Download Print this page

Nomadix AG5800 User Manual

Nomadix AG5800 User Manual

Hide thumbs Also See for AG5800:

User manual (392 pages)

,

User manual (294 pages)

Table Of Contents

Table of Contents

Advertisement

Quick Links

Download this manual

Table of Contents

Advertisement

Table of Contents

Need help?

Need help?

Do you have a question about the AG5800 and is the answer not in the manual?

Questions and answers

Summary of Contents for Nomadix AG5800

Page 2 CCESS ATEWAY Access Gateway Copyright © 2015 Nomadix, Inc. All Rights Reserved. This product also includes software developed by: The University of California, Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright ©...
Page 3 For technical support information, see the Appendix in this User Guide. Write your product serial number in this box: Patent Information Please see the Nomadix website for a list of US and foreign patents covering this product release. Disclaimer Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein.
Page 4 CCESS ATEWAY CAUTION WARNING Read the instruction manual prior to operation. Risk of electric shock; do not open; no user-serviceable parts inside. ATTENTION AVERTISSEMENT Lire le mode d’emploi avant utilisation. Risque de choc electrique; ne pas ouvrir; ne pas tenter de demontre l’appareil.
Page 5: Table Of Contents
CCESS ATEWAY Table of Contents Chapter 1: Introduction ....................1 About this Guide ........................1 Organization..........................2 Welcome to the Access Gateway....................3 Product Configuration and Licensing ................3 Key Features and Benefits ......................4 Platform Reliability......................4 Local Content and Services ....................4 Transparent Connectivity ....................
Page 6 Secure XML API....................... 24 Session Rate Limiting (SRL)..................... 25 Session Termination Redirect................... 25 Smart Client Support ......................25 SNMP Nomadix Private MIB ................... 25 Static Port Mapping ......................25 Tri-Mode Authentication ....................25 URL Filtering ........................26 Walled Garden ......................... 26 Web Management Interface .....................
Page 7 DHCP Dynamic Enable and Disable ................72 Setting the DNS Options ....................73 Archiving Your Configuration Settings.................. 75 Installing the Nomadix Private MIB..................75 Chapter 3: System Administration................77 Choosing a Remote Connection....................77 Using the Web Management Interface (WMI) ..............78 Using an SNMP Manager....................
Page 8 CCESS ATEWAY Group Bandwidth Limit Policy ..................98 Group Bandwidth Limit Policy – Operation ..............99 Group Bandwidth Limit Policy – Enable ............... 100 Group Bandwidth Limit Policy – Current Table............100 Establishing Billing Records “Mirroring” {Bill Record Mirroring} ......101 Class-Based Queueing ....................
Page 9 CCESS ATEWAY Displaying the IP Statistics {IP}..................184 Viewing IPSec Tunnel Status {IPSec}................185 Viewing NAT IP Address Usage {NAT IP Usage}............185 Displaying the Routing Tables {Routing}..............186 Modifying the Routing Tables {Routing} ............... 187 Displaying the Active IP Connections {Sockets} ............188 Displaying the Static Port Mapping Table {Static Port-Mapping} .......
Page 10 CCESS ATEWAY System Menu ......................... 250 Adding and Deleting ARP Table Entries................ 250 Configurable Gateway ARP Refresh Interval ..............251 Enabling the Bridge Mode Option {Bridge Mode} ............251 Exporting Configuration Settings to the Archive File {Export}........252 Importing the Factory Defaults {Factory} ..............253 Defining the Fail Over Options {Fail Over}..............
Page 11 Authentication-Request ....................318 Authentication-Reply (Accept) ..................318 Accounting-Request ....................... 319 Selected Detailed Descriptions..................320 Nomadix Vendor-Specific RADIUS Attributes .............. 322 Setting Up the SSL Feature....................325 Prerequisites ........................325 Obtain a Private Key File (cakey.pem) ................. 325 Installing Cygwin and OpenSSL on a PC ..............326 Private Key Generation ....................
Page 12 CCESS ATEWAY...
Page 13: Chapter 1: Introduction
The Nomadix Access Gateway hardware is configured and controlled by Nomadix Service Engine (NSE) software. The NSE 7.4 is the last Software Release that supports the AG2300, AG3100, and AG5500. NSE 8.5 series software releases support the AG2400, AG5600, AG5800 and AG5900. Introduction...
Page 14: Organization
Interface. Provides an overview and sample scenario for the Access Gateway’s subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system, and the Nomadix Information and Control Console. Chapter 5 – Quick Reference Guide.
Page 15: Welcome To The Access Gateway
Public-LAN, and Residential segments. Product Configuration and Licensing All Nomadix Access Gateway products are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The Access Gateway employs our NSE core software package and comes pre-packaged with the option to purchase additional modules to expand the product’s functionality.
Page 16: Key Features And Benefits
CCESS ATEWAY Key Features and Benefits The Access Gateway is a 1U high, free-standing or rack-mountable device that provides Ethernet ports to interface with the router and the aggregation equipment within the network. It also incorporates an RS232 serial port for connecting to a Property Management System (PMS) and for system management and administration, while maintaining one billing relationship with their chosen provider.
Page 17: Transparent Connectivity
CCESS ATEWAY Offers both pre and post authentication redirects of the user’s browser, providing  maximum flexibility in service branding. Transparent Connectivity Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider. In fact, most users are reluctant to make changes to their computer’s network settings and won’t even bother.
Page 18: Billing Enablement
Session Rate Limiting (SRL) feature, and MAC filtering for improved network reliability. 5-Step Service Branding A network enabled with the Nomadix Access Gateway offers a 5-Step service branding methodology for service providers and their partners, comprising: Initial Flash Page branding.
Page 19 CCESS ATEWAY The Information and Control Console (ICC) contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session. As an alternative to the ICC, a simple pop-up window provides the opportunity to display a single logo.
Page 20: Nse Core Functionality
ATEWAY NSE Core Functionality Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.
Page 21: Access Control
Secure Socket Layer (SSL)  Secure XML API  Session Rate Limiting (SRL)  Session Termination Redirect  Smart Client Support  SNMP Nomadix Private MIB  Static Port Mapping  Tri-Mode Authentication  URL Filtering  Walled Garden ...
Page 22: Bandwidth Management
With the Nomadix ICC feature enabled, subscribers can increase or decrease their own bandwidth and pricing plans for their service dynamically.
Page 23: Bridge Mode
“remove” your product from the network without physically disconnecting the unit. Class-Based Queueing The Nomadix Class-Based Queueing feature provides the ability to define multiple groups (classes) of users. You can prioritized groups and guarantee minimum bandwidth on a per- group basis.
Page 24 CCESS ATEWAY Use Case: Property has 100 Mbps WAN Link In this scenario, a property wishes to provide guaranteed minimum bandwidth and prioritize traffic across three groups: Conference, Guest Room, Public Areas. The property can configure class-based queuing according to the following table. User Bandwidth Class Priority...
Page 25 CCESS ATEWAY When only Lobby class subscribers are on the network, all available bandwidth is  allocated to Lobby class subscribers. As VIP Guests join the network, bandwidth is allocated from Lobby class to VIP  Guests, until the Lobby bandwidth drops to its minimum guarantee of 40Mbps. As Meeting Room subscribers join the network, the Lobby bandwidth is already at its ...
Page 26: Command Line Interface
The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.
Page 27: End User Licensee Count
“Contact Information” on page 349. Facebook Authentication NSE 8.5 provides the option of Facebook authentication for facility guests. Login with Facebook is a 2-step process. A user must first click the New User button on the Nomadix splash screen: Introduction...
Page 28 CCESS ATEWAY Then the user must click the “Log in with Facebook” button: Several configuration steps are required to support Facebook authentication. See the following sections for specific instructions: “Defining the AAA Services {AAA}” on page 80  “Assigning Passthrough Addresses {Passthrough Addresses}” on page 135 ...
Page 29: Inat
See also, “Portal Page Redirect” on page iNAT™ Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many public access networks.
Page 30: Information And Control Console
ATEWAY Information and Control Console The Nomadix ICC is a HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time”...
Page 31: International Language Support
CCESS ATEWAY See also: 5-Step Service Branding.  International Language Support.  International Language Support The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use.
Page 32: Load Balancing
“Information and Control Console” on page MAC Filtering MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)”...
Page 33: Portal Page Redirect
Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network.
Page 34: Radius Client
“Defining Automatic Configuration Settings {Auto Configuration}” on page RADIUS Client Nomadix offers an integrated RADIUS (Remote Authentication Dial-In User Service) client with the NSE allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user.
Page 35: Remember Me And Radius Re-Authentication
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on...
Page 36: Secure Socket Layer (Ssl)
XML enables solution providers to customize and enhance their product installations. This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
Page 37: Session Rate Limiting (Srl)
The NSE supports authentication mechanisms used by Smart Clients by companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass. SNMP Nomadix Private MIB Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock). See Using an SNMP Manager.
Page 38: Url Filtering
“Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing. Web Management Interface Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)”...
Page 39 CCESS ATEWAY Example Scenario Your facility has a 150 Mbps internet connection. You have 100 subscribers with a basic plan with 1M up/down bandwidth limits, and 100 subscribers with a premium plan with 2M up/ down speeds At full capacity, your 200 subscribers will consume 300 Mbps. However, the total available bandwidth is only 150 Mbps.
Page 40: Optional Nse Modules
CCESS ATEWAY Optional NSE Modules Load Balancing Load Balancing requires an optional NSE product license With the Load Balancing Module, Internet traffic is balanced across multiple WAN/ISP connections to ensure that traffic is distributed based on the capability of each connection. For example, organizations may wish to balance traffic between a low-cost DSL WAN/ISP and one high-performance, high-capacity WAN/ISP.
Page 41: Pms Integration
The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
Page 42: Network Architecture (Sample)
CCESS ATEWAY Network Architecture (Sample) The Access Gateway can be deployed effectively in a variety of wireless and wired broadband environments where there are many users—usually mobile—who need high speed access to the Internet. The following example shows a potential Hospitality application: Introduction...
Page 43: Multiple Unit Clustering
In the recent past, it was necessary to segment the network to serve a number of subscribers that exceed the user count on a Nomadix gateway. Now with clustering all subscribers can be on the same segment, as the subscribers are distributed across multiple gateways. A large number of subscribers can be distributed to as many as 250 gateways, thus providing a design capacity of 1 million subscribers being served.
Page 44 CCESS ATEWAY The following graphic illustrates a clustering scenario with 12,000 users and three gateways. Introduction...
Page 45: Load Balancing And Link Failover
Load Balancing and Link Failover The NSE supports individual configuration of multiple WANs on an Access Gateway (supported on AG2400, AG5600, and AG5800 hardware). Hotels can use this capability in a number of ways, including load balancing, failure protection, and subscriber allocation.
Page 46 The alternative is to use random ISP selection, whereby the load balancer or NSE selects the ISP to be used according to the current load conditions. The Nomadix NSE uses random ISP selection by default.
Page 47 In this case it may be desirable to aggregate multiple lower-cost, lower-speed lines together. The Nomadix AG2400 and AG5600 can aggregate services from up to three ISP links, and the AG5800 can handle up to five links.
Page 48: Load Balancing Across Multiple Low Speed Links
6. It may be desirable to have certain users connected to a particular ISP link, and other users connected to a different ISP link. The Nomadix NSE provides a “preferred WAN” radius attribute (VSA). For example, paying users may be connected to an expensive high-quality link, with free users connected to a lower-quality link, with link failover still available if the preferred link fails.
Page 49: Separate Guest Hsia And Admin Isp Links, With Failover Between Each Isp Link
The organization only wishes for this link to be used when the main ISP circuit is not available. The Nomadix NSE is configured for failover only from the WAN to port Eth2 on the NSE. Separate Guest HSIA and Admin ISP Links, with Failover Between Each ISP Link In this scenario, the hotel has separate HSIA and Hotel Admin ISP circuits.
Page 50: Guest Hsia Failover Only, To Admin Network
Admin network. The hotel wants the Admin network to be available as a back-up link in case the Guest HSIA ISP link fails. There is no back-up for the Admin ISP network. The Nomadix NSE is configured with link failover between the WAN port and port ETH2, which is connected to the hotel Admin network router.
Page 51: Sharing Guest Hsia Network And Hotel Admin Network Among Multiple Isp Links
Sharing Guest HSIA Network and Hotel Admin Network Among Multiple ISP Links In this scenario, multiple ISP links are connected to the Nomadix NSE, in a similar method to the first scenario, but both the guest HSIA network and the Hotel Admin network are connected to the NSE and share the aggregate bandwidth of the combined ISP links.
Page 52: Load Balancing With Users Connected To A Preferred Isp Link
CCESS ATEWAY Load Balancing With Users Connected to a Preferred ISP Link In this scenario the hotel has purchased 2 x ISP links for guest HSIA. One is a high-quality, high-cost "business grade" ISP circuit, and the other is a low-cost, lower-grade domestic service provided by the local cable TV operator.
