GemTek Technology AP930621G User Manual

Download

54Mb Hotspot-in-a-Box

P-560

User’s Guide

Revision 1.2 March 3, 2004

www.gemtek-systems.com

Federal Communication Commission Interference Statement

Gemtek Systems declares that P-560 ( FCC ID: MXF-AP930621G ) is limited in CH1~CH11 by specified  firmware controlled in U.S.A.

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

- Reorient or relocate the receiving antenna.

- Increase the separation between the equipment and receiver.

- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

- Consult the dealer or an experienced radio/TV technician for help.

FCC Caution: To assure continued compliance, any changes or modifications not expressly

approved by the party responsible for compliance could void the user’s authority to operate this equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

IMPORTANT NOTE:

FCC Radiation Exposure Statement:

This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

This user’s guide and the software described in it are copyrighted with all rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means without the written permission of Gemtek Systems Holding BV.

Notice

Gemtek Systems reserves the right to change specifications without prior notice.

While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. Gemtek Systems shall be liable only to the degree specified in the terms of sale and delivery.

The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from Gemtek Systems.

Trademarks

The product described in this book is a licensed product of Gemtek Systems Holding BV.

Microsoft, Windows 95, Windows 98, Windows Millennium, Windows NT, Windows 2000, Windows XP, and MS-DOS are registered trademarks of the Microsoft Corporation.

Novell is a registered trademark of Novell, Inc.

MacOS is a registered trademark of Apple Computer, Inc.

Java is a trademark of Sun Microsystems, Inc.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

All other brand and product names are trademarks or registered trademarks of their respective holders.

Gemtek Systems Page 3

User’s Guide Contents

Contents

Copyright .............................................................................................................................................3

Notice ..................................................................................................................................................3

Trademarks .........................................................................................................................................3

CONTENTS ............................................................................................................................................4

ABOUT THIS GUIDE..............................................................................................................................7

Purpose ............................................................................................................................................... 7

Prerequisite Skills and Knowledge......................................................................................................7

Conventions Used in this Document ...................................................................................................7

Help Us to Improve this Document! ....................................................................................................7

Gemtek Systems Technical Support...................................................................................................7

CHAPTER 1 – INTRODUCTION ............................................................................................................8

Product Overview ................................................................................................................................8

Management Options .......................................................................................................................... 9

Access Controller Features ................................................................................................................. 9

INSTALLATION.................................................................................................................................... 11

The Product Package........................................................................................................................11

Hardware Introduction ....................................................................................................................... 12

General Overview ..........................................................................................................................12

Back Panel.....................................................................................................................................13

LEDs ..............................................................................................................................................13

Connectors.....................................................................................................................................14

Connecting the Access Controller..................................................................................................... 15

Initialization........................................................................................................................................ 16

Software Introduction: KickStart ....................................................................................................16

Access Your P-560 ........................................................................................................................16

Step by Step Setup ...........................................................................................................................19

CHAPTER 3 – UNIVERSAL ADDRESS TRANSLATION ................................................................... 22

CHAPTER 4 – USER PAGES ..............................................................................................................24

User Pages Overview........................................................................................................................25

Welcome Page...............................................................................................................................25

Login Page.....................................................................................................................................25

Logout Page...................................................................................................................................26

Help Page ......................................................................................................................................27

Unauthorized Page ........................................................................................................................27

Changing User Pages ....................................................................................................................... 28

Example for External Pages ..........................................................................................................28

Example for Internal Pages ...........................................................................................................30

Extended UAM .................................................................................................................................. 33

Parameters Sent to WAS...............................................................................................................35

CHAPTER 5 – COMMAND LINE INTERFACE....................................................................................39

Introduction........................................................................................................................................ 39

Get Connection to CLI.......................................................................................................................39

Telnet Connection..........................................................................................................................39

SSH Connection ............................................................................................................................40

Login.................................................................................................................................................. 40

Connection ........................................................................................................................................40

Gemtek Systems Page 4

User’s Guide Contents

Network .............................................................................................................................................41

Wireless............................................................................................................................................. 43

User ................................................................................................................................................... 44

Status ................................................................................................................................................45

System...............................................................................................................................................45

Telnet.................................................................................................................................................46

Reboot............................................................................................................................................... 46

Reset ................................................................................................................................................. 46

Exit.....................................................................................................................................................46

CHAPTER 6 – SNMP MANAGEMENT ................................................................................................ 47

Introduction........................................................................................................................................ 47

SNMP Versions .................................................................................................................................47

SNMP Agent...................................................................................................................................... 48

SNMP Community Strings.................................................................................................................48

Use SNMP to Access MIB.................................................................................................................49

Gemtek Private MIB .......................................................................................................................... 49

CHAPTER 7 – REFERENCE MANUAL............................................................................................... 50

Web Interface ....................................................................................................................................50

Network Interface .............................................................................................................................. 52

Network Interface | Configuration | Interface Configuration...........................................................52

Network Interface | Configuration | VLAN......................................................................................54

Network Interface | Configuration | Route......................................................................................55

Network Interface | Configuration | Port Forwarding .....................................................................56

Network Interface | Configuration | Management Subnet..............................................................57

Network Interface | DNS ................................................................................................................58

Network Interface | DHCP .............................................................................................................59

Network Interface | RADIUS ..........................................................................................................62

Network Interface | RADIUS | RADIUS Settings ...........................................................................63

Network Interface | RADIUS | RADIUS Servers............................................................................65

Network Interface | RADIUS | WISP..............................................................................................67

Network Interface | RADIUS | Proxy..............................................................................................67

Network Interface | RADIUS | Accounting Backup ........................................................................69

Network Interface | Tunnels...........................................................................................................70

Network Interface | Tunnels | PPPoE/PPTP/GRE.........................................................................70

Network Interface | Tunnels | PPTP Client for VPN ......................................................................71

Network Interface | Tunnels | GRE Client for VPN ........................................................................72

Network Interface | Wireless..........................................................................................................75

Network Interface | Wireless | Basic ..............................................................................................75

Network Interface | Wireless | Advanced.......................................................................................77

Network Interface | Wireless | Security..........................................................................................77

Network Interface | Wireless | ACL................................................................................................78

Network Interface | Wireless | WDS ..............................................................................................80

User Interface.................................................................................................................................... 82

User Interface | Configuration | Pages...........................................................................................82

User Interface | Configuration | Upload .........................................................................................83

User Interface | Configuration | Headers .......................................................................................83

User Interface | Configuration | Remote Authentication ................................................................84

User Interface | Configuration | One-Click Roaming .....................................................................85

User Interface | Administrator ........................................................................................................86

User Interface | Start Page ............................................................................................................87

User Interface | Walled Garden .....................................................................................................87

User Interface | Web Proxy............................................................................................................89

System...............................................................................................................................................90

System | Configuration | Syslog.....................................................................................................90

System | Configuration | Trace System .........................................................................................91

System | Configuration | Clock ......................................................................................................91

Gemtek Systems Page 5

User’s Guide Contents

System | Configuration | NTP ........................................................................................................92

System | Configuration | Certificate ...............................................................................................93

System | Configuration | Save and Restore...................................................................................94

System | Configuration | Pronto.....................................................................................................95

System | Access | Access Control .................................................................................................96

System | Access | Telnet ...............................................................................................................97

System | Access | AAA ..................................................................................................................98

System | Access | UAT ..................................................................................................................99

System | Access | Isolation ..........................................................................................................100

System | Access | NAV ................................................................................................................100

System | Access | SNMP .............................................................................................................101

System | Status............................................................................................................................104

System | Reset.............................................................................................................................107

System | Update ..........................................................................................................................108

Connection ......................................................................................................................................110

Connection | Users ......................................................................................................................110

Connection | E-mail Redirection ..................................................................................................112

Connection | Station Supervision.................................................................................................112

APPENDIX.......................................................................................................................................... 113

A) Access Controller Specification ..................................................................................................113

Technical Data.............................................................................................................................113

B) Factory Defaults for the Access Controller ................................................................................. 115

C) Regulatory Domain/Channels ....................................................................................................122

D) CLI Commands and Parameters................................................................................................ 123

Network Commands ....................................................................................................................123

Wireless Commands....................................................................................................................127

User Commands..........................................................................................................................128

System Commands .....................................................................................................................129

Status Commands .......................................................................................................................131

Connection Commands ...............................................................................................................131

E) Standard RADIUS Attributes ...................................................................................................... 133

Vendor Specific Attributes ...........................................................................................................134

F) Location ID and ISO Country Codes ..........................................................................................136

G) User Pages Templates Syntax................................................................................................... 140

GLOSSARY ........................................................................................................................................145

INDEX .................................................................................................................................................150

Gemtek Systems Page 6

User’s Guide About this Guide

About this Guide

Purpose

This document provides information and procedures on hardware installation, setup, configuration, and management of the Gemtek Systems high performance 56Mb Hotspot-in-a-Box model P-560. The P-560 is a highly integrated Access Controller for public access areas. We will call it AC later in the manual.

Prerequisite Skills and Knowledge

To use this document effectively, you should have a working knowledge of Local Area Networking (LAN) concepts and wireless Internet access infrastructures. In addition, you should be familiar with the following:

 Hardware installers should have a working knowledge of basic electronics and mechanical

assembly, and should understand related local building codes.

 Network administrators should have a solid understanding of software installation procedures for

network operating systems under Microsoft Windows 95, 98, Millennium, 2000, NT, and Windows XP and general networking operations and troubleshooting knowledge.

Conventions Used in this Document

The following typographic conventions and symbols are used throughout this document:

Very important information. Failure to observe this may result in damage.

Important information that should be observed.

bold

code

<value>

[value]

Additional information that may be helpful but which is not required.

Menu commands, buttons and input fields are displayed in bold

File names, directory names, form names, and system-generated output such as error messages are displayed in constant-width type

Placeholder for certain values, e.g. user inputs

Input field format, limitations, and/or restrictions.

Help Us to Improve this Document!

If you should encounter mistakes in this document or want to provide comments to improve the manual please send e-mail directly to:

manuals@gemtek-systems.com

Gemtek Systems Technical Support

If you encounter problems when installing or using this product, please consult the Gemtek Systems website at www.gemtek-systems.com for:

 Direct contact to the Gemtek Systems support centers.  Frequently Asked Questions (FAQ).  Download area for the latest software, user documentation and product updates.

Gemtek Systems Page 7

User’s Guide Chapter 1 – Introduction

Chapter 1 – Introduction

Thank you for choosing the Gemtek Systems 54 Mb High Performance Hotspot-in-a-Box.

The Gemtek Systems P-560 is a high performance and highly integrated Access Controller for public access networks. It combines a high-speed wireless LAN Access Point, an IP Router, a 4-port LAN Switch and a complete Access Controller for Wi-Fi Hotspots in one box. One single P-560 can serve up to 100 simultaneous users (depending on SW license), takes control over authentication, accounting and routing to the Internet as well as to the operator’s central.

Product Overview

Scalable With Customer Needs

The P-560 Access Controller can be ordered with three different software licenses allowing operators to extend functionality as their business grows. The basic “Bronze” license already supports all required functions to operate a public access network for up to 20 simultaneous subscribers. The “Silver” license is an upgrade for unlimited users (up to 100) and multiple WISP support whereas the “Gold” software enables wireless LAN switching and remote AP management to the network.

Authentication, Authorization & Accounting

The P-560 supports multiple secure authentication methods from standard web browser login (Universal Access Method), MAC authentication, to 802.1x/EAP with passwords, certificates or SIM cards. The integrated real-time accounting system is based on standard RADIUS/EAP and supports various billing plans from prepaid, pay-per-time, per-volume, per-use or flat rate. Integration into existing OSS/BSS systems can be done with ease.

Service Differentiation

The integrated Web server of the P-560 allows flexible interaction with common web application servers, facilitating the provisioning of differentiated services with bandwidth management, location based and personalized services. Inter-Provider roaming and multi-OSS support is guaranteed by the persistent usage of standardized protocols and interfaces like RADIUS, HTTPS and XML. As all Gemtek Systems Access Controllers P-560 is compliant with the recommendations of the Wi-Fi Alliance WISP roaming group.

Remote Control

The P-560 Hotspot-in-a-Box is placed at the edge of a broadband access network and allows operators to provide cost effective public Wi-Fi services, by managing per user access control, device configuration, and radio performance centrally from the operations centre. HTTPs, telnet, SSH or SNMP over VPN can be used for secure remote management.

Privacy

P-560 supports different levels of security and data encryption. Client stations can be separated on link layer (Layer2 User Isolation), preventing intruders from accessing the hard discs of other users. User credentials (passwords) are protected by SSL or EAP-based authentication methods. User traffic can be encrypted either by VPNs (pass-through) by Wi-Fi Protected Access (WPA). Operators and service providers can make use of the integrated VPN/tunneling protocols to protect AAA and management traffic.

Gemtek Systems Page 8

User’s Guide Chapter 1 – Introduction

Management Options

You can use the Access Controller management systems through the following interfaces:

 Web-browser interface  Command Line interface (CLI)  Simple Network Management Protocol (SNMP v1, v2, v3)

The AC management system pages are organized the same way for the web-browser interface and the CLI. This user manual provides detailed description of each management option.

Access Controller Features

WLAN

 802.11b+g compliant, 1-54Mbps with auto-fallback  Wi-Fi compliant  Concurrent 802.11b and 802.11g access  WDS support (concurrent bridge and AP mode)  WPA support  Antenna diversity  SMA connectors for external antennas  Adjustable RF output power  High receiver sensivity (up to -90 dBm@1Mbps, 8%PER)

AAA

 Multiple authentication methods: UAM, 802.1x/EAP, RADIUS, MAC, Smart Client (e.g. iPass)  WISPr compliant  Internal and external accounting backups  Internal or external web server  Remote user login, logout, session status control via https/XML  AAA proxy server (for simultaneous EAP and UAM)  Per user bandwidth management  Web proxy support

IP Router and IP address management

 Static IP routing table  NAT/NAPT (IP masquerading)  Port-forwarding  Transparent VPN client pass-through (PPTP, IPsec ESP)  Selective source routing (in preparation)  PPPoE client  PPTP client  DHCP server, relay gateway (suboptions), DHCP client  Multiple IP pools per user group  UAT (Universal Address Translation)  SMTP redirection (e-mail)

VPN

 PPTP VPN client, max. 16 tunnels  MPPE (40, 56, 128 bit encryption)  GRE VPN client, max. 16 tunnels  IPsec client (in preparation)

Gemtek Systems Page 9

User’s Guide Chapter 1 – Introduction

LAN switch

 Managed 4-port switch 10/100Mb, auto-sensing  802.1q/p tagged VLAN support (in preparation)

Management

 Secure management via https, SSH, SNMP  SNMP proxy  SNMPv3 (incl. authentication and encryption)  Management subnet for remote AP and switch management  Remote firmware update

Gemtek Systems Page 10

User’s Guide Installation

Installation

This chapter provides installation instructions for the hardware and software components of the Access Controller P-560. It also includes the procedures for the following tasks:

 Hardware Introduction (LEDs, Connectors)  Connecting the Access Controller  First Configuration  Step-by-Step Setup

The Product Package

The Access Controller comes with the following:

 54Mb High Performance Hotspot-in-a-Box (model: P-560)  Detachable Antennas (SMA type, 2 units)  Power Cord for EU (1 unit)  Power Adapter (5V, 2.5A, 1 unit)  Ethernet Patch Cable (STP, 1.8 m length, 2 units)  Mounting Kit, included tool to remove AP from wall mounting (1 unit)  Installation CD containing:

 P-560 User Guide in PDF format  User Pages Templates Samples  KickStart Utility  Product Firmware  Release Notes  Adobe Acrobat Readers

 Printed Warranty Note

If any of these items are missing or damaged, please contact your reseller or Gemtek System sales representative.

