Hewlett Packard Enterprise 55010016-2, 55010016-1 User Manual

Chapter 15: Customizing the public access interface 194

DRAFT

Source code for the internal pages

This section presents commented source code for the default internal pages.

Important: Do not create your own pages by saving a page from within your web browser. The server side code is removed when you do this and the resulting pages will not work. Use the examples in this section or those on the CD in \HTML\Colubris\Internal as the basis for your pages.

<!-- iPass <WISPAccessGatewayParam> <Redirect> <MessageType>100</MessageType> <ResponseCode><% iPassGetRedirectResponseCode(); %></ResponseCode> <AccessProcedure><% iPassGetAccessProcedure(); %></AccessProcedure> <LocationName><% iPassGetLocationName(); %></LocationName> <AccessLocation><% iPassGetAccessLocation(); %></AccessLocation> <LoginURL><% iPassGetLoginUrl(); %></LoginURL> <AbortLoginURL><% iPassGetAbortLoginUrl(); %></AbortLoginURL> </Redirect> </WISPAccessGatewayParam>

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd"> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <meta http-equiv="Expires" CONTENT="0"> <meta http-equiv="Cache-Control" CONTENT="no-cache"> <meta http-equiv="Pragma" CONTENT="no-cache"> <title>Login</title>

.labels { font-family: verdana, sans-serif; }

#title { font-size: 14px; color: #000000; padding-left: 5px; } #tags { font-size: 10px; color: #000000; } #error { font-size: 12px; color: #CC0000; font-weight: bold; }

#input { font-family: verdana, sans-serif; font-size: 11px;

Chapter 15: Customizing the public access interface 195

width: 120px; color: #003366; }

#submit { font-family: verdana, sans-serif; font-size: 10px; font-weight: bold; color: #003366; }

--> </style> <script language="Javascript"> //Make sure the required information was entered

function setfocus() { if (document.forms[0]) { document.forms[0].elements[0].focus(); } }

//--> </script> </head> <body bgcolor="#FFFFFF" onLoad="setfocus();">

DRAFT

<br>

<table border="0" width="300" cellspacing="0" cellpadding="3" bgcolor="#CC0033"> <tr> <td align="center" valign="middle" colspan="2"> <table border="0" width="300" cellspacing="0" cellpadding="4" bgcolor="#E6E6E6"> <tr> <td align="right"> <span class="labels" ID="tags">Username:</span> </td> <td> <input type="text" name="username" maxlength="30" size="32"> </td> <td> </td> </tr> <tr> <td align="right"> <span class="labels" ID="tags">Password:</span>

Chapter 15: Customizing the public access interface 196

</td> <td> <input type="password" name="password" maxlength="30" size="32"> </td> <td valign="bottom"> <input type="submit" name="login" value="Go >>"> </td> </tr> <tr> <td> <input type="hidden" name="original_url" value=<%GetOriginalUrl();%>> </td> </tr> </table> </td> </tr> </table>

</td></tr> </table>

</form>

</body> </html>

DRAFT

Transport page

<!-- iPass <WISPAccessGatewayParam> <AuthenticationReply> <MessageType>120</MessageType> <ResponseCode><% iPassGetLoginResponseCode(); %></ResponseCode> <ReplyMessage><% GetRadiusReplyMessage(); %></ReplyMessage> <LogoffURL><% iPassGetLogoffUrl(); %></LogoffURL> </AuthenticationReply> </WISPAccessGatewayParam>

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <meta http-equiv="Expires" CONTENT="0"> <meta http-equiv="Cache-Control" CONTENT="no-cache"> <meta http-equiv="Pragma" CONTENT="no-cache"> <meta http-equiv="refresh" content="1; URL=<%GetWelcomeUrl();%>"> <title>Transport</title>

// Define the size of your remote window in pixels with "width" and "height." remote = window.open("","sessionwin","width=240,height=400,toolbar=0,location=0,directories=0,status=0,me nubar=0,scrollbars=1,resizable=1"); if (remote.blur) remote.focus();

// Put the full url of your remote document where you see "URL". remote.location.href = "<%GetSessionUrl();%>";

Chapter 15: Customizing the public access interface 197

if (remote.opener == null) remote.opener = window; remote.opener.name = "opener"; }

//--> </script>

</head> <body onload="opensessionwin();" bgcolor="#FFFFFF">

<font face="verdana, arial, helvetica" size="2"> <h4>This should take 1 second...</h4>

If you are not redirected within a few seconds, please <a href="<%GetWelcomeUrl();%>">click here</ a>. If you have JavaScript disabled and the session page doesn't appear, please <a href="<%GetSessionUrl();%>">click here</a>.