Page 53 CCESS ATEWAY Introduction...
Page 54: Online Help (Webhelp)
CCESS ATEWAY Online Help (WebHelp) The Access Gateway incorporates an online Help system called “WebHelp” which is accessible through the Web Management Interface (when a remote Internet connection is established following a successful installation). WebHelp can be viewed on any platform (for example, Windows, Macintosh, or UNIX-based platforms) using either Internet Explorer or Netscape Navigator (see note).
Page 55: Chapter 2: Installing The Access Gateway
If you ever experience problems with the system, your archived settings can be restored at any time. See “Archiving Your Configuration Settings” on page Nomadix Access Gateway Installation Workflow The following flowchart illustrates the steps that are required to install and configure your Access Gateway successfully.
Page 56 When prompted, accept to the Nomadix End User License Agreement (EULA). You must accept the EULA before the AG can connect with the Nomadix License Key Server. When the key is successfully received from the server, your AG will reboot.
Page 57: Powering Up The System
If you have any problems, please contact our technical support team at +1.818.575.2590, or email: support@nomadix.com. This quick start document provides instructions and reference material for getting started with the Nomadix Access Gateway products, specifically the AG 2400 and AG 5800. Installing the Access Gateway...
Page 58: Accessory Box Contents
2 – Rack Mount Brackets 1 – Bumper and Screw Kit Start Here Unpack the Nomadix Access Gateway and place the product on a flat and stable work surface. Register the gateway for support services by completing and returning the Nomadix Gateway Registration Form;...
Page 59 CCESS ATEWAY Start a HyperTerminal (or equivalent) session to communicate with the AG via the product’s console interface. Use the following configuration settings for your session: Bits per Second Data Bits Parity Stop Bits Flow Control 9600 None None Subscriber-side Ethernet Connection: ...
Page 60: Configuration
IN ORDER TO PROCEED WITH INSTALLATION. SEE USER'S GUIDE FOR LICENSE KEY INFORMATION. INSTALLATION WILL NOW TRY TO CONTACT THE NOMADIX LICENSE KEY SERVER. IN ORDER TO PROCEED, THE NSE MUST BE ABLE TO CONNECT TO THE INTERNET. DO YOU WANT TO CONFIGURE THE NSE'S IP AND DNS SETTINGS? [yes/no]: y...
Page 61 Gateway IP [10.0.0.1 ] : Your gateway IP address WAN 802.1Q tagging [Disabled ] : VLAN ID [1 ] : DNS Domain Name [nomadix.com ] : DNS Server 1 [0.0.0.2 ] : Your primary DNS IP DNS Server 2 [0.0.0.0 ] : DNS Server 3 [0.0.0.0 ] :...
Page 62: Step 1B: Dhcp Client Configuration
CCESS ATEWAY Step 1b: DHCP Client Configuration Type (d)hcp for the configuration mode as shown in Figure 4. Configuring minimal WAN interface connectivity parameters: Configuration Mode [static ] (static, dhcp, pppoe) : d WAN 802.1Q tagging [Disabled ] : VLAN ID [1 ] : DNS Server 3 [0.0.0.0 ] : Figure 4: Selecting DHCP Client for WAN configuration.
Page 63: Step 1C: Pppoe Dynamic Ip Client Configuration
PPP Maximum TCP MSS [1452 ] : WAN 802.1Q tagging [Disabled ] : VLAN ID [1 ] : DNS Domain Name [nomadix.com ] : DNS Server 3 [0.0.0.0 ] : Figure 6: Selecting PPPoE with dynamic IP configuration. A WAN port summary page will then be displayed as shown in Figure 7.
Page 64: Step 1D: Pppoe Static Ip Client Configuration
CCESS ATEWAY DNS Server 1 : Your dns server IP address DNS Server 2 : 0.0.0.0 DNS Server 3 : 0.0.0.0 Additional NAT IP addresses : Disabled show all - Show all WAN Interface configuration show interface <name> - Show a single WAN Interface configuration modify interface <name>...
Page 65: Step 3: Retrieving Your License Key
PLEASE READ THE NOMADIX END USER LICENSE AGREEMENT ('AGREEMENT') INCLUDED WITH THE NOMADIX PRODUCT. BY USING THIS SOFTWARE, YOU INDICATE YOUR ACCEPTANCE OF THE AGREEMENT. I AGREE TO THE TERMS AND CONDITIONS OF THE NOMADIX END USER LICENSE AGREEMENT. (Y)ES (N)O The system will now try to contact the Nomadix License Key Server.
Page 66: Step 5: Configuring Ag Dhcp Server Settings
CCESS ATEWAY Before you can log into the AG and use the graphical Web Management Interface (WMI), you must disable subscriber-side HTTP: Log in to the AG Navigate to Configuration -> Access Control -> Interface Press Enter until you reach Subscriber-side HTTP Enter disabled You can now use the graphical Web Management Interface (WMI) to configure the product’s features.
Page 67: The Management Interfaces (Cli And Web)
CCESS ATEWAY DHCP Parameter Your Settings Default Values DHCP Pool End IP Address 10.0.0.72 DHCP Lease Minutes 1440 An example of a basic network including an AG is shown below. The Management Interfaces (CLI and Web) The Access Gateway supports various methods for managing the system remotely.
Page 68: Making Menu Selections And Inputting Data With The Cli
CCESS ATEWAY Network Info  Port-location  Subscribers  System  Although the basic functional elements are the same, the CLI and the WMI have some minor content and organizational differences. For example, in the WMI the “subscribers” menu is divided into “Subscriber Administration” and “Subscriber Interface.”...
Page 69 CCESS ATEWAY Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages. Installing the Access Gateway...
Page 70: Inputting Data - Maximum Character Lengths
CCESS ATEWAY Inputting Data – Maximum Character Lengths The following table details the maximum allowable character lengths when inputting data: Data Field Max. Characters All Messages (billing options) All Messages (subscriber error messages) All Messages (subscriber login UI) All Messages (subscriber “other” messages) Description of Service (billing options Plan) Home Page URL Host Name and Domain Name (DNS settings)
Page 71: Online Documentation And Help
Click here to access the online Help system Other online documentation resources, available from our corporate Web site (www.nomadix.com/support), include a full PDF version of this User Guide (viewable with Acrobat™ Reader), README files, white papers, technical notes, and business cases. Quick Reference Guide This section provides information to help you navigate and use the management interfaces (CLI and Web) quickly and efficiently.
Page 72: Establishing The Start Up Configuration
CCESS ATEWAY Establishing the Start Up Configuration The CLI allows you to administer the Access Gateway’s start-up configuration settings. When establishing the start-up configuration for a new installation, you are connected to the Access Gateway via a direct serial connection (you do not have remote access capability because the Access Gateway is not yet configured or connected to a network).
Page 73: Assigning Login User Names And Passwords
CCESS ATEWAY Assigning the Location Information and IP Addresses:  Assigning the Network Interface IP Address - This is the public IP  address that allows administrators and subscribers to see the Access Gateway on the network. Use this address when you need to make a network connection with the Access Gateway.
Page 74: Setting The Snmp Parameters (Optional)
If you enabled the SNMP daemon, you must reboot the system for your changes to take effect. In this case, enter (yes) to reboot your Access Gateway. Sample Screen Response: Configuration>sn Enable the SNMP Daemon? [Yes]: Enter new system contact: newname@domainname.com [Nomadix, Newbury Park, CA] Installing the Access Gateway...
Page 75: Configuring The Wan Interface
A summary of the WAN port settings is now displayed; if they are correct, type “b” again. You will now see the Nomadix location configuration page. Enter contact data and agree to the Nomadix End User License Agreement. Your license will be retrieved when you enter “y”.
Page 76: Enabling The Logging Options (Recommended)
CCESS ATEWAY Enabling the Logging Options (recommended) System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authentication, Authorization, and Accounting) functions. You can enable either of these options. Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7).
Page 77 CCESS ATEWAY When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to “Sample SYSLOG Report” on page 314 “Sample AAA Log” on page 313. Sample Screen Response: Configuration>log Enable/disable System Log [disabled...
Page 78 CCESS ATEWAY 2: Critical 3: Error 4: Warning 5: Notice 6: Info 7: Debug Select an option from above [6]: 7 Enter RADIUS History Log Server IP [255.255.255.255]: 10.10.10.10 Enable/disable RADIUS History Log Save to file [disabled ]: enable Enable/disable System Report Log [disabled ]: enable Enter System Report Log Number (0-7) [0...
Page 79: Logging Out And Powering Down The System
CCESS ATEWAY Tracking Log Enabled Tracking Log Number Tracking Log Server IP 10.10.10.10 Tracking Log Save to file Disabled Tracking Name Reporting Enabled Tracking Port Reporting Enabled Tracking Location Reporting Enabled Tracking Report every 500th packet Enabled WARNING: Communication between the gateway and the syslog server may need to be secured to comply with local laws.
Page 80: Setting The Dhcp Options
CCESS ATEWAY Setting the DHCP Options – DHCP (Dynamic Host Configuration Protocol) allows  you to assign IP addresses automatically (to subscribers who are DHCP enabled). The Access Gateway can “relay” the service through an external DHCP server or it can be configured to act as its own DHCP server.
Page 81: Dhcp Options From Rfc 2132
CCESS ATEWAY Sample Screen Response: Configuration>dh Enable/Disable IP Upsell [disabled Enable/Disable DHCP Relay [disabled Enable/Disable DHCP Server [enabled Enable/Disable Subnet-based DHCP Service [disabled Enable/Disable Forwarded DHCP Clients [disabled IP Upsell Disabled DHCP Relay Disabled External DHCP Server IP 0.0.0.0 DHCP Relay Agent IP 0.0.0.0 DHCP Server Enabled...
Page 82 CCESS ATEWAY The following DHCP option codes are supported: Option Description Option Code Single IP address 16, 28, 32 List of one or more IP addresses 3-5, 7-11, 41-42, 44-45, 48-49, 65, 69-76 List of zero or more IP addresses List of one or more pairs of IP addresses (or 21, 33 address/mask pairs)
Page 83 CCESS ATEWAY The following screens illustrate adding additional DHCP options to a DHCP Pool. Installing the Access Gateway...
Page 84: Dhcp Dynamic Enable And Disable
CCESS ATEWAY DHCP Dynamic Enable and Disable Click -> . Click the . Note that Configuration DHCP Server-IP Enable this DHCP Pool DHCP enable/disable is dynamic, no reboot required. Click -> . A new column under existing DHCP Pools table for DHCP Configuration DHCP pool enable is introduced.
Page 85: Setting The Dns Options
CCESS ATEWAY Click Subscriber Administration->DHCP Leases. The DHCP leases Page displays all the current DHCP leases on the NSE. Setting the DNS Options DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You Installing the Access Gateway...
Page 86 Enter (dns) at the Configuration menu. The system displays the current domain (the default is “nomadix”). Enter a valid domain name (the Internet domain that DNS requests will utilize). Enter the host name (the DNS name of the Access Gateway). The host name must not contain any spaces.
Page 87: Archiving Your Configuration Settings
The Nomadix Private Management Information Base (MIB) allows you to view and manage SNMP objects on your Access Gateway. To use the MIB, you must obtain the appropriate nomadix.mib file for your Access Gateway. This file is available in the Support area of the Nomadix web site.
Page 88 Access Gateway (available on the Access Gateway’s CLI or Web Management Interface, under the Configuration menu – snmp All variables defined by Nomadix start with the following prefix: iso.org.dod.internet.private.enterprises.nomadix You should now be able to define queries and set the SNMP values on your Access Gateway.
Page 89: Chapter 3: System Administration
CCESS ATEWAY System Administration This section provides all the instructions and procedures necessary for system administrators to manage the Access Gateway on the customer’s network (after a successful installation). The system administration procedures in this section are organized as they are listed under their respective Web Management Interface (WMI) menus: “Configuration Menu”...
Page 90: Using The Web Management Interface (Wmi)
CCESS ATEWAY Using the Web Management Interface (WMI) The Web Management Interface (WMI) is a “graphical” version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the Access Gateway and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
Page 91: Using An Snmp Manager
Information Base (MIB). SNMP enables managers and agents to communicate with each other for the purpose of accessing these MIBs and retrieving data. See also, “Installing the Nomadix Private MIB” on page The following example shows a (partial) SNMP screen response.
Page 92: Logging In
Some features included in this section will not be available to you unless you have purchased the appropriate product license from Nomadix. In this case, the following statement will appear either immediately below the section heading or when the feature is mentioned in the body text: Your product license may not support this feature.
Page 93 CCESS ATEWAY Enable or disable . If you enable AAA Services, go to Step 3, otherwise this AAA Services feature is disabled and you can exit the procedure. Select a Logout IP address from the drop-down list. The list contains IP address that can be used as the logout IP address.
Page 94 CCESS ATEWAY Enable or disable , as required. This feature enables NSE to Print Billing Command support Driverless Print servers. If this feature is enabled, you must enable the XML interface and enter the IP address for the XML interface (Step 3 and Step 4). With Print Billing enabled, print servers can bill subscribers’...
Page 95 CCESS ATEWAY Enable or disable the 802.1x Authentication Support feature, as required. Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support. Enable or disable the Origin Server (OS) parameter encoding for Portal Page and EWS feature, as required. You can choose to Enable failover to Internal Web Server Authentication if Portal by placing a check in that box.
Page 96 CCESS ATEWAY the subscriber). The login page served by the EWS reflects the “look and feel” of the solution provider’s network and presents more login options. Enabling AAA Services with the Internal Web Server You are here because you want to enable the AAA Services with the Access Gateway’s Internal Web Server.
Page 97 CCESS ATEWAY Enable or disable the feature, as required. If you enable SSL Support, you SSL Support must provide a valid Certificate DNS Name For more information about setting up SSL, go to “Setting Up the SSL Feature” on page 325.
Page 98 Adding SSL support to the Access Gateway requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix. To enable SSL Support, your Access Gateway’s flash must include the server.pem, cakey.pem, and cacert.pem certificate files (the “cacert.pem”...
Page 99 (for billing purposes). The Access Gateway is configured to use Authorize.net. You will need to open a merchant account with Authorize.net or Datacenter (Luxembourg) before this feature can be used. Please contact Nomadix Technical Support for assistance. Refer to “Contact Information” on page 349.
