LevelOne AMG-2100, AMG-2101 User Manual

User’s Manual
AMG-2100 Gigabit Access and AP Management Gateway/
AMG-2101 Gigabit Access and AP Management Gateway Plus
V1.0
Table of Contents
1. Before You Start
1.1 Preface
1.2 Document Conventions
1.3 Package Checklist
2. System Overview and Getting Start
2.1 Introduction of AMG-2100/AMG-2101
2.1.1 Key Features
2.1.2 Who Uses AMG-2100/AMG-2101
2.2 System Concept
2.3 Hardware Description
2.3.1 Front Panel
2.3.2 Real Panel
2.4 Preparation before the Installation
2.5 Hardware Installation
2.6 Accessing Web Management Interface
3. Placing AMG-2100/AMG-2101 in a Network Environment
3.1 Network Requirement
3.2 Setting up WAN1 Port
3.2.1 Static IP
3.2.2 DHCP (Dynamic IP)
3.2.3 PPPoE
3.2.4 PPTP
3.3 Configuring WAN2 Port (optional)
3.4 Other WAN Traffic Settings
3.4.1 WAN Failover
3.4.2 Load Balance
3.4.3 Internet Connection Detection
3.4.4 WAN Bandwidth Control
3.5 LAN Partition -- Service Zone
3.5.1 Planning your internal network
3.5.2 Configure Service Zone network
3.5.3 Tag Base and Port Base
4. User Authentication and Grouping
4.1 Type of Users
4.1.1 Local
4.1.2 POP3
4.1.3 RADIUS
4.1.4 LDAP
4.1.5 NT Domain
4.1.6 On-Demand Users
4.2 Users Group
4.2.1 Assign users to a Group
4.2.2 Permission in Service Zone
4.3 User Login
4.3.1 Default Authentication
4.3.2 Login with postfix
4.3.3 Disable Authentication in Service Zone
5. Managing Wireless Network
5.1 AMG-2100/AMG-2101 with Multiple Type of AP
5.2 Configure AP Template
5.3 Discovery AP
5.4 AP with Service Zone
5.5 AP Security
5.6 Change managed AP settings
5.7 AP Operations from AP List
5.7.1 Reboot, Enable, Disable and Delete the AP
5.7.2 Apply Template
5.7.3 Change Service Zone
5.7.4 AP Background Discovery
5.7.5 Manually add AP
5.7.6 Firmware management and upgrade
6. Policies and Access Control
6.1 Black List
6.2 MAC Address Control
6.3 Policy
6.3.1 Firewall
6.3.2 Routing
6.3.3 Schedule
6.3.4 Sessions Limit
6.4 QoS Traffic Class and Bandwidth Control
7. Users’ Login and Logout
7.1 Before User Login
7.1.1 Login with SSL
7.1.2 Internal Domain Name with Certificate
7.1.3 Administrator Contact Information
7.1.4 Walled Garden
7.1.5 Walled Garden AD List
7.1.6 Mail Message
7.2 After User Login
7.2.1 Browse which Home Page after login success
7.2.2 Idle Timer
7.2.3 Multiple Login
7.2.4 DoS Attacker Denial Time
7.2.5 Local Users Change Password Privilege
7.2.6 On-demand Account Creation Privilege
7.2.7 Proxy Server
8. Networking Features of a Gateway
8.1 DMZ
8.2 Virtual Server
8.3 Privilege List
8.3.1 Privilege IP
8.3.2 Privilege MAC
8.4 IP Plug and Play
8.5 Dynamic Domain Name Service
8.6 Port and IP Redirect
9. System Management and Utilities
9.1 System Time
9.1.1 NTP
9.1.2 Manual Settings
9.2 Management IP
9.3 Access History IP
9.4 SNMP
9.5 Three-Level Administration
9.6 Change Password
9.7 Backup / Restore and Reset to Factory Default
9.8 Firmware Upgrade
9.9 Restart
9.10 Network Utility
9.10.1 Wake-on-LAN
9.10.2 Ping
9.10.3 Trace Route
9.10.4 Show ARP Table
9.11 Monitor IP Link
9.12 Console Interface
10. System Status and Reports
10.1 View the status
10.1.1 System Status
10.1.2 Interface Status
10.1.3 Hardware Information
10.1.4 Routing Table
10.1.5 Online Users
10.1.6 User Logs
10.1.7 Local User Monthly Network Usage
10.2 Notification
10.2.1 E-Mail
10.2.2 SYSLOG
10.2.3 FTP
11. Virtual Private Network (VPN)
11.1 Local VPN
11.2 Remote VPN
11.3 Site-to-Site VPN
12. Customization of Portal Pages
12.1 Customizable Pages
12.2 Loading a Customized Login Page
12.3 Load a Customized Logout Page
13. Payment Gateways
13.1 Payments via Authorize.Net
13.2 Payments via PayPal
13.3 Payments via SecurePay
13.4 Payments via World Pay
14. Additional Applications
14.1 Upload / Download Local Users Accounts
14.2 Backup and Restore On-demand Users Accounts
14.3 POP3 login with complete name format
14.4 RADIUS Advance settings
14.5 LDAP Advance settings - Attribute-Group Mapping
14.6 NT Transparent Login
14.7 Roaming Out
14.8 SIP Proxy
Appendix A. Network Configuration on PC & User Login
Appendix B. Policy Priority (Global Policy, Service Zone Policy, Authentication Policy and User Policy)
Appendix C. Monitoring 3rd Party AP
Appendix D. RADIUS Accounting
Appendix E. Net Retriever and Port Mapping
General Public License
This product incorporates open source code into the software and therefore falls under the guidelines governed by the General Public License (GPL) agreement.
Adhering to the GPL requirements, the open source code and open source license for the source code are available for free download at http://global.level1.com.
If you would like a copy of the GPL or other open source code in this software on a physical CD medium, LevelOne (Digital Data Communications) offers to mail this CD to you upon request, for a price of US$9.99 plus the cost of shipping.
1. Before You Start
1.1 Preface
This AMG-2100/AMG-2101 User Manual is for WLAN service providers or network administrators to set
up a network environment using the AMG-2100/AMG-2101 system. It contains step-by-step
procedures and graphic examples to guide MIS staff or individuals with basic network system
knowledge to complete the installation.
Besides this document, there is a “Quick Installation Guide” (QIG), which is for starting up
AMG-2100/AMG-2101 quickly. It is recommended to start with the QIG, and then refer to this manual
for further details. Some special topics are addressed separately in the Appendixes.
1.2 Document Conventions
Caution:
Represents essential steps, actions, or messages that should not be ignored.
Note:
Contains related information that corresponds to a topic.
Indicates that clicking this button will apply all of your settings.
Indicates that clicking this button will clear what you have set before the settings are applied.
The red asterisk indicates that information in this field is compulsory.
1.3 Package Checklist
The standard package of AMG-2100/AMG-2101 includes:
AMG-2100/AMG-2101 x 1
CD-ROM (with User’s Manual and QIG) x 1
Quick Installation Guide (QIG) x 1
Console Cable x 1
Crossover Ethernet Cable x 1
Straight-through Ethernet Cable x 1
Power Cord x 1
Rack Mounting Bracket (with Screws) x 1
Caution:
It is highly recommended to use all the supplies in the package, rather than substituting
components from other suppliers, to guarantee the best performance.
2. System Overview and Getting Start
2.1 Introduction of AMG-2100/AMG-2101
AMG-2100/AMG-2101 is an all-in-one product specially designed for wired and wireless data network
environments in mid-scale WLAN deployments. AMG-2100/AMG-2101 is a high-performance,
industrial-grade network appliance capable of supporting network access management for a larger
user base.
Access and AP Management Gateway products (AMG Series) feature integrated management, secured
data transmission, and enhanced accounting and billing. System administrators can effectively monitor
wired or wireless users, including employees and guest users via its user management interface.
Moreover, administrators can discover, configure, monitor, and upgrade all managed Access Points (APs)
from a single, centralized AP management interface.
2.1.1 Key Features
Like other AMG Series products, AMG-2100/AMG-2101 is designed to be a multi-service network
access controller for enterprise or campus environments; it is also often deployed as a hotspot
subscriber gateway. It is a pre-integrated multi-function network appliance, providing the following key
features:
Standards-based user authentication, including Web-based login and 802.1x (RADIUS)
Customizable login portal pages and walled gardens to simplify branding
User groups (roles) and user management
Support for multiple authentication databases (Local, On-demand, RADIUS, POP3, LDAP, NTDS)
Virtual service zones and policy management
Simple visitor account provisioning and billing plans by time or traffic volume
Payment gateway support, including PayPal, Authorize.net, and SecurePay
Account roaming across multiple sites (branches)
AP management and wireless roaming across APs
Virtual Private Network (VPN) tunnels
Converged network for data, voice and video traffic
Dual uplinks (WAN) for better reliability and load balancing
Firewall and Denial of Service (DoS) attack prevention
Monitoring, notification and reporting
Network gateway features, including NAT, DHCP, DMZ, firewall and port forwarding
2.1.2 Who Uses AMG-2100/AMG-2101
Because of its well-integrated, rich access management features and high performance, academic
campuses, government agencies and enterprise IT departments will find that AMG-2100/AMG-2101
saves money and time, sparing them from having to integrate multiple applications and multiple
pieces of equipment on their own in order to manage and secure Internet/network access for both
wired and wireless clients.
With its billing plan and payment features, WISPs and hospitality venues (such as hotels and
conventions) will find that AMG-2100/AMG-2101 is an instant revenue generator that does not require
hefty equipment investment or long-term outsourced service support.
AMG Series products are the most affordable, best price-performance appliances compared to
similar equipment in the fields of Network Access Controllers, Wireless Controllers, Clientless VPN
Gateways or Hotspot Subscriber Gateways.
2.2 System Concept
If you have used other AMG Series products before and are familiar with their system concept, you
may skip the concept description below and proceed to the next section (Hardware
Description).
AMG-2100/AMG-2101 is capable of managing user authentication, authorization and accounting (AAA).
The user account information is stored in the local database or a specified external database server.
Featuring user authentication integrated with external payment gateways,
AMG-2100/AMG-2101 allows users to easily pay the fee and enjoy the Internet service using credit
cards through Authorize.net, PayPal, SecurePay or WorldPay.
With the centralized AP management feature, the administrator does not need to worry about how to
manage multiple wireless access point devices.
Furthermore, AMG-2100/AMG-2101 introduces the concept of Service Zones - multiple virtual
networks, each with its own definable access control profiles. This is very useful for hotspot owners
seeking to provide different customers or staff with different levels of network services.
The following portion of this section explains the basic concepts of AMG-2100/AMG-2101; the same
concepts also apply to the other AMG Series products. With an understanding of these concepts, the
administrator will be able to do more advanced network planning and to adjust the configuration
of AMG-2100/AMG-2101 to suit a specific application. For simple deployments, it is sufficient for most
administrators to use the default configuration with minor WAN/DNS address changes.
Gateway is a network node where a small network attaches to a bigger network.
AMG-2100/AMG-2101 is a kind of gateway in a network environment; hence it has the features a
typical gateway has, such as NAT, DHCP, DMZ, firewall, etc. Conventionally, the bigger network is
referred to as the gateway’s WAN side or upstream network, while the small network is referred to as
the gateway’s LAN side. The Ethernet ports leading to the WAN side network are called WAN ports. The
Ethernet ports leading to the LAN side network are called LAN ports.
Local User is a type of user with its account credential stored in a database named “Local” within
AMG-2100/AMG-2101. The “Local” database of AMG-2100/AMG-2101 allows local user accounts. A
local user account does not have an expiration date once it is created. If the administrator wishes to
terminate the account, he must remove it. A local database can be used as an external RADIUS
database for another AMG Series product for account roaming.
On-demand User is a type of user with its account credential stored in a database named
“On-demand” within AMG-2100/AMG-2101. The “On-demand” database of AMG-2100/AMG-2101
allows on-demand account records. An On-demand User is intended for short-term usage; the account
has an expiration period. An on-demand account record will be recycled for creating a new on-demand
account if it has been expired for more than a certain number of days or has been modified by the
Administrator/Manager manually.
External Authentication Database is a user account database that is not built inside
AMG-2100/AMG-2101. Besides Local database and On-demand database, AMG-2100/AMG-2101
allows up to three additional External Authentication databases simultaneously. The types of external
Authentication databases supported are RADIUS, POP3, LDAP (including Active Directory), and
NT Domain (Win2K’s NTDS). The database of another AMG Series device can be used as an external
RADIUS database. External Authentication Database is useful for implementing account roaming; for
example, multiple AMG-2100/AMG-2101 devices in multiple campuses can share one common external
database. A user needs only one account in the common database to access the network from different
campuses.
Service Zone is a logical partition of AMG-2100/AMG-2101’s LAN network. The concept of Service Zone
is similar to the concept of virtual LAN (VLAN), which can be used to group the network traffic or
network services for clients on the same VLAN segment, regardless of the clients’ physical locations.
That is, several VLAN segments may be in service at one physical network location while devices
belonging to one VLAN segment may appear in multiple physical locations.
Each Service Zone can also be viewed as a virtual machine of AMG-2100/AMG-2101 because each Service
Zone can define its own customized login portal page and its own gateway properties (such as LAN IP
address, DHCP on/off and address range). The Multiple Service Zone feature is also useful for serving
multiple hotspot franchises in shopping malls or airport terminals with a single AMG-2100/AMG-2101.
A Service Zone is uniquely defined by a VLAN tag ID and an associated SSID attribute. When a managed
access point (MAP) is added to a Service Zone through AMG-2100/AMG-2101 by the administrator, the
associated SSID will be activated in the MAP along with the VLAN tag of the Service Zone.
For example, in Figure 2 below, the administrator plans three logical Service Zones for an
academic campus:
The first Service Zone (with SSID=“Student” and VLAN tag=1) is for students.
The second (with SSID=“Faculty” and VLAN tag=2) is for faculty.
The third (with SSID=“Guest” and VLAN tag=3) is for guests.
A Service Zone may or may not require client authentication, depending on how the administrator sets
it up. If a Service Zone requires user authentication, the client will be prompted to log in
before using the network services, whether the client connects to its SSID wirelessly or to a switch
port over a wired line.
Group is a set of user accounts sharing the same access privileges, QoS properties and network
policies. Each client account belongs to a Group. Each Group may or may not have the access privilege
for a Service Zone, depending on how the administrator defines its policy. If the administrator does
not assign a new account to any specific Group, the account belongs to a catch-all group named
“None” by default.
Policy defines rules, privileges or properties for managing users. Each user group is bound by a
Policy within a given Service Zone. The same group may or may not be bound to the same policy in
different Service Zones. There are two tiers of Policies. The first tier is a policy named ‘Global-Policy’.
The Global-Policy is a base policy which is applied to all users. The second tier is called ‘Group-Policy’
or simply ‘Policy’, which can be chosen to bind the network behaviors of a Group. The administrator
can define the Firewall Profile, Route Profile, Schedule Profile and Max Sessions in a Policy.
Figure 1 below depicts an example relationship of Service Zone, Group and Policy. In this
example, students and faculty logging into Service Zone 1 will be governed by Policy-A. Guests only
have access to Service Zone 3, and will be bound by Policy-C. Faculty have access to both
Service Zone 1 and Service Zone 2 under two different policies.
Figure 1: An example relationship of Service Zone, Group and Policy
Figure 2 below depicts an example of using AMG-2100/AMG-2101 to manage network/Internet
access in an academic campus environment. The network administrator may wish to set
different privileges and bandwidth limits for staff, students, and guests; he could use several Service
Zones of AMG-2100/AMG-2101 – one for staff, one for students, and one for the guests. He also uses
one zone for some shared servers in the diagram.
The access points at a physical location like the administration building may only allow access by
faculty; hence the access points there are added only to the second Service Zone, enabling only the
“Faculty” SSID. On the other hand, the access points in the Cafeteria may allow access by all groups;
hence the APs at the Cafeteria are added to all Service Zones, enabling SSID=“Student”, SSID=“Faculty”,
and SSID=“Guest”.
The traffic of students, faculty, and guests will be segregated by the three VLAN segments.
Figure-2: An example of managed network
2.3 Hardware Description
2.3.1 Front Panel
1. LED Indicators: There are three kinds of LED (Power, Status and Hard-disk) to indicate
the different statuses of the system.
2. Mgmt: For management use only; it always opens the WMI (Web Management Interface)
homepage.
3. WAN1/ WAN2: Two WAN ports (10/100/1000 Base-T RJ-45) are connected to the external
network, such as the ADSL Router from your ISP (Internet Service Provider).
4. LAN1/ LAN2: Client machines connect to AMG-2100/AMG-2101 via these LAN ports
(10/100/1000 Base-T RJ-45).
5. Reset:
Press and hold the Reset button for about 5 seconds and the Status LED on the front panel will start
to blink before the system restarts.
Press and hold the Reset button for more than 10 seconds and the Status LED on the front panel
will blink faster before the system is reset to the default configuration.
6. Console: The system can be configured via a serial console port. The administrator can use a
terminal emulation program such as Microsoft’s HyperTerminal to log in to the configuration
console interface to change the admin password, monitor system status, etc.
Note:
By default, all LAN ports are set with Port-based Default Service Zone; for Service Zone
configuration, please refer to 3.3 What is Service Zone.
2.3.2 Rear Panel
1. Power Supply Socket: Connect the power cord to the built-in open-frame power supply
(Input: 100~240 VAC, 50/60 Hz).
2. Power Switch: Power-On ( | ) and Power-Off ( O ).
3. Device Cooling Fan: Don’t block the cooling fans. Leave enough open space for ventilation.
2.4 Preparation before the Installation
Before you start the installation by following either this User Manual or the Quick Installation Guide,
go through the short preparation list below.
1) Unpack the AMG-2100/AMG-2101 and go through the package checklist.
2) Review the front panel and the back panel and identify each control and network interface
described in the previous Hardware Description section.
3) Prepare a couple of CAT5 Ethernet cables with RJ-45 connectors. The cables are for
connecting IP devices, including this AMG-2100/AMG-2101, IP switches, and your PC.
4) Prepare a PC with a Web browser for accessing the Web Management Interface.
5) Identify an upstream device in your network to plug the AMG-2100/AMG-2101 into, such as an ADSL or cable
modem or another edge device. Collect the DNS server address provided by your ISP.
If you are using an AMG Series product for the first time, it is recommended that you follow the Quick
Installation Guide to start up the AMG-2100/AMG-2101 in a near-default state with minimal
configuration changes (such as WAN settings and admin password), then refer to this manual later
when you want to configure the system for specific application needs.
The recommended general steps for the configuration are:
Set up the system’s Time Zone, NTP server, DNS server and WAN1 address.
Configure the LAN address range for at least one Service Zone, and enable its authentication. The
Default Service Zone is enabled by factory default.
Create user accounts to test the login page over a wired connection in the enabled Service Zone.
Generate an on-demand user and test the account.
Configure the wireless environment of the Service Zone, then add APs.
Configure more Service Zones based on your application.
Set up Group and Policy (including Firewall rules and Session Limit).
Customize the portal login page and add walled garden advertisement links if needed.
Set up the Payment gateway if you want to accept credit cards for on-demand accounts.
Load an SSL certificate for the Web Server before operation.
Monitor the status pages and the reports generated.
Perform other advanced settings for your specific application.
2.5 Hardware Installation
Please follow the steps below to install the hardware of AMG-2100/AMG-2101:
1) Connect the power cord to the power socket on the rear panel.
2) Turn on ( | ) the power switch on the rear panel. The Power LED should be on to indicate a proper
connection.
3) Connect an Ethernet cable to the WAN1 Port on the front panel. Connect the other end of the
Ethernet cable to an xDSL/cable modem, or a switch/hub of an internal network. The LED of this
port should be on to indicate a proper connection.
4) Connect an Ethernet cable to the Mgmt Port on the front panel. Connect the other end of the
Ethernet cable to an administrator PC for configuring the AMG-2100/AMG-2101 system. Connect an
Ethernet cable to the LAN1 or LAN2 Port on the front panel. Connect the other end of the Ethernet
cable to an AP for extending wireless coverage; a switch for connecting more wired clients; or
directly to a client PC. The LED of the port should be on to indicate a proper connection.
Figure 3 below is a simple network diagram for the initial installation and configuration. Start with this
simple network topology to set up AMG-2100/AMG-2101 for the first time; it helps you plan a more
sophisticated network topology to suit your specific application needs later.
Figure 3: A simple network diagram for the initial setup
2.6 Accessing Web Management Interface
AMG-2100/AMG-2101 supports web-based configuration. Upon the completion of hardware installation,
AMG-2100/AMG-2101 can be configured via web browsers with JavaScript enabled such as Internet
Explorer version 6.0 and above or Firefox.
To access the web management interface, connect a PC to the Mgmt port, and then launch a browser.
Make sure you have set DHCP in the TCP/IP settings of your PC to get an IP address dynamically.
Next, enter the gateway IP address of AMG-2100/AMG-2101 in the address field. The default gateway
IP address from LAN Port is “https://192.168.255.254” (“https” is used for a secured
connection).
The first time, if AMG-2100/AMG-2101 is not using a trusted SSL certificate, there will be a
“Certificate Error”, because the browser treats AMG-2100/AMG-2101 as an untrusted website. Please
press “Continue to this website” to continue. The default user login page will then appear in the
browser.
The administrator login page will appear. Enter “admin”, the default username, and “admin”, the
default password, in the UserName and Password fields. Click LOGIN to log in.
Caution:
If your PC is connecting to the Mgmt port, and you can’t get the Administrator’s login screen, the
reasons may be:
(1) The PC is set incorrectly so that the PC can’t obtain the IP address automatically from the Mgmt
port;
(2) The IP address and the default gateway are not under the same network segment.
Please use a default IP address such as 192.168.255.xx in your network and then try again. For the
configuration on PC, please refer to Appendix A. Network Configuration on PC.
After a successful login, a “Home” page will appear on the screen.
3. Placing AMG-2100/AMG-2101 in a Network Environment
3.1 Network Requirement
Typically, in a network environment, AMG-2100/AMG-2101 plays the role of a gateway. On a gateway
device, a network port leading upstream to the Internet or the backbone network is called a ‘WAN port’
or an uplink port, while a network port used for branching out to serve the clients downstream is
referred to as a ‘LAN port’.
AMG-2100/AMG-2101 has two WAN ports, which normally link up to other routers or
modems leading to the ISP. A gateway needs only one WAN port, but if you want dual-homing or
dual-uplink to add reliability and throughput, the second WAN port lets you achieve that.
AMG-2100/AMG-2101 has two LAN ports. There could be other network bridge devices, such as
Layer-2 switches or VLAN switches, between AMG-2100/AMG-2101’s LAN ports and the client devices.
3.2 Setting up WAN1 Port
AMG-2100/AMG-2101’s two WAN ports are marked as WAN1 and WAN2 on the front panel. The WAN1 port
supports four connection types: Static, Dynamic, PPPoE and PPTP. The WAN2 port supports three
connection types: Static, Dynamic and PPPoE. These connection types are enough to support most
ISPs.
Depending on the ISP or the upstream device the WAN port connects to, you only need to select one
connection type for the port. For example, if your ISP provides a cable modem issuing a dynamic address, then
you would select the Dynamic connection type when setting up the WAN ports.
Now, let us begin to configure the WAN1 port:
Go to: System >> WAN1.
On the WAN1 Configuration Web page, you can choose one of the four connection options (Static,
Dynamic, PPPoE and PPTP).
3.2.1 Static IP
When the ISP assigns you a static IP address, or your network for some other reason requires a
fixed IP address, you (as the administrator of AMG-2100/AMG-2101) manually enter the fixed
IP address as AMG-2100/AMG-2101’s WAN address.
Static: Manually specify the IP address of the WAN Port. The fields with red asterisks are required
to be filled in.
IP Address: The IP address of the WAN1 port.
Subnet Mask: The subnet mask of the WAN1 port.
Default Gateway: The gateway of the WAN1 port.
Preferred DNS Server: The primary DNS server used by the system.
Alternate DNS Server: The substitute DNS server used by the system. This is an optional
field.
3.2.2 DHCP (Dynamic IP)
When the ISP issues dynamic IP addresses or there is a DHCP server upstream for issuing dynamic IP
addresses, then you (as the administrator of AMG-2100/AMG-2101) can configure
AMG-2100/AMG-2101 to receive an IP address dynamically as AMG-2100/AMG-2101’s WAN1 address.
Dynamic: It is only applicable for the network environment where the DHCP server is available on the
upstream network. Click the Renew button to get an IP address automatically.
3.2.3 PPPoE
If the ISP requires you to use a PPPoE dial-up connection, the ISP will issue you an account with a
password. You need to enter the account credentials in the WAN configuration page for dialing up
to the ISP. If you are using ADSL/DSL Internet service, your ISP will most likely require a PPPoE
connection.
PPPoE: When selecting PPPoE to connect to the network, please set the “UserName”, “Password”
MTU: Short for Maximum Transmission Unit of a PPPoE frame. The PPPoE protocol allows an
Ethernet frame’s size to be up to 1492 bytes, but some ISPs’ network equipment may
support a frame size smaller than 1492 bytes. In that case, you have to enter a smaller
MTU number to meet the ISP’s networking requirement.
MSS: Short for Maximum Segment Size for a TCP connection. An end-to-end TCP connection
over PPPoE will consume additional overhead out of each packet. At least 40 bytes are used
for the address. Hence, MSS must be smaller than MTU by at least 40.
Dial on demand function under PPPoE: If this function is enabled, a Maximum Idle Time
field will be available for entering a value. When the idle time is reached, the system will automatically
disconnect itself.
3.2.4 PPTP
Although not a popular method, the PPTP protocol for dial-up connections is adopted by some ISPs (in
European countries). AMG-2100/AMG-2101 offers the PPTP dial-up feature for these rare cases. Your PPTP
ISP will issue you an account with a password as well as the PPTP server address.
PPTP: When selecting PPTP to connect to the network, please specify the given PPTP Server IP
Address and enter the “User Name”, “Password”.
Static or DHCP: Select Static to specify the IP address of the PPTP Client manually or select
DHCP to get the IP address automatically.
Dial on demand function under PPTP: If this function is enabled, a Maximum Idle Time field will
be available for entering a value. When the idle time is reached, the system will automatically
disconnect itself.
3.3 Configuring WAN2 Port (optional)
AMG-2100/AMG-2101 also supports a second WAN port, called WAN2. The second port is for
connecting to a second feeding pipe upstream. When WAN1 is connected to one ISP and WAN2 is
connected to another ISP, the network is referred to as ‘dual ISP homing’, or ‘having a dual-homed Internet
feed’. That is, when the first ISP via WAN1 is down, the second ISP via WAN2 will still be able to service the
client devices downstream of AMG-2100/AMG-2101.
When WAN2 is enabled, the system can be set up to support more features, such as WAN Failover and
Load Balance (but these are not a necessity). These two features are discussed in the next section (Other WAN
Traffic Settings).
Note:
By default, all Policies of AMG-2100/AMG-2101 use WAN1 as the outgoing gateway; that is, all user
groups’ traffic will use WAN1 as the Internet feed. The administrator can change the Routing Profile of a
Policy to use WAN2 as the default gateway; that way, the groups bound by the Policy will use
WAN2 as their Internet feed.
If the dynamic “WAN Load Balancing” feature is not turned on, using the Policy’s Routing Profile to route
some users’ traffic to WAN2 is considered a way of doing static “Load Balancing”.
The configuration of WAN2 is similar to WAN1’s, except that the WAN2 connection can be disabled and
WAN2’s connection type does not have the PPTP choice.
If you only have one Internet feed from one ISP, please leave WAN2 at its default option, None, so
the WAN2 interface remains disabled. If you want to use a second Internet feed (from an ISP or from
your corporate headquarters), select one of the three connection types for your WAN2 port: Static,
Dynamic, or PPPoE.
Now, let us enable and configure the WAN2 port (optional):
Go to: System >> WAN2.
None: The WAN2 Port is disabled.
Static: Manually specifying the IP address of the WAN port. The red asterisks indicate required
fields to be filled in.
IP Address: the IP address of the WAN2 port.
Subnet Mask: the subnet mask of the network WAN2 port connects to.
Default Gateway: a gateway of the network WAN2 port connects to.
Preferred DNS Server: The primary DNS server used by the system.
Alternate DNS Server: The substitute DNS server used by the system. This is an optional
field.
Dynamic: It is only applicable for the network environment where a DHCP server is available. Click
the Renew button to get an IP address.
PPPoE: When selecting PPPoE to connect to the network, please set the “User Name”,
“Password”.
MTU: Short for Maximum Transmission Unit of a PPPoE frame. The PPPoE protocol allows an
Ethernet frame’s size to be up to 1492 bytes, but some ISPs’ network equipment may support
a frame size smaller than 1492 bytes. In that case, you have to enter a smaller MTU
number to meet the ISP’s networking requirement.
MSS: Short for Maximum Segment Size for a TCP connection. An end-to-end TCP connection
over PPPoE will consume additional overhead out of each packet. At least 40 bytes are used for
the address. Hence, MSS must be smaller than MTU by at least 40.
Dial on demand function under PPPoE: If this function is enabled, a Maximum Idle Time field will
be available for entering a value. When the idle time is reached, the system will automatically
disconnect itself.
3.4 Other WAN Traffic Settings
It is a good idea to have two Internet feeds to the system, especially from two different ISPs; turning on
the WAN Failover feature then adds service reliability for your clients. When one feed is out of service,
the other feed automatically picks up the responsibility of serving the clients under the feed that has the
outage.
By default, the system assumes there is only one feed, to WAN1. All the Policies by default route all
clients’ Internet traffic via WAN1, using the Internet pipe at WAN1. When you have two pipes, you
will want to set some Policies to utilize the bandwidth of the second pipe at WAN2, rather than using it only
when the WAN1 pipe fails.
Besides static load balancing by setting the “Policy” route, you can alternatively use the system’s
dynamic Load Balancing feature. When the feature is turned on, the system distributes the load of
the outgoing traffic across the two WAN pipes, according to the weight percentage assigned by the
administrator.
3.4.1 WAN Failover
Configure WAN Failover:
Go to: System >> WAN Traffic.
Enable WAN Failover: Normally AMG-2100/AMG-2101 uses WAN1 as its primary WAN interface.
When WAN Failover is enabled and WAN2 is available, WAN1's traffic will be routed to WAN2 when the
WAN1 connection is down. On the other hand, a Service Zone’s policy could also use WAN2 as its
interface; in that case, if WAN2 is down, the WAN2 traffic under that policy will also be routed to
WAN1.
Fall back to WAN1 when WAN1 is available again: If WAN Failover is enabled, the traffic will
be routed to WAN2 automatically when the WAN1 connection fails. When fall back to WAN1 is
enabled, the rerouted traffic will be switched back to WAN1 when the WAN1 connection recovers.
3.4.2 Load Balance
Configure Load Balance:
Go to: System >> WAN Traffic.
Enable Load Balancing: Outbound load balancing is supported by the system. When enabled, the
system will allocate traffic between WAN1 and WAN2 dynamically according to designed algorithms
based on the weight ratio.
WAN1 Weight: The percentage of traffic through WAN1. (Range: 1~99; by default, it is 50)
Base: The weight ratio between WAN1 and WAN2 can be based on Sessions, Packets or Bytes.
Packets and Bytes are based on historic data. New connection sessions will be distributed
between WAN1 and WAN2 by the weight ratio using a random number.
3.4.3 Internet Connection Detection
The system will periodically check to see if the Internet (uplink) connection is down by seeing if it can
get responses from three target sites.
The administrator can specify the three target sites:
Go to: System >> WAN Traffic.
The administrator can further specify a warning text, which will be displayed on the client’s “Login
Success Page”.
Warning of Internet Disconnection: When enabled, there is a text box available for the
administrator to enter a reminder message. This message will appear on clients'
screens when the Internet connection is down.
3.4.4 WAN Bandwidth Control
This section is for administrators to configure control over the entire system’s traffic through the
WAN interface (WAN1 and WAN2 ports).
To configure WAN Bandwidth Limit:
Go to: System >> WAN Traffic.
The parameters in the row Available Bandwidth on WAN Interface are used for matching
the real bandwidth provided by your ISP.
Uplink: It specifies the maximum uplink bandwidth that can be shared by clients of the system.
Downlink: It specifies the maximum downlink bandwidth that can be shared by clients of the
system.
3.5 LAN Partition -- Service Zone
To configure a Service Zone, go to: System >> Service Zones.
A Service Zone is a logical network area covering certain wired and wireless networks in an organization
such as an SMB or branch office. By associating a unique VLAN Tag and SSID with a Service Zone,
administrators can separate wired and wireless networks into different logical zones. Users
attempting to access the resources within the Service Zone will be controlled based on the access
control profile of the Service Zone, such as authentication, security features, wireless encryption
method, traffic control, etc.
Up to nine Service Zones can be utilized; by default, they are named Default and SZ1~SZ8,
as shown in the table below.
Port-Base
Tag-Base
Service Zone Name: Mnemonic name of the Service Zone.
LAN Port Mapping (Port Base only): Choose which port is mapped to which Service Zone.
VLAN Tag (Tag Base only): The VLAN tag number that is mapped to the Service Zone.
SSID: The SSID that is associated with the Service Zone.
WLAN Encryption: Data encryption method for wireless networks within the Service Zone.
Applied Policy: The policy that is applied to the Service Zone.
Default Authen Option: Default authentication method/server that is used within the Service
Zone.
Status: Each Service Zone can be enabled or disabled.
Details: Configurable, detailed settings for each Service Zone.
Click Configure button to configure each Service Zone: Basic Settings, SIP Interface
Configuration, Authentication Settings, Wireless Settings, and Managed AP(s) in this
Service Zone.
3.5.1 Planning your internal network
1. Simple network environment
For a simple internal network, for example one with only two subnets, the Port-Based mode
is the easier and better choice. In Port-Based mode, each LAN port can only serve traffic from one
Service Zone. An example network application diagram is shown below: one Service Zone for
Employees and one for Guests.
Caution:
The switches deployed under AMG-2100/AMG-2101 in Port-Based mode must be Layer 2 switches
only.
2. Multi subnet network environment
On the other hand, if the internal network is a multi-subnet environment, the Tag-Based mode
will suit your conditions. In Tag-Based mode, each LAN port will only serve traffic from Default
Service Zone. So you need a VLAN switch or VLAN AP to take care of the VLAN tags carried within the
message frames. An example network application diagram is shown below: more than two Service
Zones for different departments.
Caution:
The switch deployed under AMG-2100/AMG-2101 in Tag-Based mode must be a VLAN switch only.
3.5.2 Configure Service Zone network
To configure a Service Zone, go to: System >> Service Zones.
Service Zone Status: Each service zone can be enabled or disabled except for the default
service zone.
Service Zone Name: Enter the name of the service zone here.
Network Interface:
o VLAN Tag (Tag-Base only): The VLAN tag of this service zone.
o Operation Mode: Contains NAT mode and Router mode. When NAT mode is chosen,
the service zone runs in NAT mode. When Router mode is chosen this service zone runs
in Router mode.
o IP Address: The IP Address of this service zone.
o Subnet Mask: The subnet Mask of this service zone.
DHCP Server: Related information needed on setting up the DHCP Server is listed here.
Please note that when “Enable DHCP Relay” is enabled, the IP address of clients will be
assigned by an external DHCP server. The system will only relay DHCP information from the
external DHCP server to downstream clients of this service zone.
o Start IP Address / End IP Address: A range of IP addresses that built-in DHCP server
will assign to clients. Note: please change the Management IP Address List accordingly
(at System Configuration>> System Information >> Management IP Address List) to
permit the administrator to access the AMG-2100/AMG-2101 admin page after the
default IP address of the network interface is changed.
o Preferred DNS Server: The primary DNS server that is used by this Service Zone.
o Alternate DNS Server: The substitute DNS server that is used by this Service Zone.
o Domain Name: Enter the domain name for this service zone.
o WINS Server: The IP address of the WINS (Windows Internet Naming Service) server,
if a WINS server is applicable to this service zone.
o Lease Time: This is the time period that the IP addresses issued from the DHCP server
are valid and available.
o Reserved IP Address List: Each service zone can reserve up to 40 IP addresses from
predefined DHCP range to prevent the system from issuing these IP addresses to
downstream clients. The administrator can reserve a specific IP address for a special
device with certain MAC address.
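The settings above constrain one another: the DHCP range has to sit inside the zone's subnet, reserved addresses come from that range (at most 40 per zone), and the Management IP Address List has to follow any change of the interface address or the administrator loses the admin page. The following added example (not code from the manual or the device) audits a planned Service Zone before it is applied; the record layout, the finding names and the CIDR form of the Management IP Address List entries are assumptions, and all addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_RESERVED = 40  # per-Service-Zone limit stated in the manual


@dataclass
class ZoneNetwork:
    """Hypothetical record of one Service Zone's planned network settings."""
    name: str
    ip_address: str            # the zone's own (gateway) IP address
    subnet_mask: str
    dhcp_start: str
    dhcp_end: str
    reserved: dict = field(default_factory=dict)   # reserved IP -> MAC


def audit_zone(zone, management_list, admin_pc_ip):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    net = ipaddress.ip_network(f"{zone.ip_address}/{zone.subnet_mask}", strict=False)
    gateway = ipaddress.ip_address(zone.ip_address)
    start = ipaddress.ip_address(zone.dhcp_start)
    end = ipaddress.ip_address(zone.dhcp_end)

    # DHCP range must be ordered, inside the subnet, and must not hand out
    # the zone's own address.
    if start > end:
        findings.append("dhcp-range-reversed")
    if start not in net or end not in net:
        findings.append("dhcp-range-outside-subnet")
    if start <= gateway <= end:
        findings.append("gateway-inside-dhcp-range")

    # Reserved addresses: at most 40, taken from the DHCP range, one MAC each.
    if len(zone.reserved) > MAX_RESERVED:
        findings.append("too-many-reserved-addresses")
    for ip_text in zone.reserved:
        if not start <= ipaddress.ip_address(ip_text) <= end:
            findings.append(f"reserved-outside-dhcp-range:{ip_text}")
    macs = [mac.lower() for mac in zone.reserved.values()]
    if len(macs) != len(set(macs)):
        findings.append("duplicate-mac-in-reserved-list")

    # Management IP Address List (assumed here to hold CIDR entries): the
    # admin PC must still match, and a catch-all entry is reported.
    admin = ipaddress.ip_address(admin_pc_ip)
    entries = [ipaddress.ip_network(e, strict=False) for e in management_list]
    if not any(admin in entry for entry in entries):
        findings.append("admin-pc-not-in-management-list")
    if any(entry.prefixlen == 0 for entry in entries):
        findings.append("management-list-allows-any-address")
    return findings


# Constructed sample plans for a zone renumbered to 10.10.1.0/24.
GOOD_PLAN = ZoneNetwork("SZ1", "10.10.1.254", "255.255.255.0",
                        "10.10.1.1", "10.10.1.100",
                        {"10.10.1.10": "00:11:22:33:44:55"})
BAD_PLAN = ZoneNetwork("SZ1", "10.10.1.254", "255.255.255.0",
                       "10.10.1.200", "10.10.2.20",
                       {"10.10.1.10": "00:11:22:33:44:55"})

if __name__ == "__main__":
    print(audit_zone(GOOD_PLAN, ["10.10.1.0/24"], "10.10.1.50"))
    # Management list still names the old network after the renumbering.
    print(audit_zone(BAD_PLAN, ["192.168.255.0/24"], "10.10.1.50"))
```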
3.5.3 Tag Base and Port Base
To configure Tag Base or Port Base, go to: System >> LAN Port Mapping.
AMG-2100/AMG-2101 supports multiple Service Zones in either of the two VLAN modes, Port-Based
or Tag-Based, but not concurrently. In Port-Base mode, each LAN port can only serve traffic from
one Service Zone as each Service Zone is identified by physical LAN ports. In Tag-Based mode, each
LAN port can serve traffic from any Service Zone as each Service Zone is identified by VLAN tags carried
within message frames. By default, the system is in Port-Based mode with Default Service
Zone enabled and all LAN ports are mapped to Default Service Zone. Compare the two figures
below to see the differences.
It is recommended that the administrator decides which mode is better for a multiple-service-zone
deployment before proceeding further with the system configuration. Settings for the two VLAN modes
are slightly different, for example, the VLAN Tag setting is required for Tag-Based mode.
Select Service Zone Mode: Select a VLAN mode, either Port-Based or Tag-Based.
Caution:
The switches deployed under AMG-2100/AMG-2101 in Port-Based mode must be Layer2 Switches
only. The switch deployed under AMG-2100/AMG-2101 in Tag-Based mode must be a VLAN switch
only.
Port-Based: When Port-Based mode is selected, traffic from different virtual Service Zones will
be distinguished by physical LAN ports. Each LAN port can be mapped to one Service Zone in the
form of a many-to-one mapping between ports and Service Zones.
o Specify a desired Service Zone for each LAN Port: For each LAN port, select a Service
Zone to which the LAN port is to be mapped from the drop-down list box.
By factory default, all LAN ports are mapped to Default Service Zone; therefore, the
administrator can enter the web management interface via any LAN port upon the first
power up of the system. In the drop-down list box, all disabled Service Zones are
grayed out; to activate any desired Service Zone, please configure the desired Service Zone
under the Service Zone tab and enable its Service Zone Status.
Tag-Based: When the Tag-Based mode is selected, traffic from different virtual Service Zones
will be distinguished by VLAN tagging, instead of by physical LAN ports.
Select Tag-Based and then click Apply to activate the Tag-Based VLAN function. When a
restart message screen appears, do NOT restart the system until you have completed the
configuration under the Service Zones tab first.
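How the two modes pick a frame's Service Zone, as an added example (written for this page, not code from the gateway or from LevelOne): Port-Based mode looks only at the ingress port, Tag-Based mode reads the 12-bit VLAN ID from the 802.1Q tag. The port names, zone names, VLAN IDs and the handling of untagged or unmapped frames are assumptions of the example; the manual does not state how the gateway treats them.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag

# Constructed mappings for illustration; not factory values of the gateway.
PORT_TO_ZONE = {"LAN1": "Default", "LAN2": "Default", "LAN3": "SZ1", "LAN4": "SZ2"}
VLAN_TO_ZONE = {10: "SZ1", 20: "SZ2"}


def build_frame(vlan_id=None, pcp=0):
    """Build a constructed Ethernet frame, optionally carrying an 802.1Q tag."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # locally administered sample MAC
    tag = b""
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0x0FFF or not 0 <= pcp <= 7:
            raise ValueError("VLAN ID is 12 bits, priority is 3 bits")
        # Tag = TPID (16 bits) + TCI: PCP (3 bits), DEI (1 bit), VID (12 bits).
        tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return dst + src + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


def parse_vlan_id(frame):
    """Return the 802.1Q VLAN ID of a frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # drop the priority and DEI bits, keep the VID


def classify(mode, ingress_port, frame, untagged_zone=None):
    """Return the Service Zone for a frame, or None if nothing maps it.

    mode is "port" (Port-Based) or "tag" (Tag-Based). untagged_zone is the
    example's own knob for untagged frames in Tag-Based mode (assumption).
    """
    if mode == "port":
        # The physical port alone decides; any VLAN tag is ignored here.
        return PORT_TO_ZONE.get(ingress_port)
    if mode == "tag":
        vid = parse_vlan_id(frame)
        if vid is None:
            return untagged_zone
        return VLAN_TO_ZONE.get(vid)
    raise ValueError("mode must be 'port' or 'tag'")


def zones_on_port(mode, ingress_port, frames):
    """Sorted list of the Service Zones that a set of frames on one port maps to."""
    zones = {classify(mode, ingress_port, f) for f in frames}
    zones.discard(None)
    return sorted(zones)


if __name__ == "__main__":
    frames = [build_frame(10), build_frame(20), build_frame()]
    print("Port-Based, LAN3:", zones_on_port("port", "LAN3", frames))
    print("Tag-Based,  LAN3:", zones_on_port("tag", "LAN3", frames))
```

In Tag-Based mode the zone boundary is only as good as the tags on the wire, which is why the Caution above requires a VLAN switch below the gateway in that mode.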
4. User Authentication and Grouping
4.1 Type of Users
To configure Authentication, go to: Users >> Authentication.
This section is for administrators to pre-configure authentication servers for the entire system.
Up to four servers can be selected and pre-configured here at the same time by
administrators, chosen from the five types of authentication databases (LOCAL, POP3, RADIUS, LDAP, and
NTDOMAIN). In addition, there are two optional servers, On-demand User and SIP, which can also be
selected by the system.
Auth Option: There are several authentication options supported by AMG-2100/AMG-2101:
Server 1 to Server 4, On-demand User, and SIP. Click the hyperlink of the respective Server Name
to configure the authentication server.
Auth Database: There are different authentication databases in AMG-2100/AMG-2101: LOCAL,
POP3, RADIUS, LDAP and NTDOMAIN. ONDEMAND and SIP do not depend on Server 1 to
Server 4, so these two authentication options can always be enabled in each service zone.
Postfix: A postfix represents the authentication server in a complete username. For example,
user1@local means that this user (user1) will be authenticated against the LOCAL authentication
database.
Group: An authentication option, such as POP3 or NT Domain, can be set as a Group with the same
QoS or Privilege Profile setting.
Note:
Only one server at a time is allowed to be set to the Local or NTDOMAIN authentication method.
By contrast, you can, for example, set two RADIUS authentication servers simultaneously.
Authentication Option Configuration
Click on the server name to set the configuration for that particular server. After completing the
settings and clicking Apply to save them, go back to the previous page to select a server to be the default
server and to enable or disable any server in each service zone. Users can log into the default server
without the postfix, which allows a faster login process.
Server 1~4: There are 5 authentication methods to select from: Local User, POP3, RADIUS, LDAP and NT
Domain.
Name: Set a name for the authentication option using numbers (0~9), letters (a~z or A~Z),
dash (-), underline (_), space and dot (.) only. The length of this field is up to 40 characters.
This name lets the administrator identify the authentication options easily, such as
HQ-RADIUS.
Postfix: A postfix is used to inform the system which authentication option is to be used for
authenticating an account (e.g. bob@BostonLdap or tim@TaipeiRadius) when multiple options
are concurrently in use. One of the authentication options can be assigned as default. For the
authentication option assigned as default, the postfix can be omitted. For example, if "BostonLdap" is
the postfix of the default option, Bob can log in as "bob" without having to type in
"bob@BostonLdap". Set a postfix that is easy to distinguish (e.g. Local), using numbers
(0~9), letters (a~z or A~Z), dash (-), underline (_) and dot (.) within a maximum of 40
characters. All other characters are not allowed.
Black List: There are multiple sets of black lists provided by the system. A user account listed
in the black list is not allowed to log into the system; the client's access will be denied. The
administrator may select one black list (or None) from the drop-down menu, and this black list
will be applied to this specific authentication option.
Authentication Database: Click Configure button to enter the configuration page. For
example, select Local from the drop-down list box and then click Configure button to enter the
Local User Database Settings. Then, click the hyperlink of Local User List.
Group: Select one Group from the drop-down list box for this specific authentication option.
4.1.1 Local
Choose “Local” from the Authentication Database field.
Click the button Configure for further configuration.
Local User List: Lets the administrator view, add or delete local user accounts. The Upload
User button is for importing a list of user accounts from a text file. The Download User button
is for exporting all local user accounts into a text file. Clicking on a user account leads to a
page for configuring that individual local account. Each local user account can be assigned a Group
and have Local VPN applied individually.
o Add User: Click this button to enter the Adding User(s) to the List interface. Fill in
the necessary information such as “Username”, “Password”, “MAC Address”, and
“Remark”. Select a desired Group to classify local users. Check the box in the
Enable Local VPN column to enable Local VPN. Click Apply to complete adding the user(s). The MAC
address of a networking device can also be bound to a local user. This means the user must log in to the
system with the networking device (PC) that has this MAC address, and cannot log in
with any other networking device.
Search: Enter a keyword of a username to be searched in the text field and click this button to
perform the search. All usernames matching the keyword will be listed.
Del All: Click on this button to delete all the users at once, or click on Delete to delete a user
individually.
Edit User: To edit an individual user account, click the username of the
desired user account to enter the User Profile Interface for that particular user, and then
modify or add any desired information such as Username, Password, MAC Address (optional),
Applied Group (optional), Enable Local VPN (optional) and Remark (optional). Click Apply to
complete the modification.
4.1.2 POP3
Choose “POP3” from the Authentication Database field. Except for Local authentication, the Local
VPN option of an authentication option can only be enabled or disabled for the entire
Authentication Database.
Click the Configure button for further configuration. Enter the information for the primary server
and/or the secondary server (the secondary server is not required). The fields with a red asterisk are
required. These settings will become effective immediately after clicking the Apply
button.
Username Format: When the Complete option is checked, both the username and postfix will be
transferred to the server for authentication. When the Only ID option is checked, only the
username will be transferred to the external server for authentication.
Server: The IP address of the external POP3 Server.
Port: The authentication port of the external POP3 Server.
SSL Connection: The system supports POP3S. Check the check box to enable the SSL
connection to POP3.
4.1.3 RADIUS
Choose “RADIUS” from the Authentication Database field. Except for Local authentication, the Local
VPN option of an authentication option can only be enabled or disabled for the entire
Authentication Database.
Click the Configure button for further configuration. The RADIUS server provides the external
authentication for user accounts. Enter the information for the primary server and/or the secondary
server (the secondary server is not required). The fields with a red asterisk are required.
These settings will become effective immediately after clicking the Apply button.
4.1.4 LDAP
Choose “LDAP” from the Authentication Database field. Except for Local authentication, the Local
VPN option of an authentication option can only be enabled or disabled for the entire
Authentication Database.
Click the Configure button for further configuration. Enter the information for the primary server
and/or the secondary server (the secondary server is not required). The fields with a red asterisk are
required and should be filled in. These settings will become effective immediately after
clicking the Apply button.
Server: The IP address of the external LDAP server.
Port: The authentication port of the external LDAP server.
Service Protocol: The service protocol used for LDAP authentication, with 3
types available: LDAP, LDAPS, and LDAP+StartTLS.
Base DN: The Base DN (Distinguished Name) is the LDAP search base, telling which part of the
external directory tree to search from. Think of the Base DN as the “top” of the directory for your
LDAP users, although it may not always be the top of the directory itself. The search base may be
something equivalent to the organization, group, or domain name (AD) of the external directory.
Binding Type: This specifies the binding type and search scope for LDAP authentication, with 4
binding types available: User Account, Anonymous, Specified DN and Windows AD.
User Account: Use the user account with the base DN to authenticate the user account/password.
Anonymous: Use anonymous to log in to the LDAP server and use the user account with the base DN to
authenticate the user account/password.
Specified DN: Use the Admin DN/Bind password to log in to the LDAP server and use the users’ account
with the base DN to authenticate the users’ account/password.
Windows AD: Add a domain after the user account with the base DN to authenticate the users’
account/password.
Account Attribute: The attribute of LDAP accounts.
4.1.5 NT Domain
Choose “NT Domain” from the Authentication Database field. Except for Local authentication, the
Local VPN option of an authentication option can only be enabled or disabled for the entire
Authentication Database.
Click the Configuration button for further configuration. Enter the server IP address and
enable/disable the transparent login function. These settings will become effective immediately after
clicking the Apply button.
Server: The IP address of the external NT Domain Server.
Transparent Login: This function refers to Windows NT Domain single sign-on. When
Transparent Login is enabled, clients will log into the system automatically after they have
logged into the NT domain, which means that clients only need to log in once.
4.1.6 On-Demand Users
On-demand User Server Configuration: The administrator can enable and configure this
authentication method to create on-demand user accounts. This function is designed for hotspot
owners to provide temporary users with free or paid wireless Internet access in the hotspot
environment. Major functions include account creation, a user monitoring list, billing plans and external
payment gateway support.
1) General Settings
This is the common setting for the On-demand User authentication option.
Currency: Select the desired currency unit.
WLAN ESSID: Shows the ESSID of the Public Zone.
Wireless Key: Shows the wireless key that is configured in the Public Zone.
Remaining Volume Sync Interval: Enable it and enter the count-down time in minutes; the system will
remind users that their quota will run out soon when their remaining quota reaches this time. The
reminder message will not show up if the Remaining Reminder time is configured to be longer than
the quota of the billing plans.
Expired Accounts Remain Days: Expired accounts are deleted after the specified number of days.
Delete All Expired Accounts: Deletes all expired accounts immediately.
2) Ticket Customization
The on-demand account ticket can be customized here and previewed on the screen.
Receipt Header: There are 3 receipt headers supported by the system. The entered content
will be printed on the receipt. These headers are optional.
Receipt Footer: The entered content will be printed on the receipt. These footers are optional.
Background Image: You can choose to customize the ticket by uploading your own
background image for the ticket, or choose none. Click Edit to select the image file and then
click Upload. The background image file size limit is 100 Kbytes. No limit is set for the dimensions of
the image, but a 460x480 image is recommended.
Remark: Enter any additional information that will appear at the bottom of the receipt.
Number of Tickets: Enable this function to print duplicate receipts. Another Remark field will
appear when Number of Tickets is set to 2, and its content will appear at the bottom of the
2nd duplicate receipt.
Preview: Click the Preview button to show the ticket, including the username
and password, with the selected background. Print the ticket here.
3) Billing Plans
Administrators can configure several billing plans. Click the Edit button to enter the Editing
Billing Plan page. Click Apply to save the plan. Go back to the Billing Plans screen, check the Enable
checkbox or click the Select all button, and then click Apply; the plan(s) will be activated.
Plan: The number of the specific plan.
Type: The type of the plan, which defines how the account can be used;
the types include Usage-time, Cut-off, and Duration-time.
Quota: The limit on how On-demand users are allowed to access the network.
Enable: Check the checkbox to activate the plan.
Function: Click the Edit button to add one billing plan.
o Usage-time: The scenario of this type is that a client goes to a cyber café and purchases an
on-demand account. This account is activated and usable upon creation; its quota
starts to count down at creation and does not stop when the user logs out, and the account expires after a
configured time such as 4 hours or at 22:00 that day. For example, an on-demand account is
created at 2009/6/30 18:00 and its quota is 4 hours. Thus it becomes usable at
2009/6/30 18:00 and expires at 2009/6/30 22:00.
Quota is the total period of time (xx days yy hrs zz mins) during which On-demand
users are allowed to access the network. The total maximum quota is “364Days 23hrs
59mins 59secs” even after redeem.
Account Activation is the deadline for the first login. If the first login of this
account is later than this setting, the account will be expired.
Valid Period is the time period during which the account is valid for use. After this time period, the
account is expired even if the quota is not exhausted.
Price is the unit price of this plan.
o Cut-off: Cut-off Time is the time of day at which the on-demand account is cut off (made
expired) by the system on that day. Unit is the day periods of this Cut-off billing plan. Please
note that the Grace Period is an additional, short period of time after the account is cut off,
during which a user is allowed to continue to use the on-demand account to access the
Internet without paying additional fee. Unit Price is a daily price of this billing plan.
o Volume: Volume is the maximum number of Mbytes for which the on-demand account can be used
on the system. Quota is the total Mbytes (1~2000) for which On-demand users are
allowed to access the network.
o Duration-time with Relative Expiration Time: The scenario of this type is that a client
purchases an on-demand account pre-paid card or a gift coupon with a certain quota. This
account must be activated before a configured activation time; it is activated and usable
from the first login, its quota is counted down only while in use, and it will not expire
unless its quota is used up. For example, an on-demand account is created at 2009/6/30
09:30 and must be activated before 2009/7/1 09:30, its quota is 24 hours, and there is no
expiration time unless its quota is used up. Thus its first login must be done before 2009/7/1
09:30; the account becomes usable once activated at first login, for example, at
2009/7/01 08:00, and will not expire unless its quota is used up.
Account Activation is the time that the account will be activated for use. It is set to
the account creation time for this type.
Relative Expiration Time is the total usage time (xx hrs yy mins) during which
On-demand users are allowed to access the network. The usage time is counted down
only while in use. The account will expire when the usage time has run out.
Price is the unit price of this plan.
o Duration-time with Absolute Expiration Time: The scenario of this type is that a client
goes to an exhibition and purchases an on-demand account. The exhibition runs from 09:00
02/Jun/2009 to 18:00 07/Jun/2009. This account is activated from 09:00 02/Jun/2009
and usable during the exhibition period, and expires after a configured time such
as 18:00 07/Jun/2009.
Account Activation is the time that the account will be activated for use.
Expiration Time is the time at which the account expires and can no longer be
used.
Price is the unit price of this plan.
4) External Payment Gateway
This section is for merchants to set up an external payment gateway to accept payments in order to
provide wireless access service to end customers who wish to pay for the service on-line.
The options are Authorize.Net, PayPal, SecurePay, WorldPay or Disable.
5) On-demand Account Creation
After at least one plan is enabled, the administrator can generate single on-demand user accounts
here. Click this to enter the On-demand Account Creation page. Click on the Create button of the
desired enabled plan to create an on-demand account. The username and password of the on-demand
account to be created are configurable. Select Manual created in Username/Password Creation, and
the administrator can then enter the desired username and password for the on-demand account. In
addition, an External ID, such as a student’s school ID, can be entered at account
creation.
After the account is created, you can click Printout to print a receipt, which will contain the
on-demand user’s information, including the username and password, to a network printer.
Moreover, you can click Send to POS to print a receipt to a POS device.
Note:
If no Billing plan is enabled, accounts cannot be created by clicking the Create button. Please go back to Billing Plans and activate at least one Billing plan by clicking the Edit button and applying the setting. The printer used by Print is a pre-configured printer connected to the administrator’s computer.
Plan: The number of a specific plan.
Type: Shows the type of the plan: Usage-time, Duration-time or Cut-off.
Quota: The total amount of time or period for which On-demand users are allowed to access the
network.
Price: The unit price of each plan.
Status: Shows whether the plan is enabled or disabled.
Function: Press the Create button for the desired plan; the Creating an On-demand Account page will
appear for creation.
6) On-demand Account Batch Creation
After at least one plan is enabled, the administrator can generate multiple on-demand user
accounts at once by batch creation. Click this to enter the On-demand Account Batch Creation page. Enter
the desired number of accounts for the enabled plans to create a batch of on-demand accounts together.
The Number of Accounts field of a disabled plan does not accept any number. The sum of all
Number of Accounts values cannot exceed the available account limit in the database. Click the
Create button to start batch creation. The next page will show a Success or Failed message to indicate
the batch creation status. Once creation is successful, all created accounts can be exported to a text
file for extended usage. Moreover, you can click Send to POS to print a receipt to a POS device via
Serial or Ethernet network. Please note that batch creation of a large number of on-demand accounts
takes time.
Plan: The number of a specific plan.
Type: Shows the type of the plan: Usage-time, Duration-time or Cut-off.
Quota: The total amount of time or period for which On-demand users are allowed to access the
network.
Price: The unit price of each plan.
Number of Accounts: The desired number of accounts to be created for the plan.
7) On-demand Account List
All created On-demand accounts are listed, and related information is also provided.
Search: Enter a keyword of a username, External ID, or reference to be searched in the text
field and click this button to perform the search. All usernames, External IDs, or references
matching the keyword will be listed.
Username: The login name of the account.
Password: The login password of the account.
Remaining Quota: The remaining time or volume, or the cut-off time, for which the account can
continue to be used to access the network.
Status: The status of the account.
o Normal: the account is not currently in use and has not exceeded the quota limit.
o Online: the account is currently in use.
o Expired: the account is no longer valid, even if there is remaining quota to be used.
o Out of Quota: the account has exceeded the quota limit.
o Redeemed: the account has been applied for account renewal.
External ID: This is an additional information field that is combined with one unique account only.
Delete All: This will delete all the users at once.
Delete: This will delete the users individually.
Redeem On-demand Accounts
For Usage-time accounts, when the remaining quota is insufficient or almost used up,
users can use the redeem function to extend their quota. After the user has got, or bought,
a new account, they just need to click the Redeem button on the login success page to enter the
Redeem Page, input the new account’s Username and Password, and then click Submit. The
new account’s quota will be added to the original account.
However, the Redeem function can only redeem an account of the same billing type.
Note:
The total maximum quota is “364Days 23hrs 59mins 59secs” even after redeem. If the redeem amount exceeds this number, the system will automatically reject the redeem process.
Note:
Duration-time and Cut-off types support the redeem function.
4.2 Users Group
To configure Users Group, go to: Users >> Group.
There are multiple Groups for dividing users. A Group can be allowed to access a Service Zone or
not, and it can also be applied with a Policy within a Service Zone. The same Group within different
Service Zones can be applied with different Policies as well as different Authentication Options.
4.2.1 Assign users to a Group
To assign users to a Group, go to: Users >> Authentication.
This section shows how to group users and how to govern each grouped user with a different policy as he
moves to a different service zone. The following examples will help you better understand this section.
In this example, Group 1 users are allowed to access the internet in 5 places: Service Zone 0, 1, 4, 6, and
8. They must follow Policy 1 at Service Zone 1, 6 and 8. They are ruled by Policy 3 at Service Zone 1 and
by Policy 8 at Service Zone 4.
In each authentication option, you can assign a Group to that authentication option. All users who log in
with the same authentication server will belong to the same Group.
But there are some exceptions:
In Local Authentication, each user can be assigned to a different Group one by one.
In RADIUS Authentication, users can be assigned to different Groups by Class-Group Mapping.
In LDAP Authentication, users can be assigned to different Groups by Attribute-Group Mapping.
4.2.2 Permission in Service Zone
To configure Permission in Service Zone, go to: Users >> Group.
A Group can be allowed to access one Service Zone or multiple Service Zones. Moreover, a Group can
be applied with different Policies within different Service Zones. Remote VPN is considered a zone, where
clients log into the system via remote VPN.
Zone Name: The name of the Service Zones and Remote VPN.
Enabled: Select Enabled to allow clients of this Group to log into the selected Service Zones.
For example, the above figure shows that users in Group 1 can access network services via
every Service Zone as well as Remote VPN under the constraints of Policy 1.
Policy: Select the Policy that will be applied to the Group when accessing the respective Service
Zones.
To Group Permission Configuration: The relation between Group and Service Zone is
many to many; every Group can access network services via more than one Service Zone,
and meanwhile, each Service Zone can serve more than one Group.
Click the hyperlink in the To Group Permission Configuration column to enter the Group
Configuration interface, which is based on the role of Service Zone, to configure the relation
between Group and Service Zone.
o Group Option: The names of the Group options available for selection.
o Enabled: Select Enabled to allow clients of the enabled Groups to log in to this Service
Zone under the constraints of the selected Policies.
Check Enabled for each individual Group to assign it to the Service Zone listed. For example,
the above figure shows that clients in Group 1~8 can access Service Zone 1, where each Group is
governed by its own Policy.
o Policy: Select the Policy that will be applied to the Group when accessing this Service
Zone.
o To Zone Permission Configuration: Click the hyperlink in the To Zone Permission
Configuration column to enter the Zone Permission Configuration & Policy Assignment
interface, which is based on the role of Group, to configure the relation between Group and
Zone.
At Service Zone 1, Group 1 users are ruled by Policy 3, Group 2 by Policy 9 and Group 3 by Policy 11.
Other Groups are not enabled to access Service Zone 1.
4.3 User Login
An Example of User Login
Normally, users will be authenticated before they get network access through AMG-2100/AMG-2101.
This section presents the basic authentication flow for end users. Please make sure that the
AMG-2100/AMG-2101 is configured properly and that the network related settings are done.
1. Open an Internet browser and try to connect to any website (in this example, we try to connect to
www.google.com).
a) The first time, if the AMG-2100/AMG-2101 is not using a trusted SSL certificate (for more
information, please see 4.2.5 Additional Configuration), there will be a “Certificate Error”,
because the browser treats AMG-2100/AMG-2101 as an untrusted website.
b) Please press “Continue to this website” to continue.
c) The default user login page will appear in the browser.
2. Enter the username and password (in this example, we use a local user account: test@local) and
then click the Submit button. If the Remember Me check box is checked, the browser will store
this user’s name and password on the current computer, so that he/she can just click Submit to
log in to the system automatically at the next login.
The Remaining button on the User Login Page is for on-demand users only, where they can
check their remaining quota.
3. Successful! When the Login Successful page appears, you are connected to the network and the
Internet.
Note:
When On-demand accounts are used, the system will display more information, as shown below.
4.3.1 Default Authentication
In each Service Zone, there are different types of authentication database (LOCAL, POP3,
RADIUS, LDAP, NTDOMAIN, ONDEMAND, and SIP) that are supported by the entire system.
There are up to six authentication options can be enabled, and one of them can be set as the
Default Authentication– so that users do not have to type in the postfix string while entering
username during login.
A postfix is used to inform the system which authentication option to be used for authenticating
an account (e.g. bob@BostonLdap or tim@TaipeiRadius) when multiple options are concurrently
in use. One of authentication option can be assigned as default. For authentication assigned as
default, the postfix can be omitted. For example, if "BostonLdap" is the postfix of the default
option, Bob can login as "bob" without having to type in "bob@BostonLdap”.
4.3.2 Login with postfix
Set a postfix that makes it easy to tell which authentication server a user logs in with (e.g. Local).
The acceptable characters are numbers (0~9), letters (a~z or A~Z), dash (-), underline (_)
and dot (.), up to a maximum of 40 characters. All other characters are not allowed.
Except for the Default Authentication, users of every other authentication server must include the
postfix in the username when logging in, to identify which authentication server the user belongs to.
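The postfix rules of sections 4.3.1 and 4.3.2, written out as an added Python example (it is not code from the gateway or from LevelOne). The function names, the split on the last "@", the exact-case comparison and the rejection of unknown postfixes are assumptions; the character set, the 40-character limit, the six-option limit and the default-postfix behaviour come from the text above.

```python
import re

# Postfix rule from section 4.3.2: numbers, letters, '-', '_' and '.',
# with a maximum of 40 characters. Everything else is not allowed.
POSTFIX_RE = re.compile(r"[0-9A-Za-z._-]{1,40}")


class LoginError(ValueError):
    """Raised when a typed login name cannot be mapped to an option."""


def is_valid_postfix(postfix: str) -> bool:
    return POSTFIX_RE.fullmatch(postfix) is not None


def build_zone(postfix_to_db: dict, default_postfix: str) -> dict:
    """Validate the authentication options enabled in one Service Zone."""
    if len(postfix_to_db) > 6:
        raise ValueError("at most six authentication options can be enabled")
    for postfix in postfix_to_db:
        if not is_valid_postfix(postfix):
            raise ValueError(f"postfix not allowed: {postfix!r}")
    if default_postfix not in postfix_to_db:
        raise ValueError("the default must be one of the enabled options")
    return {"options": dict(postfix_to_db), "default": default_postfix}


def resolve_login(login: str, zone: dict) -> tuple:
    """Return (username, postfix, database type) for a typed login name."""
    # Assumption: the postfix is whatever follows the LAST '@'.
    name, sep, postfix = login.rpartition("@")
    if not sep:
        # No postfix typed: the Default Authentication option is used.
        name, postfix = login, zone["default"]
    if not name:
        raise LoginError("empty username")
    if postfix not in zone["options"]:
        # Assumption: an unknown postfix is rejected instead of silently
        # falling back to the default option (comparison is exact-case).
        raise LoginError(f"no authentication option with postfix {postfix!r}")
    return name, postfix, zone["options"][postfix]


# Constructed sample zone, using the postfix names from section 4.3.1.
SAMPLE_ZONE = build_zone(
    {"BostonLdap": "LDAP", "TaipeiRadius": "RADIUS", "local": "LOCAL"},
    default_postfix="BostonLdap",
)
```
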
4.3.3 Disable Authentication in Service Zone
Configure Authentication in Service Zone, go to: System >> Service Zones.
Authentication Required For the Zone: When it is disabled, users will not need to
authenticate before they get access to the network within this Service Zone.
5. Managing Wireless Network
5.1 AMG-2100/AMG-2101 with Multiple Types of AP
Besides the LAN ports on the AMG-2100/AMG-2101, you can connect APs to the AMG-2100/AMG-2101 to
extend network access wirelessly. The AMG-2100/AMG-2101 can manage multiple types of AP, such as
WAB-3003 (108M 11g Outdoor PoE AP), WAP-3101 (108M 11g PoE Wireless Access Point), WAP-6002
(150M N Wireless Access Point) and WAP-6011 (300M N_Max Wireless Access Point). Most AP settings
can be configured from the AMG-2100/AMG-2101.
In most environments, more than one AP is needed to provide wide-ranging network services, such as
a Hotspot or multiple offices. However, in most circumstances, only Indoor APs can be deployed. On
the other hand, many complicated environments combine indoor and outdoor areas. Industrial sites
combine office buildings and open-air factory areas; a campus must cover
classrooms, labs, offices and many open-air playgrounds. Therefore, both Indoor APs and Outdoor APs
are needed in the same deployment.
For this reason, managing multiple types of AP is very important. The following sections introduce
the management of multiple types of AP.
View AP Overview, go to: Access Points >> Overview.
The Overview page lists all of the supported AP types.
Because the AMG-2100/AMG-2101 can manage Single-RF access points and Wall-Jack access points, the
best and easiest way to configure a lot of APs is with an AP Template. You can configure one template
and then apply it to all, or many, of the APs in a simple way. Likewise, when you are adding
(discovering) APs with the same configuration to your network, you can apply this template to the
discovered APs very easily.
Note: The APs managed by AMG products must be set in AP Mode.
5.2 Configure AP Template
Configure AP Template, go to: Access Points >> Templates.
A template is a model that can be copied to every AP, so that it is not necessary to configure each
AP individually. There are three templates provided for each type of AP. Select an AP Type, and click
Edit to continue with the configuration.
Another easy way to configure the template is to copy the configuration from an existing AP to the
template. Select a Source AP; instead of configuring the template from the beginning,
administrators can then revise individual settings as needed.
If copying is not desired, select NONE. Input the Name and Remark if you want to change them
to make the template easier to remember. If not, click the Configure button to continue with the
configuration.
Template Editing: In this section administrators can configure the template name,
template source, and template remark.
Name: The name shown for this particular template; it changes according to what the
administrator enters.
Copy Settings From: Select an existing AP and click Apply to save its settings as the
template settings.
Remark: The remark of this template profile.
Template Configuration
The administrator can set the template configuration manually. Click the Configure button for
detailed configuration.
General Setting: In this section, revise the Subnet Mask and Default Gateway if
desired, and configure the NTP Servers and Time Zone. In addition, a SYSLOG server can be enabled to
receive the log from the AP, and SNMP read/write ability can be enabled.
Wireless:
SSID Broadcast: Select this option to enable the SSID to broadcast in your network.
When configuring the network, it is suggested to enable this function but disable it
when the configuration is complete. With this enabled, someone could easily obtain
the SSID information with the site survey software and get unauthorized access to a
private network. With this disabled, network security is enhanced and can prevent the
SSID from being seen on networked.
Band: There are 3 modes to select, 802.11b (2.4G, 1~11Mbps), 802.11g (2.4G,
54Mbps) and Mix mode (b and g).
Data Rate: The default is Auto. Available range is from 1 to 54Mbps. The rate of data
transmission should be set depending on the speed of the wireless network. Select
from a range of transmission speed or keep the default setting, Auto, to make the
Access Point automatically use the fastest rate possible.
Preamble: The length of the CRC (Cyclic Redundancy Check) block for
communication between the Access Point and roaming wireless adapters. Select either
Short Preamble or Long Preamble.
IAPP: Inter Access-Point Protocol is designed for the enforcement of unique
association throughout an ESS (Extended Service Set) and for secure exchange of a
station’s security context between the current access point (AP) and the new AP during
the handoff period.
Wireless Client Isolation: The default value is Disabled. When “Enabled” is selected,
all the wireless clients are isolated from each other.
Transmit Power: The default is Auto. Select from the range or keep the default
setting, Auto, to make the Access Point use different transmit power as you wish.
Wireless QoS WMM: When Enabled is selected, packets with QoS WMM have higher
priority.
Fragment Threshold: Breaking a packet into smaller units when transmitting over a
network medium that cannot support the original size of the packet.
RTS Threshold: Request To Send. A packet sent when a computer has data to
transmit. The computer will wait for a CTS (Clear To Send) message before sending
data.
Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value
is 100 milliseconds. The entered time sets how often the beacon signal is transmitted
between the access point and the wireless network.
5.3 Discovery AP
Configure Discovery AP, go to: Access Points >> Discovery.
After the AP template configuration is finished, use this function to detect and manage all of the
APs in the network segments. Note that the AMG-2100/AMG-2101 can only manage APs that are connected
to its LAN ports. Therefore, the AP discovery function is for adding locally connected APs to its
management list. The administrator must know the local IP addresses of the APs he/she wishes to
discover. Alternatively, the better way is to reset the AP to its default settings for discovery.
To discover AP:
AP Type: Choose the type of AP you wish to discover.
Interface: Set to default.
Admin Settings Used to Discover: Choose from Factory Default or Manual, if the AP is
not using the default IP.
Then click the Scan Now button; the APs that match the given settings will be shown in the list below.
If one of the intended IP addresses is already in use, a warning message will appear. In this case,
change the IP range and then click Scan Now again.
Discovery Results: The newly discovered APs are listed here. When the system’s Service Zone is
set to Tag-based mode, service zones can also be assigned here. After clicking Add, the current
management page is directed to the AP List, where the newly added APs will show up with a status of
“configuring”. It may take a couple of minutes for the status of a newly added AP to change
from “configuring” to “online” or “offline”.
AP Type: This is the supported type of APs for centralized management.
IP Address: IP address of the specified AP.
MAC Address: MAC address of the specific AP.
AP Name: Mnemonic name of the specific AP.
Admin Password: Password required for this AP.
Template: The template which will be applied to the added AP.
Channel: The selected channel will be applied to the added AP.
Service Zone: The item is only shown when Tag-Based mode is selected. Select the name
of Service Zone such as Service Zone 1, Guest or Employee.
Add: The administrator can click the Add button to register the APs to the List for management.
Input the desired name and password for the AP. Select one template and one channel, check the Add
checkbox and then click Add to add it to the managed list.
When the AP is added, it will show up in the list below and be given a new IP address set here (ex:
192.168.0.1). Check the Add box to add the AP and it will be listed in the AP list.
5.4 AP with Service Zone
Configure AP with Service Zone, go to: System >> Service Zones.
Service Zone Settings – Assigned IP Address for AP Management
Under port-based service zones, each service zone can designate an IP segment for IP address
assignment to a managed AP when the newly discovered AP is added into the service zone. Under
tag-based service zones, only the default service zone designates an IP segment for IP address
assignment to a managed AP when the newly discovered AP is added into the selected service zones.
Service Zone Settings – Managed AP in this Service Zone
All managed APs that belong to this service zone are listed here for reference.
Service Zone Settings – SSID for Service Zone
All managed APs that belong to this service zone have the same SSID.
Service Zone Settings – Access Control for Service Zone
All managed APs (VAP) that belong to this service zone have the same ACL table. When the status is
Allowed, only clients whose MAC addresses are in this list are allowed to connect
to the AP; on the other hand, when the status is Denied, clients whose MAC addresses are
in the list are denied connection to the AP. When Disabled is selected, any client can
connect to the AP. The default is Disabled.
o User Limit: Limit the number of users connected to that AP. Not all AP types support this
option.
5.5 AP Security
Configure AP Security, go to: System >> Service Zones.
Security: For each service zone, administrators can set up the wireless security profile,
including Authentication and Encryption.
Authentication: The options are Open System, Share Key, WPA, WPA2 or WPA/WPA2
Mixed.
Encryption:
WEP: When Authentication is Open System or Share Key, WEP will be enabled.
WPA: When Authentication is WPA, the options are WPA-PSK or WPA-RADIUS.
For WPA-PSK, either Passphrase or HEX can also be selected.
WPA2: When Authentication is WPA, the options are WPA-PSK or WPA-RADIUS.
For WPA-PSK, either Passphrase or HEX can also be selected.
WPA/WPA2 Mixed: When Authentication is WPA, the options are WPA-PSK or WPA-RADIUS.
For WPA-PSK, either Passphrase or HEX can also be selected.
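How the Passphrase and HEX choices for WPA-PSK relate, as an added Python example (not code from the gateway or from LevelOne). It assumes the Passphrase option follows the standard IEEE 802.11i passphrase-to-key mapping, which the manual does not spell out; the function names are hypothetical, and the test vector is the published 802.11i one for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac
import re

HEX_PSK_RE = re.compile(r"[0-9A-Fa-f]{64}")  # 256-bit key as 64 hex digits


def psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Map a WPA passphrase to the 256-bit pre-shared key (64 hex digits).

    IEEE 802.11i mapping: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 32 bytes of output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def psk_from_hex(value: str) -> str:
    """Validate a key typed with the HEX option and normalize its case."""
    if HEX_PSK_RE.fullmatch(value) is None:
        raise ValueError("HEX key must be exactly 64 hexadecimal digits")
    return value.lower()


def resolve_psk(key_type: str, value: str, ssid: str) -> str:
    """Return the key an AP would end up using for either input style."""
    if key_type == "Passphrase":
        return psk_from_passphrase(value, ssid)
    if key_type == "HEX":
        return psk_from_hex(value)  # independent of the SSID
    raise ValueError(f"unknown key type: {key_type!r}")


def same_key(psk_a: str, psk_b: str) -> bool:
    """Constant-time comparison of two keys in hex form."""
    return hmac.compare_digest(psk_a, psk_b)


# IEEE 802.11i test vector (passphrase "password", SSID "IEEE").
VECTOR_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
```

Because the SSID is the salt, a passphrase yields a different key when the service zone's SSID changes, while a key entered as HEX stays the same.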
5.6 Change managed AP settings
Configure AP settings in AP List, go to: Access Points >> List.
All of the APs under the management of the AMG-2100/AMG-2101 are shown in the list. An AP can be
edited by clicking the hyperlink of its AP Name, and the AP status can be viewed by clicking the
hyperlink of its Status.
AP Name
Click the AP Name to enter the interface for the related settings. There are four kinds of settings,
General Settings, LAN Interface Setting and Wireless Interface Setting. Click the hyperlink
to continue with the configuration.
General Setting: Click the link to enter the General Setting interface. Firmware information
can also be viewed here.
LAN Setting: Click the link to enter the LAN Setting interface. Input the LAN data, including
the IP address, Subnet Mask and Default Gateway of the AP.
Wireless LAN: Click the link to enter the Wireless interface.
Status
After clicking the hyperlink in the Status column, there are two areas of information shown: AP
Status Summary and AP Status Details.
AP Status Summary includes AP Name, AP Type, LAN Interface MAC address, Wireless
Interface MAC address, Report Time, SSID, and Number of Associated Clients. AP Status
Details include System Status, LAN Status, Wireless LAN Status, Associated Client Status
and Local Log Status.
5.7 AP Operations from AP List
Configure AP List, go to: Access Points >> List.
5.7.1 Reboot, Enable, Disable and Delete the AP
Select any AP by checking its checkbox and then click the button below to Reboot, Enable, Disable
or Delete the selected AP as desired.
5.7.2 Apply Template
Select any AP by checking its checkbox and then click Apply Template; select one template to apply to
the AP.
5.7.3 Change Service Zone
Select any AP by checking its checkbox and then click Apply Service Zone to select which Service
Zones this AP is associated with. For example, if SZ3 and SZ5 are selected for this AP, then these two
Service Zones will be available under this AP. This AP will have two VAPs with two SSIDs, one for each
of the two Service Zones, for clients to associate with. If a user is connected to one SSID (for
example, SSID3) of this AP and wishes to access the Internet, the user must first log into the
corresponding Service Zone (SZ3).
Check the checkbox to select the available Service Zones from the list. Click Apply to finish the
settings.
Caution:
1. This function is only supported in Tag-Based mode.
2. Not all AP types support this feature; only Multi-VAP APs can Apply Service Zone in Tag-Based
mode.
5.7.4 AP Background Discovery
Configure AP Background Discovery, go to: AP Management >> Discovery.
Background AP Discovery: Click Configure to enter the Background AP Discovery interface and
continue with the related configuration.
The configuration is the same as AP Discovery. When the Background AP Discovery function is
enabled, the system will scan once every 10 minutes or according to the time set by the
administrator. If any AP is discovered and Auto-Add AP is enabled, it will be assigned an available
IP from the starting IP address and the selected template will be applied. You can also set the
channel the AP will use.
Caution:
The scanning process may take a long time if the IP range assigned to scan is too wide.
5.7.5 Manually add AP
Configure adding an AP manually, go to: Access Points >> Adding.
An AP can also be added manually, even when it is offline. Input the related data of the AP and
select a Template. After clicking Add, the AP will be added to the managed list.
AP Type: This is the supported type of APs for centralized management.
AP Name: Mnemonic name of the specific AP.
Admin Password: Password required for this AP.
IP Address: IP address of the specified AP.
MAC Address: MAC address of the specific AP.
Remark: Some extra information to be filled in for this AP if desired.
Service Zone (Tag-Based only): This item is only shown when Tag-Based mode is selected
in System Configuration >> LAN Port Mapping. Select the name of the Service Zone, such as
Service Zone 1, Guest or Employee. It applies to Multi-VAP APs only.
Template Applied: The template which will be applied to the added AP.
Channel: The selected channel will be applied to the added AP.
5.7.6 Firmware management and upgrade
Configure Firmware management, go to: Access Points >> Firmware.
Firmware Upload displays the current version of the AP’s firmware. New firmware can be uploaded
here to update the current firmware. To upload, click Browse to select the file and then click Upload.
Configure Firmware upgrade, go to: Access Points >> Upgrade.
AP Upgrade: Select the APs that need to be upgraded, select the firmware version to upgrade to, and
click Apply to upgrade the firmware.
6. Policies and Access Control
6.1 Black List
Configure Black List, go to: Users >> Black List.
The administrator can add, delete, or edit the black list for user access control. Each black list can
include many users. User accounts that appear in the black list will be denied network access. The
administrator can use the pull-down menu to select the desired black list.
Select Black List: There are multiple lists to select from for the desired black list.
Name: Set the black list name and it will show on the pull-down menu above.
Add User(s): Click the hyperlink to add users to the selected black list.
After entering the usernames in the Username blanks and the related information in the Remark
blank (not required), click Apply to add the users.
If removing a user from the black list is desired, click the user’s Delete link or click the Del All
button to remove all users from the black list.
After the Black List has been set up, you can select it in each Authentication Server
to make it take effect.
6.2 MAC Address Control
Configure MAC Address Control, go to: Users >> Additional Control >> MAC ACL.
MAC ACL: With this function, only the users with their MAC addresses in this list can login to
AMG-2100/AMG-2101. There are maximum users allowed in this MAC address list. User authentication
is still required for these users. Click Edit to enter the MAC Address Control list. Fill in these MAC
addresses, select Enable, and then click Apply.
Caution:
The format of the MAC address is: xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
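The MAC list behaviour described in section 5.4 (Access Control for Service Zone: Allowed, Denied, Disabled) and in this section (MAC ACL for login), as an added Python example that is not code from the gateway or from LevelOne. Function names and sample addresses are constructed; rejecting an address that mixes ":" and "-" is an assumption based on the two formats shown in the Caution.

```python
import re

# The two formats from the Caution: xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
# The backreference \1 forces one separator style per address (assumption).
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}")


def normalize_mac(text: str) -> str:
    """Return the address as lower-case xx:xx:xx:xx:xx:xx or raise."""
    candidate = text.strip()
    if MAC_RE.fullmatch(candidate) is None:
        raise ValueError(f"not a valid MAC address: {text!r}")
    return candidate.replace("-", ":").lower()


def load_acl(entries):
    """Return (set of normalized MACs, entries that repeat an earlier one).

    Two entries that differ only in case or separator are the same station,
    so they are reported as duplicates instead of using up list slots.
    """
    acl, duplicates = set(), []
    for entry in entries:
        mac = normalize_mac(entry)
        if mac in acl:
            duplicates.append(entry)
        acl.add(mac)
    return acl, duplicates


def zone_acl_permits(status: str, acl: set, client_mac: str) -> bool:
    """Section 5.4: may this client connect to an AP of the service zone?"""
    mac = normalize_mac(client_mac)
    if status == "Disabled":      # the default: any client can connect
        return True
    if status == "Allowed":       # only listed clients can connect
        return mac in acl
    if status == "Denied":        # listed clients are denied
        return mac not in acl
    raise ValueError(f"unknown ACL status: {status!r}")


def login_permitted(mac_acl_enabled: bool, acl: set, client_mac: str,
                    authenticated: bool) -> bool:
    """Section 6.2: a listed MAC is necessary, authentication still required."""
    listed = (not mac_acl_enabled) or normalize_mac(client_mac) in acl
    return listed and authenticated


# Constructed sample list; the third entry repeats the first.
SAMPLE_ENTRIES = ["00:11:22:AA:BB:01", "00-11-22-aa-bb-02", "00-11-22-AA-BB-01"]
```

A MAC address is an identifier the client itself supplies, which is why section 6.2 still requires user authentication for listed addresses.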
6.3 Policy
Configure Policy, go to: Users >> Policy.
AMG-2100/AMG-2101 supports multiple Policies, including one Global Policy and other individual
Policies. Each Policy consists of access control profiles that can be configured respectively and
applied to a certain Group of users. The Global Policy is the system’s universal policy and is applied
to all clients, while the other individual Policies can be selected and defined to be applied to any
Service Zone.
The clients belonging to a Service Zone will be bound by an applied Policy. In addition, a Policy can be
applied on a Group basis; a Group of users can be bound by a Policy. The same Group can have
different Policies applied within different Service Zones.
When the type of authentication database is RADIUS, the Class-Group Mapping function will be
available to allow the administrator to assign a Group for a RADIUS class attribute; therefore, a Policy
applied to this Group will be mapped to a user Group of a RADIUS class attribute.
When the type of authentication database is LDAP, the Attribute-Group Mapping function will be
available to allow the administrator to assign a Group for an LDAP attribute; therefore, a Policy
applied to this Group will be mapped to a user Group of an LDAP attribute.
When the type of database is Local, the Group selection function will be available to allow the
administrator to assign a Group to each user one by one.
When the type of database is On-demand, the Group selection function will be available in each Billing
Plan to allow the administrator to assign a Group to each Billing Plan; a Group can also be assigned
to each user one by one when the On-demand user is created.

Global Policy
Global is the system’s universal policy, including Firewall Rules, Specific Routes Profile and
Maximum Concurrent Session, which is applied to all users unless the user is governed by
another applied Policy.
Select Policy: Select Global to set the Firewall Profile, Specific Route Profile and Maximum
Concurrent Session.
Firewall Profile: The Global policy and each other policy have a firewall service list and a
firewall profile composed of firewall rules.
Specific Route Profile: The default gateway of WAN1, WAN2, or a desired IP address can be
defined in a policy. When Specific Default Route is enabled, all clients to which this policy is applied
will access the Internet through this gateway setting, including the default gateway.
Maximum Concurrent Sessions: Set the maximum concurrent sessions for each client.

Policy
Besides the Global Policy, there are Policy 1 to Policy X; each Policy consists of access control
profiles that can be configured respectively and applied to a certain Group of users. The clients
belonging to a Service Zone will also be bound by an applied Policy. In addition, a Policy can be
applied on a Group basis; a Group of users can be bound by a Policy. The same Group can have different
Policies applied within different Service Zones.
Select Policy: Select Policy 1~Policy X to set the Firewall Profile, Specific Route Profile,
Schedule Profile and Maximum Concurrent Sessions.
Firewall Profile: Each Policy has a firewall service list and a firewall profile consisting of
firewall rules.
Specific Route Profile: The default gateway of WAN1, WAN2, or a desired IP address can be
defined in a policy. When Specific Default Route is enabled, all clients to which this policy is applied
will access the Internet through this gateway setting, including the default gateway.
Schedule Profile: The Schedule table in a 7X24 format is used to control the clients’ login time.
When Schedule is enabled, clients to which the policy is applied are only allowed to log in to the
system at the times checked in the applied policy.
Maximum Concurrent Sessions: Set the maximum concurrent sessions for each client.
6.3.1 Firewall
Firewall Profile: Click Setting for Firewall Profile. The Firewall Configuration will appear. Click
Predefined and Custom Service Protocols to edit the protocol list. Click Firewall Rules to edit the
rules.
1. Predefined Protocols
Predefined and Custom Service Protocols: There are predefined service protocols available for
firewall rules editing.
The administrator is able to add new custom service protocols by clicking Add, and delete the added
protocols with the Select All and Delete operations.
Caution:
The Predefined Service Protocols cannot be deleted.
Click Add to add a custom service protocol. Select the Protocol Type from the list of protocols
(TCP/UDP/ICMP/IP), then define the Source Port (range) and Destination Port
(range), and click Apply to save this protocol.
If the Protocol Type is ICMP, the Type and Code must be defined.
If the Protocol Type is IP, the Protocol Number must be defined.
2. Rules
After a custom protocol is defined, or if you just use the Predefined Service Protocols, you need to
enable a Firewall Rule to apply these protocols.
o Firewall Rules: Click the number under Filter Rule No. to edit an individual rule and click Apply
to save the settings. The rule status will show on the list. Check the “Active” checkbox and click
Apply to enable that rule.
This link leads to the Firewall Rules page. Rule No.1 has the highest priority; Rule No.2 has
the second priority and so on. Each firewall rule is defined by Source, Destination and
Pass/Block action. Optionally, a Firewall Rule Schedule can be set to specify when the firewall
rule is enforced. It can be set to Always, Recurring or One Time.
Selecting Filter Rule Number 1 as an example:
o Rule Number: This is the selected rule, “1”. Rule No. 1 has the highest priority; rule No.
2 has the second priority, and so on.
o Rule Name: The rule name can be changed here.
o Source/Destination – Interface/Zone: There are choices of ALL, WAN1, WAN2,
Default, and the named Service Zones to be applied for the traffic interface.
o Source/Destination – IP Address/Domain Name: Enter the source and
destination IP addresses. Domain Host filtering is supported but Domain name filtering
is not.
o Source/Destination – Subnet Mask: Select the source and destination subnet
masks.
o Source – MAC Address: The MAC Address of the source IP address. This is for a specific
MAC address filter.
o Service Protocol: Select one of the protocols defined in the service protocols list.
o Schedule: When a schedule is selected, the firewall rule is applied to clients assigned this
policy only within the times checked. There are three options, Always, Recurring
and One Time. Recurring is set with the hours within a week.
o Action for Matched Packets: There are two options, Block and Pass. Block
prevents packets from passing and Pass permits packets to pass.
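The rule priority described above (Rule No. 1 first, only Active rules, Pass or Block on a match), as an added Python example that is not code from the gateway or from LevelOne. It models only source, destination, protocol and destination port, leaving out interface, MAC and schedule. What the gateway does when no rule matches is not stated on this page, so evaluate() returns None in that case; the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    number: int                   # Rule No. 1 has the highest priority
    src: ipaddress.IPv4Network    # Source IP Address + Subnet Mask
    dst: ipaddress.IPv4Network    # Destination IP Address + Subnet Mask
    protocol: str                 # "ALL", "TCP", "UDP" or "ICMP"
    dst_ports: range              # only checked for TCP and UDP
    action: str                   # "Pass" or "Block"
    active: bool = True           # the "Active" checkbox


def net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from an address and a dotted subnet mask."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def matches(rule, src_ip, dst_ip, protocol, dst_port) -> bool:
    if rule.protocol != "ALL":
        if rule.protocol != protocol:
            return False
        if protocol in ("TCP", "UDP") and dst_port not in rule.dst_ports:
            return False
    return (ipaddress.ip_address(src_ip) in rule.src
            and ipaddress.ip_address(dst_ip) in rule.dst)


def evaluate(rules, src_ip, dst_ip, protocol, dst_port):
    """Return (rule number, action) of the first active match, else None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.active and matches(rule, src_ip, dst_ip, protocol, dst_port):
            return rule.number, rule.action
    return None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule matches also matches the earlier."""
    if earlier.protocol != "ALL":
        if earlier.protocol != later.protocol:
            return False
        if later.protocol in ("TCP", "UDP") and not (
                earlier.dst_ports.start <= later.dst_ports.start
                and later.dst_ports.stop <= earlier.dst_ports.stop):
            return False
    return later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)


def shadowed(rules):
    """List (rule, shadowed by, actions differ) for rules that never apply."""
    active = sorted((r for r in rules if r.active), key=lambda r: r.number)
    findings = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if covers(earlier, later):
                findings.append((later.number, earlier.number,
                                 earlier.action != later.action))
                break
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule(1, net("192.168.1.0", "255.255.255.0"), ANY, "TCP", range(23, 24), "Block"),
    Rule(2, net("192.168.1.0", "255.255.255.0"), net("10.0.0.0", "255.0.0.0"),
         "ALL", ALL_PORTS, "Pass"),
    # Intended to block one host, but rule 2 matches first, so it never applies.
    Rule(3, net("192.168.1.50", "255.255.255.255"), net("10.0.0.5", "255.255.255.255"),
         "TCP", range(80, 81), "Block"),
    Rule(4, ANY, ANY, "ALL", ALL_PORTS, "Block", active=False),
]
```
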
6.3.2 Routing
Specific Route Profile: Click the Setting button for Specific Route Profile; the Specific
Route Profile list will appear.
1. Specific Route
Specific Route Profile: The Specific Route is used to make clients access a specific IP
segment through the specified gateway.
o Destination / IP Address: The destination network address or IP address of the
destination host. Please note that, if applicable, the system will calculate and display the
appropriate value based on the combination of Network/IP Address and Subnet Mask that
has just been entered and applied.
o Destination / Subnet Netmask: The subnet mask of the destination network. Select
255.255.255.255(/32) if the destination is a single host.
o Gateway / IP Address: The IP address of the gateway or next router to the destination.