</font>

</body> </html>

DRAFT

Session page

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <meta http-equiv="Expires" CONTENT="0"> <meta http-equiv="Cache-Control" CONTENT="no-cache"> <meta http-equiv="Pragma" CONTENT="no-cache"> <% SetSessionRefreshInterval("20");%> <title>Session</title> </head> <body bgcolor="#FFFFFF">

<table border="0" cellpadding="0" cellspacing="5" align="center" style="border:1px dotted #CC0000"> <tr> <td colspan="2" align="center"> <img src="/logo.gif" alt="" width="125" height="50" border="0"></td> </tr> <tr> <td colspan="2"> <font face="verdana" size="3"><b>Session</b></font> </td> </tr> <tr> <td colspan="2" align="center"> <hr noshade size="1" color="#CCCCCC"> <font face="verdana" size="1" color="#FF0000"> Please bookmark this page for logout </font> <hr noshade size="1" color="#CCCCCC"> </td> </tr> <tr> <td align="right"><font face="verdana" size="1">Status:</font></td> <td><font face="verdana" size="1"><b><% GetSessionStateMessage(); %></b></font></td> </tr> <tr> <td align="right"><font face="verdana" size="1">Session Time (Cur/Left/Max):</font></td>

Chapter 15: Customizing the public access interface 198

<td><font face="verdana" size="1"><b><% GetSessionTime(); %> / <% GetSessionRemainingTime(); %> / <% GetMaxSessionTime(); %></b></font></td> </tr> <tr> <td align="right"><font face="verdana" size="1">Idle time (Cur/Left/Max):</font></td> <td><font face="verdana" size="1"><b><% GetSessionIdleTime(); %> / <% GetSessionRemainingIdleTime(); %> / <% GetMaxSessionIdleTime(); %></b></font></ td> </tr> <tr> <td align="right"><font face="verdana" size="1">Received Packets (Cur/Left/Max):</font></td> <td><font face="verdana" size="1"><b><% GetSessionInputPackets(); %> / <% GetSessionRemainingInputPackets(); %> / <% GetMaxSessionInputPackets(); %></ b></font></td> </tr> <tr> <td align="right"><font face="verdana" size="1">Received Octets (Cur/Left/Max):</font></td> <td><font face="verdana" size="1"><b><% GetSessionInputOctets(); %> / <% GetSessionRemainingInputOctets(); %> / <% GetMaxSessionInputOctets(); %></b></ font></td> </tr> <tr> <td align="right"><font face="verdana" size="1">Transmit Packets (Cur/Left/Max):</font></td> <td><font face="verdana" size="1"><b><% GetSessionOutputPackets(); %> / <% GetSessionRemainingOutputPackets(); %> / <% GetMaxSessionOutputPackets(); %></ b></font></td> </tr> <tr> <td align="right"><font face="verdana" size="1">Transmit Octets (Cur/Left/Max):</font></td> <td><font face="verdana" size="1"><b><% GetSessionOutputOctets(); %> / <% GetSessionRemainingOutputOctets(); %> / <% GetMaxSessionOutputOctets(); %></ b></font></td> </tr> <tr> <td colspan="2" align="right" valign="bottom"> <form action="/goform/HtmlLogout" method="post" > <input type="submit" name="logoutsession" value="Logout"> </form> </td> </tr> </table>

DRAFT

Fail page

</body> </html>

<!-- iPass <WISPAccessGatewayParam> <LogoffReply> <MessageType>130</MessageType> <ResponseCode><% iPassGetLogoutResponseCode(); %></ResponseCode> </LogoffReply> </WISPAccessGatewayParam>

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <meta http-equiv="Expires" CONTENT="0"> <meta http-equiv="Cache-Control" CONTENT="no-cache"> <meta http-equiv="Pragma" CONTENT="no-cache">

Chapter 15: Customizing the public access interface 199

<title>Window</title> </head> <body bgcolor="#FFFFFF">

</body> </html>

DRAFT

Chapter 15: Customizing the public access interface 200

DRAFT

Source code for the external pages

Sample external pages are provided on the CD in the folder \HTML\Colubris\External. Three versions are included for each page: HTML, ASP, and PHP.

Welcome page

HTML

<!-This file remains on your webserver and is fully customisable by you. You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling welcome-url is: welcome-url=https://207.35.116.198:8888/colubris-php/ welcome.php?site=%s&user=%u&wantedurl=%o

-->

<title>Welcome</title> </head> <body>

Welcome

</body> </html>

ASP

<!-This file remains on your webserver and is fully customisable by you. You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling welcome-url is: welcome-url=https://207.35.116.198:8888/colubris-php/ welcome.php?site=%s&user=%u&wantedurl=%o

-->

<%@ Language=VBScript %> <%

site = Request("site")

user = Request("user")

wantedurl = Request("wantedurl") %> <html> <head>

<title>Welcome</title> </head> <body>

Welcome <%=user%>, to <%=site%> <br> The URL you were trying to access was <a href="<%=wantedurl%>"><%=wantedurl%></a>.

</body> </html>

Chapter 15: Customizing the public access interface 201

DRAFT

PHP

<!-This file remains on your webserver and is fully customisable by you. You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling welcome-url is: welcome-url=https://207.35.116.198:8888/colubris-php/ welcome.php?site=%s&user=%u&wantedurl=%o

-->

<? /*

PHP makes QUERY STRING variables immediatly available to any

PHP scripts you embed in your file. */ ?>

<title>Welcome</title> </head> <body>

Welcome <? echo $user; ?>, to <? echo $site; ?> <br> The URL you were trying to access was <a href="<? echo $wantedurl; ?>"><? echo $wantedurl; ?></ a>.

