D-Link DSA-5100 User Manual

AirSpot Gateway

DSA-5100

4-Port AirSpot Gateway

With 2 WAN Ports for Double Internet Bandwidth

The DSA-5100 AirSpot Gateway is a cost-effective device for business and public organizations such as schools, hospitals and
conventions to create a wired or wireless hot spot. This Public/Private Hot Spot Gateway is an Ethernet-based gateway
designed to provide free or fee-based broadband connection to the public users while at the same time providing a separate and
secure private network that shares the same Internet connection. If your business relies on public patronage, you have a way to
give customers access to the Internet, or to networked printers and other resources. If you're a private company that wants to
offer wireless Internet access for your employees, you can do so with the confidence that you're still maintaining a secure
private network that a wireless user will never see. Connect a D-Link wireless access point to the DSA-5100 and you've got a
wireless hot spot. Connect a D-Link switch and your back office computers and printers can share the same broadband
connection.

Double Internet Bandwidth

The DSA-5100 provides 2 WAN ports to double the Internet
connection bandwidth. The WAN ports supports 802.3ad
Link Aggregation industry standard and can be bonded
together into a load-sharing port trunk to eliminate
bottlenecks in heavy Internet access environments. The DSA­5100 provides bandwidth management tools for you to assign
rational bandwidth usage of the 2 WAN ports.

Total Wireless Management Solution

The DSA-5100 Network Access Control System (NACS)
provides functions beyond the AAA standard. Its 4A
management solution supports not only Authentication,
Authorization and Accounting (AAA), but also
Administration for all wireless (and wired) network users.
The gateway has a built-in database of up to 60 customized
access management rules and up to 2,000 user accounts. The
DSA-5100 can support up to 400 users on-line at any single
moment. The gateway also supports POP3, RADIUS, and
LDAP external authentication for larger-scale hot spot
networks. Other features IP plug and play, user bandwidth
control, network policy enforcement, customizable user
timer, login/logout web-page, online traffic monitoring, and
URL redirection provide a number of different ways for your
organization to configure and manage your hot spot as either
as a free or revenue-generating service.

Comprehensive Network Protection

The DSA-5100 includes a built-in DHCP server and a
built-in high-speed routing engine, an easy-to-use web­based graphical user interface (GUI) with SSL protection
to securely and quickly configure the device.
Configuration is also capable through the device's RS-232
console port. To prevent unwanted Internet intruders from
accessing your network, the DSA-5100 has a built-in
Security Firewall with Denial of Service (DoS) prevention.
With IP PnP (Plug and Play) and IP/port redirection
provided by the DSA-5100, users connecting to the hot
spot don't need to re-configure their computer's settings to
send or retrieve e-mail or access the Internet.

Ideal Hot Spot Solution

Capable of serving hundreds of simultaneous, discrete
users, the DSA-5100 gateway is the perfect system for a
mid-size enterprise and organization to provide a wireless
hot spot. In a matter of just a few minutes, your business
or organization can provide a wired or wireless hot spot
while still maintaining a private network that the public
will never see. Whether you're an enterprise, merchants
association, factory, hospital, school, or public library, the
DSA-5100 is your instant hot spot solution.

AirSpot Gateway

Functions & Features

Simplified wireless connection for end users

No extra software required at end-user side
No IP setting change on end-user computers
Friendly end-user connection to login page from web browser
Minimized training cost for hot spot service providers

Beyond the AAA, total wireless management

Satisfies 4 requirements of WLAN management: Authentication, Authorization, Accounting, Administration (4A)
Built-in end-user database with maximum 60 customizable access management rules for different groups
Multiple external authentication systems support: RADIUS, POP3, POP3S, LDAP/AD
Simultaneous support of multiple external authentication hosts
Rational assignment of bandwidth usage through a bandwidth management tools
Wireless Access Point on-line status monitoring through Monitor IP function
Remote system maintenance in safe mode through SSL encryption