Gemtek Systems Page 11

User’s Guide Installation

Hardware Introduction

General Overview

Figure 1 – P-560 Access Controller General View

The front panel of the Access Controller contains:

 A series of indicator lights (LEDs) that help describe the state of various networking and

connection operations.

The reverse panel of the Access Controller contains:

 Connectors which enable you to make different network connections for the controller  Reset button enables you to reboot or reset the device configuration to the factory defaults

Press the Reset button for less than 5 seconds to reboot the controller.

Press the Reset button for more than 5 seconds to set the controller to factory defaults.

Gemtek Systems Page 12

User’s Guide Installation

Back Panel

Figure 2 – Back Panel of the P-560

The back panel of the Access Controller contains:

 Model and device name (see item 1 in figure above). The official device name is 54Mb Hotspot-

in-a-Box, model P-560.

 MAC address of the device. The label (item 2 in figure above) shows the WLAN interface MAC

address of the device. You can determine the WAN and LAN interfaces’ MAC addresses by a simple calculation:

 LAN interface MAC = WLAN MAC + 1  WAN interface MAC = WLAN MAC + 2

LEDs

The Access Controller has several LEDs located on the front panel:

1 234 5

Figure 3 – LEDs of the P-560

Gemtek Systems Page 13

User’s Guide Installation

The various states of the LEDs indicate different networking and connection operations as follows:

Item LED Color Status Indication

1 Power

On P-560 is active/working Green

Blink P-560 is booting

Orange On Writing to FLASH memory

2 Online Green

PPPoE/PPTP/GRE tunnel for DSL is active on P-560

Off

No active PPPoE/PPTP/GRE tunnel for DSL on P-560

3 WAN Orange On WAN active/working

4 WLAN Orange On WLAN active/working

Green On 100 Mbps network connection exists 5 LAN (1, 2, 3, 4)

Orange On 10 Mbps network connection exists

Connectors

The Access Controller has several connectors on the rear panel:

1 2 3 4

Power

Figure 4 – Connectors

Reset

LAN 4321

Internet

Descriptions of the connectors are given in the following table:

Item Connector Description

1 Power For power supply

2 Reset

3 LAN (1, 2, 3, 4)

4 Internet For Internet connection

Reboot or reset to factory defaults.

Press the reset button for less than 5 seconds to reboot the controller. Press the reset button for more than 5 seconds to set the controller to factory defaults

For enterprise applications use this port to connect your company LAN, Intranet or to hotspot access points

Gemtek Systems Page 14

User’s Guide Installation

Connecting the Access Controller

Use the following procedure to prepare your network connection to the Access Controller.

Use the enclosed power adapter and power cord for power supply of your Access Controller.

Step 1 Place the Access Controller on a flat work surface.

Step 2 Connect one Ethernet patch cable to the LAN port of the Access Controller and to

a free hub port on your local network.

Step 3 Connect one Ethernet patch cable to the WAN port of the Access Controller and to

an Ethernet port of a broadband Internet modem or router.

Step 4 Connect the power cord to your power adapter. Connect power adapter to the

Access Controller.

Step 6 Wait 30 seconds until the boot process is finished and check to ensure that at least

the following LEDs are ON:

 Status LED (steady On)

 WAN LED

 LAN LED

 WLAN link LED

Gemtek Systems Page 15

User’s Guide Installation

Initialization

There are two choices for the first web browser connection to your Access Controller: either you enter your access controller's IP address and subnet (default networks settings) into the browser or you launch the KickStart utility that is provided with your product CD.

The default network settings for your new access controller are:

LAN port: IP 192.168.3.1 subnet 255.255.255.0

WAN port: IP 192.168.2.66 subnet 255.255.255.0

WLAN port: IP 192.168.4.1 subnet 255.255.255.0

DHCP Server: enabled for LAN and WLAN ports

For other management methods: SNMP and command line interface (CLI) please

Software Introduction: KickStart

The Gemtek Systems KickStart is a software utility that is included on the Installation CD.

refer to their respective chapters.

The utility automatically detects access points and access controllers installed on your network, regardless of its host IP address and lets you configure each unit’s IP settings. The feature list for the KickStart utility is listed below:

 Scanning your subnet for all connected APs, ACs  Quick access to your AC via HTTPS, telnet, SSH  Setting new IP address of your AC  Reset to factory default settings  Default access (in case of lost administrator password)  Firmware updates

To install the KickStart utility insert the Installation CD into your CD-ROM drive. Find and install the utility from the product CD into the computer.

If the Installation CD does not start automatically, please run “autorun.exe” manually from the root directory of the installation CD.

Access Your P-560

There are two choices for the first Web browser connection to your access point:

 Use the Web browser.  Launch the KickStart utility that is provided with your product CD.

If first method is preferred follow these instructions:

Step 1 Configure your PC with a static IP address on the 192.168.2.0 subnet with mask

255.255.255.0. Connect the P-560 in to the same physical network as your PC. Open the Web browser and type the default IP address of the P-560:

https://192.168.2.66/a.rg

Step 2 Enter the P-560 administrator login details to access the Web management.

Gemtek Systems Page 16

User’s Guide Installation

The default administrator log on settings for all access point interfaces are: User Name: admin Password: admin01

Step 3 After successful administrator log on you will see the main page of the access

controller’s Web interface:

If second method is prefered follow the instuctions:

Step 1 Install the KickStart utility from the Installation CD. Click Start > Programs > GSI

> KickStart to launch the application. If the P-560 device is connected to your

network, the utility will automatically find your AC:

Gemtek Systems Page 17

User’s Guide Installation

Step 2 Select your controller and right click. Select Open WEB item to launch the web

management interface through the secure https connection:

Step 3 Enter the Access Controller administrator login settings to access the web

management interface.

The default administrator log on settings for all controller interfaces are:

Step 4 After successful administrator log on you will see the controller web interface. The

Now you are enabled to perform the initial controller configuration. Follow the next section for step-bystep setup instruction to configure the device according to your needs.

User name: admin Password: admin01

controller system statistics page is displayed by default:

If you cannot connect to the device via your web browser because of TCP/IP misconfiguration, you can reset the product to the factory default. Press the reset button for more than 5 seconds.

Gemtek Systems Page 18

User’s Guide Installation

Step by Step Setup

Step 1. Interface Set-Up

In the network interface | configuration menu you can set the TCP/IP settings. Eth0 is preconfigured as the WLAN port of your Access Controller, Ixp1 is the WAN port, and Ixp0 is the LAN port. You can modify these settings according to your local network requirements. Make sure that IP subnets do not overlap.

Figure 5 – Interface Configuration Settings

If DHCP client, PPPoE, or PPTP is selected as a dial-up protocol for the WAN interface the WAN settings of this table will be overwritten by the values retrieved from the Internet Provider.

Step 2. DNS Set-Up

In the network interface | DNS menu you can specify your local domain name server or enter the DNS server provided by your ISP (Internet Service Provider).

Figure 6 – DNS Redirection

DNS is set automatically if provided by the ISP dynamically via DHCP, PPPoE or

Step 3. IP Address Management

For automatic IP assignments to client stations, set the DHCP settings in the network interface | DHCP menu according to your TCP/IP configuration from step 1. Only use address ranges within the

corresponding IP subnet of the LAN interface. In addition you can switch on the Universal Address Translation function in the system | access | UAT menu. With UAT users do not need to change their local TCP/IP settings to log on to the Access Controller. The Access Controller will translate fixed IP numbers used in private networks transparently for the user.

PPTP.

Please refer to Chapter 3 – Universal Address Translation for further details to avoid IP conflicts.

Step 4. RADIUS Set-Up

In the network interface | RADIUS settings menu you can first define the local settings of the integrated RADIUS client of the Access Controller. For example you can modify timeouts and the NAS server ID (name of the RADIUS client):

Gemtek Systems Page 19

User’s Guide Installation

Figure 7 – RADIUS Settings

On the second page: network interface | RADIUS servers you can specify up to 32 different RADIUS servers for authentication and accounting (see Figure 8 – RADIUS Servers). The first line of

this table is the default server (can be configured as default). Thus, if a user cannot be associated to any specific service provider by his login name, the Access Controller will send authentication and accounting messages to the first RADIUS server on the list.

Figure 8 – RADIUS Servers

Make sure that the RADIUS server is up and running and is able to receive authentication requests from the Access Controller.

On the download pages at www.gemtek-systems.com

Step 5. Welcome/Login/Start pages

The most popular authentication method for public users is the UAM (Universal Access Method). UAM can be enabled using the system | access | AAA menu. With UAM users can log-on to the

Access Controller using their web browser. As an operator of a wireless access service you can provide a custom set of web pages to your subscribers.

 welcome page (default = on) - the first page that is presented when users start their web

browser.

 login page (default = on) – the page containing the log-on fields for user name and

password. This page is presented as default when the welcome page is disabled.

 logout page (default = on) - the page that pops up after successful authentication. It includes

information about the online session such as online time and transferred data.

 help page (default = on) - the page with online help information for log-on.  start page (default = on) - the default-page that will be presented to the user after successful

log-on.

 unauthorized page (default = on) - the page which appears if web login method is disabled.

guides for common RADIUS servers.

you will find quick installation

Gemtek Systems Page 20

User’s Guide Installation

The default user login page looks like the picture below:

Figure 9 – Example of a Simple Login Page

You have full flexibility to modify and adapt all these pages to your needs and personal designs. For initial set up and testing we recommend you use the default configuration, which will present a simple login window with input fields for user name and password.

Enter any start page you like in the user interface | start page menu. In addition you can define a number of free web sites in the walled garden table on the user interface menu.

For more information on how to build your own user pages please refer to Chapter

Step 6. Change Administrator Password

Before saving your initial configuration don’t forget to change the administrator password in the user interface | administrator menu.

Step 7. E-mail Redirection

If you have a SMTP mail server available for your subscribers enter its IP address and SMTP port number in the connection menu under the item e-mail redirection. All outgoing e-mail passing through the Access Controller will be redirected to this server.

Step 8. Save Configuration and Restart

Make sure you have saved your changes from each of the first seven steps and then press the restart button on the lower side of the web management screen. After 10-15 seconds you can reload the admin pages or start to log on to the Access Controller as a user.

Users connected to the LAN port of the Access Controller can type in any URL in their browser and they will be redirected to your defined welcome (if enabled) and login pages. Administrators can monitor connected users via the connection | users menu.

4 – User Pages.

Gemtek Systems Page 21

User’s Guide Chapter 3 – Universal Address Translation

Chapter 3 – Universal Address Translation

Universal Address Translation (UAT) allows Hotspot operators to offer true Plug&Play access for their subscribers.

With UAT enabled, the Access Controller will automatically and transparently translate fixed IP settings (IP address, gateway, DNS, proxy server) on a user’s PC enabling him to connect to the broadband Internet service.

Without UAT public access, subscribers are forced to switch their TCP/IP settings to DHCP (automatic IP address assignment), potentially losing any fixed IP address settings they previously entered.

When using UAT operators have to be aware of some principal limitations:

IP: 10.1.1.1/16

IP: 192.168.2.100

IP: 192.168.2.66/24

IP Conflict

Conflict: Subscribers cannot access WAN services if their IP address overlaps the IP subnet of the WAN port.

Work-around: Use a public IP address or a seldom-used private IP address (range) for the WAN port.

IP Conflict

IP: 10.1.1.1

IP: 10.1.1.1/16

IP: 192.168.2.66/24

Conflict: Subscriber’s IP address must not be identical to the LAN IP address of the Access Controller.

Work-around: Use a seldom-used IP address range for the LAN port.

Gemtek Systems Page 22

User’s Guide Chapter 3 – Universal Address Translation

Conflict: Two subscribers connected to one Access Controller cannot use the same IP address. For instance, this situation can happen when DHCP and UAT are used in parallel.

Work-around: Enable the DHCP service.

The subscriber’s IP address and gateway address must be in the same subnet (a real network configuration).

IP: 10.11.11.11

IP Conflict

IP: 10.1.1.1/16

IP: 10.11.11.11

IP: 192.168.2.66/24

IP: 10.11.11.11 Subnet: 255.255.0.0 Gateway: 10.11.1.254

Gemtek Systems Page 23

User’s Guide Chapter 4 – User Pages

Chapter 4 – User Pages

This chapter describes what the user pages are and how to manage them. Detailed instructions on how to change and upload new user pages are given below.

When launching his/her web browser the user's initial HTTP request will be redirected to an operator defined set of web pages, further called the "user pages". User pages are:

 Welcome page– the first page presented to the user.  Login page– subscriber authentication page, allows the user to login to the network.  Logout page– small pop-up window for logged-on user statistics and log-out function.  Help page – get help with the login process.  Unauthorized page – this page is displayed when web login or EAP login methods are disabled

on the Access Controller for subscribers.

 One Click page – the additional pop-up pages, displayed when one click roaming for the third

party WLAN operators are preconfigured.

All further presented user pages are factory default. The Hotspot operator can upload new templates for all user pages.

Gemtek Systems Page 24

User’s Guide Chapter 4 – User Pages

User Pages Overview

Welcome Page

Welcome page is the first page a Hotspot subscriber receives when he starts his web browser and enters any URL. By default it’s a very simple page and provides only a link to the login page.

Figure 10 – Welcome Page

The Hotspot operator can change the welcome page according its needs. See

The subscriber gets to the login page after clicking the link on the welcome page. The login page is loaded from the Access Controller. To get access to the network, the user should enter his authentication settings: login name and password and click the login button:

more details in section: Changing User Pages.

Figure 11 – Simple Login Page

The login name and password can be obtained from your Hotspot Operator. Login

The login page also displays subscriber’s logical and physical network addresses (IP and MAC). Once authenticated, a start page appears. In addition, a smaller logout window (page) pops up.

format available for P-560:

 username@WISPdomain  WISPdomain/username

The Hotspot operator can change the login page according to its needs. See more details in section: Changing User Pages.

Gemtek Systems Page 25

User’s Guide Chapter 4 – User Pages

Logout Page

Make sure the JavaScript is enabled on your Web browser; otherwise you will not

The Logout page contains the detailed subscriber’s session information and provides function for logging out of the network:

receive the logout page.

Figure 12 – Logout Page

Detailed AC subscriber’s session information includes:

User – subscriber’s login name.

User IP – subscriber’s logical network name (IP address).

MAC Address – subscriber’s physical network address.

Session time – subscriber’s session time from client log on in format: [hours: minutes: seconds].

Input/Output bytes – subscriber’s session input and output statistics in bytes.

Input/Output bytes left – session input and output bytes left for subscriber limited from RADIUS [in

B, KB, MB, GB and unlimited].

Total bytes left – session total (input and output) bytes left for subscriber limited form RADIUS [in B, KB, MB, GB and unlimited].

Session time left – session time left in format: [hours: minutes: seconds].

Bandwidth downstream/upstream – available upstream and downstream bandwidth for subscriber

limited from RADIUS [in bps].

Logout button – click the button to logout from the network. The log-out pop-up window closes.

Refresh button – click the button to refresh the subscriber session information.

The Hotspot operator can change the logout page interface according to its needs. See more details in section: Changing User Pages. All session details are further accessible via the operator XML interface.