Goodbye page

</body> </html>

HTML

<!-This file remains on your webserver and is fully customisable by you. For example, in this file the calling goodbye-url is: goodbye-url=https://207.35.116.198:8888/colubris-php/goodbye.php?site=%s&user=%u

-->

<title>Logout</title> </head> <body>

Thank you.

</body> </html>

ASP

<!-This file remains on your webserver and is fully customisable by you.

For example, in this file the calling goodbye-url is: goodbye-url=https://207.35.116.198:8888/colubris-php/goodbye.php?site=%s&user=%u

-->

<%@ Language=VBScript %> <%

site = Request("site")

user = Request("user")

Chapter 15: Customizing the public access interface 202

wantedURL = Request("wantedURL") %> <html> <head>

<title>Logout</title> </head> <body>

Thank you <%=user%>

</body> </html>

DRAFT

PHP

<!-This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling goodbye-url is: goodbye-url=https://207.35.116.198:8888/colubris-php/goodbye.php?site=%s&user=%u

-->

<? /*

PHP makes QUERY STRING variables immediatly available to any

PHP scripts you embed in your file.

*/ ?>

<title>Logout</title> </head> <body>

Thank you <? echo $user; ?>.

</body> </html>

HTML

<!-This file remains on your webserver and is fully customisable by you. You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling login-err-url is: login-err-url=https://207.35.116.198:8888/colubris-php/login-error.php?site=%s&user=%u

-->

<title>Login Error</title> </head> <body>

There has been a login error.

Chapter 15: Customizing the public access interface 203

</body> </html>

DRAFT

ASP

<!-This file remains on your webserver and is fully customisable by you. You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling login-err-rl is: login-err-url=https://207.35.116.198:8888/colubris-php/login-error.php?site=%s&user=%u

-->

<%@ Language=VBScript %> <%

site = Request("site")

user = Request("user")

wantedurl = Request("wantedurl") %> <html> <head>

<title>Login Error</title> </head> <body> Sorry <%=user%><br> There has been a login error.

</body> </html>

PHP

<!-This file remains on your webserver and is fully customisable by you.

You also have access to the CGI variables which are defined in the URL that calls this page.

For example, in this file the calling login-err-url is: login-err-url=https://207.35.116.198:8888/colubris-php/login-error.php?site=%s&user=%u

-->

<? /*

PHP makes QUERY STRING variables immediately available to any

PHP scripts you embed in your file.

*/ ?>

<title>Login Error</title> </head> <body> Sorry <? echo $user; ?>.<br> There has been a login error.

</body> </html>

Chapter 15: Customizing the public access interface 204

DRAFT

Remote login page

.labels { font-family: verdana, sans-serif; }

#title { font-size: 14px; color: #000000; padding-left: 5px; } #tags { font-size: 10px; color: #000000; } #error { font-size: 12px; color: #CC0000; font-weight: bold; }

#input { font-family: verdana, sans-serif; font-size: 11px; width: 120px; color: #003366; }

#submit { font-family: verdana, sans-serif; font-size: 10px; font-weight: bold; color: #003366; }

--> </style> <script language="Javascript"> //Make sure the required information was entered

function setfocus() { if (document.forms[0]) { document.forms[0].elements[0].focus(); } }

//--> </script> </head> <body bgcolor="#FFFFFF" onLoad="setfocus();">

Chapter 15: Customizing the public access interface 205

<br>

DRAFT

</td></tr> </table>

</form>

</body> </html>

Chapter 15: Customizing the public access interface 206

DRAFT

Chapter 16: Customizing CN3200 and customer settings 207

Chapter 16: Customizing CN3200 and customer settings

DRAFT

Chapter 16

Customizing CN3200 and customer settings

This chapter presents a summary of the configuration settings you can define to customize the operation of your public access network and customer accounts.

Chapter 16: Customizing CN3200 and customer settings 208

DRAFT

Overview

The CN3200 uses a third-party RADIUS server to store configuration settings for customer accounts, accounting data, as well as certain operating settings for the public access network. The configuration settings are stored in profiles, which you must create before the public access interface can be used.

The minimum setup you must define is as follows:

• Define RADIUS client settings for the CN3200

Any device that uses the authentication services of a RADIUS server is called a RADIUS client. Therefore, each CN3200 is considered to be a RADIUS client and you must define client settings for each one that you intend to install.

See page 213 for details.

• Create a RADIUS profile for the CN3200

Before it can activate the public access interface, the CN3200 must log into a RADIUS server and retrieve certain operating settings which you must define. Therefore, you must create at least one RADIUS profile for use by the CN3200. If you have multiple CN3200s, they can all be associated with a single RADIUS profile.

See page 214 for details.

