244
charge. In addition to credit card billing, Property Management Systems used by hotels are also supported, along with the internal database of the Access Gateway and billing via Nomadix' secure XML API. See also, “Assigning a PMS Service {PMS}” on page 144 (see following note).
Page 245
From the Web Management Interface, click on Subscriber Interface, then Billing Options. The Internal Billing Options Setup screen appears:
Page 246
Review the billing plans (normal plans and X over Y plans) that are currently active. To view or edit a billing plan, click the View/Edit/Delete button opposite the corresponding plan. The Internal Billing Options Plan Setup or Internal Billing Options XoverY Plan Setup screen appears for the billing plan (and type) you selected.
Page 247
Sample of Internal Billing Options XoverY Plan Setup Screen Depending on the type of plan you want to set up, go to: “Setting Up a “Normal” Billing Plan” on page 235; “Setting Up an X over Y Billing Plan” on page 237.
Page 248
Time Unit One time unit is assigned to each billing plan. The Access Gateway allows you to define multiple billing plans with different time units at the same time. For example, you can define one billing plan that charges by the hour (e.g. $2.95 per hour) and a second plan that charges per day (e.g.
Page 249
Define the messages you want to present to subscribers, including: Introduction Message; Offer Message; Policy Message. Define the Units of Access (Minute, Hour, Day, Week, or Month) you want to make available to subscribers. If you want to allow free access to subscribers, you can define the following free billing options: Default Free Access Time (in days) ...
(previous) screen. Setting Up the Information and Control Console {ICC Setup} The Nomadix ICC is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time”...
Page 251
(described above). The pop-up Logout Console offers the opportunity to display the elapsed/count-down time and one logo for intra-session service branding. Featured Logout Console This procedure allows you to set up how the ICC is displayed to subscribers. For more information about the ICC, go to “Information and Control Console (ICC)”...
Page 252
From the Web Management Interface, click on Subscriber Interface, then ICC Setup. The ICC Setup screen appears:
Page 253
If you enabled either of the ICC pop-up options, you can choose a unique name for the console. Simply type a meaningful name in the Title field. Define the physical location where you want the Nomadix Logout Console to appear on the subscriber’s screen. Choose one of the following options: Upper Left Corner ...
Page 254
When assigning images for buttons, refer to: “Pixel Sizes” on page 244. If you assign (or change) button images or banner images, the Access Gateway must be rebooted for your changes to take effect. When you have completed assigning all your redirect buttons, click on the...
Page 255
Assigning Banners From the Subscriber Console (Information and Control Console - ICC) Setup screen, click on the Configure Banners link. The Subscriber Console (Information and Control Console - ICC) Banners Setup screen appears: Click here to return to the previous screen. You can display up to 5 banners, but they must be defined here.
Page 256
Stop Time (Optional) If you assign (or change) button images or banner images, the Access Gateway must be rebooted for your changes to take effect. If you changed any of the Image Name definitions, click on the check box for...
Defining Languages {Language Support} The Access Gateway allows you to define the text displayed to your users by the Internal Web Server (IWS) without any HTML or ASP knowledge. The language you select here will determine the language encoding that the Access Gateway’s Internal Web Server instructs the browser to use.
Page 258
Japanese (Shift_JIS); Spanish; Other, with drop-down menu (see note). If running NSE releases 8.2 and later, you can also change the language of the Web Management Interface. See “Selecting the language of the Web Management Interface” on page From the Web Management Interface, click on Subscriber Interface, then...
Other option, then choose one of the available Japanese character sets from the drop-down menu. If sufficient space is available, the Access Gateway’s Internal Web Server also supports multiple languages at the same time.
Page 260
Upload the required pages and images to the /flash/web directory using FTP. Total file size of all pages and images cannot exceed 200 KB. File names should be labeled using the 8.3 format. Go to WMI>Subscriber Interface>Local Web Server and add the names of the HTML or image files that were uploaded to the /flash/web directory.
Image File Name This text box lets you add or remove the names of the image files that you intend to serve to the end users. Note: The name of the image file has to be added in order for it to be served to the end users.
Page 262
From the Web Management Interface, click on Subscriber Interface, then Login UI. The Subscriber Login User Interface Settings screen appears: Define the messages you want subscribers to see when they log in. Keep messages brief and to the point. Available message categories include: Service Selection Message ...
Page 263
Click on the check box for Enable “Remember Me” option if you want to enable (or disable) this feature. This option enables the Access Gateway to “remember” logins for a predetermined duration (see next step). The “Remember Me” option requires JavaScript to be enabled.
Page 264
Image File Name Partner Image File Name must reboot the Access Gateway for your changes to take effect. In this case, click on the check box for Reboot after changes are saved? The partner image (splash screen) is not the same screen that is defined by the Image File Name (IWS screen) field.
The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the Access Gateway’s Internal Web Server (IWS). Using the IWS option means that this functionality is available for other post-paid billing mechanisms (for example, post-paid PMS—if your product license supports PMS).
Page 266
Freely configurable hypertext link (in case the ISP wants to link the user back to a sign-up/help page). Sample of Post Session UI (Goodbye Page)
Page 267
From the Web Management Interface, click on Subscriber Interface, then Post Session. The Subscriber Post Session User Interface Settings screen appears:
Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS Goodbye Page, as required. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes: Display IP Address ...
From the Web Management Interface, click on Subscriber Interface, then Subscriber Buttons. The Subscriber Page -- Control Button Definitions screen appears: Caution Enter the definitions you want for each control button in the corresponding fields. Only the Login button should be named “Login.” Do not assign this name to any other button.
Page 270
From the Web Management Interface, click on Subscriber Interface, then Subscriber Labels. The Subscriber Page -- Field Label Definitions screen appears: Enter the definitions you want for each label in the corresponding fields. Click on the Submit button to save your changes, or click on the Reset button if you want...
Defining Subscriber Error Messages {Subscriber Errors} This procedure allows you to define how error messages are displayed to subscribers. There are 2 (two) pages of error messages available. From the Web Management Interface, click on Subscriber Interface, then Subscriber Errors, 1 of 2.
Page 272
If you want to reset all field values to their default state, click on the Revert button. Repeat Steps 1 – 3 for page 2 of 2 (see following screen):
Defining Subscriber Messages {Subscriber Messages} This procedure allows you to define how “other” subscriber messages are displayed. There are 3 (three) pages of subscriber messages available. From the Web Management Interface, click on Subscriber Interface, then Subscriber Messages, 1 of 3. The Subscriber Page -- Other Message Definitions, 1 of 3 screen
Page 274
Enter the definitions you want for each subscriber message in the corresponding fields. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state. If you want to reset all field values to their default state, click on the button.
Page 275
Repeat Steps 1 – 3 for page 3 of 3 (see following screen):
System Menu Adding an ARP Table Entry {ARP Add} ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
Click on the button to add your entry, or click on the Reset button if you want to reset all the values to their previous state. Deleting an ARP Table Entry {ARP Delete} Note: NSE releases 8.2 and later consolidate ARP operations to a single screen. See Adding and Deleting ARP Table Entries.
From the Web Management Interface, click on System, then ARP. The ARP Tables screen appears. You can view, delete, or add new ARP table entries from this screen. Configurable Gateway ARP Refresh Interval The NSE will periodically refresh its ARP cache entry for the gateway IP. When gateway redundancy is implemented via the use of multiple gateway devices with the same IP address, the periodic refresh enables the NSE to quickly discover the new MAC address of the gateway.
“remove” the Access Gateway from the network without physically disconnecting the unit. You can still manage the Access Gateway when Bridge Mode is enabled, but you have no other functionality. If you enable the Bridge Mode option and then plug the Access Gateway into a network, all you need to do is assign it routable IP addresses.
Click on the check box for Bridge Mode to enable this feature. The Access Gateway should be rebooted if this setting is changed. If you want the changes to take effect immediately, select “Reboot immediately after changes are saved”.
From the Web Management Interface, click on System, then Export. The Export Configuration screen appears: Click here to view the “archive.txt” file. Click here to view the “current.txt” file. Click on the button to export the current authentication settings to the archive.txt file. Importing the Factory Defaults {Factory} This procedure shows you how to replace the current authentication settings with the settings that were established at the factory.
Many large scale networks require fail-over support for all devices in the public access network. The Fail Over Options feature allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network.
Secondary will wait while not receiving messages from the Primary before it takes over. Click on the check box for Reboot after changes are saved? If you are using RADIUS, it is recommended to add both Nomadix gateways to the RADIUS server. Click on the...
Access Gateway. Establishing ICMP Blocking Parameters {ICMP} The Access Gateway includes the option to block all ICMP traffic from “pending” or “non authenticated” users that are destined to addresses other than those defined in the pass-through...
(walled garden) list. The default setting for this option is “disabled” because ICMP pass-through is a useful end-user troubleshooting feature and is also required by certain smart clients (for example, GRIC). From the Web Management Interface, click on , then The ICMP screen System...
Administrative Concurrency may be enabled to further restrict the amount of management sessions allowed at one time. When this feature is enabled, one manager and three operators can access the Access Gateway at any one time (the default is “disabled”).
Page 287
Telnet Command Line Interface (CLI) – serial; Web Management Interface (WMI); FTP and SFTP (no operator access allowed); SSH Shell Access. Only managers can assign a username and password for the remote RADIUS testing login option.
Page 288
URL for the test page is http://<Nomadix Access Gateway IP>/radtest/testradius.htm and can be accessed from the network side of the Access Gateway. You must open a separate browser to utilize this feature. The “Framed IP” field is configurable by the user and can be set to any IP address.
Reset Defining the MAC Filtering Options {MAC Filtering} MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 600 MAC addresses can be blocked at any one time (see caution).
From the Web Management Interface, click on System, then MAC Filtering. The MAC Filtering screen appears: Click on the check box for MAC Filtering to enable (or disable) this feature, as required. Enter a MAC address in the field, then click on the button to add this address to the “blocked”...
Page 291
From the Web Management Interface, click on System, then Packet Capture. The Packet Capture Settings screen appears: To initiate a capture on a given interface, click that interface’s associated Start button. The button label will change to Stop, indicating that a capture is in progress. Click the button again to stop the capture.
Rebooting the System {Reboot} This procedure shows you how to reboot the Access Gateway. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
Page 293
To view the routing tables, choose System > Routing. The Routing Tables screen appears. You can view the routes associated with each physical NSE port by clicking on the tab for the port. In the screen shot above, only the WAN port is in use. Adding a Route On the Routing Tables screen, scroll to Add a New Static or Persistent Route...
Enter the Destination IP/Prefix Length address of the route you want to add to the routing table. This is the Destination IP or Subnet that the Route is trying to reach, with the prefix length to determine how large the subnet might be. Enter the Gateway IP address for the Route being added so that the NSE knows what to...
Access Gateway. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the Access Gateway without setting them up with public IP addresses.
“Displaying the Static Port Mapping Table {Static Port-Mapping}” on page 200; “Adding Static Ports {Static Port-Mapping Add}” on page 283. Blocking a Subscriber Interface {Subscriber Interfaces} The Access Gateway allows System Administrators to block subscriber interfaces.
Updating the Access Gateway Firmware {Upgrade} Upgrading the Access Gateway firmware is performed from the Access Gateway’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support).
When a subscriber accesses the solution provider’s high speed network, the Access Gateway points the subscriber’s browser to a sign-in page. The Access Gateway then creates a database entry that automatically records the subscriber’s Media Access Control (MAC) address and integrates this address with a PMS interface for secure billing.
customer (the subscriber). The Access Gateway’s role in this customer/supplier relationship is effectively “invisible” to subscribers. [Figure labels: Subscriber Broadband Network Subscriber Gateway Portal AAA Module Internet Billing] Authorization and Billing As a gateway device, the Access Gateway enables plug-and-play access to broadband networks.
(in the hotel scenario), via a mailed invoice, or directly to the subscriber’s credit card account. The following illustration shows the functional relationship between the Access Gateway’s internal modules and the external support systems. The Subscriber Interface...
Page 302
[Figure labels: Subscriber Login Subscriber Management Internal Web Server External Web Server Internal Web Management Interface (on flash for login pages) (for login & portal pages) Authentication Internal User Database Authorization Table Internal User Database Credit Card Server PMS System Internal Accounting Log (AAA) Accounting Billing Mirror Server(s)]
Page 303
The initial login page can be presented in various ways, depending on the system’s configuration. The Access Gateway supports any of the following methods and tools: Internal and external Web pages. External “portal” page for redirection. ...
Process Flow (AAA) The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the Access Gateway. [Flowchart labels: AG detects connection and verifies user against authorization table; New User; Existing Subscriber...]
English, Chinese, French, German, Japanese, and Spanish. Home Page Redirection The Access Gateway can be configured to redirect all valid subscribers to a Web portal or home page determined by the solution provider. After a specified time, from the first home page redirection (determined by the system administrator), subscribers are redirected again to the portal at the next Web page request.
Combinations of two or more subscriber management models can be used. When a subscriber connects to the network and attempts to access the Internet, the Access Gateway looks for each model in the given order above. Subscriber Management Models The system administrator establishes the subscriber management model via the Command Line Interface (CLI) or the Web Management Interface.
Credit card Enable the AAA services. You have the choice of enabling the Access Gateway’s internal authorization module or using an external credit card authorization server. Internal Authorization Enabled Enter the credit card server’s URL and IP address, then enter the merchant ID you obtain from Authorize.Net.
Information and Control Console (ICC) The ICC is an HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account. The ICC also offers service providers an opportunity to display advertising banners and provide a choice of redirection options.
Logout Console The Access Gateway allows System Administrators to define a simple HTML-based pop-up window for explicit logout that can be used as an alternative to the more fully featured ICC. The pop-up Logout Console can display the elapsed/count-down time and one logo for intra-session service branding.
Web Management Interface (WMI) Menus The following tables contain a listing and brief explanation of all menus and menu items contained in the Access Gateway’s Web Management Interface (WMI), listed as they appear on screen. Menus...
(IP address) of administrator logins. A login is permitted only if a match is made with the master list contained on the Nomadix Access Gateway. If a match is not made, the login is denied, even if a correct login name and password are supplied.
Page 313
Item Description IPSec IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Page 314
Item Description Subnets Enables dynamic multiple subnet support. Summary Displays a summary listing of all configuration settings. Time Sets the system date and time. Traffic Descriptors Bandwidth consumed over time, active allocated bandwidth, number of using bandwidth and network capacity, URL Filtering Dynamically adds or removes up to 300 specific IP addresses and domain names to be filtered for each property.
Network Info Menu Items Item Description Displays the ARP table, including the destination IP address and the gateway MAC address. Displays the DAT session table. DNSSEC DNSSEC support adds authentication and integrity capability to DNS systems. The DNSSEC feature in the NSE allows DNSSEC queries and responses to traverse the NSE between subscribers and the NSE's configured DNS servers.
Item Description NAT IP Interface A new separate iNAT interface page shows the settings for each port in either WAN or OOS modes. Ports in SUB mode are not shown. Each of the displayed ports has individual iNAT / Subscriber tunnel settings accessible by clicking on that port's link.
Page 317
Items Description Import Imports specified port-location assignments from the location.txt file. List Displays the port-location file, listing all port-location assignments.
Subscriber Administration Menu Items Items Description Adds subscriber profiles to the database. Current Displays a list of all currently connected subscribers. Delete by MAC Deletes a subscriber, based on a specific MAC address. Delete by User Deletes a subscriber, based on a specific user name. DHCP Leases Sets up the current subscriber DHCP leases.
Items Description Local Web Server Upload the required pages and images to the /flash/web directory using FTP. Total file size of all pages and images cannot exceed 200 KB. Login UI Defines the appearance of the internal subscriber login user interface, including all the login messages and fonts, etc., and establishes the currency.
Page 320
Route Delete Deletes a route to a specific IP destination. Routing View Nomadix Access Gateway’s routing table; Add or delete a route to a specific IP destination. Session Limit Limits the number of sessions any one user can take over a given time period and, if necessary, then blocks malicious users.
Page 321
Exports the system’s configuration settings to an archive file. Factory Imports the factory default settings. FailOver Sets up a “sibling” Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the network. History Displays a history log of the system’s activity, including Access,...
Page 322
MAC addresses can be blocked at any one time. Reboot Reboots the Access Gateway. Route Add Adds a route into the Access Gateway’s routing table. Route Delete Deletes a route to a specific IP destination. Session Limit Limits the number of sessions any one user can take over a given time period and, if necessary, then blocks malicious users.
Alphabetical Listing of Menu Items (WMI) The menu items listed here are for a fully featured Nomadix Access Gateway (with all optional modules included). Refer to “About Your Product License” on page
Item: Description (Menu)
AAA: Set AAA options (Configuration)
Access Control .....
Page 324
Summary: Display a summary of the configuration settings (Configuration)
TCP: Display the TCP performance statistics (Network Info)
Time: Set the system date and time (Configuration)
UDP: Display the UDP performance statistics (Network Info)
Upgrade: Upgrade the Access Gateway system firmware (System)
URL Filtering: Define URLs for filtering (Configuration)
Default (Factory) Configuration Settings The following table shows a partial listing of the Access Gateway’s primary default configuration settings (the settings established at manufacturing). For a complete listing of the factory default settings, refer to the factory.txt file. For more information, go to “Importing the...
Page 326
Function | Default Setting
AAA Logging | Disabled
AAA Log Server Number |
AAA Log Server IP | 0.0.0.0
SYSLOG (System Logging) | Disabled
SYSLOG Server Number |
SYSLOG Server IP | 0.0.0.0
AAA Services | Disabled
Internal Authorization | Enabled
New Subscribers | Enabled
Credit Card Service | Enabled
Parameter Passing | Disabled...
Product Specifications
AG2300 Specifications
AVAILABLE NSE MODULES
High Availability - Fail Over
PERFORMANCE
User Support: Up to 50 users concurrently
Throughput: up to 20Mbits/s*
*As defined by RFC1242, Section 3.17
PHYSICAL
1U rack space in a 19” rack
10.00”(L) x 10.00”(D) x 1.73”(H)
254mm(L) x 254mm(D) x 44mm(H)
Weight: 5.0 lbs.
Page 328
AG2300 Specifications
ENVIRONMENTAL
Operating temperature: 5°C to 40° C
Storage temperature: 0°C to 70° C
Operating humidity: 20 - 90% RH non-condensing
Storage humidity: 5 - 95% RH
Altitude: Up to 15,000ft
COMPLIANCE
FCC Class A, Part 15
CE Mark
CENELEC EN 55022: 1998 + A1: 2000 + A2: 2003, Class A
CENELEC EN 61000-3-2:2000...
Page 329
AG2400 Specifications
AVAILABLE NSE MODULES
AG 2400 Hospitality Module
AG 2400 High Availability Module
PERFORMANCE
200 concurrent users or devices
Throughput up to 230 Mbps as defined by RFC 1242, Section 3.17
PLATFORM
Intel based System
INTERFACE
1-RJ 45 - WAN
3-RJ 45 - ETH
1-12VDC Power Connector...
Page 330
AG2400 Specifications
DIMENSIONS
215.5 W x 44 H x 190mm D
1U Rack Mountable
WEIGHT
1.2 kg
ENVIRONMENTAL PARAMETERS
Temperature Ambient Operating / Storage: 0~40° / -20~70° C
Humidity (RH) Ambient Operating / Ambient Non-Operating: 5~90% non-condensing / 5~95% non-condensing
REGULATORY
FCC Class A
UL, UL (US and Canada)
Page 331
AG2400 Specifications
BILLING ENABLEMENT RADIUS CLIENT
Radius (AAA) Proxy Port-Based Policies Port Mapping Local Databases Credit Card Interface PMS Advanced XML Interface Bill Mirroring
BRANDING ESTABLISHMENT
Parameter Passing enabling branding
NETWORK MANAGEMENT
Web Management Interface (WMI)
Command Line Interface (CLI)
Integrated VPN Client for Management
Radius-Driven Configuration
Multi-Level Admin Support...
Page 332
AG2400 Specifications
IP ADDRESS MANAGEMENT
IEEE 802.3/3u/3eb
IEEE 802.1d
DHCP Server
DHCP Relay
Multiple Subnet Support
IP UPsell
DHCP Client
PPPoE Client
INTELLIGENT ROAMING
Realm-Based Routing
Zone Migration
SERVICE PROVISIONING
Home Page Redirect
HTTP-Redirect
HTTPS-Redirect
Portal Page Redirect
Session Termination Redirect
Information and Control console
Pop-up (explicit) logout button...
Page 333
AG3100 Specifications
AVAILABLE NSE MODULES
High Availability - Fail Over
Hospitality Module - Property Management Interface (PMS)
PERFORMANCE
User Support: Up to 200 users concurrently
Throughput: up to 85Mbits/s*
*As defined by RFC1242, Section 3.17
PHYSICAL
1U rack space in a 19" rack
10.00”(L) x 10.00”(D) x 1.73”(H)
254mm(L) x 254mm(D) x 44mm(H)
Weight: 5.0 lbs.
Page 334
AG3100 Specifications
ENVIRONMENTAL
Operating temperature: 5°C to 40° C
Storage temperature: 0°C to 70° C
Operating humidity: 20 - 90% RH non-condensing
Storage humidity: 5 - 95% RH
Altitude: Up to 15,000ft
COMPLIANCE
FCC Class A, Part 15
CE Mark
CENELEC EN 55022: 1998 + A1: 2000 + A2: 2003, Class A
CENELEC EN 61000-3-2:2000...
Page 335
AG5500 Specifications
AVAILABLE NSE MODULES
High Availability - Fail Over
Hospitality Module - Property Management Interface (PMS)
PERFORMANCE
User Support: Up to 2000 users concurrently
Throughput: up to 100Mbits/s*
*As defined by RFC1242, Section 3.17
PHYSICAL
1U rack space in a 19” rack
16.85”(L) x 10.04”(W) x 1.73”(H)
428mm(L) x 255mm(W) x 44mm(H)
Weight: 6.61 lbs...
Page 336
AG5500 Specifications
ENVIRONMENTAL
Operating temperature: 5°C to 40° C
Storage temperature: 0°C to 70° C
Operating humidity: 20 - 90% RH non-condensing
Storage humidity: 5 - 95% RH
Altitude: Up to 15,000ft
COMPLIANCE
FCC Class A, Part 15
CE Mark
CENELEC EN 55022: 1998 + A1: 2000 + A2: 2003, Class A
CENELEC EN 61000-3-2:2000...
Page 337
AG5500 Specifications
NETWORKING
IEEE 802.3 / 3u
IEEE 802.1d
DHCP Server
DHCP Relay
RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2)
AG5600 Specifications
AVAILABLE NSE MODULES
High Availability - Fail Over
Hospitality Module - Property Management Interface (PMS)
PERFORMANCE
User Support: Up to 2000 users concurrently
Throughput: up to 750Mbits/s*...
Page 338
AG5600 Specifications
OPERATING VOLTAGE
100 – 240 VAC, 50/60Hz, Auto Sensing
POWER CONSUMPTION
65 watts
ENVIRONMENTAL
Operating temperature: 0°C to 40° C
Storage temperature: 10°C to 70° C
Operating humidity: 20 - 90% RH non-condensing
Storage humidity: 5 - 95% RH
Altitude: Up to 15,000ft
COMPLIANCE
UL (US and Canada)
Page 339
AG5600 Specifications
LED INDICATORS
ACT/LINK and 10/100/1000 for each Ethernet port
Power
NETWORK MANAGEMENT
Multi-Level Administration Controls
Integrated VPN Client (IPSec) for secure connection to an NOC
Access Control Lists
Web Administration UI
CLI via Telnet and Serial Port
SNMPv2c
Secure XML API
Auto Configuration and Upgrades...
Page 340
AG5800 Specifications
PLUG AND
Dynamic Address Translation (DAT)
Dynamic Transparent Proxy
SERVICE PROVISIONING
Home Page Redirect
HTTP - Redirect
Portal Page Redirect
Session Termination Redirect
Information and Control console
Pop-up (Explicit) Logout Button
International Language Support
External Web Server Mode
Internal Web Server Mode
Secure XML API over SSL
Login Page Failover...
Page 341
AG5800 Specifications
ACCESS CONTROL AND AUTHENTICATION
Authorization, Authentication and Accounting (AAA)
Walled Garden
Group Accounts
Tri Mode Authentication
Universal Access Method over SSL
IEEE 802.1x
Smart Client Support (Boingo, iPass)
MAC Authentication
Remember Me Log-in
ADVANCED SECURITY
iNAT
IPSec Support
PPTP Support
Session Rate Limiting (SRL)
Page 342
AG5800 Specifications
BRANDING
Parameter Passing-enabled branding
NETWORK MANAGEMENT
Web Management Interface (WMI)
Command Line Interface (CLI)
Integrated VPN Client for Management
RADIUS-Driven Configuration
Multi-level Admin Support
Centralized Radius Authentication
SMTP Redirection
Access Control
Bridge Mode
SNMPv2c
Syslog/AAALog
MEDIA ACCESS CONTROL
CSMA/CA...
Page 343
AG5800 Specifications
REGULATORY
FCC Class A
UL, UL (US and Canada)
EN 55022: 2010 Class A, EN 61000-3-2:2006/A1:2009/A2:2009, EN 61000-3-3:2008, EN55024:2010 (IEC 61000-4-2:2008, IEC 61000-4-3:2006/A1:2007/A2:2010, IEC 6100-4-4:2004/A1:2010, IEC 6100-4-5:2006, IEC 61000-4-6:2008, IEC 61000-4-8:2009, IEC 6100-4-11:2004), Australian Standard AZ/NZS CISPR 22:2009 Class A
CB Scheme
PHYSICAL
1U rack space in a 19”...
Sample AAA Log
The following table shows a sample AAA log. This log is generated by the Access Gateway and sent to the SYSLOG server that is assigned to AAA logging.
Access Type Subscriber Expi- Date Time Gateway...
Removed_by_administrator authorization table.
Sample SYSLOG Report
Syslog reports are generated by the Access Gateway and sent to the syslog server that is assigned to general error detection and reporting.
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126] DHCP: ndxDHCPInit: 0021 DHCP initialized
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [Access Gateway v51.4.126]...
Sample History Log
A history log is generated by the Access Gateway which includes the system’s activity (Access, Reboot and Uptime). More listings ...
Keyboard Shortcuts
The following table shows the most common keyboard shortcuts.
Action | Keyboard Shortcut
Cut selected data and place it on the clipboard. | Ctrl + X
Copy selected data to the clipboard. | Ctrl + C
Paste data from the clipboard into a document (at the insertion point). | Ctrl + V
All subscribers attempting to gain access to the network are validated by RADIUS. When a subscriber attempts to access the service provider's network, the Access Gateway delivers a Web page to the subscriber asking for a login name and password. This information (password) is encrypted and sent across the network to the ISP's RADIUS server.
Access-Request and the Accounting-Request.
Session Timeout
There is currently no default session timeout that you can set in the Access Gateway Web Management Interface (WMI). If the Radius server does not send a Session-Timeout, the Access Gateway will set the subscriber expiration time to 0, which means access forever.
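Because a missing Session-Timeout results in a subscriber with no expiration, the RADIUS server's Access-Accept replies are worth checking for that attribute. The following is an added example, not code from the Nomadix manual: it parses a RADIUS packet in the RFC 2865 layout and reports whether an Access-Accept carries a Session-Timeout (attribute 27). The function names and the sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2      # RFC 2865 packet code
ACCESS_REJECT = 3
SESSION_TIMEOUT = 27   # RFC 2865 attribute: 4-byte unsigned integer, seconds
REPLY_MESSAGE = 18
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def audit_access_accept(packet: bytes) -> str:
    """Classify an Access-Accept by the Session-Timeout it carries."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return "not-access-accept"
    timeouts = [v for t, v in attrs if t == SESSION_TIMEOUT]
    if not timeouts:
        # Per the text above: the gateway sets expiration to 0 (access forever).
        return "missing-session-timeout"
    if len(timeouts[0]) != 4:
        return "malformed-session-timeout"
    seconds = struct.unpack("!I", timeouts[0])[0]
    # How the gateway treats an explicit 0 is not stated on the page;
    # it is flagged separately here for manual review (assumption).
    return "zero-session-timeout" if seconds == 0 else f"ok:{seconds}"


def build_packet(code: int, attrs) -> bytes:
    """Build a constructed test packet (zeroed authenticator, identifier 1)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed sample replies, not captured traffic.
WITH_TIMEOUT = build_packet(ACCESS_ACCEPT, [(SESSION_TIMEOUT, struct.pack("!I", 3600))])
WITHOUT_TIMEOUT = build_packet(ACCESS_ACCEPT, [(REPLY_MESSAGE, b"welcome")])

if __name__ == "__main__":
    for name, pkt in (("with", WITH_TIMEOUT), ("without", WITHOUT_TIMEOUT)):
        print(name, audit_access_accept(pkt))
```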
Radius Accounting Interim message for the specific subscriber. If this attribute is not present or equal to 0, no Interim message is sent. The precision is 2 minutes. The Access Gateway will not send Interim messages more frequently than every 2 minutes.
Page 353
Nomadix-Bw-Down
This attribute value (in Kbps) restricts the speed at which downloads are performed.
Nomadix-URL-Redirection
This attribute allows the administrator to redirect the user to a page of the administrator's choice each time the user logs in.
Nomadix-IP-Upsell
This attribute allows the user to receive a public address from a DHCP pool when the Access Gateway has the IP-Upsell feature enabled.
Setting Up the SSL Feature
This section describes how to set up the Access Gateway’s SSL feature.
Prerequisites
You should be a business that is qualified to obtain an SSL secure server ID from different Certificate Authorities (CAs), such as VeriSign. The Certificate Authority sets this qualification criterion.
Installing Cygwin and OpenSSL on a PC
The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen:
Click on the Next button. The following screen appears:
Click on the Next button to display the next setup screen.
Page 356
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Page 357
Select a location and click on the Next button. For the purposes of this document, Nomadix used: ftp://planetmirror.com. In the following screens, please skip all packages except “cygwin” and “openssl,” then click on the Next button when you are done. At the time of this writing, there are more than 70 packages to install. Please ensure that you “skip”...
Click on the Next button to start the “download” process. Wait for the download process to complete.
Click on the Next button to start the “install” process. Wait for the install process to complete.
There will be a pop-up dialog to inform you that the installation process is completed. At the pop-up dialog, click on the button.
Page 359
Run the “command” prompt from Windows, then click on the button. Go to the c:\cygwin\bin\ directory and run the following command:
>openssl genrsa -rand file1:file2:file3:file4:file5 1024 > cakey.pem
The following table provides an explanation of the command elements:
Page 360
However, if you are saving them under different names, you must change the names back to “cakey.pem” when trying to FTP to the Access Gateway. Do not include the “-des3” option, so that the private key is kept in an unencrypted form.
Here is the output of cakey.pem:
Create a Certificate Signing Request (CSR) File
Run the following command to generate the certificate signing request:
>openssl req -new -key cakey.pem > server.csr
The “Common Name” is the name used in the Access Gateway->AAA->SSL Certificate Domain Name. The Common Name in the Public Key must match the SSL Certificate Domain Name in the Web Management Interface of the Access Gateway (refer to the Access Gateway setup information later in this document).
Page 363
This is the procedure to get a 40-bit encryption or 128-bit Public Key from VeriSign. With IE or Netscape, go to www.verisign.com/products/site/index.html. Select for Secure Site Service.
Page 364
Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it is impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification. There are several ways to prove the existence of your business.
You have now finished the process of obtaining a public key.
Setting Up Access Gateway for SSL Secure Login
FTP the “cakey.pem” and “server.pem” files into the Access Gateway platform's flash directory. FTP to the Access Gateway by Netscape:
ftp://username:password@[Access Gateway Network IP]/flash
Drag and drop the “cakey.pem”...
Setting Up the Portal Page
System administrators can create login button(s) on the Portal Page, and can set up “http” links for regular logins, secure logins, or both. When subscribers enter the Portal Page, they can then choose either a regular login or a secure login. To set up the Portal Page, add the following:
For Regular Logins:
http://Access Gateway_ip:1111/usg/login?OS=http://after_login_finished_page.html
For Secure Logins:...
Mirroring Billing Records
Multiple Access Gateway units can send copies of credit card billing records to a number of external servers that have been previously defined by system administrators. The Access Gateway assumes control of billing transmissions and saving billing records. By effectively “mirroring”...
XML Interface
XML for the External Server
The Access Gateway sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built, as the billing “mirroring” information is sent to the external server in HTTP compliant XML format. Content-length has also been...
Page 369
The Access Gateway accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the Access Gateway product. In this case, the acknowledgement received from the External Server forms the command. The Access...
Page 370
RESULT_VALUE:OK or ERROR IP:Standard IP format (123.123.123.123) ERROR_CODE1 for OK, or any other number Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 365. For more information about Billing Records Mirroring, see also: “Billing Records Mirroring”...
General Hints and Tips The Access Gateway is both a hardware device and a powerful software utility. As a hardware computing device, the Access Gateway requires careful handling. It should be positioned in a dust-free and temperature-controlled environment. Never block the unit’s ventilation holes, and do not stack with other equipment (unless correctly mounted in a rack).
Management Interface Error Messages
The following table contains the error messages associated with the Management Interface (CLI and Web). All messages are listed alphabetically.
Error Message | Cause
AAA must be enabled before adding a subscriber to the profile database. | You are attempting to add a subscriber profile
Page 373
When upgrading the software, the system FTP a valid boot image to the flash. needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive. Warning: no DHCP services are available to This message is displayed because you have subscribers.
Common Problems
If you are having problems, you may find the answers here.
Problem: When using the internal AAA login Web server, you cannot communicate with Authorize.Net.
Possible Cause: The internal AAA login server communicates with Authorize.Net on a specified...
Solution: Enable communications with Authorize.Net on port 1111.
Page 375
(if different).
Possible Cause: DNS is misconfigured in the Access Gateway.
Solution: Check the DNS settings (host, domain, and the primary, secondary, and tertiary DNS).
(if the problem is related to the Access Gateway). Additionally, you should check with your network documentation to verify that the network components are functioning correctly.
10/100 Ethernet See Ethernet. (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing them to access the Internet and make online...
Page 380
(ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet. Adaptive Configuration Technology A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT. ad-hoc mode 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP).
Page 381
(permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings. See also, DHCP.
Page 382
Dynamic IP Address
A temporary IP address that is assigned by the DHCP server to a device. Devices retain dynamic IP addresses only for the duration of their networking session. When a device disconnects from the network, the IP address is recaptured by the DHCP server and becomes available for reassignment to another device.
Page 383
For example, if a user in California accesses a computer in New York, the computer in New York is considered the host. (Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business Home Page.
Page 384
In particular, the IEEE 802 standards for Local Area Networks are widely followed. iNAT™ (Intelligent Network Address Translation) Nomadix’ iNAT™ feature creates an intelligent mapping of IP addresses and their associated tunnels allowing multiple tunnels to be established to the same server—creating a...
Page 385
Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless access to the broadband network. Subscribers no longer need to alter their computer’s settings. See also,...
Page 386
Misconfigured User A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be “misconfigured.”...
Page 387
Packet Switching Network
Refers to protocols in which messages are divided into packets before they are sent. Each packet is then transmitted individually and can even follow different routes to its destination. Once all the packets forming a message arrive at its destination, they are recompiled into the original message.
Page 388
Protocol
A standard process consisting of a set of rules and conditions that regulates data transmissions between computing devices. Some examples of protocols include HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), TCP/IP (Transmission Control Protocol/Internet Protocol), and POP (Post Office Protocol). All these protocols are responsible for regulating the transmission of their specific data file types.
Page 389
Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
Page 390
Subnet Address
The subnet portion of an IP address that is dedicated to the subnet. In a subnetted network, the host portion of an IP address is split into a subnet portion and a host portion using an address (subnet) mask. See also, IP Address, Subnet.
Page 391
Tunneling
A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a Virtual Private Network (VPN). It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet. See also, TCP/IP.
Page 392
HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration. Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source.