Page 100 CCESS ATEWAY enter the key in the box, then re-enter the key in the Change Transaction Key Verify Transaction Key box. The SIM Compliant option refers to Authorize.net's Simple Integration Method. Enable or disable , as required. Smart Client Support You can assign a session idle timeout parameter for subscribers (see following note).
Page 101 CCESS ATEWAY Enter the (The Access Gateway and the external authorization server must use Secret Key the same secret key). The Secret Key ensures that the response the Access Gateway gets from the External Web Server is valid. DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the Access Gateway’s configuration screens (for example, the External login page URL in the following step).
Page 102 CCESS ATEWAY access. This capability eliminates a vulnerability that was previously exploited to gain unauthorized Internet access at charge-for-use sites. The signing feature can create a cryptographically strong signature that protects the sensitive portions of a URL redirection string (i.e., NSE ID, MAC address of the subscriber, etc), while letting the EWS/Portal Page verify that the URL string has not been tampered or forged by the subscriber.
Page 103: Establishing Secure Administration {Access Control
In order to utilize the parameter signing feature, the EWS or Portal Page Server used must be configured to correctly parse and verify the signing information. Documentation that includes guidelines for configuring a server to support signing can be obtained by contacting Nomadix Technical Support.
Page 104 CCESS ATEWAY From the Web Management Interface, click on , then Configuration Access Control. Access Control screen appears. , enter a and an Configurable Ports Telnet Port HTTP Port Enable or disable administrator access to any of the following interfaces: System Administration...
Page 105 SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the Access Gateway administration interface. For assistance, contact Nomadix Technical Support. Enable or disable subscriber-side interface blocking for any of the following interfaces enables/disables blocking of Telnet access from the subscriber-side to Telnet Access: ...
Page 106: Defining Automatic Configuration Settings {Auto Configuration
CLI to disable the Access Control feature, or change the range of allowed IP addresses to access the management interfaces. If you have changed the serial port to act as a PMS interface, please contact Nomadix technical support. In this case, refer to “Contact Information” on page 349.
Page 107 As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices: A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta...
Page 108 Administrative Steps to Enable Auto-Config for the NOC Administrator: Add NAS IP address. Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server. Create a RADIUS profile with the configuration VSA. Create an FTP server with the configuration files.
Page 109: Setting Up Bandwidth Management {Bandwidth Management
The following diagram shows a sample RADIUS configuration file, meta file and illustration of the FTP server setup. The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto-Configuration option and rebooting the device (for example, using SNMP).
Page 110: Group Bandwidth Limit Policy
The Group Bandwidth Limit Policy allows the you to assign a common bandwidth rate limiting policy to a group of subscriber devices. All devices within the group share the total bandwidth allocated to the policy. The Group Bandwidth Limit Policy feature defines the following vendor-specific attributes (VSAs): Nomadix Name Role/Value VSA # GROUP_BW_POLICY_ID Defines the ID the for the group policy.
Page 111: Group Bandwidth Limit Policy - Operation
CCESS ATEWAY GROUP_BW_MAX_UP Defines the total upstream bandwidth allowed for the group in Kilobits per second. Integer value. 0 is interpreted as unlimited. GROUP_BW_MAX_DOWN Defines the total downstream bandwidth allowed for the group in Kilobits per second. Integer value. 0 is interpreted as unlimited. Group Bandwidth Limit Policy –...
Page 112: Group Bandwidth Limit Policy - Enable
CCESS ATEWAY The NSE can concurrently support some subscribers as part of a group and some others with limits set on a per-subscriber basis. However, a single subscriber cannot be assigned group membership and individual limits at the same time. Group Bandwidth Limit Policy –...
Page 113: Establishing Billing Records "Mirroring" {Bill Record Mirroring
CCESS ATEWAY Establishing Billing Records “Mirroring” {Bill Record Mirroring} The Access Gateway can send copies of credit card transaction and PMS billing records to external servers that have been previously defined by system administrators. The Access Gateway assumes control of billing transmissions and saving billing records. By “mirroring” the billing data, theAccess Gateway can also send copies of billing records to predefined “carbon copy”...
Page 114: Class-Based Queueing
Class-Based Queueing Nomadix Class-Based Queueing provides a flexible way to control the bandwidth provided to individual groups of users (classes). Classes have both maximum and minimum bandwidth specifications.
Page 115 CCESS ATEWAY To Enable and Configure Class-Based Queueing Click Configuration > Class Based Queueing The Class Based Queueing screen appears. Click and then to enable Class-Based Queueing. Enable Submit Click to add a class. Class names are case-sensitive. “Dot” notation (e.g., Add Class <top-level class>.<subclass>) is used to associate top-level classes and subclasses.
Page 116 CCESS ATEWAY Click on a class name to change the class name or modify the attributes of a class. Click to evaluate traffic scenarios. Given different loads per class, Throughput Estimator the interface provides the estimated effective throughput. You can use this tool to preview how bandwidth will be assigned,, based on Class-Based Queueing structure and priority settings.
Page 117: Clustering {Clustering
Subscribers can be assigned to a specific class/sub-class using Radius VSA. Subscribers with no class membership are assigned a priority of 8. ATTRIBUTE Nomadix-Bw-Class-Name 27 string For example, when a subscriber logs in and this attribute is defined as follows, the subscriber gets assigned to the class priority1.Subclass.
Page 118: Configuring Destination Http Redirection {Destination Http Redirection
Subscribers requesting a website at that DNS will obtain a DNS response that contains a “magic” IP address (which is the same value obtained when the subscriber queries the DNS string “logout.nomadix.com”). The NSE will process HTTP requests for that “magic” IP address (configurable on the AAA page), and will reply with an HTTP redirection (which may include a number of signed redirection parameters) to a configured URL.
Page 119 CCESS ATEWAY User External Server DNS query: www.example.com? portal1.myhotel.com/ * DNS response: 1.1.1.1 GET / HTTP/1.1… Magic IP Address ** Redirect Message Host:www.example.com *** OK Accept Message ** HTTP/1.0 302 RD Location: TS=..&NO portal1.myhotel.com/details?OS=..&UI=..&MA=..&RN=..&PORT=..&SIP=..& NCE=..&SIGN=..&SIGNED=..&METHOD=.. … GET details?OS=..& TS=..&NONCE=..&SIGN=..& UI=..&MA=..&RN=..&PORT=..&SIP=..& SIGNED=..&METHOD=.. HTTP/1.1 Host: portal1.myhotel.com *** HTTP/1.1 200 OK … The figure above illustrates destination HTTP redirection, assuming a DNS query string for www.example.com, a magic IP address of 1.1.1.1, and a portal page URL of portal1.myhotel.com.
Page 120 CCESS ATEWAY After successful redirection occurs the list of signed parameters and signature  methods are passed to the portal page. HTTP/1.0 302 RD http://portal1.myhotel.com/details?OS=<Original Server>&UI=<NSE’s ID>&MA=<subscriber’s MAC>&RN=<Room name>&PORT=<VLAN>&SIP=<subscriber’s IP>&TS=<timestamp>&NONCE=<16 chars>&SIGN=<signature>& SIGNED=<list of signed parameters>& METHOD=<signature method> From the Web Management Interface, click on , then Configuration Destination HTTP...
Page 121: Managing The Dhcp Service Options {Dhcp
CCESS ATEWAY To enable parameter passing, click on the Parameter Passing Enable check box. Select the Parameter Signing Method  , or (select one method). None HASH-CRC32 HMAC-MD5  Parameters , and (select all applicable parameters). PORT To enable Set Shared Secret, click on the check box.
Page 122 CCESS ATEWAY Nomadix’ patented Dynamic Address Translation (DAT) functionality is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access, regardless of their computer’s network settings.
Page 123 CCESS ATEWAY The DHCP Relay Agent allows the Access Gateway to request a specific range of IP addresses from different IP pools from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses that are on the same subnet as the Access Gateway.
Page 124 CCESS ATEWAY If you want to add a new DHCP Pool, click on the button. The Add DHCP Pools screen appears: Enter a valid address for the DHCP server. DHCP Server IP Enter the DHCP Server Netmask Enter the starting and ending IP addresses for the DHCP address pool you want to use: DHCP Pool Start IP ...
Page 125: Enabling Dnssec Support
CCESS ATEWAY Optional, if the gateway router for the DHCP Pool is other than that of the DHCP Server IP, select and enter the IP address of the gateway router of choice. Specify When finished establishing your DHCP Pools, click on the Back to Main DHCP to return to the previous page.
Page 126: Managing The Dns Options {Dns
CCESS ATEWAY Managing the DNS Options {DNS} DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The Access Gateway utilizes whichever server is currently available.
Page 127 CCESS ATEWAY From the Web Management Interface, click Configuration , then Dynamic DNS . The Dynamic DNS Configuration screen appears: Check the checkbox to enable Dynamic DNS (DDNS) functionality. The default Enable setting is disabled. Enter the Provider Info Select the provider protocol from the menu.
Page 128: Ethernet Ports/Wan
“Product Specifications” on page 298 for these details. The NSE can now support up to five (AG5800) WAN interfaces at once, using completely independent network settings for each. Each WAN port has independent Mode, IP, DNS, iNAT, Monitoring, Additional NAT ...
Page 129 CCESS ATEWAY To view and configure WAN interfaces, select Configuration > Ethernet Ports/WAN . The Current Interfaces Settings screen appears, which summarizes all WAN connections. System Administration...
Page 130: Setting The Home Page Redirection Options {Home Page Redirect
CCESS ATEWAY Click any individual interface name to view and set details of the individual WAN. Setting the Home Page Redirection Options {Home Page Redirect} This procedure shows you how to redirect the subscriber’s browser to a specified home page. Subscribers may also be redirected to a page specified by the solution provider, without any interaction with the authentication process.
Page 131: Enabling Intelligent Address Translation (Inat™)
Enabling Intelligent Address Translation (iNAT™) The Nomadix patented iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT™ engine performs a defined mode of network address translation based on packet type and protocol (for example, IKE etc…).
Page 132 CCESS ATEWAY Each of the displayed ports has individual iNAT / Subscriber tunnel settings  accessible by clicking on that port’s link. The interface allows easy deletion of any iNAT address range.  iNAT settings are configured individually for each interface. From the Web Management Interface, click on , then Configuration...
Page 133: Defining Ipsec Tunnel Settings {Ipsec
CCESS ATEWAY PPTP CALL ID  IPSEC  Click on the button to save your options. Submit Use the iNAT Start iNAT End fields to enter an IP address or range of IP addresses (up to 50), then click on the button to add the IP address(es), or click on the Remove button to delete the IP address(es) from the database.
Page 134 CCESS ATEWAY Click to save the setting. Submit To add or modify IPsec tunnel peers, see “Managing IPSec Tunnel Peers” on page 122. To add or modify IPsec security policies, see “Managing IPSec Security Policies” on page 123. Managing IPSec Tunnel Peers You can add a new IPSec tunnel peer or modify the settings of an existing IPSec tunnel peer from the IPSec Tunnel Settings screen.
Page 135 CCESS ATEWAY Authenticate via X.509 Certificate –  Enter the filename of the private certificate in the field.  Private Key Filename Enter the filename of the public certificate in the Certificate Filename field.  Note that the files must exist on flash first. In the section, select the following settings: IKE Channel Security Parameters...
Page 136 CCESS ATEWAY Adding a New IPSec Security Policy In the table, click the button to add an entry. The IPsec IPSec Security Policies Tunnel Security Policy Settings screen opens. Select the tunnel peer IP address for which you would like to add a security policy from Tunnel peer IP address menu.
Page 137 CCESS ATEWAY Next you will define selectors of the Security Policy. All selectors must match for the policy to be applied. Define the following selectors for the Remote End – Enter the IP address of the remote network secured by the IPSec ...
Page 138 CCESS ATEWAY – See “Setting joint ESP and AH parameters” on page 126 to set  parameters that pertain to both ESP and AH policies. Setting joint ESP and AH parameters These parameters affect both ESP and AH policies. Select all the by putting a check in the ...
Page 139: Load Balancing
CCESS ATEWAY Load Balancing Load Balancing is an optional licensed feature. For an overview of Nomadixload balancing and common use cases, see “Load Balancing and Link Failover” on page The NSE can balance subscriber assignment between all active WAN interfaces when Load Balancing mode is enabled.
Page 140: Establishing Your Location {Location
CCESS ATEWAY When either Interface Monitoring or link status is used, WAN ports will be characterized as either Available or Unavailable. If Load Balancing is configured to use Interface Monitoring but Monitoring itself is not configured, the status will be Unknown. Using Link state will provide a faster response, but using Interface Monitoring will assure that there is internet access through that port before assigning subscribers to it.
Page 141: Managing The Log Options {Logging
CCESS ATEWAY Enter your location information in the following fields: Company Name  Site Name  Address (Line 1 and Line 2)  City, State, Zip, and Country  E-mail Address  ISO Country Code  Phone Country Code  Calling Area Code ...
Page 142 CCESS ATEWAY From the Web Management Interface, click on , then The Log Configuration Logging. Settings screen appears: System Administration...
Page 143 CCESS ATEWAY If required, click on the check box for System Log to enable system logging. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the Access Gateway to the specified SYSLOG server. Enter a unique number (between 0 and 7) in the field.
Page 144 CCESS ATEWAY Subscriber Tracking Log Enabling this checkbox enables the Subscriber Tracking log. Use this to track the network usage of specific Subscribers on the network by receiving a syslog of every Session that is opened by each subscriber. Each new DAT session that is created for subscribers is logged in these syslogs.