• Create a RADIUS profile for one or more customers

The customer profile is used to authenticate customers when they login. It contains settings that define the characteristics of their account.

Chapter 16: Customizing CN3200 and customer settings 209

DRAFT

RADIUS attributes

Attributes are configuration parameters that you can attach to a RADIUS profile. The CN3200 supports standard RADIUS attributes and a Colubris Networks vendor-specific attribute.

Standard RADIUS attributes

The CN3200 supports the following RADIUS attributes. (Attributes starting with MS are Microsoft and are not standard.)

Access Request

• Acct-Session-Id

• NAS-Port

• NAS-Port-Type

• User-Name

• Calling-Station-Id

• Called-Station-Id

• User-Password

• CHAP-Password

• CHAP-Challenge

• MSCHAP-Challenge

• MSCHAP-Response

• MSCHAPv2-Response

• EAP-Message

• State

• NAS-Identifier

• NAS-Ip-Address

• Framed-MTU

• Connect-Info

• Service-Type

• Message-Authenticator

Access Accept

• MS-MPPE-Recv-Key

• MS-MPPE-Send-Key

• Service-Type

• EAP-Message

• Class

• Idle-Timeout

• Session-Timeout

• Acct-Interim-Interval

• Tunnel-type

• Tunnel-meduim-type

• Tunnel-private-group

Access Reject

• MSCHAP-Error

• Reply-Message

• EAP-Message

Access Challenge

• EAP-Message

• State

Accounting Request

•User-Name

• NAS-Port

• NAS-Port-Type

• NAS-Identifier

• NAS-Ip-Address

• Acct-Status-Type

• Calling-Station-Id

• Called-Station-Id

• Acct-Event-Timestamp

• Acct-Delay-Time

• Acct-Session-Id

• Acct-Authentic

• Acct-Session-Time

• Acct-Input-Octets

• Acct-Input-Gigawords

• Acct-Input-Packets

• Acct-Output-Octets

• Acct-Output-Gigawords

• Acct-Output-Packets

• Acct-Terminate-Cause

• Class

• Framed-Ip-Address

Accounting Response

• No attribute

Interim accounting updates

To enable interim accounting updates for each customer you must define a value for the RADIUS attribute Acct-Interim-Interval. This sets the frequency with which the CN3200 will send accounting information to the RADIUS server.

Chapter 16: Customizing CN3200 and customer settings 210

DRAFT

Colubris Networks vendor-specific attributes

In certain cases, the set of standard RADIUS attributes needs to be extended to specify custom settings for specific types of equipment. These are called vendorspecific attributes. Colubris Networks has defined two vendor-specific attributes to support special features on the CN3200, such as the customization of the web interface and the security certificate. This attribute are:

• Colubris-AVPair

• Colubris-Intercept

These attributes conform to RADIUS RFC 2865.

You may need to define these attributes on your RADIUS server if they are not already present. In this case, you need to specify the following:

Colubris-AVPair

• SMI network management private enterprise code = 8744

• Vendor-specific attribute type number = 0

• Attribute type = string

Colubris-Intercept

• SMI network management private enterprise code = 8744

• Vendor-specific attribute type number = 1

• Attribute type = integer

Attribute value summary

The following values are permitted for the Colubris-AVPair attribute. These values are described in greater detail later in this chapter and in Chapter 15.

Important: It is important to specify the attribute values exactly as shown below. Adding extra spaces between options will result in errors.

CN3200 profile

access-list= name,action,protocol,address,port,[account,[interval]] use-access-list=usename white-list=protocol,address,[port] ssl-certificate=URL [%s] [%n] configuration-file=URL [%s] [%n] mac-address=address[,username[,password]] default-user-idle-timeout=seconds

default-user-smtp-redirect=hostname:port

default-user-session-timeout=seconds login-page= URL_of_page transport-page= URL_of_page session-page= URL_of_page fail-page= URL_of_page logo= URL_of_gif_file messages= URL_of_text_file welcome-url= URL_of_page [placeholder] goodbye-url= URL_of_page [placeholder] login-err-url= URL_of_page [placeholder] login-url= URL_of_the_page [placeholder] ssl-noc-certificate= URL_of_the_Certificate ssl-noc-ca-certificate= URL_of_the_certificate

Customer profile

smtp-redirect=hostname:port use-access-list=usename one-to-one-nat=value max-input-packets=value max-output-packets=value max-input-octets=value max-output-octets=value welcome-url= URL_of_page [placeholder] goodbye-url= URL_of_page [placeholder] login-err-url= URL_of_page [placeholder] group=value essid=value

Chapter 16: Customizing CN3200 and customer settings 211

DRAFT

RADIUS limitations

The maximum number of attributes the CN3200 can receive in one request is limited by the maximum packet size of the UDP protocol which is 64K. Some networks may drop fragmented UDP packets which may leave you with less than the maximum size.

Chapter 16: Customizing CN3200 and customer settings 212

DRAFT

Terminate-AcctCause values

Terminate Acct Cause values are supported as follows:

ID Cause Notes

1 User Request Supported. Indicates that the customer logged

out.