Complete security features

Multi-layer traffic control from L2 to L4 with 802.1x standard integration
End-user account information protection through SSL encryption at login
Customizable packet filtering rules through group policies to manage end-users' access
End-user access time control through login schedules management
Multiple protection mechanisms against DoS attacks

Integrated accounting engine

Multiple accounting mechanisms
RADIUS and local-based account records support

Technical Specifications

Hardware

Device Ports

- 2 WAN ports (10/100BASE-TX Ethernet) with 802.3ad
LACP Link Aggregation support

- 1 private LAN port (10/100BASE-TX Ethernet) with 802.1q
VLAN tag support

- 1 public LAN port (10/100BASE-TX Ethernet)
with 802.1x authentication support

- 1 RS-232 console port

- 1 RS-232 auxiliary port (reserved for thermal printer connection)

System Performance

- Maximum concurrent users supported: 400 users

- Maximum network throughput: 90Mbps

Dynamic Memory (RAM Buffer)

128MB

Flash Memory (Firmware)

64MB

LED Indicators

- Power (per device)

- Status (per device)

- Link/Activity (per WAN/LAN port)

Software Features

Networking

- NAT, router and bridge modes

- NAT Plug and-Play

- Static IP, DHCP client and PPPoE client on WAN1 interface

- Static IP, DHCP client and 802.3ad (under static IP) on WAN2 interface

- Built-in DHCP server

- DHCP relay

- Built-in NTP client

- HTTP proxy

- Destination IP/port redirect

- Inter-IP-segment roaming

- IPSec (ESP), PPTP and H.323 pass-through (under NAT)

- Virtual Server Mapping

- DMZ Server Mapping

- Static Route Mapping

User Management

- Maximum local user accounts in built-in database: 2,000 accounts

- Optional MAC address locking with local user database

- Maximum guest accounts: 10 accounts

- MAC ACL

- Maximum number of on-line users: 400 users

- Maximum number of authentication/authorization policies: 5 policies

- External authentication database support: POP3, POP3S, RADIUS, LDAP,
Windows domain

- Allow/disallow multiple login

- User login schedule control

- Customizable logout timer

- Customizable guest session time control

- MAC/ IP address pass-through

- GRIC roaming in

- Customizable Black List

- Local/RADIUS accounting

Security Policy

- Secure HTML login page (SSL)

- 64-bit, 128-bit WEP encryption

- 802.1x user authentication (EAP, MD-5, EAP-TLS)

- Maximum 802.1q VLAN (for LAN ports): 32 VLANs

- VLAN tag range from 2 to 4094

- Machine/Subnet DoS protection

- Customizable packet filter rules by group

- Customizable Walled Garden (free surfing area)

DSA-5100

Technical Specifications

Administration

- On-line status monitoring/traffic data history

- SSL protected administration/user authentication interface

- IP monitoring

- Customizable user login/logout web interface

- Targeted URL redirect after successful login

- Console administration interface

- Web-based administration interface

- SSH remote administration interface

- SNMP v.2 management standard

- External SYSLOG server

- User bandwidth control

- Remote firmware update

- Configuration data backup/restore

Software Specifications

Networking

WAN Fail Condition Handling

- WAN fail condition detection using ICMP echo mechanism to ping
default gateway and DNS periodically

- 2 configurable options prior to WAN failure:
Display error message and block all access
Allow free access without control

Policy Routing Profiles

- 6 sets of policy routing rules

- 10 rules for each policy routing set

NAT/Router Dual Mode Operation

Each VLAN/LAN port separately configurable to different modes of operation

Destination IP/Port Redirection

Maximum 40 definable IP/port redirection rules to force data packets to be
redirected from one destination to another destination

Non-Authentication Private LAN Port

(For connection to desktops and servers)
Hosts on Private LAN still under control of firewall rules