Page 145 CCESS ATEWAY PageFaults are stored in the file named “lograw.txt” in the /flash directory and is not viewable on the web management interface. Check the option to enable or disable the Subscriber Subscriber Tracking Log tracking log. Note: NTP must be enabled on the NSE for Subscriber tracking log to be enabled.
Page 146: Enabling Mac Authentication {Mac Authentication
CCESS ATEWAY Check the option to save the syslogs locally to Subscriber Tracking Log save to file the NSE flash. Note: Not recommended. Check the option to include the first 25 characters of Include User Name Reporting the username in the Syslog. Check the option and Port Location: Include Port Reporting...
Page 147: Assigning Passthrough Addresses {Passthrough Addresses
CCESS ATEWAY RADIUS server must use the same format. The options are: aa-bb-cc-dd-ee-ff , or . The default setting is aa:bb:cc:dd:ee:ff aabbccddeeff aa-bb-cc-dd-ee-ff Select the . This setting specifies, in the MAC addresses Case of Hex-Alpha Characters in RADIUS username and password attributes, whether the hex-alpha characters A-F will be uppercase or lower case.
Page 148: Assigning A Pms Service {Pms
IP address or DNS name of the pass-through you want to add or remove from the system. The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information. If adding this pass-through, click on the...
Page 149 Micros POS system. This functionality allows hotels to seamlessly deploy wireless networks (or alternatively use low-cost wired access concentration equipment) that either do not support port-ID or do so in a proprietary format that Nomadix does not currently support— and still be able to bill directly to the room.
Page 150 Xeta Virtual XL  For Micros Fidelio FIAS, Nomadix also supports a serial Redirector Service, which provides a means to send FIAS command messages through the NSE XML interface. Nomadix offers the following standards-based interfaces, generally used to establish an...
Page 151 CCESS ATEWAY From the Web Management Interface, click on Configuration , then PMS. The Property Management System Settings screen appears: 8.1 and Later Only You have the option of disabling PMS services by clicking on the PMS services disabled radio button, then clicking on the button to save your choice.
Page 152 Match Last Name Only  Skip First Char in Last Name  OnQ Compliant (Enable this option if you want to use Nomadix Micros POS  emulation to query & post to Hilton Corporation's OnQ PMS system). In the group, you may enable phonetic name matching for WFB, Miscellaneous Settings FOSSE, MICROS, and MICROS Fidelio.
Page 153 CCESS ATEWAY Post-paid PMS only: If you selected a Post-paid PMS option, you can define an Idle (in minutes) and an (in bytes). These selections determine Timeout Idle Data Threshold the thresholds when a “post-paid” hotel guest will be automatically disconnected from the service.
Page 154: Setting Up Port Locations {Port-Location
Reset Based on the HOBIC interface standards, Nomadix, Inc. has also certified interoperability with a number of other PMS and call accounting solutions such as Ramesys’ ImagInn, Xeta Virtual XL, and Hilton’s proprietary standard OnQ.
Page 155 CCESS ATEWAY From the Web Management Interface, click on Configuration , then Port-Location. Port-Location Settings screen appears: System Administration...
Page 156 CCESS ATEWAY System administrators can set the properties for each room from the subscriber side of the Access Gateway. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using.
Page 157 CCESS ATEWAY These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. The information can then be “sent to” and “billed by” the PMS. You must enter the (not name), IP address SNMP community...
Page 158 CCESS ATEWAY In Room Port Mapping This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled. Access Gateway multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems.
Page 159 CCESS ATEWAY Enter your user name and password, then click on the button. The In Room Port Mapping screen appears: Enter the room number and a description for this room. Select the access mode you want to assign to this room: Room Free Access ...
Page 160: Setting Up Quality Of Service {Qos
CCESS ATEWAY Setting up Quality of Service {QoS} The Quality of Service feature allows subscriber traffic to be classified so that it can then be acted upon by devices that support QoS prioritization or other QoS capabilities. This requires the use of 802.1q-based VLANS on the network, as it is based on 802.1p Class of Service (CoS) marking.
Page 161: Defining The Radius Client Settings {Radius Client
The “Usernames” function must be enabled for a RADIUS login. See also, “Configuration Menu” on page Nomadix offers an integrated RADIUS client, allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc.
Page 162 CCESS ATEWAY client authenticates the customer with the RADIUS server, applies associated attributes stored in that customer's profile, and logs their activity (including bytes transferred, connect time, etc.). The Access Gateway's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee.
Page 163 CCESS ATEWAY For additional RADIUS information, see also: “Defining the RADIUS Proxy Settings {RADIUS Proxy}” on page 154  “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on page 158  “RADIUS Attributes” on page 317  From the Web Management Interface, click on , then Configuration RADIUS Client.
Page 164 CCESS ATEWAY Select whether . This will allow a secondary form of Later Login Supersedes Previous authentication to override MAC authentication if necessary, and use the credentials of the last login to succeed. Miscellaneous Options. Miscellaneous Options In the “Miscellaneous Options” category, Enter a value for the time (in seconds) in the field.
Page 165 The following VSAs are used for implementation of volume- and time-based Radius termination action: VSA Name Value Termination-Action Session-Timeout Nomadix-MaxBytesDown 3000000 Nomadix-MaxBytesUp 3000000 If required, check the box for Enable Session-Terminate-End-Of-Day When Authorized (to allow business policies that want to terminate the session at midnight of every day).
Page 166: Defining The Radius Proxy Settings {Radius Proxy
CCESS ATEWAY If required, check the box for (if you want to allocate a Enable RADIUS Subnet Attribute specific subnet to a user). If required, check the box for (if you want the system to display a Enable Goodbye URL post session “goodbye”...
Page 167 CCESS ATEWAY From the Web Management Interface, click on Configuration , then RADIUS Proxy. RADIUS Proxy Settings screen appears: Enable or disable , as required, by clicking on the appropriate RADIUS Proxy Services check box. If you enabled RADIUS Proxy Services, you must provide the Authentication Server Port and the references.
Page 168 CCESS ATEWAY Adding an Upstream RADIUS NAS If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the Access Gateway), click on the button. The Add Upstream RADIUS NAS screen appears: To make this entry the “active”...
Page 169 CCESS ATEWAY Place a check in the box of the Nomadix VSAs to be enforced by the Proxy for this entry : The Radius VSA for Bandwidth-Up will be passed on  Enforce Bandwidth-Up VSA to the Upstream NAS when enabled.
Page 170: Defining The Realm-Based Routing Settings {Realm-Based Routing
CCESS ATEWAY The Upstream RADIUS NAS definition you just added appears in the list. You can add up to 10 definitions. Repeat Steps 5 through 11 to add more Upstream RADIUS NAS definitions, as required. To view your configured RADIUS Service Profiles and Realm Routing Policies, click on the link: Click here to see configured RADIUS service profiles and Realm Routing Policies...
Page 171 CCESS ATEWAY “Setting Up the SSL Feature” on page 325  From the Web Management Interface, click on Configuration , then Realm-Based Routing. The Realm-Based Routing Settings screen appears: Define RADIUS Service Profiles RADIUS service profiles are used to direct username access requests for both plain RADIUS users and users who supply realm/domain in their username.
Page 172 CCESS ATEWAY To add a RADIUS Service Profile, click on the appropriate button. The Add RADIUS Service Profile screen appears: Enter a name of your choice for this service profile in the field. Unique Name Authentication This category requires input for enabling RADIUS authentication and requires you to define IP addresses, ports, and secret keys for the primary and secondary RADIUS servers (the secondary server is optional).
Page 173 CCESS ATEWAY keys must match for communication between the server and the client to continue. The secret key is a valuable and necessary security measure. The Access Gateway and the RADIUS servers must use the same secret key. Repeat Steps 2 through 4 for the secondary RADIUS authentication server (if used). Accounting This category requires input for enabling the RADIUS accounting service, and also requires the necessary IP addresses, ports and secret keys for the primary and secondary RADIUS...
Page 174 CCESS ATEWAY routing policy will reference either a RADIUS service profile or a tunnel profile. Many different realm routing policies can reference the same RADIUS service or tunnel profile. This policy references a RADIUS service profile so a realm match will result in an access request being sent to the RADIUS server(s) specified in the RADIUS service profile.
Page 175 CCESS ATEWAY Click on the button to add this Realm Routing Policy. When you have completed the definition of your Realm Routing Policy, you can return to the previous screen (Realm-Based Routing Settings) by clicking on the Back to Main link.
Page 176 CCESS ATEWAY The following screen shows a realm routing policy that handles suffix-based usernames using a tunnel profile. This differences in this example are that the realm name is “tcisp.com”, “Suffix match only” is enabled (the delimiter in this case is “@”), and a tunnel profile, “LNSOne”, is selected instead of a RADIUS service profile.
Page 177 CCESS ATEWAY The “Local hostname” field is also blank is this example which means that the NSE will use the default value of “usg_lac” during tunnel negotiation. Configure RADIUS Client The NSE RADIUS client must be setup for realm-based routing mode since realm information will be used by the NSE’s L2TP tunnel feature to determine how to handle usernames that contain realm information.
Page 178: Managing Smtp Redirection {Smtp
CCESS ATEWAY Managing SMTP Redirection {SMTP} When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the Access Gateway redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP servers which support login authentication. To the subscriber, sending and receiving E- mail is as easy as it’s always been.
Page 179: Managing The Snmp Communities {Snmp
CCESS ATEWAY Managing the SNMP Communities {SNMP} You can address the Access Gateway using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager”...
Page 180: Enabling Dynamic Multiple Subnet Support (Subnets)
You can now use your SNMP client to manage the Access Gateway via the Internet. Enabling Dynamic Multiple Subnet Support (Subnets) Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP pool solutions to meet the demands of complex networks in large residential and public access networks.
Page 181: Displaying Your Configuration Settings {Summary
For additional information about the multiple subnet feature, go to “Contact Information” on page 349 for Nomadix Technical Support. Displaying Your Configuration Settings {Summary} You can display a summary listing of all your current Configuration settings. To view the summary listing, go to the Web Management Interface, click on...
Page 182: Setting The System Date And Time {Time
CCESS ATEWAY The Summary of Configuration Settings screen appears (partial screen shown here): More listings... Setting the System Date and Time {Time} This procedure shows you how to set the system date and time. System Administration...
Page 183 CCESS ATEWAY From the Web Management Interface, click on Configuration , then Time. The Set Date and Time screen appears: if you Select to use the local hardware time or select Internal Time External Time Server want to use NTP instead of the internal clock of the NSE If you select , enter the new date and time parameters in the relevant fields Internal Time...
Page 184: Setting Up Traffic Descriptors
CCESS ATEWAY If you select External Time In the field, enter the number of seconds before the NSE gives up on  Server Timeout receiving a time response from the NTP server. In the fields, enter up to 4 different NTP servers to query for the ...
Page 185: Setting Up Url Filtering {Url Filtering
CCESS ATEWAY Select to create a new Traffic Descriptor, or select a link to an existing descriptor to modify it. The Add Traffic Descriptor screen appears. Enter a name for the descriptor in the field. Unique Name Enter a brief summary about the descriptor in the field.
Page 186: Selecting User Agent Filtering Settings
CCESS ATEWAY DNS domain name (for example, *.yahoo.com, meaning all sites under the  yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.). The system administrator can dynamically add or remove specific IP addresses and domain names to be filtered for each property. From the Web Management Interface, click on , then Configuration...
Page 187: Zone Migration
CCESS ATEWAY From the Web Management Interface, click on Configuration , then User Agent Filtering. The User Agent Filtering Settings screen appears: Enable to use the filtering capabilities for the User-Agents. User-Agent Filtering Add the names of the different User-Agents that you want to filter to the HTTP User- Agent name field.
Page 188 CCESS ATEWAY From the Web Management Interface, click on , then Configuration Zone Migration. Zone Migration Settings screen appears: Select to enable the Zone Migration feature. Relogin after migration Add a new Zone In the section, new zones can be added and initially configured, using Zone-Based Migration the following parameter fields: –...
Page 189: Defining Ipsec Tunnel Settings
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on...
Page 190 CCESS ATEWAY Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it: Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
Page 191: Network Info Menu
CCESS ATEWAY Network Info Menu Displaying ARP Table Entries {ARP} You can display a table that shows the current status of the ARP (Address Resolution Protocol) assignments. ARP is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address.
Page 192: Displaying The Host Table {Hosts
CCESS ATEWAY The DAT Session Table screen appears: Click on the button to clear all current subscriber sessions. Delete all sessions Deleting DAT sessions will cause all misconfigured subscribers to lose their Internet connection for a short period of time. Displaying the Host Table {Hosts} You can display a table which lists the hosts that are currently configured.
Page 193: Displaying Icmp Statistics {Icmp
CCESS ATEWAY Displaying ICMP Statistics {ICMP} You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is a standard Internet protocol that delivers error and control messages from hosts to message requesters. These statistics are presented as a listing which details the current status of each ICMP transmission element.
Page 194 CCESS ATEWAY The Network Interfaces screen appears: System Administration...
Page 195: Interface Monitoring