2 Lost Carrier Supported. Indicates that the client station is no

longer alive.

4 Idle Timeout Supported. Customer exceeded the idle timeout

value defind for the session.

5 Session Timeout Supported. Customer exceeded maximum time

defined for the session.

6 Admin Reset Supported. Customer session was terminated by

the CN3200 administrator via SNMP or the management tool.

7 Admin Reboot Not Supported. (not applicable)

8 Port Error Supported. If two customers are detected using

the same IP address, both are logged out with this error. Another cause is if an error is encountered in an access list definition. For example, an invalid host was specified.

9 NAS Error Not Supported. (not applicable)

10 NAS Request Not Supported. (not applicable)

11 NAS Reboot Supported. Customer was logged out because

the CN3200 was restarted.

12 Port Unneeded Not Supported. (not applicable)

13 Port Preempted Not Supported. (not applicable)

14 Port Suspended Not Supported. (not applicable)

15 Service

Unavailable

16 Callback Not Supported. (not applicable)

17 User Error Supported. An 801.1x client initiated a second

18 Host Request Not Supported. (not applicable)

0x8744

(34628 decimal)

Termination Colubris-specific termination cause. See page

Not Supported. (not applicable)

authentication request for a customer, and this request was refused.

229 for details.

Chapter 16: Customizing CN3200 and customer settings 213

DRAFT

Creating a RADIUS client entry for the CN3200

Any device that uses the authentication services of a RADIUS server is called a RADIUS client (or RAS client on some systems). Therefore, each CN3200 is considered to be a RADIUS client and you must define client settings for each one that you intend to install.

Configuration settings

Managing shared secrets

You may need to supply the following information when setting up a RADIUS client entry:

• Client IP address: This is the IP address assigned to the CN3200’s Internet

port. If the CN3200 is using a PPTP connection to communicate with the RADIUS server, then this is the address assigned to the CN3200 by the PPTP server.

• Shared secret: Secret the CN3200 will use to authenticate the packets it

receives from the RADIUS server.

If you are using a PPPoE, DHCP, or PPTP VPN connection when communicating with the RADIUS server, make sure that the shared secret for each CN3200 is the same. Also, ensure that all possible IP addresses have been configured on the RADIUS server.

The username and password assigned to each CN3200 can be different, enabling you to differentiate between devices.

Chapter 16: Customizing CN3200 and customer settings 214

DRAFT

Creating a profile for the CN3200 on the RADIUS server

Before it can activate the public access interface, the CN3200 must log into a RADIUS server and retrieve certain operating settings that you must define. Therefore, you must create at least one RADIUS profile for use by the CN3200. If you have multiple CN3200s, they can all be associated with a single RADIUS profile.

Supported standard RADIUS attributes

This section presents all standard RADIUS attributes that are supported by a CN3200 profile.

Note: In the following definitions, strings are defined as 1 to 253 characters in length.

Access request

• Acct-Session-Id (32-bit unsigned integer): Random value generated per

authentication by the CN3200.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

RADIUS profile being used.

• NAS-Ip-Address 32-bit unsigned integer): The IP address of the port the

CN3200 is using to communicate with the RADIUS server.

• NAS-Port (32-bit unsigned integer): Always 0.

• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents

WIRELESS_802_11.

• Calling-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• Called-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• User-Name (string): The username assigned to the CN3200 on the Security >

Authentication page.

• User-Password (string): The password assigned to the CN3200 on the

Security > Authentication page. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to PAP.

• CHAP-Password (string): The password assigned to the CN3200 on the

Security > Authentication page. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to CHAP.

• CHAP-Challenge (string): Randomly generated by the product. As defined in

RFC 2865. Only present when the authentication method for the RADIUS profile is set to CHAP. Length = 19 bytes.

• MSCHAP-Challenge (string): As defined in RFC 2433. Only present when the

authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes.

• MSCHAP-Response (string): As defined in RFC 2433. Only present when the

authentication method for the RADIUS profile is set to MSCHAPv1. Length = 49 bytes.

• MSCHAPv2-Response (string): As defined in RFC 2759. Only present when

the authentication method for the RADIUS profile is set to MSCHAPv2. Length = 49 bytes.

• EAP-Message (string): As defined in RFC 2869. Only present when the

authentication method for the RADIUS profile is set to EAP-MD5.

Chapter 16: Customizing CN3200 and customer settings 215

• State (string): As defined in RFC 2865.

• Framed-MTU (32-bit unsigned integer): Hard-coded to 1496.

• Connect-Info (string): The string "HTTPS".

• Service-Type (32-bit unsigned integer): As defined in the config.cfg file. Token

name = service-type-device.

• Message-Authenticator (string): As defined in RFC 2869. Always present even

when not doing an EAP authentication. length = 16 bytes.

• Colubris-AVPair: See the description in the section that follows.

DRAFT

Access accept

• Acct-Interim-Interval (32-bit unsigned integer): When present, it enables the

transmission of RADIUS accounting requests of the Interim Update type. Specify the number of seconds between each transmission.