Gemtek Systems Page 26

User’s Guide Chapter 4 – User Pages

Help Page

Click on the get help link in the login page for help tips related to network registration. A page appears similar to the following:

Figure 13 – Help Page

The Hotspot operator can change the help page according to its needs. See more details in section: Changing User Pages.

Unauthorized Page

If web log-on method (UAM) or EAP-based authentication methods are disabled on the AC and the subscriber attempts to login to the network, he will receive the following page:

Figure 14 – Unauthorized Page

The Hotspot operator can change the unauthorized page according to its needs. See more details in section: Changing User Pages.

Gemtek Systems Page 27

User’s Guide Chapter 4 – User Pages

Changing User Pages

As the Hotspot operator you can modify the user pages freely according to your personal needs and preferences. User Page templates can be either stored locally on the AC or on an external web server.

See the Appendix: G) User Pages Templates Syntax to find the syntax and

Use the user interface | configuration menu to modify user pages. There are two ways to change and store new user page templates:

 External – linking new user page templates from an external server.  Internal – upload new templates to local memory.

Supported user pages template formats:

 XSL (Extensible Style sheet Language) for welcome/login/logout/one click pages.  HTML (Hypertext Markup Language for help/unauthorized pages.

The following image formats are supported for new templates. Other formats are not accepted:

 PNG  GIF  JPG

The following examples demonstrate the use of internal and external user pages.

comments of all user pages.

User Pages templates samples can be found in the Installation CD delivered to you with the product.

Example for External Pages

Step 1 Prepare your new user pages template for each user page:

welcome/login/logout/help/unauthorized/oneclick.

Step 2 Under the user interface | configuration | pages menu select the user page you

want to change (e.g. login)

Step 3 Choose the external option under the use column:

Gemtek Systems Page 28

User’s Guide Chapter 4 – User Pages

Step 4 Specify the new user page location in the location field

(http://servername/filelocation

Do not try to upload other than supported formats. Such uploaded pages will not be

Step 5 Save entered changes with the apply changes button:

Step 6 Check for new uploaded user page (e.g. login):

displayed properly.

If at anytime you wish to restore factory default user pages, click the reset button under the system | reset menu.

Gemtek Systems Page 29

User’s Guide Chapter 4 – User Pages

Example for Internal Pages

We will use the user pages templates from the Installation CD to show the example how to upload the internal pages. Follow the steps below:

Step 1 Ensure that internal option is selected for all user pages you want to change. By

default internal option is defined for all pages:

Step 2 Under the user interface | configuration | upload menu click the upload button

to upload new prepared user pages:

The memory space in the AC for internal user pages is limited to 1 MB.

Step 3 Specify the location (Examples directory if you use the Installation CD) of new

user page templates by clicking the browse button or enter the location manually.

Specify the location for the additional files of new user page templates: images and

a cascading style sheet file (css) by clicking the browse button or enter the location manually:

Gemtek Systems Page 30

User’s Guide Chapter 4 – User Pages

Step 4 Click the upload button to upload specified templates and files.

You do not need to upload all additional files at once. You can repeat the upload

Step 5 Check for the newly uploaded user pages and images to ensure that everything is

Click the here link or enter the link directly:

process a number of times until all necessary images are uploaded.

uploaded and displayed correctly. Go to the link:

https://<device-IP-address>/ to get to the new user welcome page:

https://<device-IP-address>/login.user to get to the new user login

page:

Gemtek Systems Page 31

User’s Guide Chapter 4 – User Pages

If at anytime you wish to restore the factory default user pages, click the reset button under the system | reset menu.

Gemtek Systems Page 32

User’s Guide Chapter 4 – User Pages

Extended UAM

The Extensions feature (user interface | configuration menu) allows an external Web Application Server (WAS) to intercept/take part in the user authentication process externally log on and log off the user as necessary. It provides means to query user session information as well.

See the following schemes to understand how the remote client authentication works.

Scheme 1:

Figure 15 – Client Remote Authentication Scheme (1)

Client

1. Initial Request

3. Renders HTML

his/her login and

authenticated or

4. Direct client

communication

with WAS

5. Client sends

password

9. WAS reports client status:

not

2. Fetch XSL

6. WAS tries to authenticate

7. AC sends request to

RADIUS

client

WAS RADIUS Server

8. RADIUS reply authenticated or

not

Client initiates (1) authentication process. AC intercepts any access to the Internet via HTTP and redirects the client to the welcome, or login URL on AC. In order to render the custom login screen HTML page, the AC must be configured to (2) fetch .XSL script from a remote server, which in this case is a Web Application Server (WAS), or have custom .XSL uploaded on the AC. There is the ability to enable caching of .XSL scripts (see: User Interface | Configuration | Pages), thus avoiding fetching of the same document every time a client requests authentication.

The AC (3) uses .XSL script to render HTML output, which is done by feeding a XML document to a parsed and prepared for rendering .XSL script. The latter XML document contains all needed information for Web Application Server like user name, password (if there was entered), user IP address, MAC address and NAS-Id. Custom .XSL script must generate initial welcome/login screen so that it embeds all the needed information in a HTML FORM element as hidden elements and POST data not back to the AC, but to the Web Application Server (5). Thereafter the client communicates directly with the Web Application Server.

Find more details on how to prepare the .XSL templates to renter the HTML in Appendix: G) User Pages Templates Syntax.

Gemtek Systems Page 33

User’s Guide Chapter 4 – User Pages

When the Web Application server has all needed data from the client, it must try to authenticate (6) the client. Authentication is done by the RADIUS server but through the AC. At this step the shared secret is used to make the connection between the WAS and the AC. The AC re-sends the authentication request to the RADIUS server (7). Depending on the status, appropriate authentication status must be returned back to the WAS but through the AC (8). In step (9), the Web Application Server knows the client authentication status and reports success or failure back to the client.

The Web Application Server (WAS) must be configured as a free site in the Walled

There is an ability to skip the rendering initial user pages from the .XSL. See the following scheme when the user initial request is redirected to the specified location.

Scheme 2:

Garden area.

Client

1. Initial Request

his/her login and

authenticated or

2. Replay with HTTP redirect

3. Direct client

communication

with WAS

4. Client sends

password

8. WAS reports client status:

not

WAS RADIUS Server

5. WAS tries to authenticate

client

6. AC sends request to

RADIUS

7. RADIUS replay authenticated or

not

Figure 16 – Client Remote Authentication Scheme (2)

The initial client request (1) can be redirected to the specified location, as redirection URL on the Web Application server. In such case the client who wants to authenticate gets the redirection from AC (2). In other words the AC intercepts any access to the Internet via HTTP and redirects the client to the defined welcome, or login URL on WAS (also see: User Interface | Configuration | Pages). The further actions are the same as described in the Scheme 1 (Figure 15 – Client Remote Authentication Scheme (1)).

The WAS location URL under welcome page redirect must be configured as a free site in the Walled Garden area.

To define such redirection URL use the user interface | configuration | pages menu. Enable welcome page, set the redirect setting and specify the redirect location for such authentication process (also see: User Interface | Configuration | Pages).

Gemtek Systems Page 34

User’s Guide Chapter 4 – User Pages

Parameters Sent to WAS

Parameters that are sent to the WAS for user authentication pages redirection:

parameter description

nasid

nasip

cientip Client IP address. Cannot be defined manually.

mac Client MAC address. Cannot be defined manually.

ourl

sslport HTTPS port number of AC (by default: 443). Not configurable.

lang Parameter "accept-language" from client browser request (optional).

In order to logon, log-off or get user status WAS submits POST request to the following URLs:

1. Remote user logon

 Script name: pplogon.user  Parameters (all parameters are required):

 secret shared secret, to protect page from accidental use  ip IP address of user to be logged on.  username Username of the user to be logged on.  password Password of the user to be logged on.

Script call example:

https://P560/pplogon.user?secret=sharedSecret&ip=<user_IP_address>&username =userName&password=UserPassword

NAS server ID value. Can be changed or specified under the network interface | RADIUS | RADIUS settings menu

P-560 WAN IP address. Can be changed or specified under the network interface | configuration | interface configuration menu.

Initial URL where not authorized client enter to his/her browser and tries to browse. After authentication the user is redirected in this URL (optional).

Script produces XML output:

<logon> <status>Ok</status> <error>0</error> <description>User logged on.</description> <replymessage>Hello user!</replymessage> </logon>

Response status and error codes:

status error description

OK 0 User is logged on.

Not checked 100 Logon information not checked.

No IP 101 No user IP address supplied.

No username 102 No username supplied.

Disabled 103 Remote authentication is disabled.

Bad secret 104 Incorrect shared secret supplied.

No password 105 No user password.

OK 110 User already logged on.

Failed to authorize 111 Failed to authorize user.

Bad password 112 Incorrect username or/and password.

Gemtek Systems Page 35

User’s Guide Chapter 4 – User Pages

Network failed 113 Network connection failed.

Accounting error 114 Accounting error.

Too many users 115 Too many users connected.

Unknown authorization error 120 Unknown authorization error.

<replymessage> is RADIUS Reply-Message attribute value. If RADIUS responds with ReplyMessage(s), they are added to logon response. If RADIUS does not responds with Reply-Message, <replymessage> attribute is not added to output XML.

See the Appendix: E) Standard RADIUS Attributes for all supported RADIUS

2. Remote user log-off

 Script name: pplogoff.user  Parameters:

 secret shared secret, to protect page from accidental use  ip IP address of user to be logged off.  username Username of the user to be logged off.  mac AC address of the user to be logged off.

All parameters are required, except the IP and MAC. At least one of IP and MAC addresses should be supplied. If supplied only IP, user is checked and logged off by username and IP. If IP and MAC addresses are supplied, then user is checked and logged off by username, IP and MAC addresses.

attributes.

Script call example:

https://P560/pplogoff.user?secret=sharedSecret&username=UserName&ip=<user_I P_address>

Script produces XML output:

<description>User logged off.</description>

</logoff>

Response statuses and error codes:

status error Description

OK 0 User is logged off.

Not checked 100 Logoff information not checked.

No username 102 No username supplied.

Disabled 103 Remote authentication is disabled.

Bad secret 104 Incorrect shared secret supplied.

No IP/MAC 106

No user by MAC 121

No user by IP 122

No user by IP and MAC 123

No user IP and/or MAC address supplied.

User with supplied MAC address not found.

User with supplied IP address and username not found.

User with supplied IP, MAC addresses and username not found.

Gemtek Systems Page 36

User’s Guide Chapter 4 – User Pages

Failed to logoff 131 Failed to logoff user.

Cannot resolve IP 132 Cannot resolve user IP.

Unknown logoff error 140 Unknown logoff error.

3. Remote user status

 Script name: ppstatus.user  Parameters:

 secret shared secret, to protect page from accidental use  ip IP address of user to get status.  username Username of the user to get status.

All parameters are required.

Script call example:

https://P560/ppstatus.user?secret=sharedSecret&username=UserName&ip=<user_I P_address>

Script produces XML output:

 XML output, when some error occurs:

<description>User with supplied IP address not found.</description>

</ppstatus>

Response statuses and error codes:

status error description

OK 0 User status is ok.

Not checked 100 Status information not checked.

No IP 101 No user IP address supplied.

No username 102 No username supplied.

Disabled 103 Remote authentication is disabled.

Bad secret 104 Incorrect shared secret supplied

No user by IP 122

No user by IP and username 141

 XML output when no errors and user statistics got successfully: <ppstatus>

User with supplied IP address not found.

User with supplied IP address and username not found.

<description>Got user status.</description>

Gemtek Systems Page 37

User’s Guide Chapter 4 – User Pages

<entry id="7">0 bytes</entry>

<entry id="8">0 bytes</entry>

<entry id="9">testlab</entry>

<entry id="10">unlimited</entry>

<entry id="11">unlimited</entry>

<entry id="12">unlimited</entry>

</ppstatus>

Status detailed information by ID:

id description

1 User name

2 User IP address

3 User MAC address

4 Session time

5 Session ID

6 User idle time

7 Output bytes

8 Input bytes

9 User WISP name

10 Remaining bytes

11 Remaining output bytes

12 Remaining input bytes

13 Bandwidth upstream

14 Bandwidth downstream

15 Remaining session time

16 Authentication method

Gemtek Systems Page 38

User’s Guide Chapter 5 – Command Line Interface

Chapter 5 – Command Line Interface

Introduction

The CLI (Command Line Interface) software is a configuration shell for the Access Controller. Using the CLI system operator can configure:

 User interface  Network interface  Wireless interface  System

Using the CLI system operator can check:

 Status (device, network, service)  Connection

All available key combinations in CLI mode are listed in the table below:

Key and/or Combination Function

? Get context-sensitive help

<TAB> Complete the current keyword or list all the options

<CTRL> <D> Break out the sub-shell

<CTRL> <A> Jump to the beginning of the line

<CTRL> <E> Jump to the end of the line

<CursUP>/<CursDOWN> Scroll through the history of commands

Figure 17 – Key Combinations in the CLI

Get Connection to CLI

There are three different ways to get a connection to the CLI of the Access Controller, via the:

 Telnet  SSH client

Telnet Connection

Make sure that default access status is allowed and telnet function is enabled on

Connect the Access Controller via LAN or WAN ports using the enclosed UTP cable and start a telnet session (using a telnet application). For example, connect your device via the WAN port, and then make a telnet connection as the following:

telnet 192.168.2.66

where 192.168.2.66 is the default WAN interface IP. Login to CLI mode and the prompt will be displayed automatically. Enter the administrator login settings (refer to the Login section for details).

the AC before trying to connect via telnet. Otherwise, no telnet connection will be available.

Gemtek Systems Page 39

User’s Guide Chapter 5 – Command Line Interface

SSH Connection

Make sure that default access status is enabled on the AC before attempting to

Connect the Access Controller via LAN or WAN ports using the enclosed UTP cable and start a SSH session (using an application as PuTTY). For example connect your device via the WAN port and then make a SSH connection to host IP: 192.168.2.66 (default WAN interface IP).

Login to CLI mode prompt will be displayed automatically. Enter the administrator login settings (refer to the next section for details).

connect via SSH. Otherwise no SSH connection will be available.

Enter the administrator login settings in the displayed CLI command prompt.

The default administrator login settings:

Figure 18 – CLI Login

After a successful login command prompt is displayed, the CLI is ready for commands. Press ‘?’ to get a list of main commands:

Figure 19 – Main CLI Commands

Password: admin01

‘?’ will not appear on the screen. While pressing this character, the display changes to the desired help page. To enter ‘?’ as character type ‘\?’.

Connection

Connection is a category of command that is related to the user’s connection with the device.

A full list of all available connection commands/subcommands and its parameters

In general, connection usage is as follows:

connection <command> <value>

To get a list of all available commands in the connection category type:

Gemtek Systems Page 40

is available in the Appendix section: D) CLI Commands and Parameters.

User’s Guide Chapter 5 – Command Line Interface

connection ?

Figure 20 – Connection Commands

Network

Network is a category of commands that configures controller interface settings, DNS, DHCP, UAT and RADIUS settings.

A full list of all available network commands/subcommands and its parameters is

The network commands themselves contain several subcommands and the subcommands again contain several parameters. In general, network command usage is as follows:

network <command> <subcommand1> <subcommand2> [-parameter] <value>

To get a list of all available commands in the configure category, type:

network ?

available in the Appendix section D) CLI Commands and Parameters.

Figure 21 – Network Commands List

To get a list of all-available subcommands for a specific command, type:

network <command> ?, (e.g. network radius ?)

All available subcommands for radius are displayed:

Figure 22 – Configure Network (1)

Specific command contains several subcommands:

network <command> <subcommand1> ?, (e.g. network radius servers ?)