CCESS ATEWAY Interface Monitoring As a complementary feature to Load Balancing, you can actively monitor each WAN connection to assure that full network functionality exists. Interface Monitoring must be enabled; it is off by default. It is set separately for each configured WAN interface.
Page 196: Displaying The Ip Statistics {Ip
CCESS ATEWAY Click on any interface name to configure individual interface settings: Displaying the IP Statistics {IP} You can display the IP (Internet Protocol) statistics which are presented as a detailed listing of all IP elements and their current status. With IP transmissions, data is broken up into packets which are then sent over the network.
Page 197: Viewing Ipsec Tunnel Status {Ipsec
CCESS ATEWAY The IP Statistics screen appears: Viewing IPSec Tunnel Status {IPSec} To view the current IPSec Tunnel Status, go to the Web Management Interface, click on Network Info , then click on IPSec. Viewing NAT IP Address Usage {NAT IP Usage} To view the current NAT IP Address Usage, go to the Web Management Interface, click on , then click on Network Info...
Page 198: Displaying The Routing Tables {Routing
CCESS ATEWAY Displaying the Routing Tables {Routing} You can display the current Routing Tables, including any dynamically generated routes, unreachable routes, or wildcard routes. To view the Routing Tables, select Network Info> Routing System Administration...
Page 199: Modifying The Routing Tables {Routing
CCESS ATEWAY The Routing Tables screen appears: Modifying the Routing Tables {Routing} An active routing tables view is available at > . The Routing Tables screen System Routing appears. You can make routing configuration additions and deletions from this screen. This screen includes;...
Page 200: Displaying The Active Ip Connections {Sockets
CCESS ATEWAY Static/Persistent Routing Table, grouped in a separate section for easy reference and  modification. Add a New Static or Persistent Route  Displaying the Active IP Connections {Sockets} You can display a table which provides a detailed listing of all currently active IP (Internet Protocol) connections.
Page 201: Displaying The Static Port Mapping Table {Static Port-Mapping
CCESS ATEWAY The Socket Table screen appears: Displaying the Static Port Mapping Table {Static Port-Mapping} You can display a table which provides a detailed listing of the currently active static port mapping scheme. To view the Static Port-Mapping Table, go to the Web Management Interface, click on , then click on Network Info Static Port-Mapping.
Page 202: Displaying Tcp Statistics {Tcp
CCESS ATEWAY Displaying TCP Statistics {TCP} You can display the TCP (Transmission Control Protocol) statistics which are presented as a detailed listing of all TCP elements and their current status. TCP is a standard protocol that manages data transmissions across networks. To view the TCP Statistics, go to the Web Management Interface, click on Network Info , then...
Page 203: Displaying Udp Statistics {Udp
CCESS ATEWAY Displaying UDP Statistics {UDP} You can display the UDP (User Datagram Protocol) statistics which are presented as a detailed listing of all UDP elements and their current status. UDP is an Internet standard transport layer protocol. It is a connectionless protocol which adds a level of reliability and multiplexing to the Internet Protocol (IP).
Page 204: Adding And Updating Port-Location Assignments {Add
CCESS ATEWAY Adding and Updating Port-Location Assignments {Add} Port-locations can be assigned at any level (for example, a specific room in a hotel or apartment building, a floor number, wing, or building). There may even be multiple ports assigned to a single room or location. The Access Gateway uses a port-location authorization table to manage the assigned ports and ensure accurate billing for the services used by a particular port.
Page 205 CCESS ATEWAY Adding a Port-Location Assignment This procedure shows you how to add a port-location assignment. If you want to update an existing assignment, go to Updating a Port-Location Assignment. From the Web Management Interface, click on Port-Location , then .
Page 206 CCESS ATEWAY All alpha characters (used for locations and descriptions) are case-sensitive. In the Port field, enter the port (the VLAN ID when using 802.1Q 2-way). In the field, enter a meaningful description for this port-location assignment. Description “Provide DHCP Service” is selected by default. De-select this option if you wish to disable subscriber-side DHCP for this port location.
Page 207: Exporting Port-Location Assignments {Export
CCESS ATEWAY PMS billing for a port is enabled only if PMS Services is globally enabled AND the  per-port enable PMS billing parameter is set. Facebook authentication for a port is enabled only if Port-Based Policies is enabled  and that port allows Facebook as an authentication type.
Page 208: Finding Port-Location Assignments By Description {Find By Description
CCESS ATEWAY From the Web Management Interface, click on , then The Export Port-Location Export. Port-Location Assignments screen appears: Click on the button to export port-location assignment to the /flash/location.txt. Export file. Finding Port-Location Assignments by Description {Find by Description} This procedure shows you how to find a port-location assignment, based on its description.
Page 209: Finding Port-Location Assignments By Location {Find By Location
CCESS ATEWAY Finding Port-Location Assignments by Location {Find by Location} This procedure shows you how to find a port-location assignment, based on its location. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or port.
Page 210: Finding Port-Location Assignments By Port {Find By Port
CCESS ATEWAY Finding Port-Location Assignments by Port {Find by Port} This procedure shows you how to find a port-location assignment, based on its port. This procedure is useful if you want to review the details of a specific port-location. You can also find port-locations based on their description or location.
Page 211: Importing Port-Location Assignments {Import
CCESS ATEWAY Importing Port-Location Assignments {Import} This procedure shows you how to import port-location assignments from the “location.txt” file. The location.txt file is stored in: /flash/location.txt (resident in the Access Gateway’s flash memory). If you have never exported port-location assignments (since installing the Access Gateway at this site), the location.txt is empty.
Page 212 CCESS ATEWAY Creating a “location.txt” File You can create your own “location.txt” file and upload the file to the Access Gateway’s flash memory at [IP address]/flash/location.txt. Use the following format when creating the file: “1”,1,00:00:00:00:00:00,0.0.0.0,0, “Room 101” The 4 (four) fields used in the format represent the standard format for port-location assignments (location, port, modem MAC address for RiverDelta, subnet, state, description).
Page 213: Displaying The Port-Location Mappings {List
CCESS ATEWAY Displaying the Port-Location Mappings {List} You can display a listing of all port-locations assigned to this system. To view the listing of port-location assignments, select Port-Location > List. The List Port- Location Assignments screen appears: Deleting Port-Location Assignments To delete port-location assignments: From the Web Management Interface, select >...
Page 214: Subscriber Intra-Port Communication
CCESS ATEWAY Check Enable Facebook Login. Subscriber Intra-Port Communication If enabled, subscribers on a same port location (for example, a conference room) can communicate with each other without NSE intervention. System Administration...
Page 215: Subscriber Administration Menu
CCESS ATEWAY Subscribers can communicate with each other when on the same VLAN and the same IP subnet. The NSE will not respond to any ARP requests from the subscriber for other subscribers (or hosts) that are on the same port-location subnet. Subscriber Side Network Side Subscribers in same port/location...
Page 216 CCESS ATEWAY “Authorization and Billing” on page 272  “Subscriber Management” on page 278  “Subscriber Management Models” on page 278  “Configuring the Subscriber Management Models” on page 279  Adding a Subscriber Type Profile From the Web Management Interface, click on , then Subscriber Administration Add.
Page 217 CCESS ATEWAY If you have chosen to manage this subscriber by user name only, you do not need to enter a MAC address (but you must enter a user name). Enter the of the subscriber. IP Address Enter a valid address for this subscriber.
Page 218 CCESS ATEWAY Adding a Device Type Profile From the Web Management Interface, click on , then Subscriber Administration Add. The Add a Subscriber Profile to the Database screen appears: Choose the account type for this profile. Device If required, enable the feature.
Page 219 CCESS ATEWAY Define the Min Downstream Bandwidth Max Downstream Bandwidth range for this device (in Kbps). If using Class-Based Queuing, enter the primary and subclass for this device in the Class field. Enter these values in the format: <top-level class>.<subclass> (top-level class and subclass separated by a period).
Page 220 CCESS ATEWAY From the Web Management Interface, click on , then Subscriber Administration Add. The Add a Subscriber Profile to the Database screen appears: Choose the Group Account t ype for this profile. Set the Account valid until field to set an expiration date for the group account. Define the DHCP Address Type: (only used when the IP Upsell feature Public...
Page 221: Displaying Current Subscriber Connections {Current
CCESS ATEWAY In the Expiration Time field, define the duration (in hours and minutes) for the subscriber’s authorized access time. When the assigned time expires, the subscriber must “re-subscribe” to the service. Enter an amount in the field. Paid The next two fields ( ) are optional.
Page 222: Deleting Subscriber Profiles By Mac Address {Delete By Mac
CCESS ATEWAY Click to view the associated subscriber In the State field, “Valid” denotes that the subscriber has been authenticated. “Pending” indicates that the subscriber is still waiting for authentication. To view individual subscribers, click on the linked MAC address. ou can select specific fields to display, and can sort the Current Subscribers table on any field.
Page 223: Deleting Subscriber Profiles By User Name {Delete By User
CCESS ATEWAY From the Web Management Interface, click on Subscriber Administration , then Delete The Delete a Subscriber Profile (by MAC) screen appears: by MAC. In the field, enter the MAC address of the profile you want to delete. Enter MAC Address Click on the button to delete this subscriber profile, or click on the button if...
Page 224: Displaying The Currently Allocated Dhcp Leases {Dhcp Leases
CCESS ATEWAY Displaying the Currently Allocated DHCP Leases {DHCP Leases} You can display a listing of the DHCP (Dynamic Host Configuration Protocol) leases that are currently active on the system’s DHCP server. DHCP is a standard method for assigning IP addresses automatically to network devices.
Page 225: Finding Subscriber Profiles By Mac Address {Find By Mac
CCESS ATEWAY From the Web Management Interface, click on Subscriber Administration , then Expired. The Remove Expired Profiles screen appears: Click on the button to remove all expired profiles. Finding Subscriber Profiles by MAC Address {Find by MAC} This procedure shows you how to find a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s MAC address.
Page 226: Finding Subscriber Profiles By User Name {Find By User
CCESS ATEWAY Finding Subscriber Profiles by User Name {Find by User} This procedure shows you how to find a subscriber profile from the Access Gateway’s database of authorized subscribers, based on the profile’s user name. Use this procedure when you want to see the statistics corresponding to the user name.
Page 227 CCESS ATEWAY The Authorized Subscriber Profiles screen appears: Click on a link to view the associated subscriber -1 indicates a subscriber added by Admin or XML useradd with no associated plans. System Administration...
Page 228: Viewing Radius Proxy Accounting Logs {Radius Session History
CCESS ATEWAY Viewing RADIUS Proxy Accounting Logs {RADIUS Session History} These settings are available under Subscriber Administration/RADIUS Session History menu. Enable Logfile checkbox When this setting is enabled any RADIUS proxy accounting messages sent or received by the RADIUS proxy application are logged into a file named “RADHIST.RAD” in the /flash directory.
Page 229: Displaying Current Profiles And Connections {Statistics
CCESS ATEWAY Displaying Current Profiles and Connections {Statistics} You can view the total number of profiles and connections currently stored in the Access Gateway’s database of authorized subscribers. The displayed list includes the number of subscribers currently in the database (Current Table) and a numerical breakdown of how the subscribers can utilize the system (for example, free access, credit card, etc.).
Page 230  charge. In addition to credit card billing, Property Management Systems used by hotels are also supported along with the internal data base of the Access Gateway and billing via Nomadix' secure XML API. See also, “Assigning a PMS Service {PMS}” on page 136 (see following note).
Page 231 CCESS ATEWAY From the Web Management Interface, click on Subscriber Interface , then Billing . The Internal Billing Options Setup screen appears: Options Review the billing plans (normal plans and X over Y plans) that are currently active. To view or edit a billing plan, click the button opposite the corresponding View/Edit/Delete plan.
Page 232 CCESS ATEWAY The Internal Billing Options Plan Setup or Internal Billing Options XoverY Plan Setup screen appears for the billing plan (and type) you selected. System Administration...
Page 233 CCESS ATEWAY Sample of Internal Billing Options XoverY Plan Setup Screen Depending on the type of plan you want to set up, go to: “Setting Up a “Normal” Billing Plan” on page 221.  “Setting Up an X over Y Billing Plan” on page 223.
Page 234 CCESS ATEWAY Enter a description for this billing plan in the field. Description of Service If desired, enable Facebook Login and specify a plan duration. Define the schemes for this billing plan (rate per minute, per hour, per day, per Pricing week, and per month).
Page 235 CCESS ATEWAY Define the messages you want to present to subscribers, including: Introduction Message  Offer Message  Policy Message  Define the (Minute, Hour, Day, Week, or Month) you want to make Units of Access available to subscribers. If you want to allow free access to subscribers, you can define the following free billing options: Default Free Access Time (in days) ...
Page 236: Setting Up The Information And Control Console {Icc Setup
(previous) screen. Setting Up the Information and Control Console {ICC Setup} The Nomadix ICC is a HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing plan options quickly and efficiently, and displays a dynamic “time”...
Page 237 CCESS ATEWAY (described above). The pop-up Logout Console offers the opportunity to display the elapsed/ count-down time and one logo for intra-session service branding. Featured Logout Console This procedure allows you to set up how the ICC is displayed to subscribers. For more information about the ICC, go to “Information and Control Console (ICC)”...