• Session-Timeout (32-bit unsigned integer): Maximum time a session can be

active. The CN3200 re-authenticates itself when this timer expires. Omitting this attribute or specifying 0 will disable the feature. (Note that the authentication interval is also configurable on the Security > Authentication page.

• Idle-Timeout (32-bit unsigned integer): Not supported.

• Class (string): As defined in RFC 2865.

• EAP-Message (string): Only supported when authentication is EAP-MD5. Note

that the content will not be read as the RADIUS Access Accept is overriding whatever indication contained inside this packet.

• Colubris-AVPair: See the description in the section that follows.

Access reject

None.

Access challenge

None.

Accounting request

Accounting information is generated by default. To disable accounting support, open the Security > Authentication -> Advanced Settings page.

• Acct-Session-Id (32-bit unsigned integer): Random value generated by the

CN3200.

• NAS-Identifier (string): The NAS ID set on the Security > RADIUS page for the

profile being used.

• NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the

CN3200 is using to communicate with the RADIUS server.

• NAS-Port (32-bit unsigned integer): Always 0.

• NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents

WIRELESS_802_11.

• Calling-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

• Called-Station-Id (string): The MAC address of the CN3200’s LAN port in IEEE

format. For example: 00-02-03-5E-32-1A.

Chapter 16: Customizing CN3200 and customer settings 216

• User-Name (string): The RADIUS username assigned to the CN3200 on the

Security > Authentication page.

• Class (string). As defined in RFC 2865.

• Framed-IP-Address (32-bit unsigned integer): IP Address of the CN3200’s LAN

port.

• Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-

On (7) and Accounting-Off (8).

• Acct-Event-Timestamp (32-bit unsigned integer): As defined in RFC 2869.

• Acct-Delay-Time (32-bit unsigned integer): As defined in RFC 2869.

• Acct-Authentic (32-bit unsigned integer): Always set to 1 which means

RADIUS.

DRAFT

Accounting response

None.

Colubris-AVPair attribute

For each CN3200 profile you can specify one or more instances of a ColubrisAVPair attribute that will be returned upon successful authentication (RADIUS Accept). Possible values for all instance are grouped into the following

categories:

Feature Description

Custom HTML pages and URLs, and supporting files

Access list Enables you to create one or more access

White list The white list defines the set of network

Custom security certificate Enables you to replace the Colubris Networks

Configuration file Enables you to store a configuration file at a

MAC authentication Enables you to authenticate devices based on

Enables you to customize the public access interface. See Chapter 15 for details.

groups which define the set of network resources that are available to authenticated customers.

resources that are available to customers before they are authenticated.

certificate with your own.

central location to automatically update all your CN3200s.

their MAC addresses.

Access lists

Default user idle timeout Default idle timeout for all customers.

Default user session timeout Default session timeout for all customers.

Default SMTP server Default SMTP server to use for email redirection.

The value of a Colubris-AVPair attribute is always a string. These strings are always of the form: <item>=<value>

Access lists enable you to create public areas on your network that all customers can browse, and protected areas that are restricted to specific customer accounts or groups.

Chapter 16: Customizing CN3200 and customer settings 217

DRAFT

Each access list is a set of rules that governs how the CN3200 controls access to network resources. You can create multiple access lists, each with multiple rules to manage the traffic on your public access network.

Default setting

By default no access lists are defined. This means that:

• Unauthenticated customers cannot reach any network resources other than

the CN3200 login page.

• Authenticated customer have access to any network resource connected to the

CN3200’s Internet port.

How access lists work

Each customer and each access point can be associated with its own access list. Incoming traffic cascades through the currently active lists. Traffic that is accepted or denied by a list is not available to the list that follows it. Traffic that passes through all lists without being accepted or denied is dropped.

Customer session

Site Profile Access List

DENY

Unauthenticated

Customer Profile Access List

DENY

How traffic flows through the access lists.

NO MATCH ACCEPT

White List

NO MATCH ACCEPT

Authenticated and no user access list exists

Authenticated and an access list exists

NO MATCH ACCEPT

Internet portDropped

Note: The white list is a less-powerful version of the access list that is maintained for compatibility with previous releases. Its functionality is completely superseded by the access list feature. The access list feature should be used in its place.

Chapter 16: Customizing CN3200 and customer settings 218

DRAFT

Within each access list, traffic cascades through the list rules in a similar manner.

Incoming traffic

Rule 1

DENY

Rule 2

DENY

Rule 3

DENY

NO MATCH

DENY

How traffic flows through the access list rules.

NO MATCH ACCEPT

Rules are numbered according to the order in which they are added. Only data that is not accepted or denied by a rule is available to the next rule in the list.

Accounting support

Each rule in an access list can be configured with an account name for billing purposes. The CN3200 will send billing information based on the amount of traffic matched by the rule.

This lets you create rules to track and bill traffic to particular destinations.