Bridge Mode

- DSA-5100 can be set up as a bridge for easier network integration

- Limitations in bridge mode:
All device interfaces are bridged; VLANs are disabled
Available only when WAN port is set to static IP address

First WAN Port Connection Methods

- Static IP address

- DHCP client

- PPPoE client

Second WAN Port Connection Methods

- Static IP address

- DHCP client

Built-In DHCP Server

- Each LAN port independently configurable/enabled

- Configurable functions: IP pool, leasing time, WINS, DHCP relay, DNS
(per port, primary, secondary)

- Default IP of Public LAN: 192.168.1.40

- Default IP of Private LAN: 192.168.0.40

NAT Application Protocol Pass-Through

When client is under NAT segment, following protocols can be passed through:
IPSEC (ESP), PPTP/L2TP, H.323

HTTP Proxy

Maximum 10 sets of external proxy servers

Inter-Segment Roaming

Authenticated users can roam between VLAN segments without changing their
network settings or re-login to system

Static Route Mapping

- Maximum 6 sets of policy routing rules

- Maximum 10 rules per policy routing set

AirSpot Gateway

Virtual Server Mapping

Maximum 40 configurable mapping rules

DMZ Server Mapping

Maximum 40 configurable DMZ server mapping rules

IP Plug-and-Play Support

Clients can use their existing pre-configured IP address to access Public
LAN or Private LAN port without changing their IP settings *

* This function (1) not supported in bridge mode, (2) does not allow any L3 switch between clients
and DSA-5100.

User Management

Access Control to LAN Port

Users must login first to gain network access

Group

- Maximum 6 user groups (1 guest group, 5 definable user groups)

- Each group configurable to have own name, filter rules, routing,
bandwidth control and schedule control

MAC Address Control

Maximum 40 sets of MAC addresses

External User Database Failure Condition Handling

Displays error message with administrator's contact information

Logout Method

- Manual logout (password & ID key-in required)

- By closing logout window (once user-friendly logout enabled)

Login Method

- Automatic login through user's cached login information

- Customizable maximum remembrance of user ID

Multiple User Databases

Simultaneous support of multiple internal/external user databases for
authentication

Guest User Configuration

Maximum 10 predefined guest accounts configurable as active or inactive

Local User Accounts

- Maximum 2000 user accounts

- User accounts configurable to associate with individual MAC addresses

- Case-insensitive user IDs

RADIUS Authentication

- Primary/secondary RADIUS servers support for
fault-tolerant user authentication

- RADIUS authentication protocols supported: PAP, CHAP

- RADIUS attributes supported: Session Timeout, Idle Timeout

LDAP User Database

- Microsoft Active Directory support

- Configurable fields: LDAP server IP, port number, Base DN

POP3 Authentication

Primary/secondary POP3 mail server support

DSA-5100

Software Specifications

POP3S Authentication

Primary/secondary POP3 mail server with SSL support

Windows Domain Authentication

Microsoft NT domain controller support

Transparent Windows Domain Login

Automatic login to DSA-5100 upon user's successful login to Windows
domain *

* Windows 2000 domain controller support only

GRIC Roaming

GRIC users can use DSA-5100 UAM to login to controlled network

Definable Guest Permission

Maximum 10 definable filter rules

Black List

Maximum 5 Black Lists to disallow up to 50 pre-defined user accounts
from network access

User Login Schedule Profile

Maximum 5 schedules to control matrixes by the hour

Guest Session Time Control

1 to 12 hours' limit (default: no limit)

Local/RADIUS Accounting

- Local accounting mode generated CDR-liked recorder containing fields:
Start time
End time
User ID
User MAC
User IP
Packets In
Bytes In
Packets Out
Bytes Out

- RADIUS accounting mode accounting attributes: *
User-Name
Calling-Station-ID
Framed-IP-Address
Acct-Terminate-Cause
Acct-Input-Octets
Acct-Output-Octets
Acct-Input-Packets
Acct-Output-Packets