All available subcommands are displayed:

Gemtek Systems Page 41

User’s Guide Chapter 5 – Command Line Interface

Figure 23 – Configure Network (2)

To get a list for available parameters on selected subcommand, type:

network <command> <subcommand1> <subcommand2> ?, (e.g. network radius servers accounting ?)

All available parameters on entered subcommand are displayed:

Figure 24 – Configure Network (3)

To configure the desired controller interface setting, type all required parameters with values and subcommands:

network <command> <subcommand1> <subcommand2> [-parameter] <value>

(e.g. network radius servers accounting 1 –a 127.0.0.2 –p 1814 –s testing111), where parameters are as follows:

-a – RADIUS server IP address used for RADIUS accounting

-p – RADIUS server port number used for RADIUS accounting

-s – Shared secret key for accounting.

Figure 25 – Configure Network (4)

If successful, a message regarding the successful completion is displayed; otherwise, an error message is displayed.

In some cases, entered commands without parameters display current controller configuration or settings:

network <command> <subcommad1> <subcommad2>, (e.g. radius servers accounting), displays available RADIUS servers and its settings list (in this case, the RADIUS

accounting server which is already updated):

Figure 26 – Configure Network (5)

Gemtek Systems Page 42

User’s Guide Chapter 5 – Command Line Interface

Wireless

Wireless is a category of commands that configures controller basic and advanced wireless interface settings, access control list (ACL) and WDS.

A full list of all available wireless commands/subcommands and its parameters is

The wireless commands themselves contain several subcommands and the subcommands again contain several parameters. In general, wireless command usage is as follows:

wireless <command> <subcommand1> [-parameter] <value>

To get a list of all available commands in the configure category, type:

wireless ?

Figure 27 –Wireless Commands List

available in the Appendix section: D) CLI Commands and Parameters.

To get a list of all-available subcommands for a specific command, type:

wireless <command> ?, (e.g. wireless basic ?)

All available subcommands for radius are displayed:

Figure 28 – Configure Wireless Basic

To configure the desired controller interface setting, type all required parameters with values and subcommands. Use the samples from previous section.

Gemtek Systems Page 43

User’s Guide Chapter 5 – Command Line Interface

User

User is a category of commands that configures controller interface settings, affecting the user’s interface: redirection URL, free sites (walled garden), system management access, administrator login/password.

A full list of all available user commands/subcommands and their parameters is

In general, the user command usage is as follows:

user <command> <subcommand1> <subcommand2> [-parameter] <value>

To get the full list of the user commands, type:

user ?

available in the Appendix section: D) CLI Commands and Parameters.

Figure 29 – User Commands List

To get a list of all-available subcommands for a specific command, type:

user <command> ?, (e.g. user walled_garden ?)

All available subcommands for walled garden (free sites) are displayed:

Figure 30 – Configure User Interface (1)

To configure selected user interface settings, type:

User <command> <subcommand1> <subcommand2> [-parameter] <value>,

(e.g. user walled_garden url A -u www.gemtek.system.com -s gemtek system site), where parameters are as follows:

A – action: add URL

-u – define URL address

-s – define URL description, visible for user:

Figure 31 – Configure User Interface (2)

If successful, a message regarding the successful completion is displayed; otherwise, an error message is displayed.

Gemtek Systems Page 44

User’s Guide Chapter 5 – Command Line Interface

Status

Status is a category of commands that’s displays:

 General devices status (model, firmware version, uptime, memory)  All interface network settings (IP address/netmask, MAC address, gateway, RX/TX statistics)  Currently running services (DHCP, routes, port forward, telnet, SNMP, UAT, ..).

A full list of all available status commands/subcommands and their parameters is

In general the status command usage is as follows:

Status <command>

To get the full list of the status commands, type:

status ?

available in the Appendix section: D) CLI Commands and Parameters.

Figure 32 – System Status Commands List

To get the general device status information, type:

status device :

Figure 33 – Device Status

Here you can find the current firmware version of your AC. This is important information for support requests and for preparing firmware uploads.

System

System is a category of commands that configures access to controller (telnet, AAA methods, L2 isolation, SNMP, UAT) and configuration: clock, NTP, syslog, trace.

A list of all available system commands/subcommands and their parameters are

In general, the system command usage is as follows:

system <command> <subcommand1> <subcommand2> [-parameter] <value>

To get the full list of the system commands, type:

system ?

available in the Appendix section: D) CLI Commands and Parameters.

Gemtek Systems Page 45

User’s Guide Chapter 5 – Command Line Interface

Figure 34 – System Commands List

Telnet

To make a telnet connection, type the telnet command in the command line:

telnet

Figure 35 – Telnet Command

The telnet client is activated and ready for a telnet session.

Figure 36 – Telnet Session

Quit the telnet to return to CLI interface.

Reboot

To stop the controller and reboot the device, type the reboot command in the command line. No configuration changes are done. The last saved configuration is applied to the rebooted controller.

Reset

To reset the controller to factory defaults, type the reset command. The device is restarted and defaults values are set.

Please note, that even the administrator password will be set back to the factory default. Refer to Appendix section: B) Factory Defaults for the Access Controller.

Exit

To leave the CLI mode, type the Exit command in the command line.

Gemtek Systems Page 46

User’s Guide Chapter 6 – SNMP Management

Chapter 6 – SNMP Management

Introduction

Another way to configure and monitor the Access Controller (P-560) via a TCP/IP network is SNMP (Simple Network Management Protocol).

SNMP is an application layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

The SNMP agent and management information base (MIB) reside on the Access Controller. To configure SNMP on the controller, you define the relationship between the Network Management System (NMS) and the SNMP agent (our AC). The SNMP agent contains MIB and Gemtek Systems private MIB variables whose values the SNMP manager can request or change. A NMS can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager’s requests to get or set data.

In order to manage the device you have to provide your Network Management System software with adequate MIB files. Please consult your management software manuals on how to do that.

SNMP Versions

Access Controller supports the following versions of SNMP:

 SNMPv1—The Simple Network Management Protocol: A Full Internet Standard, defined in RFC

1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on community strings.

 SNMPv2c—The community-string based Administrative Framework for SNMPv2. SNMPv2c (the

"C" stands for "community") is an Experimental Internet Protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic), and uses the community-based security model of SNMPv1.

 SNMPv3 – SNMP v3 is based on version 2 with added security features. It addresses security

requirements through encryption, authentication, and access control rules.

Both SNMPv1 and SNMPv2c use a community-based form of security. The community of managers able to access the agent's MIB is defined by an IP address access control list and password.

The Access Controller implementation of SNMP supports all MIB II variables (as described in RFC

1213) and defines all traps using the guidelines described in RFC 1215.The traps described in this RFC are:

coldStart

A coldStart trap signifies that the SNMP entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.

WarmStart

A WarmStart trap signifies that the SNMP entity, acting in an agent role, is reinitializing itself

Gemtek Systems Page 47

User’s Guide Chapter 6 – SNMP Management

and that its configuration is unaltered.

authenticationFailure

An authenticationFailure trap signifies that the SNMP entity, acting in an agent role, has received a protocol message that is not properly authenticated.

linkDown

A linkDown trap signifies that the SNMP entity, acting in an agent role, recognizes a failure in one of the communication links represented in the agent's configuration.

linkUp

A linkUp trap signifies that the SNMP entity, acting in an agent role, recognizes that one of the communication links represented in the agent's configuration has come up.

SNMP Agent

The SNMP agent responds to SNMP manager requests as follows:

 Get a MIB variable—The SNMP agent begins this function in response to a request from the

SNMP manager. The agent retrieves the value of the requested MIB variable and responds to the manager with that value.

 Set a MIB variable—The SNMP agent begins this function in response to a message from the

SNMP manager. The SNMP agent changes the value of the MIB variable to the value requested by the manager.

The SNMP agent also sends unsolicited trap messages to notify an SNMP manager that a significant event has occurred (e.g. authentication failures) on the agent.

SNMP Community Strings

SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the SNMP manager to access the controller, the community string must match one of the two community string definitions on the controller. A community string can be as follows:

 Read-only—Gives read access to authorized management stations to all objects in the MIB

except the community strings, but does not allow write access.

 Read-write—Gives read and write access to authorized management stations to all objects in the

MIB, but does not allow access to the community strings.

Gemtek Systems Page 48

User’s Guide Chapter 6 – SNMP Management

Use SNMP to Access MIB

As shown in the picture Figure 37 – SNMP Network SNMP agent gathers data from the MIB. The agent can send traps (notification of certain events) to the SNMP manager, which receives and processes the traps. Traps are messages alerting the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get- request, get-next-request, and set-request format.

MIB SNMP Agent

P-560

get-request, get-next-reguest, get-bulk, set-request

get-response, traps

SNMP Manager

Figure 37 – SNMP Network

Gemtek Private MIB

In addition to standard SNMP MIBs, Gemtek P560 supports private Gemtek MIB. The private MIBs are enterprise specific and serve to extend the functionality of the standard MIBs. Private MIB identifies manageable objects and their properties that are specific to the managed device. MIBs let you manage device not only by using WEB or Command Line Interface but also using SNMP protocol. The descriptions and brief explanations of managed objects are available in the MIB file. The MIB file is a specially formatted text file. It is using the so-called ASN.1 standard syntax.

Gemtek Systems Page 49

User’s Guide Chapter 7 – Reference Manual

Chapter 7 – Reference Manual

This chapter contains Hotspot-in-a-Box web management reference information.

The web management main menu consists of the following sub menus:

 Network Interface – device configuration settings affecting networking.  User Interface – device configuration settings affecting the user interface.  System – device system configuration settings directly applicable to the controller.  Connection– device settings related to user’s connection with the P560.  Exit – click exit and leave the web management then close your web-browser window.

Web Interface

The main web management menu is displayed at the top of the page after successfully logging into the system (see the figure below). From this menu all essential configuration pages are accessed.

Figure 38 – Main Configuration Management Menu

By default the system | status menu is activated and the current AC system status is displayed. The active menu is displayed in a different color.

The web management menu has the following structure:

Network Interface

Configuration – configuration page for all controller network interfaces

Interface configuration – network interfaces configuration VLAN – define VLAN on your controller Route – define new static route on the controller interface Port forwarding – port-forwarding rules Management subnet – access points (APs) management

DNS – define DNS server settings DHCP – Dynamic Host Configuration Protocol services configuration RADIUS – configuration set for RADIUS servers, includes menu:

RADIUS settings – NAS server ID, hotspot operator name and other settings RADIUS servers – accounting, authentication RADIUS servers IP, port and other settings WISP – add new WISP on the system. Proxy –configure the AC to act as RADIUS server proxy. Accounting backup – backup authentication logs in the remote or external server

Tunnels – set tunnels:

PPPoE/PPTP/GRE for DSL – connect to ISP via the PPPoE, PPTP or GRE tunnel PPTP client for VPN – configure PPTP client for Virtual Private Networks GRE client for VPN –set the GRE (Generic Routing Encapsulation) tunnel for the P560

Wireless – wireless interface configuration

Basic – SSID, regulatory domain, WEP keys Advanced – channel selection, layer 2 client isolation and other settings Security – WEP and WPA ACL –access control default policy, static ACL, access control by MAC address WDS – access point and WDS modes

User Interface

Configuration –Welcome/Login/Logout/Help page customization

Gemtek Systems Page 50

User’s Guide Chapter 7 – Reference Manual

Pages – configure and upload user pages Upload – upload new internal user pages Headers – define http headers encoding and language Remote Authentication – allow external Web Application Server intercept/take part in user

authentication process

One Click – configure One Click roaming

Administrator – administrator login and password change Start page – define start page URL Walled Garden – free web site list Web Proxy – web proxy settings for clients

System

Configuration – system configuration utilities:

Syslog – specify address where to send system log file Trace system – trace such controller services as PPTP and PPPoE Clock – system clock settings NTP – get time from network time protocol service Certificate– upload new certificates into the local controller memory Save and restore – save current device configuration for backup Pronto - Pronto compatibility agent configuration

Access – configure access to your controller:

Access Control – set default access to your AC Telnet – enable/disable telnet connections AAA – define different AAA methods UAT – enable/disable universal address translation Isolation – restricts clients from communicating along Level 2 separation NAV – NAT, authentication and visitor access control SNMP – SNMP service and proxies

Status – AC system status Reset – reset configuration to factory defaults values and/or reboot Update – find out current software version and update with new firmware

Connection

Users – connected users’ statistics list and log-out user function E-Mail Redirection – outgoing mail (SMTP) redirection settings Station Supervision – monitor station availability with ARP-pings settings

In the following sections, short references for all menu items are presented.

Gemtek Systems Page 51

User’s Guide Chapter 7 – Reference Manual

Network Interface

Network Interface | Configuration | Interface Configuration

The interfaces eth0 and ixp0 on 2.21 firmware are bridged therefore they will be

The Hotspot-in-a-Box contains up to three multi-purpose network interfaces: eth0, ixp0 and ixp1.

These interfaces can be configured to work as either local area network (LAN) or wide area network (WAN) interfaces for Access Points. LAN is used to connect hubs, switches, Access Points and subscribers. The WAN port connects to the Internet or the service provider’s backbone network.

All these interfaces are listed in the interface configuration page. All network interfaces available in the Hotspot-in-a-Box are shown in the following table:

Figure 39 – Interface Configuration Table

displayed as one eth0. The screen shots in this manual will not match with ones on your device.

To change network interface configuration properties click the edit button in the action column. The status can be changed now:

Figure 40 – Edit Interface Configuration Settings part.1

Interface - standard interface name. This name cannot be edited and is assigned by the operating system during startup. Interface name cannot be changed because the hardware drivers define it.

Status – select the status of interface: [enabled/disabled].

Do not disable the interface through which you are connected to the P-560. Disabling such interface will lose your connection to the device.

Type – network type cannot be changed. There are two possible networking types:

LAN – interface is used as local area network (LAN) gateway, and is connected to a LAN; WAN – interface is used to access the ISP network;

Change status or leave in the default state if no editing is necessary and click the continue button. Then the following parameters can be changed:

Figure 41 – Edit Interface Configuration Settings part.2

IP Address – specify new interface IP address [in digits and dots notation, e.g. 192.168.5.1].

Gemtek Systems Page 52

User’s Guide Chapter 7 – Reference Manual

IP address of each interface should be from a different subnet; otherwise, you will

Netmask – specify the subnet mask [[0-255].[0-255].[0-255].[0-255]].These numbers are a binary mask of the IP address, which defines IP address order and the number of IP addresses in the subnet.

Gateway – interface gateway. For LAN type interfaces, the gateway can only be defined as WAN interface gateway. The gateway of the WAN interface is usually the gateway router of the ISP or other WAN network. [Default gateway is marked with ‘*’].

Update – update old values with entered ones.

Figure 42 – Apply or Discard Interface Configuration Changes

receive an error message.

The DHCP server settings will be automatically adjusted to match the new network settings.

Apply changes – to save all changes made in the interface configuration table at once.

Discard changes – restore all previous values.

For such general changes as interface settings change, the Hotspot-in-a-Box server needs to be restarted. Request for restart server appears:

Figure 43 – Restart Server

Restart – Click the button to restart the server and apply the changes.

Gemtek Systems Page 53

User’s Guide Chapter 7 – Reference Manual

Network Interface | Configuration | VLAN

Up to 4094 VLANs can be created in the system.

Virtual Local Area Networks (VLANs) are logical groupings of network resources. You can create your own VLANs on your AC using the network interface | configuration | VLAN menu. By default no VLANS are defined on the system:

Figure 44 – VLAN

To create a VLAN on the AC click the new button and enter following parameters:

Figure 45 – Create New VLAN

Interface – select interface for your VLAN network [eth0/ixp0].