Tips on using the access list

With certificates

• If you replaced the default SSL certificate on the CN3200 with one signed by a

well-known CA, you should define the access list to permit access to the CA certificate for all non-authenticated customers. This enables the customer’s browser to verify that the certificate is valid without displaying any warning messages.

• Customers may have configured their web browsers to check all SSL

certificates against the Certificate Revocation List (CRL) maintained by the CA that issued the certificate. The location of the CRL may be configured in the browser, or embedded in the certificate. The access list should be configured to permit access to the CRL, otherwise the customer’s browser will time out before displaying the login page.

Remote login page

If you are using the remote login page feature, make sure that access to the web server hosting the page must is granted to all unauthenticated customers.

SMTP redirect

If an unauthenticated customer establishes a connection to their email server, the SMTP redirect feature will not work once the customer logs in. The customer’s email will still be sent to the original email server.

To avoid this, do not use an access list to open TCP port 25 for unauthenticated customers.

Chapter 16: Customizing CN3200 and customer settings 219

DRAFT

Defining and activating access lists

Access lists are defined by adding the following Colubris-AVPair value string to the RADIUS profile for a CN3200.

access-list=value

Access lists are activated by adding the following Colubris-AVPair value string to the RADIUS profile for a CN3200 or a customer.

use-access-list=value

You can define up to 32 access lists. Only one list can be active per profile.

The access list is applied before the white list.

Colubris-AVPair value string

access-list= name,action,protocol,address,port,[account,[interval]]

use-access-list=usename

Where:

Parameter Description

name

usename

action

protocol

address

port

Specify a name (up to 32 characters long) to identify the access list this rule applies to. If a list with this name does not exist, a new list is created. If a list with this name exists, the rule is added to it.

Specify the name of an existing access list. This list is activated for the current profile. Lists are checked in the order they are activated.

Specify what action the rule takes when it matches incoming traffic. Two options are available:

• ACCEPT - Allow traffic matching this rule.

• DENY - Reject traffic matching this rule.

Specify the protocol to check: tcp, udp, icmp, all

Specify one of the following:

• IP address or domain name (up to 107 characters in length)

• Subnet address. Include the network mask as follows: address/subnet mask For example: 192.168.30.0/24

• Use the keyword all to match any address.

• Use the keyword none if the protocol does not take an address range (ICMP for example).

Specify a specific port to check or a port range as follows:

• none - Used with ICMP (since it has no ports).

• all - Check all ports.

• 1-65535[:1-65535] - Specify a specific port or port range.

account

interval

Specify the name of the customer account the CN3200 will send billing information to for this rule. Account names must be unique and can be up to 32 characters in length.

Specify time between interim accounting updates. If you do not enable this option, accounting information is only sent when a customer connection is terminated. Range: 5-99999 seconds in 15 second increments.

Chapter 16: Customizing CN3200 and customer settings 220

DRAFT

Note: Spaces can be used instead of commas as separators.

Example

This topology shows wireless deployment for a fictitious university campus.

The RADIUS profile for the CN3200 contains:

access-list=everyone,ACCEPT,tcp,192.168.50.2,80

access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500 access-list=students,ACCEPT,all,192.168.40.0/24,all access-list=students,DENY,all,192.168.20.0/24,all access-list=students,DENY,all,192.168.30.0/24,all access-list=students,ACCEPT,all,all.all,student_internet_use,5000

access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500 access-list=faculty,ACCEPT,all,192.168.30.0/24,all access-list=faculty,DENY,all,192.168.20.0/24,all access-list=faculty,DENY,all,192.168.40.0/24,all access-list=faculty,ACCEPT,all,all.all,faculty_internet_use,5000

use-access-list=everyone

The RADIUS profile for the students contains:

use-access-list=students

The RADIUS profile for the faculty contains:

use-access-list=faculty

This definition creates three access lists: everyone, students, and faculty.

Everyone

This list applies to all users (students, teachers, guests), whether they are authenticated or not. This is because the list is active on the CN3200, which is accomplished with the entry:

use-access-list=everyone

It enables everyone to access the public web server.

Students

This list applies to authenticated students only. It is composed of the following entries:

access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500

Enables web traffic to the registration web server. Accounting data is recorded in the account students_reg.

access-list=students,ACCEPT,all,192.168.40.0/24,all

Enables traffic to reach the student segment.

access-list=students,DENY,all,192.168.20.0/24,all access-list=students,DENY,all,192.168.30.0/24,all

These two entries deny access to the faculty subnet and the NOC.

access-list=students,ACCEPT,all,all.all,student_internet_use,5000

Enables all other traffic to reach the Internet (via routers on the backbone LAN and the router in the NOC). If this last rule did not exist, this traffic would be dropped.

Chapter 16: Customizing CN3200 and customer settings 221

Faculty

This list applies to authenticated faculty members only. It is composed of the following entries:

access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500

Enables web traffic to the registration web server. Accounting data is recorded in the account faculty_reg.

access-list=faculty,ACCEPT,all,192.168.30.0/24,all

Enables traffic to reach the faculty segment.

access-list=faculty,DENY,all,192.168.20.0/24,all access-list=faculty,DENY,all,192.168.40.0/24,all

These two entries deny access to the student subnet and the NOC.

access-list=faculty,ACCEPT,all,all.all,faculty_internet_use,5000

Enables all other traffic to reach the Internet (via routers on the backbone LAN and the router in the NOC). If this last rule did not exist, this traffic would be dropped.