* Generated using standardized RADIUS accounting protocols and put on RADIUS server

Firewall

Firewall Profiles

- 6 sets of IP filtering rules (50 rules for the Global set, 10 rules for
each set of other IP filters)

- Following fields can be applied to machines and subnets controlled
by DSA-5100:
Protocol
Port/port range
Source MAC
Source/destination interface
Source/destination IP address/segment

Walled Garden

IP/IP segments defined in Walled Garden can be visited prior to user login

Machine/Subnet DoS Protection

- NMAP FIN/URG/PSH

- Xmas Tree

- SYN/RST

- Ping of Death

- Null Scan

- SYN/FIN

Administration

Customizable User Login/Logout Page

- Uploaded login/logout page may include images

- Image size for all uploaded images limited to 512KB

- Login/logout pages can be enabled/disabled through 128-bit SSL

AirSpot Gateway

Home Page Support

- System administrator can customize home page

- 2 firmware versions for different regions using different default
home pages

- Default homepage for USA: www.dlink.com

- Default homepage for other areas: www.dlink.co.uk

Authentication Policy

- 5 sets of management types (including 1 default management type)
distinguished by postfix

- Postfix of default group can be omitted for users in default group

- Each management type can be associated with a Black List and
an authentication database

- Users in a management type can belong to different user
groups according to various pre-defined attribute-matching rules

Online User Monitoring

- Real-time monitoring tool containing following fields:
User ID
IP
MAC address
Packets In/Bytes In
Packets Out/Bytes Out
Idle time in seconds

- System administrator can logout online users individually
from monitoring function

Off-line Usage History

- History file contains following fields:
Start/End Time
User ID
IP
MAC Address
Packets In/Bytes In
Packets Out/Bytes Out

- History log file can be periodically sent to system administrators in
pre-defined time interval from 1 hour to 24 hours through email system

- Generated history log files can be kept maximum 4 days

- Customizable received administrator mail account and received
history mail account

- History log accessible from specific IP address

- Local time display on history log

Web-Based Administration

SSL protected

Serial Console Management Functions

- Restore to factory default

- Change administrator's password

- Network debug utilities

- Device service status check

SSH Remote Management Functions

- Restore to factory default

- Change administrator's password

- Network debug utilities

- Device service status check

Remote Firmware Upgrade

Via a web-based administration UI

External SYSLOG

External SYSLOG server can store log data for DSA-5100.

Monitor IP List

- Using ICMP echo mechanism, DSA-5100 checks accessibility for
all devices configured in Monitor IP List

- Maximum 40 sets of IP can be defined in Monitor IP List

- If any device in this list loses contact, DSA-5100 will send an
alarm message to its system administrators via e-mail

SNMP Support

SNMP v.2c read-only access (basic MIBs only)

Welcome E-Mail Message

- Contains guidance to access DSA-5100

- This message will be sent when users try to receive e-mail
before actually logged into DSA-5100 *

* Supports POP3 protocol

DSA-5100

Technical Specifications

MAC/IP Pass-Through

Provides 100 sets of IP addresses and 100 sets of MAC addresses,
which can bypass login procedure but still have all general user
permissions applied

Idle Timeout

Provides different idle timeouts for guest groups

Sorry Page

- Mechanism to detect abnormal status of Internet connection and
backend systems

- Displayed when WAN or external user database fails

- Sorry page will replace login page until abnormal status is recovered

Max Bandwidth Control

- Configurable bandwidth control to limit all groups

- Bandwidth control customizable by group in KB/MB per second
(64KB, 128KB, 256KB, 512KB, 1MB, 2MB, 5MB, 10MB, unlimited)

Wizard Support

Setup wizard for easy system configuration

Specific User Account Support

- Provides manager account

- Can only access specific pages (e.g. Authentication Policies, Group
Configuration, Black List Configuration, Guest User Configuration,
Roaming Configuration, User Control, Upload File)