Status – non-editable, by default is disabled.

ID – assign ID for your VLAN network [1 to 4094]. Client devices that associate using the ID are

grouped into this VLAN.

Other VLAN settings cannot be changed. Click on the disabled link to continue specifying settings for your VLAN. The network interface configuration page is opened and VLAN settings are ready for editing:

Figure 46 – Configure VLAN

Status – enable/disable your VLAN network. Select [enable] and click the continue button to configure the VLAN settings:

Figure 47 – Configure VLAN

Type – cannot be edited, depends on selected interface for VLAN [ixp0/eth0].

IP Address – enter the network address of your VLAN [format: digits and dots].

Netmask – enter the netmask for your VLAN network [format: digits and dots].

Gateway – select gateway for VLAN network [default: ixp1].

Gemtek Systems Page 54

User’s Guide Chapter 7 – Reference Manual

Click the update and restart and apply changes to save your new VLAN. Check the interface | configuration | VLAN menu for new created VLAN:

Figure 48 – Enable New VLAN

Network Interface | Configuration | Route

Under the network interface | configuration | route menu, static routes for the Ethernet interfaces can be set. By default no static routes are defined on the system:

Figure 49 – Route

A routing rule is defined by the target subnet (target IP address and subnet mask), interface and/or gateway where to route the target traffic. A data packet that is directed to the target network is routed

to the specified AC interface or to another gateway router. To add a new static route for the system, click the new button under the action column and specify the following parameters:

Figure 50 – Add New Route

Status – set new static route status: [enabled/disabled].

Interface – choose device interface for the route: [eth0/ixp0/ixp1/vlan[n]].

Gateway – enter the gateway address for the route. 0.0.0.0 stands for the default gateway of the

selected interface [IP address].

Target IP Address – enter network address or host IP to be routed to [IP address].

Netmask – enter the target network netmask [dots and digits].

Save – save the new route.

Cancel – restore all previous values.

Figure 51 – Save New Route

Up to 255 static routes can be set between each interface.

Gemtek Systems Page 55

User’s Guide Chapter 7 – Reference Manual

Network Interface | Configuration | Port Forwarding

Port Forwarding is required when NAT is configured. NAT translates all internal addresses to one official IP address (WAN IP address). With port forwarding enabled it is possible to access internal services and workstations from the WAN interface.

Port forwarding forwards TCP or UDP traffic trough the P560 controller’s local port to the specified remote port. Use the network interface | configuration | port forwarding menu to specify such a port forwarding rule. By default no port forwards are defined on the controller:

Figure 52 – Port Forwarding Rules

Click the new button to add a port-forwarding rule:

Figure 53 – Add Port Forwarding Rule.

Status – select status: [enabled/disabled].

Type – select type of forwarding traffic: [TCP/UDP].

Local IP Address – P560 device interface address from which the selected traffic should be

forwarded.

Local Port – P560 device interface port from which the selected traffic should be forwarded.

Remote IP Address/Port – internal IP address and port no (LAN ports) to which the selected traffic

shall be forwarded.

Example:

Create rule as follow:

Type = TCP, local IP address/port = 192.168.2.248:8080 remote IP address/port = 1.2.3.4:8080.

With such a rule all traffic coming to port 8080 on the P560 interface local address 192.168.2.248 will be forwarded to port 8080 on the server (host) 1.2.3.4.

Port forwarding is limited to 255 rules.

Gemtek Systems Page 56

User’s Guide Chapter 7 – Reference Manual

Network Interface | Configuration | Management Subnet

Each network interface can have a management subnet. Use the network interface | configuration | management subnet menu to configure this feature on selected interface.

When management subnet is enabled, port forwarding will NOT WORK when

The administrator can enable or disable management subnet for each interface. By default no management subnet is enabled on the controller:

Figure 54 – Management Subnet

To specify new subnet management click the edit button on the selected interface:

connecting from IP addresses that are in the management subnet's remote administrator's network. This is because the management subnet allows connecting to the client computer without using port forwarding.

Figure 55 – Add Management Subnet

IP Address and Netmask – specify the IP address and netmask of the management subnet. IP address will be set on the network interface as an alias, so you can connect to the P560 using this

address. This IP address should be used on access points as the gateway address.

Remote Network and Netmask –specify the remote network that is allowed to access the local management subnet. Only addresses that are from the remote network will be accepted [dots and digits].

If you do not specify any remote network all stations with IP addresses from the management LAN are routed to the WAN port even without being authenticated.

Clients using an IP address from the management subnet can browse the Internet without authorization, and no accounting will be done. Thus, it is strongly recommended to allow traffic only from the administrative remote network (no 0.0.0.0/0.0.0.0 in remote specification).

Example:

Interface configuration for ixp0:

type: LAN IP address: 192.168.3.1 netmask: 255.255.255.0 gateway: ixp1

Management subnet on ixp0:

IP address: 10.0.0.1 netmask: 255.255.255.0 remote network: 10.10.0.1 remote netmask: 255.255.255.0

Gemtek Systems Page 57

User’s Guide Chapter 7 – Reference Manual

With these settings applied, the administrator will be able to connect to devices behind the P560 on interface ixp0, if these devices use address in the range: 10.0.0.2 ... 10.0.0.254. The administrator is connecting via the Internet (from ixp1 interface).

The administrator’s computer can have an address from 10.10.0.1 to 10.10.0.254.

The P560 interface eth0 has two IP addresses – 192.168.3.1 and 10.0.0.1.

Please note that devices which are using 10.0.0.2. – 10.0.0.254 addresses have

In this example, the administrative network uses the reserved IP address (10.x.x.x) – they are not routed in the Internet, so the administrator should setup routers in a path between the P560 and the administrator's computer to recognize 10.x.x.x addresses and route them correctly. This is not comfortable and sometimes it is impossible. There is a solution – the administrator can use “PPTP client for VPN“ (or GRE tunnel) (see: Network Interface | Tunnels) to setup a tunnel between the administrator's computer and the P560. The only addresses visible on the Internet will be the P560 WAN IP address and the administrator's computer (or router) IP address.

access to the administrative network too!

Network Interface | DNS

DNS (Domain Name Service) service allows AC subscribers to enter URLs instead of IP addresses into their browser to reach the desired web site.

Figure 56 –- DNS Settings Configuration

To enter hostname and domain click the edit button in the action column and type required value:

Figure 57 – Hostname Settings

Hostname – specify the Hostname. By default hostname is not specified.

Domain – specify the Domain name. By default domain name is not specified.

Save – save modified settings.

When user is redirected to device welcome/login page, redirection will be done to:

 WAN-IP, if no hostname defined;  hostname, if hostname defined, but domain empty;  hostname.domain, if hostname and domain defined.

You can enter the primary and secondary DNS servers settings under the network interface | DNS menu:

Gemtek Systems Page 58

User’s Guide Chapter 7 – Reference Manual

Figure 58 – DNS Redirection Settings

The DNS server or DNS address can be obtained dynamically if DHCP, PPPoE and/or PPTP (for DSL) service is enabled. To add DNS server manually click the edit button in the action column and type in the DNS server’s IP address:

Figure 59 – Edit DNS Redirection Settings

IP address – enter the primary or secondary DNS server’s IP address [in digits and dots notation].

Save – click to save the new DNS server’s settings.

Network Interface | DHCP

The P560 controller can act as a DHCP server and/or as a DHCP relay gateway. The DHCP (Dynamic Host Configuration Protocol) service is supported on the LAN interfaces [eth0/ixp0/vlan[n]]. This service enables clients on the LAN to request configuration information, such as an IP address, from a server. This service can be viewed in the following table:

Figure 60 – DHCP Configuration

By default the AC is configured to act as a DHCP server.

Each LAN interface runs a different instance of the DHCP service. This service is configured by defining an IP address range and WINS address for client workstations. Other settings, such as the default gateway and DNS server address are configured automatically according to the interface settings.

To see the complete DHCP service configuration, click the details button in the action column:

Figure 61 – DHCP Settings Details

Gemtek Systems Page 59

User’s Guide Chapter 7 – Reference Manual

To edit the DHCP service configuration [DHCP server/DHCP relay], click the edit button in the action column:

Figure 62 – Edit DHCP Configuration Settings

Status – select status from drop-down menu:

Disabled – disable the DHCP service on the selected interface DHCP Server – enabled by default DHCP Relay – to route DHCP through the external server, enable relay service

Case 1 Configure the DHCP server

Select the interface on which you want to configure the DHCP service [eth0/ixp0/vlan[n]]. Select the DHCP server and click the update button specify the DHCP server parameters:

Figure 63 – Edit DHCP Server Settings

IP Address from/IP Address to – specify the IP address range supported for the DHCP service [mandatory fields].

WINS Address (Windows Internet Naming Service) – specify service IP address if it is available on the network [dots and digits].

Lease Time – specify the IP address renewal in seconds [1-1000000].

Domain – specify DHCP domain name [optional, 1-128 sting].

DNS address – specify the DNS server’s IP address [in digits and dots notation].

DNS secondary address – specify the secondary DNS server’s IP address [in digits and dots

notation].

Case 2 Configure the DHCP relay

Select the interface on which you want to configure the DHCP service [eth0/ixp0/vlan[n]]. Select the DHCP relay and click the update button specify the DHCP relay parameters:

Gemtek Systems Page 60

User’s Guide Chapter 7 – Reference Manual

Figure 64 – Edit DHCP Relay Settings

Circuit ID – the unique DHCP relay parameter [optional, by default the MAC address of the device WAN interface is used].

If DHCP relay service is selected, the default WAN gateway is used automatically.

Update – to update entered values, the following screen appears:

Figure 65 – Apply or Discard DHCP Server Settings

Apply Changes – to save entered new DHCP settings.

Discard Changes – to restore previous values.

Gemtek Systems Page 61

User’s Guide Chapter 7 – Reference Manual

Network Interface | RADIUS

RADIUS is an authentication and accounting system used by many Internet Service Providers (ISP). RADIUS enables ISPs to maintain a very large database of users. By using RADIUS, service

providers can implement policy-based management of their subscribers’ base. RADIUS also helps ISPs to collect statistical data about their subscribers (e.g. amount of time, amount of transferred bytes, and session time).

Use the RADIUS (Remote Authentication Dial In User Service) menu to set-up the following RADIUS settings:

 RADIUS Settings – general RADIUS settings configuration (e.g. NAS server ID, servers

timeouts)

 RADIUS Servers – up to 32 different RADIUS servers’ configuration (accounting and

authentication servers)

 WISP (Wireless Internet Service Provider) – specify WISP domain for RADIUS server  Proxy – configure the P560 to act as RADIUS proxy server.  Accounting Backup – backup the RADIUS subscribers accounting information.

In the Appendix tables: E) Standard RADIUS Attributes and Vendor Specific Attributes Hotspot operators will find the required standard RADIUS attributes for

setting up the RADIUS system.

Gemtek Systems Page 62

User’s Guide Chapter 7 – Reference Manual

Network Interface | RADIUS | RADIUS Settings

General RADIUS settings are configured using the RADIUS settings menu under the network interface:

Figure 66 – RADIUS Settings Configuration

RADIUS Retries – retry count of sending RADIUS packets before giving up.

RADIUS Timeout – maximum amount of time before retrying RADIUS packets [sec].

NAS Server ID – name of the RADIUS client.

User Session Timeout - amount of time from the user side (no network carrier) before closing the

connection [sec].

User Accounting Update - period after which server should update accounting information [sec].

User Accounting Update Retry – retry time period in which server should try to update accounting

information before giving up [sec].

User Idle Timeout - amount of user inactivity time, before automatically disconnecting user from the network [sec].

Location ISO Country code – location ID attribute, country code according ISO standards [string].

Location E.164 Country code – location ID attribute, country code according E.164 specification.

Location E.164 Area code – location ID attribute, area code according E.164 specification.

See the Location ID and ISO Country codes for your country in the Appendix: F)

Location Network – location ID attribute, network name [string].

Hotspot Operator Name – location name attribute, operator’s name [string].

Location – location name attribute, textual description of the location [string].

Location ID and ISO Country Codes.

Bandwidth Up – maximum bandwidth up at which corresponding user is allowed to transmit [bps].

Bandwidth Down – maximum bandwidth down at which corresponding user is allowed to receive

[bps].

User can check its available bandwidth in the logout page statistics.

Gemtek Systems Page 63

User’s Guide Chapter 7 – Reference Manual

Each setting in this table can be edited. Select RADIUS setting you need to update, click the edit next to the selected setting and change the value:

Figure 67 – Edit RADIUS Settings

Use the update button to update to an entered value. Now select another RADIUS setting to edit, or apply changes and restart the server if the server configuration is finished:

Figure 68 – Apply or Discard RADIUS Settings

Apply Changes – click if RADIUS settings configuration is finished.

Discard Changes – restore all previous values.

Gemtek Systems Page 64

User’s Guide Chapter 7 – Reference Manual

Network Interface | RADIUS | RADIUS Servers

Up to 32 different RADIUS servers can be configured under the RADIUS servers

By default, one RADIUS server is specified for the system:

Figure 69 – RADIUS Servers Settings

New – add new RADIUS server.

Details – click on details to get more information about RADIUS server settings.

Edit – edit selected RADIUS server settings.

Delete – remove selected RADIUS server.

To view complete RADIUS server settings, click the details button in the action column:

menu.

Figure 70 – RADIUS Server's Details

To edit RADIUS server click the edit button:

Gemtek Systems Page 65

User’s Guide Chapter 7 – Reference Manual

Figure 71 – Add New RADIUS Server

Name – specify the new RADIUS server name.

Default – check the check box to make the selected RADIUS the default server.

Authentication IP – authentication RADIUS server IP address [dots and digits].

Authentication Port – specify the network port used to communicate with RADIUS [1-65535].

The port default value of 1812 is based on RFC 2138 "Remote Authentication Dial-

Authentication Secret – shared secret string that is used to encrypt data frames used for authentication server.

Accounting IP – accounting RADIUS server IP address [dots and digits].

Accounting Port – specify the network port used to communicate with RADIUS [1-65535].

Accounting Secret – shared secret string that is used to encrypt data frames used for accounting

server.

Backup IP – backup RADIUS server IP address [dots and digits].

Backup Port – specify the network port used to communicate with RADIUS [1-65535].

in User Service (RADIUS)".

Backup Secret – shared secret string that is used to encrypt data frames used for backup server.

Shared secret must be the same on RADIUS server and RADIUS client.

Reverse Accounting – [enabled/disabled]. The RADIUS accounting request contains Acc-Input- Octets and Acc-Output-Octets attributes. The interpretation of these attributes according the

RFC2866 is relative to the point of view. If this point is at the AC - Acct-Input* attributes should contain the bytes/packets received at AC port from the client and Acct-Output* attributes should contain bytes/packets sent from AC port to the client. If we move this point to the client - we will get the reversing of Acct-Input* and Acct-Output* attributes values. The Acct-Input* then should contain bytes/packets received from AC, what is bytes/packets that AC sent to the user in AC point of view and what was Acct-Output*.

The AC implementation of RADIUS accounting request is at the client point of view

The value "disabled" means that Acct-Input* RADIUS attributes will contain bytes/packets sent to the client and Acct-Output* RADIUS attributes will contain bytes/packets received from the client during the curse of service being provided.

The value "enabled" means that info in the Acct-Input* and Acct-Output* RADIUS attributes will be swapped (reversed). That is the Acct-Input* will contain bytes/packets received from the client and the Acct-Output* will contain bytes/packets sent to the client.