DRAFT

White list

A white list enables you to specify the set of network resources that an unauthenticated customer has access to. You can define a specific white list for each CN3200. These definitions are automatically implemented by the CN3200 by adding the appropriate rules to the firewall.

Note: The white list has been superseded by the access list feature. However, the white list remains supported for backwards compatibility.

Colubris-AVPair value string

white-list=protocol,address,[port]

Where:

Parameter Description

protocol

address

port1

Specify the protocol to allow traffic on: tcp, udp, icmp, all.

Specify the IP address or domain name of a host, or the IP address of a subnet. Use the keyword all to match any address. When specifying an IP subnet you must include the network mask in the following format:

address/subnet mask

Specify the specific port to allow traffic on, or a range. Not valid if the all option is used for protocol. Use the following syntax to specify a range:

1-65535[:1-65535]

A range must be suppled for tcp or udp. A single port must be specified for icmp.

Note: Spaces can be used instead of commas as separators.

The white list applies to the CN3200 itself, and all client stations connected to it. This means that if you are using customized URLs for the public access interface, the URLs for the Login Error and Goodbye pages must specify hosts that are included in the white list.

You can specify up to 128 Colubris-AVPair values containing white list definitions.

Chapter 16: Customizing CN3200 and customer settings 222

DRAFT

Examples

white-list=all,192.168.1.10 white-list=tcp,adm.colubris.com,80:90 white-list=udp,192.168.1.0/255.255.255.0,8090:8090 white-list=tcp,192.168.1.0/24,443

Custom SSL certificate

The CN3200 can retrieve a custom SLL security certificate to replace the Colubris Networks certificate that is included by default. For more information on certificates, see Chapter 14.

Colubris-AVPair value string

ssl-certificate=URL [%s] [%n]

Where:

Parameter Description

URL

By using the following placeholder, you can customize the URL for each CN3200. This is useful when you need to update multiple units.

Placeholder Description

%s The login name assigned to the CN3200.

The certificate is encoded using PKCS#12 format, and will contain:

• the private key of the web server

• the certificate of the web server

The file is locked using a password.

Specify the URL that points to the new certificate.

The NAS ID assigned to the CN3200.

Configuration file

Example

ssl-certificate=http://www.colubris.com/%s_certificate

The CN3200 can retrieve and load a new configuration file automatically, based on an URL you specify.

Colubris-AVPair value string

configuration-file=URL [%s] [%n]

Where:

Parameter Description

URL

By using the following placeholder, you can customize the URL for each CN3200. This is useful when you need to update multiple units.

Placeholder Description

%s The login name assigned to the CN3200.

Specify the URL that points to the new configuration file.

The NAS ID assigned to the CN3200.

Example

configuration-file=http://www.colubris.com/%s_configfile

Chapter 16: Customizing CN3200 and customer settings 223

DRAFT

MAC authentication

The CN3200 can authenticate devices based on their MAC address. This is useful for authenticating devices that do not have a web browser (cash registers, for example). It can also be used to authenticate the CN300.

To make use of this feature you need to define a RADIUS user account for each device as follows:

• username: Set this to the username you specified in the mac-address value string. If no username is specified, set the account name to the MAC address of the device. Use dashes to separate characters in the address. For example: 00-20-E0-6B-4B-44.

• password: Set this to the password you specified in the mac-address value string. If no password is specified, set this to the same password that is used for the user account you defined for the CN3200 on the Security >

Authentication page.

Important: The username and password are not encrypted for transmission so it

is important that the link with the RADIUS server is secure.

Colubris-AVPair value string

mac-address=address[,username[,password]]

Where:

Parameter Description

address

Specify the MAC address of the device to authenticate. Use dashes to separate characters in the address. Do not use colons (:). For example: 00-20-E0-6B-4B-44.

Default user idle timeout

username

password

Specify the username to associate with this MAC address. Maximum 253 alphanumeric characters. The username field cannot contain a comma.

Specify the password to associate with this MAC address. Maximum 253 alphanumeric characters. The password field cannot contain a comma.

Example

Consider the scenario where several CN300s are installed with a CN3200. If the CN300s are going to perform firmware upgrades from a remote web or FTP server, they will need to log in to the public access network. By using MAC-based authentication, this can easily be accomplished. (This also requires that the access list on the CN3200 permits access to the web or FTP server.)

Use this to set the default idle timeout for all customers whose RADIUS profile does not contain a value for the RADIUS attribute idle-timeout.

Colubris-AVPair value string

default-user-idle-timeout=seconds

Where:

Parameter Description

seconds

Specify the maximum amount of time a customer session can be idle. Once this time expires, the session is automatically terminated. A value of 0 means no timeout.

+ 149 hidden pages