Page 238 CCESS ATEWAY From the Web Management Interface, click on , then Subscriber Interface ICC Setup The ICC Setup screen appears: System Administration...
Page 239 If you enabled either of the ICC pop-up options, you can choose a unique name for the console. Simply type a meaningful name in the field. Title Define the physical location where you want the Nomadix Logout Console to appear on the subscriber’s screen. Choose one of the following options: Upper Left Corner ...
Page 240 CCESS ATEWAY – The name of the button and the mouse-over text. The mouse-over text is  Name/Text the text that appears in the ICC’s Message Bar when your mouse pointer “rolls” over a button image. Message – Where subscribers are sent when they click on the button. Target URL ...
Page 241 CCESS ATEWAY Assigning Banners From the Subscriber Console (Information and Control Console - ICC) Setup screen, click on the link. The Subscriber Console (Information and Control Configure Banners Console - ICC) Banners Setup screen appears: Click here to return to the previous screen You can display up to 5 banners, but they must be defined here.
Page 242 CCESS ATEWAY Define the parameters for your banner(s): Name/Text  Target URL  Image Name (see following note)  Duration (secs)  Start Time (Optional)  Stop Time (Optional)  If you assign (or change) button images or banner images, the Access Gateway must be rebooted for your changes to take effect.
Page 243: Defining Languages {Language Support
CCESS ATEWAY Banner (373 x 32 pixels) Small Buttons (45 x 26 pixels) ISP Button (98 x 26 pixels) Time Formats Use the following formats when defining times: Duration for Banners – 1 through 9999, or more  Start or Stop times for Banners –...
Page 244 CCESS ATEWAY Japanese (Shift_JIS)  Spanish  Other, with drop-down menu (see note)  You can also change the language of the Web Management Interface. See “Selecting the language of the Web Management Interface” on page From the Web Management Interface, click on Subscriber Interface , then Language...
Page 245: Enable Serving Of Local Web Pages {Local Web Server
CCESS ATEWAY Select the language you want to use (see notes). There are currently 6 (six) “pre-translated” language options. If you want to have the ICC pre-translated into Japanese and enter and display Japanese characters on the Web Management Interface and the subscriber’s portal page, choose the Japanese (Shift_JIS) option.
Page 246 CCESS ATEWAY Upload the required pages and images to the /flash/web directory using FTP. Total file size of all pages and images cannot exceed 200 KB. File names should be labeled using the 8.3 format. Go to WMI>Subscriber Interface>Local Web Server and add the names of the HTML or image files that were uploaded to the /flash/web directory.
Page 247: Defining The Subscriber's Login Ui {Login Ui
CCESS ATEWAY Image File Name This text box lets you add or remove the names of the image files that you intend to server to the end users. Note: The name of the image file has to be added in order for it to be served to the end users.
Page 248 CCESS ATEWAY From the Web Management Interface, click on , then Subscriber Interface Login UI. Subscriber Login User Interface Settings screen appears: Define the messages you want subscribers to see when they log in. Keep messages brief and to the point. Available message categories include: Service Selection Message ...
Page 249 CCESS ATEWAY Existing Username Message  New Username Message  Contact Message  PMS Username Message  If any of your devices do not support Java™ scripts, you have the option of disabling the Access Gateway’s JavaScript™ support (JavaScript support is enabled by default). If necessary (and if JavaScript support is already enabled), click on the check box for Enable to disable this feature.
Page 250 CCESS ATEWAY Take care when mixing font and background colors. You may want to experiment before establishing these settings to ensure that your chosen color scheme is both presentable and readable to subscribers (see notes). You must reboot the Access Gateway for the “Image File Name” or “Partner Image File Name”...
Page 251: Defining The Post Session User Interface (Post Session Ui)
CCESS ATEWAY Subscriber Login Screen (Sample) The following sample shows a subscriber login screen: Defining the Post Session User Interface (Post Session UI) The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by the Access Gateway’s Internal Web Server (IWS).
Page 252 CCESS ATEWAY Freely configurable hypertext link (in case the ISP wants to link the user back to a  sign-up/help page). Sample of Post Session UI (Goodbye Page) System Administration...
Page 253 CCESS ATEWAY From the Web Management Interface, click on Subscriber Interface , then Post Session The Subscriber Post Session User Interface Settings screen appears: System Administration...
Page 254: Defining Subscriber Ui Buttons {Subscriber Buttons
CCESS ATEWAY Click on the check box to enable (or disable) the IWS Enable IWS Goodbye Page Goodbye Page, as required. If you enabled the IWS Goodbye Page, select your preferred display options by checking the corresponding boxes: Display IP Address ...
Page 255: Defining Subscriber Ui Labels {Subscriber Labels
CCESS ATEWAY From the Web Management Interface, click on Subscriber Interface , then Subscriber The Subscriber Page -- Control Button Definitions screen appears: Buttons. Caution Enter the definitions you want for each control button in the corresponding fields. Only the Login button should be named “Login.” Do not assign this name to any other button.
Page 256 CCESS ATEWAY From the Web Management Interface, click on , then Subscriber Interface Subscriber The Subscriber Page -- Field Label Definitions screen appears: Labels. Enter the definitions you want for each label in the corresponding fields. Click on the button to save your changes, or click on the button if you want Submit Reset...
Page 257: Defining Subscriber Error Messages {Subscriber Errors
CCESS ATEWAY Defining Subscriber Error Messages {Subscriber Errors} This procedure allows you to define how error messages are displayed to subscribers. There are 2 (two) pages of error messages available. From the Web Management Interface, click on , then Subscriber Interface Subscriber Errors, 1 of 2.
Page 258 CCESS ATEWAY If you want to reset all field values to their default state, click on the button. Revert Repeat Steps 1 – 3 for page 2 of 2 (see following screen): System Administration...
Page 259: Defining Subscriber Messages {Subscriber Messages
CCESS ATEWAY Defining Subscriber Messages {Subscriber Messages} This procedure allows you to define how “other” subscriber messages are displayed. There are 3 (three) pages of subscriber messages available. From the Web Management Interface, click on , then Subscriber Interface Subscriber The Subscriber Page -- Other Message Definitions, 1 of 3 screen Messages, 1 of 3.
Page 260 CCESS ATEWAY Enter the definitions you want for each subscriber message in the corresponding fields. Click on the button to save your changes, or click on the button if you want Submit Reset to reset all the values to their previous state. If you want to reset all field values to their default state, click on the button.
Page 261 CCESS ATEWAY Repeat Steps 1 – 3 for page 3 of 3 (see following screen): System Administration...
Page 262: System Menu
CCESS ATEWAY System Menu Adding and Deleting ARP Table Entries ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a low level physical hardware (MAC) address. ARP is limited to a single physical network that supports hardware broadcasting.
Page 263: Configurable Gateway Arp Refresh Interval
CCESS ATEWAY Configurable Gateway ARP Refresh Interval The NSE will periodically refresh its ARP cache entry for the gateway IP. When gateway redundancy is implemented via the use of multiple gateway devices with the same IP address, the periodic refresh enables the NSE to quickly discover the new MAC address of the gateway. You can set the refresh frequency on the Location page.
Page 264: Exporting Configuration Settings To The Archive File {Export
CCESS ATEWAY network as it allows administrators to effectively “remove” the Access Gateway from the network without physically disconnecting the unit. You can still manage the Access Gateway when Bridge Mode is enabled, but you have no other functionality. If you enable the Bridge Mode option and then plug the Access Gateway into a network, all you need to do is assign it routable IP addresses.
Page 265: Importing The Factory Defaults {Factory
CCESS ATEWAY From the Web Management Interface, click on System , then Export. The Export Configuration screen appears: Click here to view the Click here to view the “archive.txt” file “current.txt” file Click on the button to export the current authentication settings to the archive.txt file. Importing the Factory Defaults {Factory} This procedure shows you how to replace the current authentication settings with the settings that were established at the factory.
Page 266: Defining The Fail Over Options {Fail Over
Many large scale networks require fail-over support for all devices in the public access network. The Fail Over Options feature allows two Nomadix Gateways to act as siblings, where one device will take up the users should the other device become disconnected from the network.
Page 267: Viewing The History Log {History
Secondary will wait while not receiving messages from the Primary before it takes over. Click on the check box for Reboot after changes are saved? If you are using RADIUS, it is recommended to add both Nomadix gateways to the RADIUS server. Click on the...
Page 268: Establishing Icmp Blocking Parameters {Icmp
CCESS ATEWAY To view the history log, go to the Web Management Interface and click on , then System The Uptime and Access/Reboot History screen appears: History. Uptime Indicator More listings... The “Uptime” field displays the time (in days, hours, minutes, and seconds) that the system has been up and running.
Page 269: Importing Configuration Settings From The Archive File {Import
CCESS ATEWAY (walled garden) list. The default setting for this option is “disabled” because ICMP pass- through is a useful end-user troubleshooting feature and is also required by certain smart clients (for example, GRIC). From the Web Management Interface, click on , then The ICMP screen System...
Page 270: Establishing Login Access Levels {Login
CCESS ATEWAY From the Web Management Interface, click on , then The Import System Import. Configuration screen appears: Click here to view the Click here to view the “archive.txt” file “current.txt” file Click on the button to replace the current system configuration settings with the settings contained in the archive.txt file (see notes above).
Page 271 CCESS ATEWAY Telnet  Command Line Interface (CLI) – serial  Web Management Interface (WMI)  FTP and SFTP (no operator access allowed)  SSH Shell Access   Only managers can assign a username and password for the remote RADIUS testing login option.
Page 272 RADIUS server—following the same basic rules as if the request was from a user. The URL for the test page is http://<Nomadix Access Gateway IP>/radtest/testradius.htm and can be accessed from the network side of the Access Gateway. You must open a separate browser to utilize this feature.
Page 273: Defining The Mac Filtering Options {Mac Filtering
Reset Defining the MAC Filtering Options {MAC Filtering} MAC Address filtering enhances Nomadix' access control technology by allowing System Administrators to block malicious users based on their MAC address. Up to 600 MAC addresses can be blocked at any one time (see caution).
Page 274: Utilizing Packet Capturing {Packet Capture
CCESS ATEWAY From the Web Management Interface, click on , then The MAC System MAC Filtering. Filtering screen appears: Click on the check box for MAC Filtering to enable (or disable) this feature, as required. Enter a MAC address in the field, then click on the button to add this address to the “blocked”...
Page 275 CCESS ATEWAY From the Web Management Interface, click on System, then Packet Capture. The Packet Capture Settings screen appears: To initiate a capture on a given interface, click that interface’s associated Start button. The button label will change to Stop, indicating that a capture is in progress. Click the button again to stop the capture.
Page 276: Rebooting The System {Reboot
CCESS ATEWAY Rebooting the System {Reboot} This procedure shows you how to reboot the Access Gateway. The “reboot” procedure outlined on this page allows you to decide when to reboot (if you are making multiple changes to different menu functions and you want to reboot just one time after completing all your changes).
Page 277 CCESS ATEWAY To view the routing tables, choose System > Routing . The Routing Tables screen appears. You can view the routes associated with each physical NSE port by clicking on the tab for the port. In the screen shot above, only the WAN port is in use. Adding a Route On the Routing Tables screen, scroll to Add a New Static or Persistent Route...
Page 278: Establishing Session Rate Limiting {Session Limit
CCESS ATEWAY Enter the address of the route you want to add to the routing Destination IP/Prefix Length table. This is the Destination IP or Subnet that the Route is trying to reach, with the prefix length to determine how large the subnet might be. Enter the address for the Route being added so that the NSE knows what to Gateway IP...
Page 279: Adding/Deleting Static Ports {Static Port-Mapping
CCESS ATEWAY Mean Rate  Burst Size  (in seconds)  Time Interval Click on the button to save your changes. Submit For advanced security, see also “Defining the MAC Filtering Options {MAC Filtering}” on page 261. Adding/Deleting Static Ports {Static Port-Mapping} Static Port-Mapping allows the network administrator to setup a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and mis- configured) and port number on the subscriber side of the Access Gateway.
Page 280 CCESS ATEWAY To add static ports From the Web Management Interface, click on , then System Static Port-Mapping. Static Port-Mapping screen appears: Enter the Internal IP Address Ensure that the device with the Internal IP Address has been added to the subscriber’s table.
Page 281: Updating The Access Gateway Firmware {Upgrade
“Displaying the Static Port Mapping Table {Static Port-Mapping}” on page 189  Updating the Access Gateway Firmware {Upgrade} Upgrading the Access Gateway firmware is performed from the Access Gateway’s Command Line Interface (CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from Nomadix Technical Support). System Administration...
Page 282 CCESS ATEWAY System Administration...
Page 283: Chapter 4: The Subscriber Interface
CCESS ATEWAY The Subscriber Interface This chapter provides an overview of the Access Gateway’s Subscriber Interface and sections outlining the authorization and billing processes, subscriber management models, and the Information and Control Console (ICC). Overview The Subscriber Interface is the window to the solution provider’s Web site, and much more than that.
Page 284: Authorization And Billing
CCESS ATEWAY customer (the subscriber). The Access Gateway’s role in this customer/supplier relationship is effectively “invisible” to subscribers. Subscriber Broadband Network Subscriber Gateway Portal AAA Module Internet Billing Authorization and Billing As a gateway device, the Access Gateway enables plug-and-play access to broadband networks.