(reverse accounting is disabled).

Strip WISP – [enabled/disabled] select ‘enabled' if you want to strip WISP domain name before sending it to the RADIUS server. Stripping means removing everything before the “/” character including character itself for such user name login format like: “WISPdomain/username”.

Select “disabled” if you need to send the user login name to RADIUS server unmodified. Some RADIUS servers can be configured in such way that requires full-unmodified user name to be sent.

UAM authentication method – select authentication method from drop-down menu:

PAP – Password Authentication Protocol CHAP – Challenge Handshake Authentication Protocol MSCHAP1 – Microsoft Challenge Handshake Authentication Protocol version 1 MSCHAP2 – Microsoft Challenge Handshake Authentication Protocol version 2

Gemtek Systems Page 66

User’s Guide Chapter 7 – Reference Manual

Update – add new specified RADIUS server.

Cancel – restore all previous values.

After adding a new RADIUS server or editing an existing one, the following controls appears:

Apply Changes – save changed configuration.

Discard Changes – discard all changes.

Restart – after applying changes to the system, you should restart the controller to make applied

changes work.

Network Interface | RADIUS | WISP

Up to 32 WISP entries can be defined using the network interface | RADIUS |

Different WISPs (Wireless Internet Service Providers) can be associated with appropriate RADIUS servers and device interfaces using the network interface | RADIUS | WISP menu:

Figure 72 – WISP Menu

WISP menu.

Hotspot subscribers user name format from WISP table is as follows:

New – click to define WISP for RADIUS server.

Figure 73 – Define New WISP

Name – new WISP domain name [string, up to 256 symbols, no space, dot or dash allowed].

RADIUS Name – select RADIUS for new WISP from list box [non editable].

Bound To – select the WISP binder interface [none/eixp0/ixp1/ixp2/vlan[n]]. The WISP can be

associated with appropriate device interface.

Update – system with new WISP.

Cancel – restore all previous values.

 username@WISPdomain  WISPdomain/username

Network Interface | RADIUS | Proxy

The P560 (AC) can forward the RADIUS authentication and accounting requests from Access Point (AP) to the real RADIUS server. To configure the RADIUS proxy, follow the steps:

Step 1 Connect the Access Point to any LAN port available on the Access Controller

(P560). The AP should be in the bridge mode.

Step 2 Using the network interface | RADIUS | proxy menu configure the RADIUS proxy

parameters: RADIUS authentication port (UDP), RADIUS accounting port (UDP) different from authentication port and Accounting detection timeout:

Gemtek Systems Page 67

User’s Guide Chapter 7 – Reference Manual

Figure 74 – RADIUS Proxy Settings

RADIUS Proxy Status – select [enabled] to enable the RADIUS proxy feature [enabled/disabled].

Authentication Port – specify the port on AC for listening the RADIUS authentication packets. The

AC RADIUS proxy authentication port will accept only RADIUS authentication packets [1-65535, default: 1812].

Accounting Port – specify the port on AC for listening the RADIUS accounting packets. The AC RADIUS proxy accounting port will accept only RADIUS accounting packets [1-65535, default: 1813].

Detection Timeout – specify the RADIUS proxy accounting detection timeout in seconds. The AC will wait the specified period for accounting packet after the authentication request was got [0-3600].

The authentication RADIUS proxy port should differ from the accounting port.

Step 3 Configure the AP to send the RADIUS authentication and accounting packets to

the AC LAN IP address and UDP ports which are configured on AC RADIUS proxy configuration.

Step 4 The RADIUS secrets on AC should be set to value, which is good at the real

RADIUS server for which the following packet will be forwarded.

Such preconfigured AC will act as RADIUS proxy and will forward the RADIUS authentication and accounting packets from AP according WISP and RADIUS server settings in the AC configuration without any modification.

Gemtek Systems Page 68

User’s Guide Chapter 7 – Reference Manual

Network Interface | RADIUS | Accounting Backup

The administrator can backup the hotspot subscribers’ RADIUS accounting information in two ways:

 Via syslog protocol to the specified host  Download to the selected location (e.g. on your PC)

Use the network interface | RADIUS | accounting backup menu:

Figure 75 – Accounting Backup

Backup via syslog – enable this type to send the RADIUS accounting information via syslog protocol to the specified host [enable/disable] and note that the Host IP specification is obligatory.

Host – enter host IP address where to send accounting backup messages.

Backup to local file – enable this option, and the download button appears:

Download – click the button to download the accounting information file to your selected location.

Both types of accounting backup can be enabled.

Gemtek Systems Page 69

User’s Guide Chapter 7 – Reference Manual

Network Interface | Tunnels

This chapter describes the configuration of VPN tunnels. VPN tunnels can be used to secure management and AAA traffic between the hotspot network and the network operation center of the operator.

The Gemtek Systems Access Controllers support PPTP and GRE tunnels. Furthermore PPP (Pointto-Point Protocol) can be use to authenticate the AC to a authentication server and to assign IP settings to the WAN port of the AC.

Network Interface | Tunnels | PPPoE/PPTP/GRE

Use the network interface | tunnels | PPPoE/PPTP/GRE menu to connect to ISP via PPTP, PPPoE or GRE tunnel. All traffic will be sent via this tunnel.

Default gateway specified in network interface | configuration page will not be used, because all Internet traffic will be sent/received via the specified PPTP, PPPoE or GRE server (tunnel).

By default no services are available on the controller:

Figure 76 – PPPoE/PPTP/GRE for DSL

To specify PPTP tunnel for your controller click the edit button and enter the following:

Figure 77 – Specify PPTP Tunnel

Service – select service PPTP.

Username – enter username to connect to the server [text string, can not be empty].

The same username should be configured on the PPTP server.

Password – enter password by which user should be authenticated [text string, can not be empty].

Encryption – enables use of MPPE encryption.

Server IP – PPTP server IP address.

To specify PPPoE tunnel for your controller click the edit button and enter the following:

Figure 78 – Specify PPPoE Tunnel

Service – select service PPPoE.

Username – enter username to connect to the server [text string, can not be empty].

The same username should be configured on the PPPoE server.

Password – enter password by which user should be authenticated [text string, can not be empty].

Gemtek Systems Page 70

User’s Guide Chapter 7 – Reference Manual

Encryption – enables use of MPPE encryption.

When PPPoE tunnel is used, then no server IP is required - broadcast address will be used.

To specify GRE tunnel for your controller click the edit button and enter the following:

Figure 79 – Specify GRE Tunnel

Service – select service GRE.

Remote IP – IP address of GRE tunnel endpoint [IP address].

Interface IP – enter the IP address of GRE interface [IP address].

Interface Netmask – enter the netmask of GRE interface [netmask].

Network Interface | Tunnels | PPTP Client for VPN

PPTP Client for Virtual Private Network (VPN) is designed to secure the management and AAA traffic as well as to establish a VPN tunnel connection to the network operation center, for example when the administrator needs to reach access points behind the P560 from his workstation.

Should be used with Management Subnet feature, otherwise the firewall will not be enabled to reach anything behind the P560.

Only specific traffic will be sent to the tunnel with everything else sent using the default gateway specified on network interface | configuration page.

By default no PPTP clients are defined for the controller:

Figure 80 – PPTP Client for VPN

To specify new tunnel for your AC, click the new button:

Figure 81 – Add PPTP Client

Channel Name – enter free form string for tunnel identification (for user only).

Server IP Address - IP address [can not be empty].

Username – enter username to connect to the PPTP server [text string, can not be empty].

Password – enter password by which user should be authenticated [text string, can not be empty].

Encryption – enables use of MPPE encryption.

Network/Netmask – enter remote network settings [format: dots and digits].

Up to 16 VPN entries can be set.

Gemtek Systems Page 71

User’s Guide Chapter 7 – Reference Manual

Network Interface | Tunnels | GRE Client for VPN

GRE (Generic Routing Encapsulation) tunnel is one of the solutions for tunneling private network over the TCP/IP connection (e.g. PPTP, L2TP, PPPoE). GRE tunnel does not use encryption. It only encapsulates data and sends it over the Internet. So the administrator should take care that no unencrypted private information is going through the GRE tunnel. By default the GRE tunnel is disabled on the AC:

Figure 82 – GRE Tunnel

See the following example to understand GRE settings.

Example:

NMS: IP: 192.168.82.137 Router: 192.168.82.16

Net B

WLAN:

192.168.3.0/24

Net A

192.168.82.0/24

LAN:

192.168.82.16 WAN:

GRE Serve

GRE Tunnel

211.139.210.123

Internet

GRE Device IP:

211.139.210.168

P-560

Figure 83 – GRE Tunnel

For example, there are 2 internal networks: network A and B, and intermediate network - Internet.

Gemtek Systems Page 72

User’s Guide Chapter 7 – Reference Manual

Network A (administrator's computer with Network Management System); we shall call this network (192.168.82.0/24) “Net A”.

Network: 192.168.82.0 Netmask: 255.255.255.0 Router: 192.168.82.16

GRE server has two interfaces, LAN and WAN:

LAN IP: 192.168.82.16 WAN IP: 211.139.210.123

Settings in GRE tunnel page:

GRE Remote Host: 211.139.210.123 GRE Route: 192.168.82.0/24

Network B has subscribers on wireless P-560 interface (eth0) we shall call this network (192.168.3.0/24) “Net B”:

Network: 192.168.3.0 Netmask: 255.255.255.0 Router: 192.168.3.1

Where GRE interface (WAN IP of AC) is 211.139.210.168.

Settings in GRE tunnel page:

GRE Device IP: 211.139.210.168 GRE Device Netmask: 255.255.255.0

Settings in Management Subnet page on eth0 interface (network interface | configuration | management subnet menu) of AC:

IP Address: 192.168.3.1 Netmask: 255.255.255.0 Remote Network: 192.168.82.1 Remote Netmask: 255.255.255.0

Figure 84 – Management Subnet Settings

As far as the Internet is concerned, we assume that it will pass any packet sent from A to B and vice versa.

With settings from above, the administrator from Net A will be able to access clients on Net B through the GRE tunnel between the GRE server and the GRE interface of AC.

Use the edit button next to a setting to change its value:

Figure 85 – GRE Settings

GRE Status – select one: [enabled or disabled].

Remote Host – IP address of GRE tunnel endpoint [IP address].

GRE Interface IP – enter the IP address of GRE interface [IP address].

Gemtek Systems Page 73

User’s Guide Chapter 7 – Reference Manual

GRE Interface Netmask – enter the netmask of GRE interface [dots and digits].

GRE interface IP/Netmask settings is important when configuring the GRE server.

GRE Route – this is the destination network for the GRE tunnel in the combined node/subnet format [IP address/N].

The /N stands for the number of bits that are in the network address. There are 32 bits, so we have 32-N bits left that are part of our network. The first N bits of x.x.x.x correspond to x.0.0.0 when N=8, our network address, and the netmask is 255.0.0.0 (when N=8).

bits netmask

/32

/31 255.255.255.252

/30 255.255.255.248

… …

/26 255.255.255.192

/25 255.255.255.128

/24 255.255.255.0

… …

/16 255.255.0.0

… …

/8 255.0.0.0

… …

/0 0.0.0.0

255.255.255.255

Gemtek Systems Page 74

User’s Guide Chapter 7 – Reference Manual

Network Interface | Wireless

The Hotspot-in-a-Box has the wireless interface (eth0) and can act as the Access Point. Using the network interface | wireless menu, the system administrator can create a wireless network infrastructure (WDS), set the wireless basic settings (SSID, network mode: 802.11b/802.11g, regulatory domain/channel), set the advanced settings (layer 2 isolation, SSID broadcasting), select the security methods (WEP/WPA) or create the access control list (ACL).

Network Interface | Wireless | Basic

Use the network interface | wireless | basic menu to configure such wireless settings as SSID, network mode or regulatory domain/channel. Click the edit button on the setting you need to change:

Figure 86 – Basic Wireless Settings

Primary SSID – is a unique name for your wireless network. It is case sensitive and must not exceed 126 characters. The default SSID is "P560" but you should change this to a personal wireless network name. The SSID is important for clients when connecting to the access point. All client stations must have their client SSID settings configured and must use the same SSID.

Wireless Network Mode – select wireless network mode for optimal performance, from the drop down list. Each wireless network mode includes basic and supported rates.

Wireless Network Mode

B only

G (Wi-Fi)*

B (Wi-Fi)

Mixed/G (Wi-Fi)

Mixed

Mixed (Wi-Fi)

Basic Rates (Mbps)

1, 2, 5.5, 11 -

1, 2, 5.5 6, 11, 12, 24

1, 2 5.5, 11

1, 2, 5.5, 11

1, 2, 6, 12, 24

1, 2, 5.5, 6, 11, 12, 24

Supported Rates (Mbps)

9, 18, 36, 48, 54

6, 9, 12, 18, 24, 36, 48, 54

5.5, 9, 11 18, 36, 48, 54

9, 18, 36, 48, 54

Preamble Settings

Dynamic Dynamic Long

Dynamic Dynamic Dynamic 15

Dynamic Dynamic Long

Dynamic Dynamic Dynamic 15

Non ERP Protection

Slot Settings

CWmin

* This mode enforces rejection of non-ERP capable clients.

Data Rates – the range of data transmission rates supported by a device and they are measured in megabits per second (Mbps).

Basic Rates – are the list of rates that are mandatory for another radio to communicate with. These rates are used for packets such as, control packets and broadcast packets.

Supported Rates – are the list of rates that the radio is capable of running.

Preamble Settings – indicates Dynamic mode that allows mixing Long Preamble only clients

with Short Preamble capable clients. If both 802.11g clients and Long Preamble only clients are

Gemtek Systems Page 75

User’s Guide Chapter 7 – Reference Manual

associated, the Access Point sets the Short Preamble capability bit to 0 and Long Preamble is used. In all other cases, the Short Preamble capability bit is set to 1 and Short Preamble is used.

CWmin – indicates contention window size minimum.

NonERP Protection – indicates Dynamic mode what means that NonERP protection bit is set to 0 or 1 whether NonERP BSSs or stations are associated to AP or not.

Slot Settings – indicates Dynamic or Long mode:

 Dynamic mode allows mixing 802.11b only clients with Short Slot capable clients. If only

802.11g Short Slot capable clients are associated, 802.11a slot timing is used and the Short Slot capability bit is set. If any non-802.11g/Short Slot capable clients are associated, the access point switches back to 802.11b slot timing and clears the Short Slot capability bit.

 Long mode indicates that the access point never sets the Short Slot capability bit in the

Beacons, Probes and Association Responses. Clients should therefore not use it.

Regulatory Domain – select the domain according to your country.

The full frequency range of the 2.4 GHz ISM band is not permitted for use in all countries. Depending on your selection of regulatory domains, the available frequency channels will vary.

Before changing radio settings manually verify that your settings comply with government regulations. At all times, it will be the responsibility of the end-user to ensure that the installation complies with local radio regulations. Refer to the Appendix: C) Regulatory Domain/Channels.

Default Channel – select the default channel. Channels list will vary depending on selected regulatory domain.

Multiple frequency channels are used to avoid interference between nearby access points. If you wish to operate more than one access point in overlapping coverage areas, we recommend a distance of at least four channels between the chosen channels. For example, for three Access Points in close proximity choose channels 1, 6 and 11.