- If access to other pages attempted, system will display alarm message

AirSpot Gateway

Certificate to Upload

Provides upload customer key page and upload customer certificate
page for user upload certificate

API Support

Provides API following attributes:

- Package size translated (in bytes)

- Timeout control

- Kick off users

Physical & Environmental

Power

110 to 240 VAC 50/60Hz
Internal universal power supply

Dimensions

425 mm (W) x 240 mm (D) x 44 mm (H) (device only)
19-inch rack-mount width, 1 U height

Weight

3.3kg (device only)

Operating Temperature

5 to 45 C

Storage Temperature

-25 to 55 C

Operating Humidity

5% to 95% non-condensing

EMI Certification

- FCC Class A

- CE Class A

Safety Approval

UL

Ordering Information

DSA-5100 4-Port AirSpot Ticket Printer

Specifications subject to change
without prior notice.
D-Link is a registered trademarks of
D-Link Corporation/D-Link System Inc.
All other trademarks belong to their
proprietors.

Rev. 01 (Sep. 2004)

U.S.A
Canada
Europe
Germany
France
Netherlands
Belgium
Italy
Iberia
Sweden
Norway
Denmark
Finland
Singapore
Australia
China
India
Middle East (Dubai)
Turkey
Egypt
Israel

Latin America

Brasil
South Africa
Russia
Taiwan
D-Link Corp.

TEL: 1-714-885-6000
TEL: 1-905-8295033
TEL: 44-20-8731-5555
TEL: 49-6196-77990
TEL: 33-1-30238688
TEL: 31-10-282-1445
TEL: 32(0)2-517-7111
TEL: 39-2-2900-0676
TEL: 34-93-4090770
TEL: 46- 0 8564-61900
TEL: 47-23-897189
TEL: 45-43-969040
TEL: 358-9-2707-5080
TEL: 65-6774-6233
TEL: 61-2-8899-1800
TEL: 86-10-5863-5800
TEL: 91-022-2652-6696
TEL: 9714-3916480
TEL: 90-212-335-2553
TEL: 202-414-4295
TEL: 972-9-9715700
TEL: 56-2-232-3185
TEL: 55-11-55039320
TEL: 27-1266-52165
TEL: 7-095-744-0099
TEL: 886-2-2910-2626
TEL: 886-2-2916-1600

()

FAX: 1-866-743-4905
FAX: 1-905-8295223
FAX: 44-20-8731-5511
FAX: 49-6196-7799300
FAX: 33-1-30238689
FAX: 31-10-282-1331
FAX: 32(0)2-517-6500
FAX: 39-2-2900-1723
FAX: 34-93-4910795

()

FAX: 46-0 8564-61901
FAX: 47-22-309085
FAX: 45-43-424347
FAX: 358-9-2707-5081
FAX: 65-6774-6322
FAX: 61-2-8899-1868
FAX: 86-10-5863-5799
FAX: 91-022-2652-8914
FAX: 9714-3908881
FAX: 90-212-335-2500
FAX: 202-415-6704
FAX: 972-9-9715601
FAX: 56-2-232-0923
FAX: 55-11-55039322

-

FAX: 27 1266-52186
FAX: 7-095-744-0099#350
FAX: 886-2-2910-1515
FAX: 886-2-2914-6299

DSA-5100

Technical Specifications

DRS-200

RADIUS
Authentication
Server
F/W Profiles
QoS Profiles
Login Schedules

AirSpot Gateway

Cable/DSL Modem

Router

Authentication
Server
RADIUS
LDAP/AD
POP3
POP3S

File
Server

Wired Clients

POP3 Authentication Server
F/W Profiles
QoS Profiles
Login Schedules

To cost-effectively double your Internet bandwidth, you can (1) connect both
WAN ports of your AirSpot Gateway to two separate lower rate/lower charge
broadband lines, then (2) allocate your users/servers' traffic to different WAN
ports to create an even load balance.