Page 285: The Aaa Structure
CCESS ATEWAY Subscriber Launch browser Enter credit card details Network access Billing mirror server Authorize this subscriber External Web server system bank account Solution Provider The AAA Structure The Access Gateway’s Authentication, Authorization, and Accounting (AAA) module enables the solution provider to provision, track, and bill new or returning subscribers. This includes: Allowing the solution provider (for example, a hotel) to bill its guests for the high ...
Page 286 CCESS ATEWAY Subscriber Login Subscriber Management Internal Web Server External Web Server Internal Web Management Interface (on flash for login pages) (for login & portal pages) Authentication Internal User Database Authorization Table Internal User Database Credit Card Server PMS System Internal Accounting Log (AAA) Accounting Billing Mirror Server(s)
Page 287 CCESS ATEWAY The initial login page can be presented in various ways, depending on the system’s configuration. The Access Gateway supports any of the following methods and tools: Internal and external Web pages.  External “portal” page for redirection.  User name and MAC-based logins (simultaneous or stand-alone).
Page 288: Process Flow (Aaa)
CCESS ATEWAY Process Flow (AAA) The following flowchart outlines the AAA and billing process. All actions depicted in the chart are administered and tracked by the Access Gateway. AG detects connection and verifies user against authorization table New User Existing Subscriber Login Page Specify lease time Lease time...
Page 289: Internal And External Web Servers
CCESS ATEWAY Internal and External Web Servers The Access Gateway supports both internal and external Web servers which act as a login interface between subscribers and the solution provider’s network, including the Internet. The internal Web server is “flashed” into the system’s memory and the login page is served directly from the Access Gateway.
Page 290: Subscriber Management
CCESS ATEWAY Subscriber Management The Access Gateway provides several subscriber management models, including: Free access (for example, no AAA functionality)  MAC address  Port-Location ID (for example, by room or unit number)  User name and password  Credit card ...
Page 291: Configuring The Subscriber Management Models
CCESS ATEWAY Configuring the Subscriber Management Models Model What You Need To Do Free access Disable the AAA services. MAC address Enable the AAA services and add a subscriber profile to the database for each MAC address you want to enable. User Name and Password Enable the AAA services and Usernames.
Page 292: Information And Control Console (Icc)
CCESS ATEWAY Information and Control Console (ICC) The ICC is a HTML pop-up window that is presented to subscribers, allowing them to select their bandwidth and billing options quickly and efficiently, and displays a dynamic “time” field to inform them of the time remaining on their account. The ICC also offers service providers an opportunity to display advertising banners and provide a choice of redirection options.
Page 293: Logout Console
CCESS ATEWAY Logout Console The Access Gateway allows System Administrators to define a simple HTML-based pop-up window for explicit logout that can be used as an alternative to the more fully featured ICC. The pop-up Logout Console can display the elapsed/count-down time and one logo for intra- session service branding.
Page 294 CCESS ATEWAY The Subscriber Interface...
Page 295: Chapter 5: Quick Reference Guide
CCESS ATEWAY Quick Reference Guide This chapter contains product reference information, organized by topic. Use this chapter to locate the information you need quickly and efficiently. Web Management Interface (WMI) Menus The following tables contain a listing and brief explanation of all menus and menu items contained in the Access Gateway’s Web Management Interface (WMI), listed as they appear on screen.
Page 296: Configuration Menu Items
(IP address) of administrator logins. A login is permitted only if a match is made with the master list contained on the Nomadix Access Gateway. If a match is not made, the login is denied, even if a correct login name and password are supplied.
Page 297 CCESS ATEWAY Item Description Home Page Redirect Redirects the subscriber’s browser to a specified home page. iNAT™ Enables Intelligent Address Translation for Transparent VPN Access. Interface Monitoring The ability to actively monitor each WAN/ISP/ and VLAN connection to assure that full network functionality exists IPSec IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.
Page 298 Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner. Routed Subscribers Allows Routed network hops on the Subscriber side of the Nomadix. SMTP Enables the SMTP (E-mail) redirection functions. SNMP Establishes the SNMP parameters.
Page 299: Network Info Menu Items
CCESS ATEWAY Network Info Menu Items Item Description Displays the ARP table, including the destination IP address and the gateway MAC address. Displays the DAT session table. DNSSEC DNSSEC support adds authentication and integrity capability to DNS systems. The DNSSEC feature in the NSE allows DNSSEC queries and responses to traverse the NSE between subscribers and the NSE's configured DNS servers.
Page 300 CCESS ATEWAY Item Description NAT IP Interface A new separate iNAT interface page shows the settings for each port in either WAN or OOS modes. Ports in SUB mode are not shown. Each of the displayed ports has individual iNAT / Subscriber tunnel settings accessible by clicking on that port's link.
Page 301: Port-Location Menu Items
CCESS ATEWAY Port-Location Menu Items Items Description Adds or updates port-location assignments. Delete All Deletes all port-location assignments. Use this command with caution. Export Exports specified port-location assignments to the location.txt file. Find by Description Finds a port-location assignment, based on a unique description.
Page 302 CCESS ATEWAY Items Description List Profiles Displays a list of authorized subscriber profiles. RADIUS Session History These logs record RADIUS proxy accounting messages sent or received by the RADIUS proxy. Statistics Displays the current subscriber profile statistics (for example, how many profiles are currently in the database). Quick Reference Guide...
Page 303: Subscriber Interface Menu Items
CCESS ATEWAY Subscriber Interface Menu Items Items Description Billing Options Establishes the various billing plans and rates (schemes), including messages and appearance. ICC Setup Sets up the Information and Control Console (ICC) for subscribers. Language Support Defines the language to be displayed on the Web Management Interface and the subscriber’s portal page.
Page 304: System Menu Items
Factory Imports the factory default settings. Fail Over Sets up a “sibling” Nomadix Gateway, allowing one device to take up the users should the other device become disconnected from the network. History Displays a history log of the system’s activity, including Access, Reboot and Uptime.
Page 305 ATEWAY Items Description Subscriber Blocks subscriber interfaces. Interfaces Syslog Displays syslog history. System Utilization Displays system utilization information. Upgrade Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support. User Settings Blocks IPPROTO traffic from misconfigured subscribers. Quick Reference Guide...
Page 306: Alphabetical Listing Of Menu Items (Wmi)
CCESS ATEWAY Alphabetical Listing of Menu Items (WMI) The menu items listed here are for a fully featured Nomadix Access Gateway (with all optional modules included). Refer to “About Your Product License” on page Item Description Menu AAA ........Set AAA options..............Configuration Access Control ......Enables secure administration of the Access Gateway ..Configuration...
Page 307 CCESS ATEWAY Reboot ........Reboot the operating system ..........System Route Add......Add a route to the routing table ..........System Route Delete ......Delete a route from the routing table ........System Routing ......... Display routing performance statistics and tables ....Network Info Session Limit......
Page 308: Default (Factory) Configuration Settings
For more information, go to “Importing the Factory Defaults {Factory}” on page 253. Function Default Setting Version Nomadix Access Gateway v5.4.xxx (depends on firmware Nomadix Access Gateway ID version) Network Interface MAC AG3100 Subscriber Interface MAC MAC address is unique for each product...
Page 309 CCESS ATEWAY Function Default Setting AAA Logging Disabled AAA Log Server Number AAA Log Server IP 0.0.0.0 SYSLOG (System Logging) Disabled SYSLOG Server Number SYSLOG Server IP 0.0.0.0 AAA Services Disabled Internal Authorization Enabled New Subscribers Enabled Credit Card Service Enabled Parameter Passing Disabled...
Page 310: Product Specifications
CCESS ATEWAY Product Specifications AG2400 Specifications NSE M VAILABLE ODULES AG 2400 Hospitality Module AG 2400 High Availability Module ERFORMANCE 200 concurrent users or devices Throughput up to 230 Mbps as defined by RFC 1242, Section 3.17 LATFORM Intel based System NTERFACE 1-RJ 45 - WAN 3-RJ 45 - ETH...
Page 311 CCESS ATEWAY AG2400 Specifications IMENSIONS 215.5 W x 44 H x 190mm D 1U Rack Mountable EIGHT 1.2 kg NVIRONMENTAL ARAMETERS Temperature Ambient Operating / Storage: 0~40° / -20~70° C Humidity (RH) Ambient Operating / Ambient Non-Operating: 5~90% non-condensing / 5~95% non-condensing EGULATORY FCC Class A UL, UL (US and Canada)
Page 312 CCESS ATEWAY AG2400 Specifications ILLING NABLEMENT ADIUS LIENT Radius (AAA) Proxy Port-Based Policies Port Mapping Local Databases Credit Card Interface PMS Advanced XML Interface Bill Mirroring RANDING ESTABLISHMENT Parameter Passing enabling branding ETWORK ANAGEMENT Web Management Interface (WMI) Command Line Interface (CLI) Integrated VPN Client for Management Radius-Driven Configuration Multi-Level Admin Support...
Page 313 CCESS ATEWAY AG2400 Specifications IP A DDRESS ANAGEMENT IEEE 802.3/3u/3eb IEEE 802.1d DHCP Server DHCP Relay Multiple Subnet Support IP UPsell DHCP Client PPPoe Client NTELLIGENT OAMING Realm-Based Routing Zone Migration ERVICE ROVISIONING Home Page Redirect HTTP-Redirect HTTPS-Redirect Portal Page Redirect Session Termination Redirect Information and Control console Pop-up (explicit) logout button...
Page 314 CCESS ATEWAY AG5600 Specifications NSE M VAILABLE ODULES High Availability - Fail Over Hospitality Module - Property Management Interface (PMS) ERFORMANCE User Support: Up to 2000 users concurrently Throughput: up to 750Mbits/s* *As defined by RFC1242, Section 3.18 HYSICAL 1U rack space in a 19” rack 17.24”(L) x 11.53”(W) x 1.73”(H) 438mm (L) x 292.0mm (W) x 44mm (H) Weight: 8.8 lbs.
Page 315 CCESS ATEWAY AG5600 Specifications OMPLIANCE UL (US and Canada) FCC Class A EN 55022: 2006 + A1: 2007 EN 55024: 1998 + A1: 2001 + A2: 2003 IEC 61000-4-2: 1995 +A1: 1998 + A2: 2000 IEC 61000-4-3: 2006 IEC 61000-4-4: 2004 IEC 61000-4-5: 2005 IEC 61000-4-6: 2007 IEC 61000-4-8: 1993 : A1: 2000...
Page 316 CCESS ATEWAY AG5600 Specifications ETWORKING IEEE 802.3/ 3u/ 3ab IEEE 802.1d DHCP Server DHCP Relay RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2) Quick Reference Guide...
Page 317 CCESS ATEWAY AG5800 Specifications LUG AND Dynamic Address Translation (DAT) Dynamic Transparent Proxy ERVICE PROVISIONING Home Page Redirect HTTP - Redirect Portal Page Redirect Session Termination Redirect Information and Control console Pop-up (Explicit) Logout Button International Language Support External Web Server Mode...
Page 318 CCESS ATEWAY AG5800 Specifications CCESS ONTROL AND UTHENTICATION Authorization, Authentication and Accounting (AAA) Walled Garden Group Accounts Tri Mode Authentication Universal Access Method over SSL IEEE 802.1x Smart Client Support (Boingo, iPass) MAC Authentication Remember Me Log-in DVANCED ECURITY iNAT...
Page 319 CCESS ATEWAY AG5800 Specifications RANDING Parameter Passing-enabled branding ETWORK ANAGEMENT Web Management Interface (WMI) Command Line Interface (CLI) Integrated VPN Client for Management RADIUS-Driven Configuration Multi-level Admin Support Centralized Radius Authentication SMTP Redirection Access Control Bridge Mode SNMPv2c Syslog/AAALog EDIA...
Page 320 CCESS ATEWAY AG5800 Specifications EGULATORY FCC Class A UL, UL (US and Canada) EN 55022: 2010 Class A, EN 61000-3-2:2006/A1:2009/A2:2009, EN 61000-3- 3:2008, EN55024:2010 (IEC 61000-4-2:2008, IEC 61000-4-3:2006/A1:2007/ A2:2010, IEC 6100-4-4:2004/A1:2010, IEC 6100-4-5:2006, IEC 61000-4-6:2008, IEC 61000-4-8:2009, IEC 6100-4-11:2004), Australian Standard AZ/NZS CISPR 22:2009 Class A CB Scheme HYSICAL 1U rack space in a 19”...
Page 321 CCESS ATEWAY AG5900 Specifications LUG AND Dynamic Address Translation (DAT) Dynamic Transparent Proxy ERVICE PROVISIONING Home Page Redirect HTTP - Redirect HTTPS - Redirect Portal Page Redirect Session Termination Redirect Information and Control Console Pop-Up (Explicit) Logout Button International Language Support External Web Server Mode Internal Web Server Mode Secure XML API over SSL...
Page 322 CCESS ATEWAY AG5900 Specifications CCESS ONTROL AND UTHENTICATION Authorization, Authentication and Accounting (AAA) Walled Garden Group Accounts Tri Mode Authentication Universal Access Method over SSL IEEE 802.1x Smart Client Support (Boingo, iPass) MAC Authentication Remember Me Log-in DVANCED ECURITY iNAT IPSec Support PPTP Support Session Rate Limiting (SRL)
Page 323 CCESS ATEWAY AG5900 Specifications RANDING Parameter Passing-enabled branding ETWORK ANAGEMENT Web Management Interface (WMI) Command Line Interface (CLI) Integrated VPN Client for Management RADIUS-Driven Configuration Multi-level Admin Support Centralized Radius Authentication SMTP Redirection Access Control Bridge Mode SNMPv2c Syslog/AAA Log EDIA CCESS ONTROL...
Page 324 CCESS ATEWAY AG5900 Specifications EGULATORY FCC Class A UL, UL (US and Canada) CE EN 55022: 2010 Class A, EN 61000-3-2:2006/A1:2009/A2:2009, EN 61000-3- 3:2008 EN55024:2010 (IEC 61000-4-2:2008, IEC 61000-4-3:2006/A1:2007/A2:2010, IEC 6100-4-4:2004/A1:2010, IEC 6100-4-5:2006, IEC 61000-4-6:2008, IEC 61000-4- 8:2009, IEC 6100-4-11:2004), Australian Standard AZ/NZS CISPR 22:2009 Class A CB Scheme HYSICAL 1U rack space in a 19”...
Page 325: Sample Aaa Log
Date Time Gateway Log Message ration Code Name Data Address Time 18:23:10 nomad237 INFO AAA: AAA_Authentication 00:00:0E:32:2 2 hrs .nomadix 4207 Successful C:BC 1 min .com 18:23:26 nomad237 INFO AAA: AAA_Authentication 00:10:5A:61:40 12 hrs .nomadix 4207 Successful 0 min .com...
Page 326: Sample Syslog Report
CCESS ATEWAY Message Definition AAA_Authentication Subscriber profile was not added to the Access Unsuccessful_Error Gateway authorization table because the credit card server did not recognize the transaction. AAA_lookup Subscriber profile has been recognized and the Added_in_memory_table_pending Access Gateway is waiting to authenticate the user. AAA_Interface Subscriber profile was manually added to the Added_by_administrator...
Page 327: Sample History Log
CCESS ATEWAY Sample History Log A history log is generated by the Access Gateway which includes the system’s activity (Access, Reboot and Uptime). More listings ... Quick Reference Guide...
Page 328: Keyboard Shortcuts
CCESS ATEWAY Keyboard Shortcuts The following table shows the most common keyboard shortcuts. Action Keyboard Shortcut Cut selected data and place it on the clipboard. Ctrl + X Copy selected data to the clipboard. Ctrl + C Paste data from the clipboard into a document (at Ctrl + V the insertion point).
Page 329: Radius Attributes
CCESS ATEWAY RADIUS Attributes RADIUS (Remote Authentication Dial-In User Service) was originally created to allow remote authentication to the dial-in networks of corporations and dial-up ISPs. It is defined and standardized by the IETF (Internet Engineering Task Force) and several RADIUS server packages exist in both the public domain and for commercial sale.
Page 330: Authentication-Request
CCESS ATEWAY The Nomadix Access Gateway RADIUS functionality can be broken down into the following categories: Authentication-Request  Authentication-Reply (Accept)  Accounting-Request  Selected Detailed Descriptions  Nomadix Vendor-Specific RADIUS Attributes  Authentication-Request Username  Password  Service-Type  NAS-Port (port number) ...
Page 331: Accounting-Request
CCESS ATEWAY Class  Session-Timeout  Idle-Timeout  EAP-Packet (used for 802.1x)  Message-Authenticator (used for 802.1x)  Acct-Interim-Interval  Nomadix VSAs:  Nomadix-Bw-Up  Nomadix-Bw-Down  Nomadix-URL-Redirection  Nomadix-IP-Upsell  Nomadix-MaxBytesUp  Nomadix-MaxBytesDown  Nomadix-Net-VLAN  Nomadix-Session-Terminate-End-Of-Day  Nomadix-Subnet ...
Page 332: Selected Detailed Descriptions
CCESS ATEWAY Acct-Session-Time (Stop)  Terminate-Cause (Stop)  NAS ID  NAS-IP Address  NAS-Port-Type  NAS-Port  Framed-IP Address  Acct-Delay-Time  Called-Station-ID  Calling-Station-ID  MaxBytesTotal  MaxGigawordsTotal  Selected Detailed Descriptions Acct-Session-ID The Acct-Session-ID is created when the RADIUS authentication request is built. It is transmitted in both the Access-Request and the Accounting-Request.
Page 333 CCESS ATEWAY MaxGigawordsTotal Number of total gigabytes, to support volume-based billing for total of upstream and downstream traffic. Note that MaxGigawordsTotal is an integer value; use with MaxBytesTotal if you need volume granularity of more than 4 gigabytes. Idle Timeout The WMI allows the setting of a default timeout.
Page 334: Nomadix Vendor-Specific Radius Attributes
Octets and Acct-Input-Octets. If you plan to implement RADIUS, go to “Contact Information” on page 349 Nomadix Technical Support. Nomadix Vendor-Specific RADIUS Attributes Nomadix provides the following vendor-specific RADIUS attributes. This list may vary depending on your configuration. Integer Attribute Description...
Page 335 CCESS ATEWAY Integer Attribute Description Value Nomadix-MaxBytesUp When the number of bytes sent exceeds this value, the user will be logged out of their Radius session. To continue their Internet access the user would have to log in again. Nomadix-MaxBytesDown...
Page 336 CCESS ATEWAY Integer Attribute Description Value Nomadix-Centralized-Mgmt Sets the access for users to the Web Management Interface, Telnet/CLI interface, FTP and the Remote Radius Login test page. Nomadix-Group-Bw-Policy-ID The ID for the bandwidth group. Nomadix-Group-Max-Up Value (in Kbps) restricts the...
Page 337: Setting Up The Ssl Feature
VeriSign). These files are put in as file1:file2:file3:file4:file5 in the key generation command. Downloading Cygwin There are several sources for obtaining “Cygwin” to install OpenSSL. One popular source is: http://sources.redhat.com/cygwin/. Nomadix used Cygwin version 1.3.2 for generating this section of the User Guide. Quick Reference Guide...
Page 338: Installing Cygwin And Openssl On A Pc
CCESS ATEWAY Installing Cygwin and OpenSSL on a PC The example in this document is based on downloading the software with Netscape 4.75. The procedure starts from the Cygwin Net Release Setup Program screen: Click on the Next button. The following screen appears: Click on the button to display the next setup screen.
Page 339 CCESS ATEWAY Click on the Next button to display the next setup screen. Click on the button to display the next setup screen. Next Click on the Next button to display the next setup screen. Quick Reference Guide...
Page 340 Select a location and click on the button. Next For the purposes of this document, Nomadix used: ftp://planetmirror.com. In the following screens, please skip all packages except “cygwin” and “openssl,” then click on the Next when you are done. At the time of this writing, there are more than 70 packages to install. Please ensure that you “skip”...
Page 341: Private Key Generation
CCESS ATEWAY Click on the Next button to start the “download” process. Wait for the download process to complete. Click on the button to start the “install” process. Wait for the install process to complete. Next There will be a pop-up dialog to inform you that the installation process is completed. At the pop-up dialog, click on the button.
Page 342 CCESS ATEWAY Run the “command” prompt from Windows, then click on the button. Go to the c:\cygwin\bin\ directory and run the following command: >openssl genrsa -rand file1:file2:file3:file4:file5 1024 > cakey.pem The following table provides an explanation of the command elements: Quick Reference Guide...
Page 343 CCESS ATEWAY openssl “openssl” command. genrsa A parameter for “openssl” to generate an RSA key. Rand A parameter for “openssl” to generate a random number from the files list. file1:file2…:file5 These five large random files are residing on the workstation (large compressed log files recommended by VeriSign).
Page 344: Create A Certificate Signing Request (Csr) File
CCESS ATEWAY Here is the output of cakey.pem: Create a Certificate Signing Request (CSR) File Run the following command to generate the certificate signing request: >openssl req -new -key cakey.pem > server.csr Quick Reference Guide...
Page 345: Create A Public Key File (Server.pem)
CCESS ATEWAY The following table provides an explanation of the command elements: openssl “openssl” command A parameter for creating a request Defining a “new” request … … from private key > Output to … server.csr … the output file Fill in your company information. If “States” or “Province” names do not exist in your country, please repeat the “Locality Name.”...
Page 346 CCESS ATEWAY This is the procedure to get a 40-bit encryption or 128-bit Public Key from VeriSign. With IE or Netscape, go to www.verisign.com/products/site/index.html. Select for Secure Site Service. Quick Reference Guide...
Page 347 Some older versions of popular browsers only support 40-bit or 56-bit encryption. Since it impossible to forecast the browsers that may be used in a visitor-based network, Nomadix recommends implementing a 40-bit Public Key. During the process, VeriSign will ask for your business information and verification. There are several ways to proof the existence of your business.
Page 348: Setting Up Access Gateway For Ssl Secure Login
CCESS ATEWAY The file, “server.pem” will look like this: You have now finished the process of obtaining a public key. Setting Up Access Gateway for SSL Secure Login FTP the “cakey.pem” and “server.pem” files into the Access Gateway platform's flash directory.
Page 349: Setting Up The Portal Page
CCESS ATEWAY Setting Up the Portal Page System administrators can create login button(s) on the Portal Page, and can setup “http” links for regular logins, secure logins, or both. When subscribers enter the Portal Page, they can then choose either a regular login or a secure login. To setup the Portal Page, add the following: For Regular Logins: http://Access Gateway_ip:1111/usg/login?OS=http://after_login_finished_page.html For Secure Logins:...
Page 350: Mirroring Billing Records
CCESS ATEWAY Mirroring Billing Records Multiple Access Gateway units can send copies of credit card billing records to a number of external servers that have been previously defined by system administrators. The Access Gateway assumes control of billing transmissions and saving billing records. By effectively “mirroring”...
Page 351: Xml Interface
CCESS ATEWAY XML Interface XML for the External Server The Access Gateway sends a string of XML commands according to specifications. HTTP headers are added to the XML packets that are built, as the billing “mirroring” information is Content-length has also been sent to the external server in HTTP compliant XML format.
Page 352 CCESS ATEWAY The packet after the HTTP headers added looks like this: XML to Access Gateway The Access Gateway accepts a single line of XML text in the specified format. The XML string is a command sent by the External Server to the Access Gateway product. In this case, the acknowledgement received from the External Server forms the command.
Page 353 RESULT_VALUE:OK or ERROR IP:Standard IP format (123.123.123.123) ERROR_CODE1 for OK, or any other number Please contact Nomadix Technical Support for the complete XML DTD. Refer to “Contact Information” on page 349. For more information about Billing Records Mirroring, see also: “Billing Records Mirroring”...
Page 354 CCESS ATEWAY Quick Reference Guide...
Page 355: Chapter 6: Troubleshooting
CCESS ATEWAY Troubleshooting This chapter provides information to help you resolve common hardware and software problems. It also contains a list of known error messages associated with the Management Interface. General Hints and Tips  Management Interface Error Messages  Common Problems ...
Page 356: Management Interface Error Messages
CCESS ATEWAY Management Interface Error Messages The following table contains the error messages associated with the Management Interface (CLI and Web). All messages are listed alphabetically. Error Message Cause AAA must be enabled before adding a You are attempting to add a subscriber profile subscriber to the profile database.
Page 357 When upgrading the software, the system FTP a valid boot image to the flash. needs the new boot image file. You must FTP the file from NOMADIX™ to your local hard drive. Warning: no DHCP services are available to This message is displayed because you have subscribers.
Page 358: Common Problems
CCESS ATEWAY Common Problems If you are having problems, you may find the answers here. Problem Possible Cause Solution When using the internal AAA The internal AAA login server Enable communications with login Web server, you cannot communicates with Authorize.Net on port 1111. communicate with Authorize.Net on a specified Authorize.Net.
Page 359 CCESS ATEWAY Problem Possible Cause Solution When a subscriber logs in for Home page redirection is not Enable home page the first time, their browser is enabled in the Access redirection. not redirected to the specified Gateway. home page. The home page URL was Re-enter the correct URL.
Page 360 CCESS ATEWAY This page intentionally left blank. Troubleshooting...
Page 361: Appendix A: Technical Support
The serial number is located on the bottom panel of your Access Gateway. Contact Information You can contact us by Email, fax, telephone, or regular mail. Telephone ++1.818.575.2590 E-mail support@nomadix.com ++1.818.597.1502 Address Nomadix, Inc. 30851 Agoura Rd, Suite 102 Agoura Hills, CA 91301 Attn: Technical Support...
Page 362 CCESS ATEWAY This page intentionally left blank.
Page 363: Appendix B: Glossary Of Terms
10/100 Ethernet See Ethernet. (Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the subscriber’s MAC address and billing information before allowing them to access the Internet and make online...
Page 364 (ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which acts as a request for the next data packet. Adaptive Configuration Technology A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT. ad-hoc mode 802.11x networking framework in which devices or stations communicate directly with each other, without the use of an Access Point (AP).
Page 365 (permanent) IP addresses, or subscribers that do not have DHCP functionality on their computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of their computer’s network settings. See also, DHCP.
Page 366 CCESS ATEWAY Dynamic IP Address A temporary IP address that is assigned by the DHCP server to a device. Devices retain dynamic IP addresses only for the duration of their networking session. When a device disconnects from the network, the IP address is recaptured by the DHCP server and becomes available for reassignment to another device.
Page 367 For example, if a user in California accesses a computer in New York, the computer in New York is considered the host. (Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page of their choice. This allows the solution provider to generate online advertising revenues and increase business Home Page.
Page 368 In particular, the IEEE 802 standards for Local Area Networks are widely followed. iNAT™ (Intelligent Network Address Translation) Nomadix’ iNAT™ feature creates an intelligent mapping of IP addresses and their associated tunnels allowing multiple tunnels to be established to the same server—creating a...
Page 369 Whenever a subscriber logs on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless access to the broadband network. Subscribers no longer need to alter their computer’s settings. See also,...
Page 370 Misconfigured User A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is considered to be “misconfigured.”...
Page 371 CCESS ATEWAY Packet Switching Network Refers to protocols in which messages are divided into packets before they are sent. Each packet is then transmitted individually and can even follow different routes to its destination. Once all the packets forming a message arrive at its destination, they are recompiled into the original message.
Page 372 CCESS ATEWAY Protocol A standard process consisting of a set of rules and conditions that regulates data transmissions between computing devices. Some examples of protocols include HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), TCP/IP (Transmission Control Protocol/Internet Protocol), and POP (Post Office Protocol). All these protocols are responsible for regulating the transmission of their specific data file types.
Page 373 Normally, a solution provider is offering a solution that isn’t readily available on the open market. For example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those customers are solution providers to their end users (network subscribers).
Page 374 CCESS ATEWAY Subnet Address The subnet portion of an IP address that is dedicated to the subnet. In a subnetted network, the host portion of an IP IP Address address is split into a subnet portion and a host portion using an address (subnet) mask. See also, Subnet.
Page 375 CCESS ATEWAY Tunneling A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a Virtual Private Network (VPN). It does TCP/IP this by embedding its own network protocol within the TCP/IP packets carried by the Internet.
Page 376 HTML. For example, XML supports links that point to multiple documents, as opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by the subscriber management module for port location and user administration. Enabling the XML interface allows your Nomadix Gateway to accept and process XML commands from an external source.

This manual is also suitable for:

Ag5600 Ag2400 Ag5900