Gemtek Systems Page 76

User’s Guide Chapter 7 – Reference Manual

Network Interface | Wireless | Advanced

Use the network interface | wireless | advanced menu to configure the layer 2 client isolation, SSID broadcasting or threshold values or wireless card output power:

Figure 87 – Advanced Wireless Setting

Layer 2 Isolation – Layer 2 wireless client separation. Connected clients with user isolation function enabled cannot access each other directly. The clients are isolated from each other using their MAC addresses [enabled/disabled].

SSID Broadcasting – when enabled, your AP’s SSID is visible in the networks list while scanning the available networks for wireless client. When disabled, the AP’s SSID is not visible in the available network list (SSID is not broadcasted with its Beacons) [enabled/disabled]. By default the SSID broadcasting is enabled.

Fragmentation Threshold –the fragmentation threshold, specified in bytes, determines whether packets will be fragmented and at what size. On an 802.11 wireless LAN, packets exceeding the fragmentation threshold are fragmented, i.e., split into, smaller units suitable for the circuit size. Packets smaller than the specified fragmentation threshold value are not fragmented [[256-2346] default: 2346 (2346 means that fragmentation is disabled)].

RTS Threshold – when set, this setting specifies the maximum packet size beyond which the Wireless LAN Card invokes its RTS/CTS mechanism. Packets that exceed the specified RTS threshold trigger the RTS/CTS mechanism. The NIC transmits packets smaller than this threshold without using RTS/CTS [[0-2347] default: 2347 (2347 means that RTS is disabled)].

Output Power – the wireless card transmission output power in dBm [0-31].

Antenna Gain (dBi)– is the gain of the connected antenna in relation to an isotropic radiated power.

Total output power (wireless output power plus antenna gain) should comply with local radio regulations. Refer to the Appendix: C) Regulatory Domain/Channels.

Network Interface | Wireless | Security

Secure your wireless network use one of the available encryption methods:

 WEP (Wired Equivalent Privacy) with 64-bit/128-bit encryption  WPA (Wi-Fi Protected Access) with pre shared key or with RADIUS server

The WPA is a far stronger protocol and fixes the weaknesses in WEP. To enable the WPA security for your WLAN you will need:

 An access point that has WPA support (e.g. Gemtek Systems P-560)  A wireless network card that has WPA drivers available  A mobile client that supports WPA and your operating system

To configure the WPA with pre-shared key security on the P-560 use the network interface | wireless | security menu, select the WPA with pre-shared key security method and enter the pre-

shared key:

Gemtek Systems Page 77

User’s Guide Chapter 7 – Reference Manual

Figure 88 – WPA with Pre-shared Key Security Settings

Pre-shared Key – specify the pre-shared key for WPA security [8-64 characters].

The encryption pre-shared key must also be entered into the WLAN card

Update – click the button to apply security setting to your wireless network.

WPA with RADIUS server makes use of external AAA (RADIUS) server to generate and exchange dynamic WPA keys between P-560 and user station. To configure the WPA with RADIUS server security on the P-560 use the network interface | wireless | security menu and select the WPA with RADIUS server security method:

configuration of the mobile clients.

Figure 89 – WPA with RADIUS Server Security Settings

To configure the WEP encryption, select the WEP key algorithm and enter the pre-shared key:

Figure 90 – WEP Security Settings

WEP keys are entered as a series of colon-separated HEX (0-9, A-F, and a-f) pairs:

5 pairs for 64-bit (e.g. 00:AC:01:35:FF) 13 pairs for 128-bit (e.g. 00:11:22:33:44:55:66:77:88:99:AA:BB:CC)

The encryption pre-shared key must also be entered into the WLAN card configuration of the mobile clients.

Network Interface | Wireless | ACL

Use the ACL service to control the default access to the wireless interface (eth0) of the AC or define special access rules for mobile clients. Configure the ACL using the network interface | wireless | ACL menu:

Gemtek Systems Page 78

User’s Guide Chapter 7 – Reference Manual

Figure 91 – ACL Service

ACL service – click the edit button to enable or disable the access control service on device. By default the ACL service is disabled and all mobile clients connections to the AC are allowed (no ACL rules are applied to the mobile clients).

Default ACL policy – click the edit button to change the default ACL policy [allow/deny]. Select allow to allow all mobile clients to access this access point or deny to prevent all mobile clients from accessing your access point. Clients may also be subject to rules in the MAC addresses and policies table.

You can create your own access list if you need to define special access rules for specific network devices. The access control list is based on the network device's MAC address. In the MAC addresses and policies table, you need only specify the network device MAC address and its access policy (accept/deny) with the new rule. Click the new button to define the ACL rule:

Figure 92 – Add ACL Rule

MAC Address – enter the physical address of the network device you need to (MAC address) The format is a list of colon separated hexadecimal numbers (for example: 00:AA:A2:5C:89:56).

Policy – select the permission of the rule to determine whether the specified network device should be allowed or denied as an access point client [allow/deny].

The special ACL rule policy should differ from the default ACL policy otherwise the ACL rule does not work.

Update – click the button to add new ACL rule.

Gemtek Systems Page 79

User’s Guide Chapter 7 – Reference Manual

Network Interface | Wireless | WDS

A WDS (Wireless Distribution System) allows you to create a wireless network infrastructure. Normally, the access points must be connected with a wire (LAN), which is generally an Ethernet connection in business applications. Once connected, these access points create wireless cells allowing a wireless connection. The WDS feature allows the access points to be wirelessly connected to another access point, eliminating the need to the wired connection between them:

WDS Link

P-560

Wired LAN

Figure 93 – WDS Link

The WDS mode is configured by entering the WDS link peer access points (AP e.g. P-560) MAC address in each other’s AP configuration e.g. Web interface. As a result APs that relay data received from a wireless station to another access points (and vice versa) have to receive and send each packet over the same channel. Hence the overall throughput will be reduced for each relay link.

The radio channel in all WDS link peer APs must be the same.

P-560

Wired LAN

To configure the WDS links use the network interface | wireless | WDS menu, click the edit button and enter the peer access point MAC addresses:

Gemtek Systems Page 80

User’s Guide Chapter 7 – Reference Manual

Figure 94 – Add WDS Link

MAC for Per AP [1-8] – enter wireless interface (eth0) MAC address of the peer AP for the WDS link [6-HEX pairs separated by colon [1-9] [A-F] [a-f]].

You can discover the wireless interface (eth0) MAC address of your P-560 in the

system | status page.

Update – click the button to update you system with WDS links.

Gemtek Systems Page 81

User’s Guide Chapter 7 – Reference Manual

User Interface

Use the user interface menu to configure device settings affecting the user interface. If you need to configure the: welcome/login/logout/help/unauthorized pages, administrator settings, start page or free sites, use the user interface menu.

Figure 95 – User Interface Menu

User Interface | Configuration | Pages

Detailed description about user page customization is given in the Chapter 4 –

The welcome/login/logout/help pages can be easily changed to user defined pages by choosing the

configuration menu. The pages configuration menu is displayed by default:

User Pages.

Figure 96 – Available User Pages for Configuration

Login/Logout/Help/Unauthorized pages settings detailed description is given in the Chapter 4. Only Welcome page settings reference is provided here.

Welcome – first page the user gets when he/she opens its browser and enters the URL.

Internal – choose this option when using the internal user pages templates. External – choose this option when uploading your own user pages templates. Redirect – choose this option when using the Extended UAM function (see Chapter 4, section: Extended UAM).

Status – choose enable/disable welcome page status. Note that redirect option with status ‘disabled’

would work. Location – enter location for external templates or redirect (e.g. WAS IP address).

Figure 97 – Redirect User Pages

Gemtek Systems Page 82

User’s Guide Chapter 7 – Reference Manual

Welcome page with redirect option selected redirects the user authentication process to the specified location. The user welcome/login/logout page can be implemented as simple HTML (not required to use the .XSL or default user pages templates) in such case.

The redirect location URL should be specified as Walled Garden URL, otherwise the redirect would NOT WORK.

Figure 98 – Caching Option

Caching option can be used for caching the external uploaded user pages (available choice: enabled/disabled)

Clear – click the button to clear cached user pages.

Controller cache is also cleared after device reboot/reset.

User Interface | Configuration | Upload

Look for the user pages template samples in the Installation CD delivered to you

Figure 99 – Upload Page

Delete – click the button to delete earlier uploaded files from Hotspot-in-a-Box memory.

Upload – click the button to select and upload new user pages.

with the product.

How to upload user pages see in the Chapter 4 – User Pages.

User Interface | Configuration | Headers

System administrator can set HTML headers encoding and language settings for AC web management interface and new uploaded user pages. Select user interface | configuration | headers menu:

Figure 100 – HTTP Headers Settings

Gemtek Systems Page 83

User’s Guide Chapter 7 – Reference Manual

P560 device supports some http META tags. Syntax of such META tags:

Currently P560 supports Content-Type and Content-Language tags:

 Content-Type is used to define document char set (used, when text has non-Latin letters, like

language letters).

 Content-Language may be used to declare the natural language of the document.

P560 automatically adds defined content-type and content-language to generated XML. Then user pages (.XSL) templates will use these parameters to generate the output HTML.

Click the change button to define new headers of the web management interface on user pages templates. The default HTML encoding is ISO-8859-1, language = English. Enable the HTTP header status and default values appear:

Figure 101 – Set HTTP Headers

The system administrator can set his own header encoding and language settings.

Use the HTML 4.01 specification to define the header encoding and language.

User Interface | Configuration | Remote Authentication

Read more about extensions feature in Chapter 4, section: Extended UAM.

The Remote Authentication feature under the user interface | configuration menu allows an external Web Application Server (WAS) to intercept/take part in the user authentication process, externally log on and log off the user as necessary. It provides means to query user session information as well. By default such remote authentication is disabled:

Figure 102 – Remote Authentication

Click the edit button next to appropriate settings to specify remote authentication parameters:

Figure 103 – Enable Remote Authentication

Remote Authentication – select status: [enabled/disabled].

Shared Secret – enter password for WAS to communicate with AC [sting (4-32), no spaces allowed].

Gemtek Systems Page 84

User’s Guide Chapter 7 – Reference Manual

User Interface | Configuration | One-Click Roaming

One-Click roaming is the ability of T-mobile customers to use the T-mobile Hotspot service in Third Part Hotspots, while the authentication and billing is entirely realized through T-mobile. The Third Part Hotspot only provides the access to the T-mobile WLAN platform. Use the network interface | configuration | one click menu to configure this feature. By default One-Click roaming is disabled. Click the edit button to change roaming status.

Figure 104 – One-click Roaming Settings

To add a new One-Click partner, click the new button:

Figure 105 – Add new One-Click partner

Name – enter One-Click roaming partner’s name.

Status – select status: [enabled/disabled].

Username – enter username that is valid user name on RADIUS server [text string, can not be

empty].

Password – enter password by which user should be authenticated [text string, can not be empty].

Portal URL – enter T-mobile portal URL to redirect user when One-Click roaming is enabled (optional

parameter).

Type – choose source routing policy: clients’ traffic can be either routed directly via secondary router or via PPTP tunnel. Choose gateway to route clients’ traffic via specified router’s IP address. Or choose PPTP- [name] tunnel that was created for t-mobile users’ traffic to route through.

IP address – enter One-Click roaming gateway IP address that is reachable via WAN interface [can not be empty if gateway type is selected].

Update – click to update One-Click roaming settings.

Welcome Pages are stored on Portal. Every user, even T-mobile and Netcheckin

See the following diagram to understand One-Click roaming:

will see Welcome pages loaded from Portal server. The Welcome page with portal URL should be entered on network interface | configuration | page.

Gemtek Systems Page 85

User’s Guide Chapter 7 – Reference Manual

Client

Welcome page is loaded

Select T-Mobile

Open popup

Enable source routing

Open window / redirect to T-Mobile portal

Cancel source routing

Redirect routing to Welcome page

Welcome page

Logout use

Figure 106 – One-Click Roaming diagram

T-Mobile Portal

Authentication

RADIUS Server

Logout use

When T-mobile user attempt connect to internet it is redirected to ‘Welcome Page’ on access controller. Then client selects T-mobile, AC internally authenticates client with a provided username and password. AC opens a new browser window and which in turns open popup window. Latter popup window will allow canceling source routing policy at any time and returning to a welcome page.

User Interface | Administrator

The system administrator also can be the RADIUS user with corresponding

The administrator menu is for changing the administrator’s settings: user name and password:

Figure 107 – Administrators Settings

attributes.

Default administrator logon settings are:

User Name: admin

Password: admin01

Gemtek Systems Page 86

User’s Guide Chapter 7 – Reference Manual

To edit or change the administrator settings simply click the edit button:

Figure 108 – Change Administrator Settings

Username – administrator username for access to Access Controller (e.g. web interface, CLI mode) [1-32 symbols, spaces not allowed].

Idle Timeout – amount of administrator inactivity time, before automatically disconnecting administrator from the web interface [300-3600 seconds]. The default idle time: 10minutes (600 seconds).

Old Password – old password value.

New Password –new password value used for user authentication in the system [4-32 symbols,

spaces not allowed].

Confirm Password – re-enter the new password to verify its accuracy.

Save – click to save new administrator settings.

User Interface | Start Page

The start page is the default web page where users will be redirected after log-on. This value will be overwritten by the WISP RADIUS attribute no.4 "Redirection-URL" if provided in the authentication response message. Use the user interface | start page menu to view or change the start page URL:

Figure 109 – Start Page

The administrator can change the start page by clicking the edit button. The value entry field will change into an editable field:

Figure 110 – Edit Start Page

Value – enter new redirection URL of start page in valid format [http://www.startpageurl.com].

Save – to save new settings.

Cancel – restores all previous values.

User Interface | Walled Garden

The walled garden is an environment that controls the user's access to Web content and services. This feature gives the ability to define a free, restricted service set for a user not yet logged into the system. Use the user interface | walled garden menu to view or change the free URLs or hosts:

Gemtek Systems Page 87

User’s Guide Chapter 7 – Reference Manual

Figure 111 – Walled Garden

Edit – edit the selected URL or host. All settings become available for editing.

Delete – delete the selected URL or host.

New URL – click the new URL button and enter the new URL and its description. Save entered information by clicking the update button:

Figure 112 – Add New URL part 1

URL for User – define full URL address [www.gemtek-systems.com].

String to Display – site description visible to user as link on the welcome and login page:

Figure 113 – Walled Garden link in the Welcome Page

New Host – If you need to define hosts (web servers) for walled garden, specify hosts by clicking the new host button and click the update button:

Figure 114 – Walled Garden Host

Type –select the data traffic protocol for host server [TCP/UDP].

Host – Web server address [IP address or host name].

Netmask – enter the network mask to specify the host servers network.

Port – network port, which is used to reach the host [1-65535]. For standard protocols use the default

ports:

Protocol

HTTP 80

HTTPS 443

FTP 21

Port

Gemtek Systems Page 88

User’s Guide Chapter 7 – Reference Manual

User Interface | Web Proxy

The enabled web proxy allows any clients’ connections with configured proxy settings on their browsers. The AC accepts any client proxy configurations and grants the access to the Internet. The system administrator should list only ports the AC is listening on for proxy requests.

Figure 115 – Web Proxy

Web proxy is enabled by default and the port numbers are: 3128 and 8080.

To add more port number for web proxy, click the new button:

Figure 116 – Add Web Proxy Port

Port – add port number for web proxy to listen to [1-65535].

Save – click the button to save new proxy port number.

Gemtek Systems Page 89

User’s Guide Chapter 7 – Reference Manual

System

Use the system menu to configure such system utilities:

 Syslog – for sending system and debug messages via the syslog protocol.  Trace system – trace such controller services as PPTP and PPPoE.  Clock – manual setting of internal device clock.  NTP – set the Network Time Protocol service on the AC.  Certificates – upload your own SSL certificate and private key files for server.  Save and Restore – save current AC configuration and restore.

Use the system menu to define default access/visitor access to the device via or using:

 Telnet – enable telnet connections to AC.  AAA – enable different AAA methods.  UAT – enable the service.  SNMP – enable/configure SNMP management.

Use the system menu to check the system status, reset the device, or update with new firmware.

Figure 117 – System Menu

System | Configuration | Syslog

You can trace your AC system processes and get the system log messages remotely using the system | configuration | syslog menu (by default the syslog utility is disabled):

Figure 118 – Syslog Settings

To enable the syslog remote sending function, click the edit button and choose the enabled option:

Figure 119 – Configure Syslog Messages

Remote Log Status – choose disable/enable remote log [enabled/disabled].

Host – specify the host IP address where to send the syslog messages [host IP address].

Be sure the remote host is configured properly to receive the syslog protocol messages.

Level – select the messages level you need to trace. The level determines the importance of the message. The levels are, in order of increasing importance:

Debug – debug messages including more important level messages: [info/warning/error/fatal].

Informational – informational messages including [warning/error/fatal]

Warning – warning condition messages including [error/fatal]

Error – error and critical condition messages including [fatal]

Fatal – critical and fatal condition for device messages. Actions should be taken immediately.

Gemtek Systems Page 90

User’s Guide Chapter 7 – Reference Manual

Save – save changes. The syslog messages will be started to send to the specified host.

Cancel – restore the previous values.

System | Configuration | Trace System

The trace system utility debugs system services and protocols if malfunction occur. Trace system works with started services as DHCP, PPTP, PPPoE, telnet and SNMP and shows number of system messages according to the selected history size. The trace system can help operators to locate misconfigurations and system errors. Select system | configuration | trace system menu to view current syslog messages in case of troubleshooting of one of the services:

Figure 120 – Trace System

By default, trace system utility is switched on. The latest messages are displayed at the end of the message list.

History Size – select the message history size to display [102400-512000 bytes].

Level – select the messages level you need to trace. The level determines the importance of the

message. The levels are, in order of increasing importance:

Debug – debug messages including more important level messages: [info/warning/error/fatal].

Informational – informational messages including [warning/error/fatal]

Warning – warning condition messages including [error/fatal]

Error – error and critical condition messages including [fatal]

Fatal – critical and fatal condition for device messages. Actions should be taken immediately.

Change – click the change button to apply new history size or selected message level. Trace system

will start to sort by selected level at once you click the change button.

Clear – delete all displayed messages. Refresh – click to refresh trace system messages.

System | Configuration | Clock

To set the Hotspot-in-a-Box internal clock, use the clock utility, accessed by selecting the system | configuration | clock menu link:

Figure 121 – Clock Utility

Gemtek Systems Page 91

User’s Guide Chapter 7 – Reference Manual

To adjust the clock settings, click the change button:

Figure 122 – Set Clock Settings

Date – specify new date value [year/month/day].

Time – specify time [hours: minutes].

Time Zone – select the time zone [-12.00 – 14.00]. If the NTP service is enabled the selected time

zone will be applied to the clock settings also.

If the NTP server (see the next section for reference) is enabled on the system, no manual clock setting is available except time zone.

Figure 123 – Clock and NTP

Only time zone change is available when NTP server is used.

System | Configuration | NTP

The NTP (Network Time Protocol) is used to synchronize the clock of the AC to a selected time reference. You can synchronize the system clock settings using the system | configuration | NTP menu:

Figure 124 – NTP Service

By default NTP service is disabled. To start the service, click the edit button:

Figure 125 – Enable NTP

Status – select appropriate status for NTP service [enabled/disabled].

Host – specify the trusted NTP server IP on the field. It works only with enabled NTP function.

The NTP synchronize the device clock with GMT + 0 time. If you need to set the time zone, use the system | configuration | clock menu.

You may want to add more than one NTP host, for example, in the case where the first host fails to connect. Click the new button to add additional host settings:

Gemtek Systems Page 92

User’s Guide Chapter 7 – Reference Manual

Figure 126 – Add New NTP Host

Host – add additional NTP service hosts [1-128]. This NTP server will be used, if connection to the first defined NTP server is lost.

System | Configuration | Certificate

You can upload your own SSL certificates files for HTTP connection using the certificate menu under the system | configuration menu:

Figure 127 – Certificate Upload

Only these certificate files are accepted:

Click the upload to upload your own SSL certificates and private key files:

Figure 128 – Upload New Certificate

Certificate File – the PEM-encoded certificate file for the server.

Private Key File – the PEM-encoded private key file for the server.

Upload – upload new certificates.

Depending on the public key infrastructure implementation, the certificate includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner. The default certificate implemented in the AC includes the following:

 Server PEM-encoded X.509 certificate file  Server PEM-encoded private key file

Corresponding RSA or DSA private keys SHOULD NOT be included.

Private key SHOULD NOT be encrypted with a password. This private key should correspond to the certificate above.

Gemtek Systems Page 93

User’s Guide Chapter 7 – Reference Manual

Figure 129 – Default Certificate Properties

Flash – upload new certificates into the controller.

Cancel – cancel new certificate upload.

System | Configuration | Save and Restore

You can save your current device configuration file locally using the save and restore menu under the system | configuration menu:

Figure 130 – Save and Restore

Such device configuration is saved in the specific format file (.cfg):

 Network configuration settings (including network interface, VLAN, port forwarding, route,

management subnet, DHCP, DNS, RADIUS, tunnels)

 User interfaces configuration settings (including user pages templates)  System configuration settings (including syslog, NTP configuration, access settings)  Connection settings (including e-mail redirection and station supervision)

Click the download button to start saving the configuration file. You can change or leave the default configuration file description:

Figure 131 – Edit Configuration File Description

Download – click the download once again to save the configuration file under the selected path in your computer. Now the last saved configuration is successfully stored in your local computer.

Cancel – click the cancel button to back to main configuration page.

You can use this file any time you want to restore this configuration to the device by using the upload button (see: Figure 130 – Save and Restore). Select the configuration file and upload it on the device:

Gemtek Systems Page 94

User’s Guide Chapter 7 – Reference Manual

Figure 132 – Upload Configuration File

Flash – click the button to apply configuration setting to the device.

System | Configuration | Pronto

The goal of the pronto-compatible agent program is to ensure that a partner’s hotspot is interoperable with Pronto’s Hotspot OSS. Pronto compatibility agent is used to download and overwrite current configuration (only some parameters which are listed below) from pronto server using WEB proxy. On device boot only these parameters will be overwritten:

 LAN IP.  WLAN (wireless LAN) IP.  LAN DHCP range, DHCP default lease time, max lease time.  WLAN DHCP range, DHCP default lease time, max lease time.  WLAN channel.  WLAN SSID.  WEP key length (64-bit or 128-bit).  WEP key format (HEX).  SMTP server IP and port.  Location name.  Walled garden entries.  Default RADIUS authentication, accounting and accounting backup servers IP.  Default RADIUS authentication, accounting and accounting backup shared secrets.  SNMP Read-Only and Read-Write communities.  SNMP traps host. There will be created 3 traps with different trap types (v1, v2, inform) on the

same host.

By default Pronto feature is disabled:

Figure 133 – Default Pronto Settings

Gold pronto status – select pronto compatibility agent status [enable/disable].

HNS server URL – specify HNS server URL.

Heartbeat interval – specify interval between heartbeat messages in seconds: 1-4 numbers [0-3600],

no spaces allowed. ‘0’ means that heartbeat is disabled. No heartbeat value specified - system will use external server value. Heartbeat messages are sending between the nodes that indicate a node is up and running.

Remote host – specify remote host [IP address or host name].

Remote port – specify remote host port number: 1-5 numbers, no spaces allowed, [1-65535].

Gemtek Systems Page 95

User’s Guide Chapter 7 – Reference Manual

Edit – click to edit required parameter.

Change Pronto status to enable and configure the rest Pronto settings. To configure Pronto settings, click the edit button next to appropriate parameter and specify value. Reboot the device.

Figure 134 – Configure Pronto Settings

Update – click the button to apply pronto agent settings.

Cancel – restore the previous value.

After reboot device’s configuration will be changed automatically.

Note that if Pronto agent is enabled, after reboot existing configuration will be overwritten with Pronto server parameters’ values.

System | Access | Access Control

Use the access control menu to control the access management to your AC and to specific services. Access control to your device includes access to these services:

 Telnet  SSH  SNMP

Thus, the administrator can control the access of a single or every user to the controller via telnet, SSH or SNMP. This can be done by creating the access control list in the AC and checking the incoming user’s IP address.

Default access status is used to deny all connections except the SNMP service to the controller. SNMP service is used to access your device via the KickStart utility.

Figure 135 – Access Control

Edit – click to edit the default access status [allow/deny].

New – click to create new access control rule for specific network to specific service(s) [all/

/ssh/telnet/snmp].

To configure the access control, click the edit button and specify the network address and select services to allow/deny:

Figure 136 –Modify Access Control

Gemtek Systems Page 96

User’s Guide Chapter 7 – Reference Manual

Service – select services that access you need to control [all/ssh/telnet/snmp].

Telnet service should be also enabled in the system | access | telnet to allow the

Network Address – specify the network or host address with netmask in bit format separated by dash.

The /N stands for the number of bits that are in the network address. There are 32 bits, so we have 32-N bits left that are part of the network. The first N bits of x.x.x.x correspond to x.0.0.0 when N=8, our network address, and the netmask is 255.0.0.0 (when N=8).

telnet access to the controller. Otherwise, the client or network will not get telnet access.

bits netmask

/32

/31 255.255.255.252

/30 255.255.255.248

… …

/26 255.255.255.192

/25 255.255.255.128

/24 255.255.255.0

… …

/16 255.255.0.0

… …

/8 255.0.0.0

… …

/0 0.0.0.0

Access – select the access policy: [allow/deny].

Up to 255 different access control rules can be set.

255.255.255.255

System | Access | Telnet

When the telnet function is switched on, telnet connection to the Hotspot-in-a-Box is enabled and the administrator can connect to the CLI interface via telnet.

Make sure that default access status to the administrator PC appears as ‘allow’

By default telnet is disabled:

Figure 137 – Default Telnet Status

To switch the telnet function on, click the edit button and change the status:

Gemtek Systems Page 97

under the system | access | access control menu. Otherwise, you will not be able to connect via telnet, even though the telnet function is enabled.

User’s Guide Chapter 7 – Reference Manual

Figure 138 – Change Telnet Status

Enabled – connection via telnet to AC is enabled.

Disabled – connection via telnet to AC is disabled.

Save – click the button to save the configuration.

Cancel – restore the previous value.

System | Access | AAA

It is recommended to use the Gemtek Systems product Smart Client Manager (S-200) for EAP authentication methods.

Such multimode Authentication, Authorization and Accounting (AAA) methods are supported on the AC:

 UAM – Universal Access Method (web-login) method  EAP/802.1x are:

 EAPMD5 – 802.1x authenticator with MD-5 method  EAPSIM – 802.1x authenticator with SIM authentication method  EAPTLS – 802.1x authenticator with TLS authentication method  EAPTTLS – 802.1x authenticator with TTLS authentication method

 MAC – user is authenticated from RADIUS server by its MAC address and password.

Use the user interface | configuration | AAA menu to enable/disable appropriate authentication method on your controller:

Figure 139 – AAA Settings

If UAM (web-login) method is disabled the subscriber will not be able to login through the web interface.

Status – change status of selected AAA method [enabled/disabled].

For MAC authentication the following settings are required:

Figure 140 – MAC Authentication

Use Password – select [RADIUS secret] or [User defined] password for user authenticating by its MAC address.

Password – enter password with user-defined option selected. Password will be one for all users authenticated by MAC address [string, 4-32 characters, no spaces allowed].

Gemtek Systems Page 98

User’s Guide Chapter 7 – Reference Manual

Current RADIUS secret value is only displayed and CANNOT be changed under the AAA menu. To change the RADIUS secret value use the network interface | RADIUS | servers menu.

System | Access | UAT

With Universal Address Translation (UAT) enabled, the Hotspot-in-a-Box will automatically and transparently translate fixed IP settings (IP address, gateway, DNS, proxy server) on a user’s PC so that he can connect to the broadband Internet service. There is no need for end-users to reset their corporate IP or web settings. Also outgoing subscriber e-mails can be redirected to the operator's email server in order to facilitate e-mail forwarding for foreign subscribers.

Universal address translation works only on LAN and VLAN interfaces with

The Universal Address Translation (UAT) function can be enabled using the system | access |

UAT menu. UAT can be configured separately for each interface. All available interfaces are listed:

authentication setting enabled (see more about these settings in the System | Access | NAV).

Figure 141 – Universal Address Translation Settings

VLAN interface will not appear in list if it is not enabled in Network Interface | Configuration | Interface Configuration page.

To change UAT settings on interface click the edit button in the action column. The status can be changed now:

Figure 142 – Change Universal Address Translation Status

Interface – standard interface name on which UAT can be configured.

UAT Status –universal address translation status [enabled/disabled].

Change status or leave in the default state if no editing is necessary and click the continue button. Then the IP address and Netmask can be changed:

Figure 143 – Change Universal Address Translation Settings

IP address – specify network IP of UAT address pool.

Netmask – specify UAT address pool network mask.

Update – update old values with entered ones.

Gemtek Systems Page 99

User’s Guide Chapter 7 – Reference Manual

IP address and netmask should be combined and used as pool for users on this interface. Note that count of available IP addresses will become maximum user count on this interface - if there will be no free IP addresses, access will be rejected because of lack of IP addresses.

System | Access | Isolation

Isolation mechanism under the system | access | isolation menu increases the security of the AC users.

Figure 144 – Isolation

Bindmac – with bindmac function enabled, the AC binds the user’s MAC and IP addresses together after a successful logon by the wireless client and thereby preventing Internet access to a new user who uses the same client IP address, although be it with a different MAC address [enabled/disabled].

Isolation – enable this function to prevent users on the same LAN to communicate with each other. Users can communicate only through the AC [enabled/disabled].

System | Access | NAV

To change visitor access on different LANs or VLANs, authentication or NAT attributes for AC users, go to the system | access | NAV menu:

Figure 145 – NAT, Authentication and Visitor Access

Interface – interface on which the changes will be done [ixp0, non editable].

IP Address – IP address of interface [non editable].

NAT – network address translation service status [enabled/disabled]. If enabled, users can access the

Internet under its network gateway address.

Authentication – with disabled authentication, the user from his LAN gets access to the Internet without any authentication. If enabled, authentication for Internet access is required for all users [enabled/disabled].

This setting is important when configuring the UAT. See section: System | Access

| UAT for more details.

Visitor Access – client with specific WISPr attribute can reach the LAN with enabled visitor access

[enabled/disabled] (see more details about visitor access below).

Only one selected interface can have the visitor access enabled. Attempting to enable an additional interface for visitor access will disable the previous interface.

Visitor Access

Users can be grouped in two logical groups: employees and visitors. By default, all users belong to the visitors group without access to servers in the LAN. Employees have access to the Intranet (servers that are running in the LAN), meanwhile visitors have access only to the Internet with no way to connect and use services from servers running in the LAN. By default, clients connected on the WLAN and LAN cannot communicate among them-selves. This is prevented by default firewall rules. See the picture below to view the difference between employee and visitor traffic:

Gemtek Systems Page 100

GemTek Technology AP930621G User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual