Nomadix AG-2000W, AG-2000WA User Manual

Nomadix AG-2000w
Copyright © 2003 Nomadix, Inc. All Rights Reserved.
This product also includes software developed by: The University of California, Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright © 1999 Go Ahead Software, Inc. All Rights Reserved; Livingston Enterprises, Inc., Copyright © 1992 Livingston Enterprises, Inc. All Rights Reserved; The Regents of the University of Michigan and Merit Network, Inc., Copyright 1992 – 1995 All Rights Reserved; and includes source code covered by the Mozilla Public License, Version 1.0 and OpenSSL.
Part Number: 200-1026-001-B (August, 2003)
Trademarks
The Nomadix symbol, AG-2000w™, AG-2000wa™ and Nomadix Service Engine™ are trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their respective holders.
Product Information
Telephone: +1.818.597.1500 Fax: +1.818.597.1502 For technical support information, see the Appendix in this User’s Guide.
Write your product serial number in this box:
S/N
31355 Agoura Road, Westlake Village, CA 91361, USA (head office)
Written and Illustrated by Bill Wareing
This User’s Guide is protected by U.S. copyright laws. You may not transmit, copy, modify, or translate this manual, or reduce it or any part of it to any machine readable form, without the express permission of the copyright holder.
DISCLAIMER
Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc. products.
FCC RADIATION EXPOSURE STATEMENT
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of about eight inches (20cm) between the radiator and your body.
This transmitter must not be co-located or operated in conjunction with any other antenna or transmitter.
NOTIFICATIONS
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Also note that the communication connections for this device are not for use in Telephone-Network Voltage (TNV) circuits.
This Class B digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.
(French, translated) This Class B digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.
WARNING
Risk of electric shock; do not open; no user-serviceable parts inside.
(French, translated) Risk of electric shock; do not open; do not attempt to disassemble the device.
CAUTION
Read the instruction manual prior to operation.
(French, translated) Read the instruction manual before use.
NOMADIX AG-2000W™ / AG-2000WA
Table of Contents
Introduction ..........................................................................................................7
About this User’s Guide ............................................................................................. 7
Organization................................................................................................................ 7
Why Choose Wireless?............................................................................................... 8
Welcome to the Nomadix AG-2000w and AG-2000wa............................................. 9
Product Definitions.............................................................................................. 9
Ensuring Compatibility........................................................................................ 9
Offering Speed and Efficiency ........................................................................... 10
Optimizing Performance.................................................................................... 10
Providing Effective Security .............................................................................. 11
Enabling Flexible Deployment Options............................................................. 11
WAN Connectivity:.................................................................................... 11
User Connectivity:...................................................................................... 11
Product Configuration and Licensing ............................................................... 11
Key Features and Benefits ........................................................................................ 12
Transparent Connectivity .................................................................................. 12
Local Content and Services ............................................................................... 13
Access Control and Authentication ................................................................... 13
Security .............................................................................................................. 13
Billing Enablement ............................................................................................ 13
5-Step Service Branding .................................................................................... 14
NSE Core Functionality............................................................................................ 15
Access Control................................................................................................... 16
Bandwidth Management .................................................................................... 16
Bridge Mode ...................................................................................................... 17
Command Line Interface ................................................................................... 17
Dynamic Address Translation™ ....................................................................... 17
Dynamic Transparent Proxy.............................................................................. 17
End User Licensee Count .................................................................................. 18
External Web Server Mode................................................................................ 18
Home Page Redirect.......................................................................................... 18
iNAT™............................................................................................................... 19
Information and Control Console...................................................................... 20
Internal Web Server........................................................................................... 20
International Language Support ....................................................................... 21
IP Upsell ............................................................................................................ 21
Logout Pop-Up Window .................................................................................... 21
MAC Filtering.................................................................................................... 22
Multi-Level Administration Support .................................................................. 22
NTP Support ...................................................................................................... 22
Portal Page Redirect ......................................................................................... 22
Port Mapping..................................................................................................... 23
RADIUS-driven Auto Configuration.................................................................. 23
RADIUS Client................................................................................................... 23
RADIUS Proxy (not available with the AG-2000w) .......................................... 24
Remember Me and RADIUS Re-Authentication................................................ 24
Secure Management........................................................................................... 24
Secure Socket Layer (SSL)................................................................................. 25
Secure XML API ................................................................................................ 26
Session Rate Limiting (SRL) .............................................................................. 26
Session Termination Redirect............................................................................ 26
Smart Client Support ......................................................................................... 26
SNMP Nomadix Private MIB............................................................................. 27
Tri-Mode Authentication ................................................................................... 27
URL Filtering .................................................................................................... 27
Walled Garden................................................................................................... 28
Web Management Interface............................................................................... 28
Optional NSE Modules............................................................................................. 29
Hospitality Module (not available with the AG-2000w).................................... 29
PMS Integration.......................................................................................... 29
Billing Records Mirroring .......................................................................... 29
Credit Card Module........................................................................................... 30
Wholesale Roaming Module.............................................................................. 30
High Availability Module .................................................................................. 30
Network Architecture (Sample)................................................................................ 31
Product Specifications .............................................................................................. 32
Online Help (WebHelp)............................................................................................ 36
Notes, Cautions, and Warnings................................................................................. 36
Chapter 1: Installing the AG-2000w................................................................ 37
Unpacking the AG-2000w ........................................................................................ 38
Installation Workflow ............................................................................................... 39
Connecting the System ............................................................................................. 40
Installation Considerations ....................................................................................... 41
Logging In to the Command Line Interface ............................................................. 42
The Management Interfaces (CLI and Web) ............................................................ 43
Making Menu Selections and Inputting Data with the CLI ............................... 43
Menu Organization (Web Management Interface)............................................ 44
Inputting Data – Maximum Character Lengths................................................. 45
Online Documentation and Help....................................................................... 46
Quick Reference Guide............................................................................................. 46
Establishing the Start Up Configuration................................................................... 47
Assigning Login User Names and Passwords ................................................... 48
Setting the SNMP Parameters (optional) .......................................................... 49
Enabling the Logging Options (recommended)................................................. 50
Assigning the Location Information and IP Addresses ..................................... 51
Establishing the Basic Configuration for Subscribers .............................................. 53
Setting the DHCP Options................................................................................. 53
Setting the DNS Options .................................................................................... 55
Archiving Your Configuration Settings.................................................................... 56
Installing the Nomadix Private MIB......................................................................... 57
Chapter 2: System Administration .................................................................. 59
Enabling Wireless Connectivity ............................................................................... 59
Choosing a Remote Connection ............................................................................... 60
Using the Web Management Interface (WMI)................................................... 60
Using an SNMP Manager.................................................................................. 61
Using a Telnet Client......................................................................................... 62
Logging In................................................................................................................. 62
About Your Product License .................................................................................... 62
Configuration Menu.................................................................................................. 63
Defining the AAA Services {AAA} ..................................................................... 63
Enabling AAA Services with the Internal Web Server .............................. 66
Enabling AAA Services with an External Web Server .............................. 69
Establishing Secure Administration {Access Control}...................................... 71
Defining Automatic Configuration Settings {Auto Configuration} ................... 73
Enabling Auto Configuration ..................................................................... 74
Setting Up Bandwidth Management {Bandwidth Management}....................... 76
Establishing Billing Records “Mirroring” {Bill Record Mirroring}................ 77
Managing the DHCP Service Options {DHCP}................................................ 79
Managing the DNS Options {DNS} ................................................................... 83
Setting the Home Page Redirection Options {Home Page Redirect}................ 85
Enabling Intelligent Address Translation (iNAT) ............................................. 86
Establishing Your Location {Location} ............................................................. 88
Managing the System and Billing Log Options {Logging}................................ 90
Assigning Passthrough Addresses (Passthrough Addresses)............................ 91
Defining the RADIUS Client Settings {RADIUS Client} ................................... 92
Miscellaneous Options ............................................................................... 94
Defining the RADIUS Routing Settings {RADIUS Routing} ............................. 95
Adding a RADIUS Service Profile............................................................. 96
Adding a Realm Routing Policy................................................................. 98
Managing SMTP Redirection {SMTP} ............................................................ 101
Managing the SNMP Communities {SNMP}................................................... 102
Displaying Your Configuration Settings {Summary} ...................................... 104
Setting the System Date and Time {Time} ....................................................... 105
Setting Up URL Filtering {URL Filtering}...................................................... 106
Enabling Secure Management {VPN Tunnel} ................................................. 107
Network Info Menu ................................................................................................ 110
Displaying ARP Table Entries {ARP} ............................................................. 110
Displaying DAT Sessions {DAT}..................................................................... 110
Displaying the Host Table {Hosts}.................................................................. 111
Displaying ICMP Statistics {ICMP}................................................................ 111
Displaying the Network Interfaces {Interfaces} .............................................. 112
Displaying the IP Statistics {IP}...................................................................... 113
Displaying the Routing Tables {Routing}........................................................ 114
Displaying the Active IP Connections {Sockets}............................................. 115
Displaying the Static Port Mapping Table {Static Port-Mapping}................. 115
Displaying TCP Statistics {TCP} .................................................................... 116
Displaying UDP Statistics {UDP}................................................................... 117
Subscriber Administration Menu............................................................................ 118
Adding Subscriber Profiles {Add} ................................................................... 118
Displaying Current Subscriber Connections {Current}.................................. 120
Deleting Subscriber Profiles by MAC Address {Delete by MAC}................... 121
Deleting Subscriber Profiles by User Name {Delete by User} ....................... 122
Displaying the Currently Allocated DHCP Leases {DHCP Leases} .............. 123
Deleting All Expired Subscriber Profiles {Expired} ....................................... 123
Finding Subscriber Profiles by MAC Address {Find by MAC}....................... 124
Finding Subscriber Profiles by User Name {Find by User} ........................... 125
Listing Subscriber Profiles by MAC Address {List by MAC}.......................... 126
Listing Subscriber Profiles by User Name {List by User}............................... 127
Displaying Current Profiles and Connections {Statistics}.............................. 128
Subscriber Interface Menu...................................................................................... 129
Defining the Billing Options {Billing Options} ............................................... 129
Setting Up the Information and Control Console {ICC Setup} ....................... 133
Assigning Buttons .................................................................................... 135
Assigning Banners.................................................................................... 136
Pixel Sizes ................................................................................................ 138
Time Formats............................................................................................ 138
Defining Languages {Language Support} ....................................................... 139
Defining the Subscriber’s Login UI {Login UI}.............................................. 141
Subscriber Login Screen (Sample)........................................................... 144
Defining Subscriber UI Labels {Subscriber Labels}....................................... 146
Defining Subscriber Error Messages {Subscriber Errors} ............................. 147
Defining Subscriber Messages {Subscriber Messages} .................................. 149
System Menu .......................................................................................................... 152
Adding an ARP Table Entry {ARP Add} ......................................................... 152
Deleting an ARP Table Entry {ARP Delete} ................................................... 153
Enabling the Bridge Mode Option {Bridge Mode} ......................................... 154
Exporting Configuration Settings to the Archive File {Export} ...................... 155
Importing the Factory Defaults {Factory} ...................................................... 156
Viewing the History Log {History}.................................................................. 157
Importing Configuration Settings from the Archive File {Import}.................. 158
Establishing Login Access Levels {Login} ...................................................... 159
Defining the MAC Filtering Options {Mac Filtering}..................................... 161
Testing a Remote Host {Ping} ......................................................................... 162
Rebooting the System {Reboot} ....................................................................... 163
Adding a Route {Route Add} ........................................................................... 164
Deleting a Route {Route Delete} ..................................................................... 165
Establishing Session Rate Limiting {Session Limit}........................................ 166
Adding Static Ports {Static Port-mapping Add}.............................................. 167
Deleting Static Ports {Static Port-mapping Delete}........................................ 169
Updating the AG-2000w Firmware {Upgrade}............................................... 170
Defining the Wireless Configuration {Wireless Configuration} ..................... 171
Chapter 3: The Subscriber Interface............................................................. 175
Overview................................................................................................................. 175
Authorization and Billing ....................................................................................... 176
The AAA Structure ........................................................................................... 177
Process Flow (AAA) ........................................................................................ 178
Internal and External Web Servers.................................................................. 179
Language Support............................................................................................ 179
Home Page Redirection................................................................................... 179
Subscriber Management ......................................................................................... 179
Subscriber Management Models ..................................................................... 180
Configuring the Subscriber Management Models........................................... 181
Information and Control Console (ICC)................................................................. 182
ICC Pop-Up Window....................................................................................... 182
Chapter 4: Quick Reference Guide................................................................ 183
Web Management Interface (WMI) Menus............................................................ 183
Main Page........................................................................................................ 183
Configuration Menu Items............................................................................... 184
Network Info Menu Items................................................................................. 185
Subscriber Administration Menu Items ........................................................... 186
Subscriber Interface Menu Items..................................................................... 187
System Menu Items .......................................................................................... 188
Alphabetical Listing of Menu Items (WMI)........................................................... 189
Default (Factory) Configuration Settings ............................................................... 191
Product Specifications ............................................................................................ 193
Sample AAA Log ................................................................................................... 197
Message Definitions (AAA Log) ...................................................................... 197
Sample SYSLOG Report ........................................................................................ 198
Sample History Log ................................................................................................ 198
Keyboard Shortcuts................................................................................................. 199
RADIUS Attributes................................................................................................. 200
Authentication-Request.................................................................................... 201
Authentication-Reply (Accept)......................................................................... 202
Accounting-Request ......................................................................................... 203
Selected Detailed Descriptions........................................................................ 204
Nomadix Vendor Specific Attributes................................................................ 205
Setting Up the SSL Feature .................................................................................... 206
Prerequisites.................................................................................................... 206
Obtain a Private Key File (cakey.pem) ........................................................... 207
Installing Cygwin and OpenSSL on a PC........................................................ 207
Private Key Generation ................................................................................... 211
Create a Certificate Signing Request (CSR) File ............................................ 214
Create a Public Key File (server.pem)............................................................ 215
Setting Up AG-2000w™ for SSL Secure Login............................................... 218
Setting Up the Portal Page .............................................................................. 219
Mirroring Billing Records ...................................................................................... 219
Sending Billing Records .................................................................................. 220
XML Interface.................................................................................................. 220
Chapter 5: Troubleshooting............................................................................ 223
General Hints and Tips ........................................................................................... 223
Management Interface Error Messages .................................................................. 223
Common Problems ................................................................................................. 225
Appendix: Technical Support......................................................................... 227
Contact Information................................................................................................ 227
Glossary of Terms ............................................................................................229
Index ..................................................................................................................245
Introduction
About this User’s Guide
This User’s Guide provides information and procedures that will enable system administrators to install, configure, manage, and use the Nomadix AG-2000w and AG-2000wa products successfully and efficiently. Use this guide to take full advantage of product functionality and features. For convenience, all references in this document are to the AG-2000w when data and procedures are common across the AG-2000w and AG-2000wa products. When information is specific to either product, these instances are clearly highlighted.
Organization
This User’s Guide is organized into the following chapters:
Chapter 1 – Installing the AG-2000w. This chapter provides instructions for installing the AG-2000w and establishing the start-up configuration.
Chapter 2 – System Administration. This chapter provides all the instructions and procedures necessary to manage and administer the AG-2000w following a successful installation.
Chapter 3 – The Subscriber Interface. This chapter provides an overview and sample scenario for the AG-2000w’s subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system.
Chapter 4 – Quick Reference Guide. This chapter contains product reference information, organized by topic and functionality. It also contains a full listing of all product configuration elements, sorted alphabetically and by menu.
Chapter 5 – Troubleshooting. This chapter provides information to help you resolve common hardware and software problems. It also contains a list of error messages associated with the management interface.
Appendix – Technical Support. The appendix informs you how to obtain technical support. You should refer to the troubleshooting procedures contained in Chapter 5 before contacting Nomadix, Inc. directly.
Glossary of Terms. The glossary provides an explanation of terms directly related to the product technology. Glossary entries are organized alphabetically.
Index. The index is a valuable information search tool. Use the index to locate specific topics and categories contained in this User’s Guide.
Why Choose Wireless?
Wireless Local Area Networks (WLANs) are cell-based computer networks that transmit and receive data over radio signals instead of wires. Wireless LANs are used increasingly in homes, offices, and public-access locations such as airports, coffee shops and universities. Innovative uses of WLAN technology are helping people work and communicate more efficiently and with greater mobility and flexibility. The absence of cabling and other fixed infrastructure has proven beneficial for users and cost-effective for service providers.
Wireless users can use the same applications they use on a wired network. Wireless adapter cards used on laptop and desktop systems support the same protocols as Ethernet adapter cards.
It may sometimes be desirable for mobile network devices to link with conventional Ethernet LANs to connect with servers, printers or the Internet supplied through the wired LAN. A wireless Access Point (AP) is a device used to provide this link.
Wireless LAN technology is used for many different purposes:
Mobility:
Productivity increases when people have access to data in any location within the operating range of the WLAN. Management decisions based on real-time information can significantly improve worker efficiency.
Low Implementation Costs:
WLANs are easy to set up, manage, change and relocate. Networks that frequently change can benefit from the ease of WLAN implementations. WLANs can operate in locations where the installation of physical wiring may be impractical.
Installation and Network Expansion:
Installing a WLAN can be fast and easy and can eliminate the need to route cabling through walls and ceilings. Wireless technology allows the network to go where wires cannot go—even outside the home or office.
Inexpensive Solution:
Wireless networking devices are as competitively priced as conventional Ethernet networking devices.
Scalability:
WLANs can be configured in a variety of ways to meet the needs of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks (suitable for a small number of users) to larger infrastructure networks that can accommodate hundreds or thousands of users, depending on the number of wireless devices deployed.
See also, “Defining the Wireless Configuration {Wireless Configuration}” on page 171.
Welcome to the Nomadix AG-2000w and AG-2000wa
The Nomadix AG-2000w and AG-2000wa are cost-effective, integrated Wi-Fi™ HotSpot connectivity devices that combine our full suite of Public-access features with a powerful Wi-Fi Access Point—maximizing range and coverage to create a superior solution for single-cell HotSpot locations.
Product Definitions
The AG-2000w supports the IEEE 802.11b and the faster 802.11g wireless standards within the 2.4 GHz band.
In addition to 802.11b and 802.11g, the AG-2000wa also supports the 802.11a wireless standard within the 5 GHz band.
For convenience and clarity, all future references in this User’s Guide are to the AG-2000w only, when data and procedures are common across both the AG-2000w and AG-2000wa products. When information is specific to either product, these instances are clearly highlighted.
Ensuring Compatibility
The AG-2000w is compatible with most popular operating systems, including Macintosh, Linux and Windows, and can be easily integrated into a large network.
[Figure: Nomadix AG-2000w]
By strictly adhering to IEEE standards, the AG-2000w allows users to securely access the data they want, when and where they want it, and enjoy the freedom that wireless networking delivers.
Offering Speed and Efficiency
The AG-2000w is a tri-mode, dual-band Access Point providing the most expanded user bandwidth available in an Access Point. Wireless clients can now connect to the AG-2000w using any one of its 14 non-overlapping channels to transfer data at speeds never before achievable in a wireless device.
The AG-2000w operates seamlessly and simultaneously in the 2.4 GHz frequency spectrum supporting the 802.11b and the faster (up to 54 Mbps) 802.11g wireless standards, while the AG-2000wa also operates in the 5 GHz spectrum supporting the 802.11a wireless standard at speeds up to 54 Mbps—effectively eliminating interference by other devices that may be operating in the 2.4 GHz frequency range.
Both 802.11a and 802.11g wireless standards utilize OFDM (Orthogonal Frequency Division Multiplexing) technology. OFDM works by splitting the radio signal into multiple smaller sub-signals that are then transmitted simultaneously at different frequencies to the receiver. OFDM reduces the amount of crosstalk (interference) in signal transmissions, allowing you to transfer large files quickly or even watch a movie in MPEG format over your network without any noticeable delays.
In addition to its compatibility with 802.11a (AG-2000wa) and 802.11g devices, the AG-2000w is compatible with 802.11b devices. For HotSpots that already use 802.11b devices, the AG-2000w is the ideal way to expand an existing network, enabling even more users to communicate with one another, access data and connect to the Internet.
By offering transfer rates up to 54 Mbps, the AG-2000w enables large data packets to travel from the router to a remote desktop or roaming laptop PC at up to five times the speed of previous wireless devices.
See also, “Defining the Wireless Configuration {Wireless Configuration}” on page 171.
Optimizing Performance
Network administrators can partition system usage by segmenting the users on the wireless network according to frequency band. For example, with the AG-2000wa, users who require special networking privileges (access to sensitive information, specific departments or videoconferencing) can use just the 802.11a channels while other employees use the 802.11b and 802.11g channels. This type of user segmentation optimizes the product’s performance and delivers the best network experience to all of its users.
Providing Effective Security
The AG-2000w is ideal for network administrators who require additional management, firewall, and other network security features. All of the system settings are easily accessible from the product’s embedded Web-based user interface.
The AG-2000w incorporates the 802.1x standard for wireless user authentication, WPA (Wi-Fi Protected Access), and WEP (Wired Equivalent Privacy).
Enabling Flexible Deployment Options
The AG-2000w enables a wide variety of network deployment options by supporting IEEE 802.11a/b/g for maximum flexibility in the types of users supported, and the 10/100 WAN interface enables connectivity into a variety of backhaul types.
WAN Connectivity:
T1/E1
Cable
Satellite
ADSL/SDSL/VDSL
ISDN
User Connectivity:
Supports IEEE 802.11a/b/g
Product Configuration and Licensing
All Nomadix Access Gateway products, including the AG-2000w, are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The AG-2000w employs our NSE core software package with the option to purchase additional modules to expand the product’s functionality.
This User’s Guide covers all features and functionality provided with the NSE core package, as well as the additional optional modules. Your product license must support the optional NSE modules if you want to take advantage of the expanded functionality. The following note will preface procedures that directly relate to optional modules:
Note: Your product license may not support this feature.
See also:
“NSE Core Functionality” on page 15.
“Optional NSE Modules” on page 29.
Key Features and Benefits
The AG-2000w allows carriers to deploy Wi-Fi service into a wide range of large or small Public-access locations while keeping deployment costs low.
Key features and benefits include:
Transparent Connectivity
Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider. In fact, most users are reluctant to make changes to their computer’s network settings and won’t even bother. This fact alone has prevented the widespread deployment of broadband network services.
Our patented Dynamic Address Translation™ (DAT) functionality offers a true “plug and play” solution by providing transparent broadband network access and the ability to acquire new customers onsite—no need for configuration changes to the client computer or any client-side software.
DAT greatly reduces provisioning and technical support costs and enables carriers to deliver an easy to use, customer-friendly service.
Local Content and Services
The Portal Page feature intercepts the user’s browser settings and directs them to a Web site to securely sign up for service or log in if they have a pre-existing account. Nomadix offers both pre and post authentication redirects of the user’s browser providing maximum flexibility in branding for both the carrier and the HotSpot owner.
Access Control and Authentication
The AG-2000w allows for the creation of a unique “Walled Garden” enabling users to access certain predetermined Web sites before they have been authenticated and paid for their service. All traffic to the Internet is blocked until authentication has been completed creating an additional level of security in the network.
Nomadix simultaneously supports the secure browser-based Universal Access Method, IEEE 802.1x, and Smart Clients for companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass.
Security
The patent-pending iNAT™ (Intelligent Network Address Translation) feature creates an intelligent mapping of IP Addresses and their associated VPN tunnels—by far the most reliable multi-session VPN passthrough to be tested against diverse VPN termination servers from companies such as Cisco, Checkpoint, Nortel and Microsoft. Nomadix’ iNAT feature allows multiple tunnels to be established to the same VPN server, creating a seamless connection for all users at the Public-access location.
The AG-2000w supports WPA, 64/128-bit WEP security and automatic re-keying for protection of the data between the AG-2000w and the user, and supports multiple SSIDs for segmentation of the network.
The AG-2000w provides fine-grained management of DoS (Denial of Service) attacks through its Session Rate Limiting (SRL) feature, and MAC filtering for improved network reliability.
Billing Enablement
The AG-2000w supports a variety of billing models to enable the deployment of profitable Public-access networks.
The AG-2000w supports billing plans that use credit cards or scratch cards, or plans that enable monthly subscriptions—then facilitates billing by a host of different parameters including time, volume, IP address type, or bandwidth. The AG-2000w can also offer incentive-based billing.
5-Step Service Branding
A network enabled with the Nomadix AG-2000w (or any other Nomadix Access Gateway) offers a 5-Step service branding methodology for Public-access operators and their partners, comprising:
1. Initial Flash Page branding.
2. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to redirect the user to a venue-specific Welcome and Login page.
3. Home Page Redirect (Post-Authentication). This redirect page can be tailored to the individual user (as part of the RADIUS Reply message, the URL is received by the NSE) or set to re-display itself at freely configurable intervals.
4. The Information and Control Console (ICC) contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session. As an alternative to the ICC, a simple pop-up window provides the opportunity to display a single logo.
5. The “Goodbye” page is a post-session page that can be defined either as a RADIUS VSA or be driven by the Internal Web Server (IWS) in the NSE. Using the IWS option means that this functionality is also available for other post-paid billing mechanisms (for example, post-paid PMS).
NSE Core Functionality
Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy Wi-Fi Public-access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi Public-access network.
The NSE’s core package of features includes:
Access Control
Bandwidth Management
Bridge Mode
Command Line Interface
Dynamic Address Translation™
Dynamic Transparent Proxy
End User Licensee Count
External Web Server Mode
Home Page Redirect
iNAT™
Information and Control Console
Internal Web Server
International Language Support
IP Upsell
Logout Pop-Up Window
MAC Filtering
Multi-Level Administration Support
NTP Support
Portal Page Redirect
Port Mapping
RADIUS Client
RADIUS-driven Auto Configuration
Remember Me and RADIUS Re-Authentication
Secure Management
Secure Socket Layer (SSL)
Secure XML API
Session Rate Limiting (SRL)
Session Termination Redirect
Smart Client Support
SNMP Nomadix Private MIB
Tri-Mode Authentication
URL Filtering
Walled Garden
Web Management Interface
Access Control
For IP-based access control, the NSE incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only if a match is made with the master list contained within the NSE. If a match is not made, the login is denied, even if a correct login name and password are supplied.
The access control list supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses.
The NSE also offers access control based on the interface being used. This feature allows administrators to block access from Telnet, Web Management, and FTP sources.
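The check order described above (source address first, credentials second, so that a correct login name and password from an unlisted address is still refused) is the security-relevant detail of this feature. The following is an added example, not Nomadix code, that models that fail-closed ordering together with the interface-based blocking; the entry forms (single address, CIDR block or explicit range) and the 50-entry cap come from the guide, while the class and function names and the sample addresses and credentials are assumptions constructed for this illustration.

```python
# Added example, not Nomadix code: a fail-closed administrator login check
# modelled on the master access control list described in the guide. The
# entry forms, the 50-entry cap and per-interface blocking come from the
# text; names and sample data are assumptions constructed for illustration.
import hmac
import ipaddress
from typing import Callable, Iterable, Tuple

MAX_ACL_ENTRIES = 50  # limit stated in the guide


class MasterAccessList:
    """Allow list of administrator source addresses, consulted before credentials."""

    def __init__(self, entries: Iterable[str]):
        self._ranges = []
        for raw in entries:
            if len(self._ranges) >= MAX_ACL_ENTRIES:
                raise ValueError("access control list supports at most 50 entries")
            self._ranges.append(self._parse(raw))

    @staticmethod
    def _parse(raw: str):
        raw = raw.strip()
        if "-" in raw:  # explicit range such as "172.16.5.1-172.16.5.20"
            lo_s, hi_s = raw.split("-", 1)
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {raw}")
            return lo, hi
        net = ipaddress.ip_network(raw, strict=False)  # single host or CIDR block
        return net[0], net[-1]

    def permits(self, source: str) -> bool:
        addr = ipaddress.ip_address(source)
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self._ranges)


def admin_login(acl: MasterAccessList, blocked_interfaces: set, source_ip: str,
                interface: str, username: str, password: str,
                credentials_ok: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Return (allowed, reason). The interface and ACL checks run first, so a
    correct username/password presented from an unlisted address is refused."""
    if interface.lower() in blocked_interfaces:
        return False, "interface blocked"
    if not acl.permits(source_ip):
        return False, "source not in master access list"
    if not credentials_ok(username, password):
        return False, "bad credentials"
    return True, "ok"


# Constructed sample credential store (illustration only; a real device
# would store a salted hash rather than the secret itself).
_SAMPLE_ADMINS = {"manager": "s3cret-pass"}


def sample_credentials_ok(username: str, password: str) -> bool:
    expected = _SAMPLE_ADMINS.get(username, "")
    # constant-time comparison so timing does not leak how much matched
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    acl = MasterAccessList(["192.168.1.10", "10.0.0.0/24", "172.16.5.1-172.16.5.20"])
    # correct credentials, but the source address is not on the list
    print(admin_login(acl, {"telnet", "ftp"}, "203.0.113.7", "web",
                      "manager", "s3cret-pass", sample_credentials_ok))
```

The interface set passed to admin_login plays the role of the per-interface blocks (Telnet, Web Management, FTP) the text mentions; returning distinct reasons is useful for the device's own log, but the strings shown to a remote caller should stay uniform so the ACL does not become an address-probing oracle.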
Bandwidth Management
The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically on a per device (MAC address / User) basis, and manages the WAN Link traffic to provide complete bandwidth management over the entire network. You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth.
With the Nomadix Information and Control Console (ICC) feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service (see graphic).
[Figure: Information and Control Console (ICC), showing the bandwidth selection pull-down]
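Per-device limiting of the kind described above is usually implemented with a token bucket per device and direction; a symmetric plan gives both directions the same rate and an asymmetric plan gives upstream and downstream different rates, and replacing a device's buckets is how an ICC plan change takes effect immediately. The following is an added example, not Nomadix code: the rates, burst size, MAC addresses and packet sizes are constructed sample values, and the class and method names are assumptions for this illustration.

```python
# Added example, not Nomadix code: per-device bandwidth ceilings enforced
# with one token bucket per direction (symmetric or asymmetric plans).
# Rates, MACs and packet sizes below are constructed sample values; the
# class and method names are assumptions made for this illustration.
from typing import Dict, Tuple


class TokenBucket:
    """Classic token bucket: tokens are bits, refilled continuously at rate_bps."""

    def __init__(self, rate_bps: float, burst_bits: float, now: float):
        self.rate = float(rate_bps)
        self.burst = float(burst_bits)
        self.tokens = self.burst   # start full so a fresh device may burst once
        self.last = now

    def allow(self, nbits: float, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if nbits <= self.tokens:
            self.tokens -= nbits
            return True
        return False               # over the ceiling: drop (or queue) the packet


class BandwidthManager:
    """Per-MAC ceilings. A symmetric plan uses the same rate both ways; an
    asymmetric plan gives upstream and downstream different rates."""

    def __init__(self):
        self._buckets: Dict[str, Tuple[TokenBucket, TokenBucket]] = {}

    def set_plan(self, mac: str, up_bps: float, down_bps: float, now: float,
                 burst_seconds: float = 1.0) -> None:
        # Replacing the buckets is also how an ICC plan change takes effect:
        # the subscriber picks a new plan and the ceiling changes at once.
        self._buckets[mac.lower()] = (
            TokenBucket(up_bps, up_bps * burst_seconds, now),
            TokenBucket(down_bps, down_bps * burst_seconds, now),
        )

    def forward(self, mac: str, direction: str, length_bytes: int, now: float) -> bool:
        """direction is 'up' (subscriber to WAN) or 'down' (WAN to subscriber)."""
        if direction not in ("up", "down"):
            raise ValueError(f"unknown direction: {direction!r}")
        buckets = self._buckets.get(mac.lower())
        if buckets is None:
            return False           # unknown device: no plan, nothing forwarded
        bucket = buckets[0] if direction == "up" else buckets[1]
        return bucket.allow(length_bytes * 8, now)


if __name__ == "__main__":
    bm = BandwidthManager()
    bm.set_plan("00:11:22:33:44:55", up_bps=64_000, down_bps=64_000, now=0.0)
    # six 1500-byte packets at t=0: the sixth exceeds the 64 kbit burst
    print([bm.forward("00:11:22:33:44:55", "down", 1500, 0.0) for _ in range(6)])
```

The burst allowance (here one second's worth of the rate) is the knob that trades smoothness for fairness: a larger burst lets a page load feel snappy, a smaller one keeps one device from monopolising the WAN link for even a moment.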
Bridge Mode
This feature allows complete and unconditional access to devices. When Bridge Mode is enabled, your NSE-powered product is effectively transparent to the network in which it is located.
The NSE forwards any and all packets (except those addressed to the NSE network interface). The packets are unmodified and can be forwarded in both directions. The Bridge Mode function is a very useful feature when troubleshooting your entire network as it allows administrators to effectively “remove” your product from the network without physically disconnecting the unit.
Command Line Interface
The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI (unless you have purchased our standalone Centralized Management System (CMS) application, which is not available with the AG-2000w). See also, “The Management Interfaces (CLI and Web)” on page 43.
Dynamic Address Translation™
Dynamic Address Translation (DAT) enables transparent broadband network connectivity, covering all types of IP configurations (static IP, DHCP, DNS), regardless of the platform or the operating system used—ensuring that everyone gets access to the network without the need for changes to their computer’s configuration settings or client-side software. The NSE supports both PPTP and IPSec VPNs in a manner that is transparent to the user and that provides a more secure standard connection. See also, “Transparent Connectivity” on page 12.
Dynamic Transparent Proxy
The NSE directs all HTTP and HTTPS proxy requests through an internal proxy which is transparent to subscribers (no need for users to perform any reconfiguration tasks). Uniquely, the NSE also supports clients that dynamically change their browser status from non-proxy to proxy, or vice versa. In addition, the NSE supports proxy ports 80, 800-900, 911 and 990 as well as all unassigned ports (for example, ports above 1024), thus ensuring far fewer proxy related support calls than competitive products.
End User Licensee Count
The NSE supports a range of simultaneous user counts depending on the Nomadix Access Gateway you choose. In addition, various user count upgrades are available for each of our NSE-powered products that allow you to increase the simultaneous user count.
External Web Server Mode
The External Web Server (EWS) interface is for customers who want to develop and use their own content. It allows you to create a “richer” environment than is possible with your product’s embedded Internal Web Server.
The advantages of using an External Web Server are:
Manage frequently changing content from one location.
Serve different pages depending on site, sub-location (for example, VLAN), and user.
Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans.
Recycle existing Web page content for the centrally hosted portal page.
If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also, “Contact Information” on page 227.
Home Page Redirect
The NSE supports a comprehensive HTTP redirect logic that allows network administrators to define multiple instances to intercept the browser’s request and replace it with freely configurable URLs.
Portal page redirect enables redirection to a portal page process before the authentication process. This means that anyone will get redirected to a Web page to establish an account, select a service plan, and pay for access. Home Page redirect enables redirection to a page after the authentication process (for example, to welcome a specific user to the service—after the user has been identified by the authentication process). See also, “Portal Page Redirect” on page 22.
iNAT™
Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many Public-access networks.
Nomadix’ patent-pending iNAT™ (intelligent Network Address Translation) feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.
The NSE performs a defined mode of network address translation based on packet type and protocol (for example, GRE, ISAKMP etc.). UDP packet fragmentation is supported to provide a more seamless translation engine for certificate-based VPN connections.
If address translation is needed to ensure the success of a specific application (for example, multiple users trying to access the same VPN termination server at the same time), the packet engine selects an IP address from a freely definable pool of publicly routable IP addresses. The same public IP address can be used as a source IP to support concurrent tunnels to different termination devices—offering unmatched efficiency in the utilization of costly public IP addresses. If the protocol type can be supported without the use of a public IP (for example, HTTP, FTP), our proven Dynamic Address Translation™ functionality continues to be used.
Some of the benefits of iNAT™ include:
Improves the success rate of VPN connectivity by misconfigured users, thus reducing customer support costs and boosting customer satisfaction.
Maintains the security benefits of traditional address translation technologies while enabling secure VPN connections for mobile workers accessing corporate resources from a Public-access location.
Dynamically adjusts the mode of address translation during the user's session, depending on the packet type.
Supports users with static private IP addresses (for example, 192.168.x.x) or public (different subnet) IP addresses without any changes to the client IP settings.
Dramatically heightens the reusability factor of costly public IP addresses.
Information and Control Console
The Nomadix Information and Control Console (ICC) is an HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time” field to inform subscribers of the time remaining on their account.
[Figure: Information and Control Console (ICC)]
Additionally, the ICC contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session, as well as display advertising banners and present a choice of redirection options to their subscribers.
See also:
“5-Step Service Branding” on page 14.
“Logout Pop-Up Window” on page 21.
“Information and Control Console (ICC)” on page 182.
Internal Web Server
The NSE offers an embedded Internal Web Server (IWS) to deliver Web pages stored in flash memory. These Web pages are configurable by the system administrator by selecting various parameters to be displayed on the internal pages. When providers or HotSpot owners do not want to develop their own content, the IWS is the answer. A banner at the top of each IWS page is configurable and contains the customer's company logo or any other image file they desire.
To support PDAs and other hand-held devices, the NSE automatically formats the IWS pages to a screen size that is optimal for the particular device being used.
See also:
“5-Step Service Branding” on page 14.
“International Language Support” on page 21.
International Language Support
The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use. See also, “Internal Web Server” on page 20.
The available language options are:
English
Chinese (Big 5)
French
German
Japanese (Shift_JIS)
Spanish
Other, with drop-down menu
IP Upsell
System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the NSE associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs.
The IP Upsell feature solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications.
Logout Pop-Up Window
As an alternative to the Information and Control Console (ICC), the NSE delivers an HTML-based pop-up window with the following functions:
Provides the opportunity to display a single logo.
Displays the session’s elapsed/count-down time.
Presents an explicit Logout button.
See also, “Information and Control Console” on page 20.
MAC Filtering
MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)” on page 26.
Multi-Level Administration Support
The NSE allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.
Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the AG-2000w platform at any one time.
NTP Support
The NSE supports Network Time Protocol (NTP), an Internet standard protocol that assures accurate synchronization (to the millisecond) of computer clock times in a network of computers. NTP synchronizes the client’s clock to the U.S. Naval Observatory master clocks. Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock.
Portal Page Redirect
The NSE contains a comprehensive HTTP page redirection logic that allows for a page redirect before (Portal Page Redirect) and/or after (Home Page Redirect) the authentication process. As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the portal page redirection logic that allows an External Web Server to perform a redirection based on:
AG-2000w ID and IP Address
Origin Server
Port
Location
Subscriber MAC address
Externally hosted RADIUS login failure page
This means that the network administrator can now perform location-specific service branding (for example, an airport lounge) from a centralized Web server.
See also, “Home Page Redirect” on page 18.
Port Mapping
This feature allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and misconfigured) and port number on the subscriber side of the NSE. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the NSE without setting them up with Public IP addresses.
RADIUS-driven Auto Configuration
Nomadix’ unique RADIUS-driven Auto Configuration functionality utilizes the existing infrastructure of a mobile operator to provide an effortless and rapid method for configuring devices for fast network roll-outs. Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network.
Two successive events drive the automatic configuration of Nomadix devices:
1. A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status), which is downloaded from an FTP server into the flash of the Nomadix device.
2. An automated login into the centralized FTP server and the actual download process into the flash.
Optionally, the RADIUS authentication process and FTP download can be secured by sending the traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also, “Secure Management” on page 24.
RADIUS Client
Nomadix offers an integrated RADIUS (Remote Authentication Dial-In User Service) client with the NSE allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user. When a customer connects into the network, the RADIUS client authenticates the customer with the RADIUS server, applies associated attributes stored in that customer's profile, and logs their activity (including bytes transferred, connect time, etc.). The NSE's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee. See also, “RADIUS-driven Auto Configuration” on page 23.
RADIUS Proxy (not available with the AG-2000w)
The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to:
Support a wholesale WISP model directly from the edge without the need for any centralized AAA proxy infrastructure.
Support EAP authenticators (for example, WLAN APs) on the subscriber-side of the NSE to transparently proxy all EAP types (TLS, SIM, etc.) and to allow for the distribution of per-session keys to EAP authenticators and supplicants.
Complementing the RADIUS Proxy functionality is the ability to route RADIUS messages depending on the Network Access Identifier (NAI). Both prefix-based (for example, ISP/username@ISP.net) and suffix-based (username@ISP.net) NAI routing mechanisms are supported. Together, the RADIUS Proxy and NAI Routing further support the deployment of the Wholesale Wi-Fi™ model allowing multiple providers to service one location. See also, “RADIUS Client” on page 23.
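Realm selection from the Network Access Identifier is what lets one location serve several providers: the proxy reads the realm out of the NAI and forwards the RADIUS request to that provider's server. The following is an added example, not Nomadix code, that parses both forms named above (prefix-based ISP/username@ISP.net and suffix-based username@ISP.net) and selects a server. The routing table, server names, the default route and the rule that an explicit prefix realm wins over the suffix realm are assumptions constructed for this illustration.

```python
# Added example, not Nomadix code: realm selection for a RADIUS proxy from a
# Network Access Identifier, supporting prefix-based (ISP/user@ISP.net) and
# suffix-based (user@ISP.net) routing. The table, server names, default route
# and prefix-over-suffix precedence are assumptions made for illustration.
from typing import Dict, Optional, Tuple


class NaiRouter:
    def __init__(self, prefix_routes: Dict[str, str], suffix_routes: Dict[str, str],
                 default_server: Optional[str] = None):
        # realm names are matched case-insensitively, like DNS labels
        self._prefix = {k.lower(): v for k, v in prefix_routes.items()}
        self._suffix = {k.lower(): v for k, v in suffix_routes.items()}
        self._default = default_server

    @staticmethod
    def split(nai: str) -> Tuple[Optional[str], str, Optional[str]]:
        """Return (prefix_realm, username, suffix_realm); absent parts are None."""
        prefix = None
        rest = nai
        if "/" in rest:
            prefix, rest = rest.split("/", 1)
            prefix = prefix or None
        username, sep, suffix = rest.partition("@")
        return prefix, username, (suffix if sep and suffix else None)

    def route(self, nai: str) -> Tuple[Optional[str], str]:
        """Return (server, how) where how is 'prefix', 'suffix' or 'default'.
        A request whose realm is unknown falls to the default (local) server
        rather than being forwarded blindly to an arbitrary host."""
        prefix, username, suffix = self.split(nai)
        if not username:
            raise ValueError(f"malformed NAI: {nai!r}")
        if prefix is not None and prefix.lower() in self._prefix:
            return self._prefix[prefix.lower()], "prefix"
        if suffix is not None and suffix.lower() in self._suffix:
            return self._suffix[suffix.lower()], "suffix"
        return self._default, "default"


if __name__ == "__main__":
    # constructed routing table with placeholder server names
    router = NaiRouter(
        prefix_routes={"ISP": "radius-isp.example"},
        suffix_routes={"ISP.net": "radius-isp.example",
                       "partner.com": "radius-partner.example"},
        default_server="radius-local.example",
    )
    for nai in ("ISP/alice@ISP.net", "bob@Partner.COM", "carol@unknown.org", "dave"):
        print(nai, "->", router.route(nai))
```

Rejecting an empty username and routing unknown realms to a local default are the two checks worth keeping in any real proxy: a relay that forwards on whatever realm a client types becomes an open RADIUS relay for anyone who can reach the subscriber side.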
Remember Me and RADIUS Re-Authentication
The NSE’s Internal Web Server (IWS) stores encrypted login cookies in the browser to remember logins, using Usernames and Passwords between Access Points. This “Remember Me” functionality creates a more efficient and better user experience in wireless networks.
The RADIUS Re-Authentication buffer has been expanded to 720 hours, allowing an even more seamless and transparent connection experience for repeat users.
Secure Management
There are many different ways to configure, manage and monitor the performance and up-time of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish network management objectives. And within those objectives is the requirement to provide the highest level of security possible.
While several network protocols have evolved that offer some level of security and data encryption, the preferred method for attaining maximum security across all network devices is to establish an IPSec tunnel using 3DES between the NOC (Network Operations Center) and the edge device (early VPN protocols such as PPTP have been widely discredited as a secure tunneling method).
As part of Nomadix’ commitment to provide outstanding carrier-class network management capabilities to its family of public access gateways, we offer secure management through the NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. See also, “Enabling Secure Management {VPN Tunnel}” on page 107.
Two successive events drive the secure management function of the Nomadix gateway and the devices behind it:
1. Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
2. The exchange of management traffic, either originating at the NOC or from the edge device, through the IPSec tunnel. Alternatively, AAA data such as RADIUS Authentication and Accounting traffic can be sent through the IPSec tunnel. See also, “RADIUS-driven Auto Configuration” on page 23.
The advantage of using IPSec is that all types of management traffic are supported, including the following typical examples:
ICMP - PING from NOC to edge devices
Telnet - Telnet from NOC to edge devices
Web Management - HTTP access from NOC to edge devices
SNMP:
SNMP GET from NOC to subscriber-side device (for example, AP)
SNMP SET from NOC to subscriber-side device (for example, AP)
SNMP Trap from subscriber-side device (for example, AP) to NOC
Secure Socket Layer (SSL)
This feature allows for the creation of an end-to-end encrypted link between your NSE-powered product and wireless clients by enabling the Internal Web Server (IWS) to display pages under a secure link—important when transmitting AAA information in a wireless network when using RADIUS.
SSL requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix.
Secure XML API
XML (eXtensible Markup Language) is used by the subscriber management module for user administration. The XML interface allows the NSE to accept and process XML commands from an external source. XML commands are sent over the network to your NSE-powered product which executes the commands, and returns data to the system that initiated the command request. XML enables solution providers to customize and enhance their product installations.
This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.
If you plan to implement XML for external billing, please contact technical support for the XML specification of your product. Refer to “Contact Information” on page 227.
Session Rate Limiting (SRL)
Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number of sessions any one user can open over a given time period and, if necessary, then block malicious users.
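An added example (not Nomadix code) of the per-user limit SRL describes: a sliding-window session counter that refuses, and then temporarily blocks, a subscriber who exceeds the limit. Subscribers are keyed by MAC address, and the limit, window and block duration are assumed values chosen for the example, not the NSE's.

```python
from collections import deque


class SessionRateLimiter:
    """Sliding-window session counter per subscriber (keyed here by MAC
    address, an assumption) with a temporary block once the limit is hit."""

    def __init__(self, max_sessions, window_seconds, block_seconds):
        self.max_sessions = max_sessions
        self.window = window_seconds
        self.block = block_seconds
        self._starts = {}         # subscriber -> deque of session start times
        self._blocked_until = {}  # subscriber -> time at which the block lifts

    def blocked_until(self, subscriber, now):
        """Return the time the block expires, or None if not blocked."""
        until = self._blocked_until.get(subscriber)
        if until is None:
            return None
        if now >= until:
            del self._blocked_until[subscriber]   # block has expired
            return None
        return until

    def new_session(self, subscriber, now):
        """Decide on a new session at time `now`: True admits it, False refuses
        it; the refusal that crosses the limit also starts a block."""
        if self.blocked_until(subscriber, now) is not None:
            return False
        starts = self._starts.setdefault(subscriber, deque())
        while starts and now - starts[0] >= self.window:
            starts.popleft()      # drop session starts outside the window
        if len(starts) >= self.max_sessions:
            self._blocked_until[subscriber] = now + self.block
            starts.clear()
            return False
        starts.append(now)
        return True


def replay(limiter, events):
    """Run (time, subscriber) session attempts through the limiter and return
    the list of (time, subscriber, admitted) decisions."""
    return [(t, s, limiter.new_session(s, t)) for t, s in events]


# Constructed sample: one client keeps opening sessions every 5 seconds,
# a second client opens one session and behaves normally.
SAMPLE_EVENTS = [
    (0, "00:11:22:33:44:55"),
    (5, "00:11:22:33:44:55"),
    (10, "00:11:22:33:44:55"),
    (15, "00:11:22:33:44:55"),   # fourth session inside 60 s: refused, blocked
    (20, "aa:bb:cc:dd:ee:ff"),   # other subscriber is unaffected
    (100, "00:11:22:33:44:55"),  # still inside the 300 s block
    (400, "00:11:22:33:44:55"),  # block has lifted, admitted again
]

if __name__ == "__main__":
    for t, mac, ok in replay(SessionRateLimiter(3, 60, 300), SAMPLE_EVENTS):
        print("t=%3d %s %s" % (t, mac, "admitted" if ok else "refused"))
```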
Session Termination Redirect
Once connected to the Public-access network, the NSE will automatically direct the customer to a Web site for local or personalized services, or to establish an account and pay for services through its Home Page Redirect functionality. In addition, the NSE also provides pre and post authentication redirects as well as one at session termination. See also, “Home Page Redirect” on page 18.
Smart Client Support
The NSE supports authentication mechanisms used by Smart Clients by companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass.
SNMP Nomadix Private MIB
Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock).
To take advantage of the functionality provided with Nomadix’ private MIB (Management Information Base), simply import the nomadix.mib file from the Accessories CD (supplied with the product) to view and manage SNMP objects on your product.
See also:
“Using an SNMP Manager” on page 61.
“Installing the Nomadix Private MIB” on page 57.
Tri-Mode Authentication
The NSE enables multiple authentication models providing the maximum amount of flexibility to the end user and to the operator by supporting any type of client entering their network and any type of business relationship on the back end. For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients.
See also:
“Access Control and Authentication” on page 13.
“Smart Client Support” on page 26.
URL Filtering
The NSE can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods:
1. Host IP address (for example, 1.2.3.4).
2. Host DNS name (for example, www.yahoo.com).
3. DNS domain name (for example, *.yahoo.com, meaning all sites under the yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.).
The system administrator can dynamically add or remove up to 300 specific IP addresses and domain names to be filtered for each property.
Walled Garden
The NSE provides up to 300 IP passthrough addresses (and/or DNS entries), allowing you to create a “Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing.
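The three entry kinds the URL filter accepts and the walled-garden passthrough list above can be modelled with one bounded host list; the following is an added example written for this guide, not NSE code. It assumes both lists share the 300-entry cap and that a *.domain entry covers names below the domain but not the bare domain itself.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 300  # per-property limit the manual gives for both lists


def host_of(target):
    """Lower-cased host from a URL or a bare host/IP string; scheme, port,
    user info and path are dropped."""
    text = target.strip()
    if "://" not in text:
        text = "http://" + text  # urlsplit only finds a host after a scheme
    host = urlsplit(text).hostname
    if not host:
        raise ValueError("no host in %r" % target)
    return host.lower().rstrip(".")


class HostList:
    """Bounded list of entries of the three kinds the manual describes: a host
    IP address, a host DNS name, or a DNS domain written *.domain. The same
    structure serves the URL filter (block on match) and the walled garden
    (allow on match); only the decision taken on a match differs."""

    def __init__(self, max_entries=MAX_ENTRIES):
        self.max_entries = max_entries
        self.ips = set()
        self.hosts = set()
        self.domains = set()

    def __len__(self):
        return len(self.ips) + len(self.hosts) + len(self.domains)

    def add(self, entry):
        """Classify and store one entry; a 301st entry is refused."""
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            raise ValueError("empty entry")
        if len(self) >= self.max_entries:
            raise ValueError("list is full (%d entries)" % self.max_entries)
        if entry.startswith("*."):
            domain = entry[2:]
            if not domain or "*" in domain:
                raise ValueError("bad wildcard entry %r" % entry)
            self.domains.add(domain)
            return
        try:
            self.ips.add(str(ipaddress.ip_address(entry)))  # normalised text
            return
        except ValueError:
            pass
        if "*" in entry or "/" in entry:
            raise ValueError("unsupported entry %r" % entry)
        self.hosts.add(entry)

    def remove(self, entry):
        entry = entry.strip().lower().rstrip(".")
        if entry.startswith("*."):
            self.domains.discard(entry[2:])
            return
        try:
            self.ips.discard(str(ipaddress.ip_address(entry)))
        except ValueError:
            self.hosts.discard(entry)

    def matches(self, target):
        """True if the host in target is listed. *.example.com covers every
        name below example.com (finance.example.com, a.b.example.com); the
        manual does not say whether the bare example.com is included, so this
        example (an assumption) does not match the apex."""
        host = host_of(target)
        if host in self.ips or host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) in self.domains:
                return True
        return False


def url_filter_blocks(url_filter, target):
    """URL-filter decision for any subscriber: a listed host is blocked."""
    return url_filter.matches(target)


def walled_garden_allows(garden, target):
    """Walled-garden decision for a subscriber who has not yet authenticated:
    only hosts on the passthrough list are reachable."""
    return garden.matches(target)
```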
Web Management Interface
Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)” on page 60.
Optional NSE Modules
Hospitality Module (not available with the AG-2000w)
The optional Hospitality Module provides the widest range of Property Management System (PMS) interfaces to enable in-room guest billing for HSIA (High Speed Internet Access) service. This module also includes 2-Way PMS interface capability for in-room billing in a Wi-Fi enabled network. In addition, the Hospitality Module includes the Bill Mirror functionality for posting of billing records to multiple sources. With this module, the NSE also supports billing over a TCP/IP connection to select PMS interfaces.
PMS Integration
By integrating with a hotel’s PMS, your NSE-powered product can post charges for Internet access directly to a guest’s hotel bill. In this case, the guest is billed only once. The NSE outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. Nomadix’ Access Gateways are equipped with a dedicated PMS port to facilitate connectivity with a customer’s Property Management System.
Billing Records Mirroring
NSE-powered devices can send copies of credit card (and optionally, PMS) billing records to external servers that have been previously defined by system administrators. The NSE assumes control of billing transmissions and the saving of billing records. By effectively “mirroring” the billing data, the NSE can send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are not responding, the NSE can store up to 2,000 billing records. The NSE regularly attempts to connect with the primary and secondary servers. When a connection is re-established (with either server), the NSE sends the cached information to the server. Customers can be confident that their billing information is secure and that no transaction records are lost.
Your product license may not support this feature.
Some Property Management Systems may require you to obtain a license before integrating the PMS with your Nomadix Access Gateway product. Check with the PMS vendor.
Your product license may not support this feature.
Credit Card Module
The optional Credit Card Module provides a secure interface over SSL to enable billing via a credit card for HSIA. This module also includes the Billing Records Mirroring functionality for posting of billing records to multiple sources.
See also:
“Secure Socket Layer (SSL)” on page 25.
“Billing Records Mirroring” on page 29.
Your product license may not support this feature.
Wholesale Roaming Module
The optional Wholesale Roaming Module provides advanced NAI (Network Access Identifier) routing capabilities, enabling multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner.
Your product license may not support this feature.
High Availability Module
The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
Your product license may not support this feature.
Network Architecture (Sample)
The AG-2000w is an ideal solution for single cell Public-access environments. Other Nomadix products (for example, HotSpot Gateway and Universal Subscriber Gateway II) are more suited to dual cell and multi cell Public-access environments.
Product Specifications
PUBLIC-ACCESS
User Support:
Nomadix recommends a maximum of 50 users per unit
Dynamic Address Translation
Home Page Redirection (Pre and Post Authentication)
iNAT (for seamless VPN connectivity)
SMTP Redirection
Full Authorization, Authentication and Accounting Support
RADIUS Client
Bandwidth Management
Information and Control Console
Global Roaming Support
MEDIA ACCESS CONTROL
CSMA/CA
Specifications
PORTS
10/100Base-T Ethernet, RJ-45 (UTP)
WIRELESS
802.11b Specifications:
Frequency band: 2.4GHz - 2.4835GHz
Data Rates: 11, 5.5, 2, 1 Mbps
Modulation: Direct Sequence Spread Spectrum (CCK, DQPSK, DBPSK)
802.11g Specifications:
Frequency band: 2.4GHz - 2.482GHz
Data Rates: 54, 48, 36, 24, 18, 12, 6 Mbps
Modulation: Orthogonal Frequency Division Modulation (64 QAM, 16 QAM, QPSK, BPSK)
802.11a Specifications:
Frequency band: 5.150GHz - 5.350GHz
Data Rates: 54, 48, 36, 24, 18, 12, 9 Mbps
Modulation: Orthogonal Frequency Division Modulation (64 QAM, 16 QAM, QPSK, BPSK)
NETWORKING
IEEE 802.3 / 3u
IEEE 802.1d
PoE per IEEE 802.3af
DHCP Server
DHCP Relay
DHCP Client
RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2)
PPPoE Client
SECURITY
64-bit/128-bit WEP with dynamic keying
iNAT
MAC Address Filtering and Session Limiting
ANTENNA TYPE
802.11b/g: 2dBi
802.11a: 3dBi
AUTHENTICATION
Internal data base
Universal Access Method (UAM) using SSL
Smart Client Support: Adjungo Networks, Boingo Wireless, iPass, GRIC
IEEE 802.1x (SIM / MD-5 / TLS / TTLS / PEAP)
MANAGEMENT
Multi-Level Administration Controls
Access Control Lists
Web Administration UI
SNMP v2c
Secure XML API
Auto Configuration and Upgrades
Syslog/AAA Log
POWER
100 to 240 VAC w/ +/-10% margin
50/60 Hz w/ +2%, -4% margin
EN61000-3-2 compliant
ENVIRONMENT
Operating temperature: 0 - 40°C
Operating humidity: 10 - 90% RH non-condensing
Storage temperature: -25 - 60°C
Storage humidity: 5 - 95% RH non-condensing
REGULATORY
FCC Part 15
CE Mark
CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17
VCCI Class B, Telec
UL 1950, CSA22.2 No 950, TÜV/GS(EN60950)
For further information on the certifications for the AG-2000w product, visit http://www.nomadix.com/downloads.
COMPATIBILITY
Communicates with all Wi-Fi certified wireless adapters
PHYSICAL
9.25(L) x 6.25(W) x 1.5(H) inches
91.2(L) x 54(W) x 36.4(H) mm
Weight: 500 grams
Wall Mountable
LEDS
Power Indicator
10/100, ACT/Link
TRANSMITTER OUTPUT POWER
11g TX Power Specification:
Typical RF Output Power at each Data Rate and at room temperature (25 °C):
+13dBm at 54Mbps
+15dBm at 48Mbps
+17dBm at 36Mbps
+18dBm at 24, 18, 12, 9, & 6Mbps
ALC loop to control transmit power within 0.9dB tolerance at room temperature
11b TX Power Specification:
Typical 18dBm at 11, 5.5, 2, & 1Mbps at room temperature (25 °C)
ALC loop to control transmit power within 0.9dB tolerance at room temperature
11a TX Power Specification:
Typical RF Output Power at each Data Rate and at room temperature (25 °C):
+13dBm at 54Mbps
+15dBm at 48Mbps
+17dBm at 36Mbps
+18dBm at 24, 18, 12, 9, & 6Mbps
ALC loop to control transmit power within 0.9dB tolerance at room temperature
Online Help (WebHelp)
The AG-2000w incorporates an online Help system called “WebHelp” which is accessible through the Web Management Interface (when a remote Internet connection is established following a successful installation). WebHelp can be viewed on any platform (for example, Windows, Macintosh, or UNIX-based platforms) using either Internet Explorer or Netscape Navigator (see note).
WebHelp is useful when you have an Internet connection to the AG-2000w and you want to access information quickly and efficiently. It contains all the information you will find in this User’s Guide.
For more information about WebHelp and other online documentation resources, go to “Online Documentation and Help” on page 46.
WebHelp is best viewed using Internet Explorer, version 4.0 or higher.
Notes, Cautions, and Warnings
The following symbols are used throughout this User’s Guide:
This symbol is used for general notes and additional information that may be useful to you.
This symbol is used for cautions and warnings. Cautions and warnings provide important information to eliminate the risk of a system malfunction or possible damage.
Installing the AG-2000w
This chapter provides installation instructions for the hardware and software components of the AG-2000w. It also includes an overview of the management interface, some helpful hints for system administrators, and procedures for the following tasks:
Connecting the system.
Logging in to the Command Line Interface.
Establishing the AG-2000w’s start up configuration.
Establishing the basic configuration for subscribers.
Archiving your configuration settings.
Installing the Nomadix Private MIB.
Once you have installed your AG-2000w and established the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, your archived settings can be restored at any time. See “Archiving Your Configuration Settings” on page 56.
Unpacking the AG-2000w
When you unpack the unit, you will find the following items in the carton:
Item Qty
PoE power entry module 1
Power supply 1
Power supply AC cord 1
Plastic anchor 2
Wall mounting screws 2
Rubber feet 4
Protective cardboard ends 2
AG-2000w or AG-2000wa unit 1
End User License Agreement (EULA) 1
Accessories CD-ROM (containing this User’s Guide, README file, Quick Start Guide, NOMADIX private MIB file, and any other useful accessories) 1
Customer welcome letter 1
Installation Workflow
This Installation Workflow illustrates the steps that are required to install and configure the AG-2000w successfully. Review this flowchart before attempting to install the AG-2000w on the customer’s network.
1. Place the AG-2000w on a flat and stable work surface and connect the power cord.
2. Connect the AG-2000w to a “live” network.
3. Start a Telnet session to communicate with the AG-2000w via the product’s IP address (172.30.30.172) or its default DHCP address.
4. Log in to the Command Line Interface. When prompted, accept the Nomadix End User License Agreement (EULA). You must accept the EULA before the AG-2000w can connect with the Nomadix License Key Server. When the key is successfully received from the server, your AG-2000w will reboot.
5. Establish your AG-2000w’s start-up configuration settings.
6. Log in to the AG-2000w and use the graphical Web Management Interface (WMI) to configure the product's features. You have now established a basic configuration for the AG-2000w that enables "Plug and Play" Internet connectivity.
7. Export your configuration settings to an archive file.
Connecting the System
Use this procedure to connect the system. See also, “Installation Considerations” on page 41.
1. Place the AG-2000w on a flat and stable work surface.
2. Connect the system (see graphic), including the power cord and adapter, and Ethernet cable.
(Graphic: the AG-2000w connected to the power cord via the adapter, and by Ethernet cable to a router or switch; see note.)
A straight-through cable is required when connecting the AG-2000w to a Router or Switch. A cross-over cable is required when connecting the AG-2000w directly to an Ethernet adapter on a computer.
Installation Considerations
Designed with an indoor range of up to 328 feet (100 meters), the AG-2000w wireless gateway allows you to access your network using a wireless connection from virtually anywhere. However, the number, thickness and location of walls, ceilings or other objects that the wireless signals must pass through may limit the range. Typical ranges vary depending on the types of materials and background RF (radio frequency) noise at your location. The key to maximizing the wireless range is to follow these basic guidelines:
1. Keep the number of walls and ceilings between the AG-2000w and your receiving device to a minimum—each wall or ceiling can reduce the product’s range by between 3 and 90 feet (1 to 30 meters). Position your devices so that the number of walls or ceilings is minimized.
2. Be aware of the direct line between each device. For example: A wall that is 1.5 feet thick (half a meter) at 90° is actually almost 3 feet thick (or 1 meter) when viewed at a 45° angle. At an acute 2° angle the same wall is over 42 feet (or 14 meters) thick! For best reception, try to ensure that your wireless devices are positioned so that signals will travel straight through a wall or ceiling.
(Figure: the same wall crossed at 90° is 1.5 feet thick, at 45° it is under 3 feet, and at 2° it is over 42 feet.)
3. Building materials can make all the difference—a solid metal door or aluminum wall studs may have a negative effect on signal range. Try to position wireless devices so that the signal passes through drywall (between studs) or open doorways and not other materials.
4. Keep the AG-2000w away from electrical devices or appliances that generate RF noise. We recommend maintaining a distance of at least 3 to 6 feet (or 1 to 2 meters).
Logging In to the Command Line Interface
Use this procedure to initialize the system and log in to the Command Line Interface (CLI). The character-based CLI is used at initial start-up.
1. Start a Telnet session to communicate with the AG-2000w via the product’s management IP address (172.30.30.172) or its default DHCP address.
2. When connected to the AG-2000w, a login prompt appears on your screen.
The default login user name is “admin.” The password is “admin.” Login names and passwords are case-sensitive.
3. Enter admin when prompted for a user name and password. The AG Menu appears when you have logged in to the management interface successfully. If this is an initial installation which requires the AG-2000w to receive a license key from the Nomadix License Key Server, you must accept the End User License Agreement (EULA).
The Management Interfaces (CLI and Web)
The CLI is the administrator’s initial window to the system. This is where you establish all the AG-2000w start-up configuration parameters, depending on the customer’s network architecture.
The AG Menu is your starting point. From here, you access all the system administration items from the four primary menus available: configuration, network info, subscribers, and system. The AG Menu also includes a “logout” option for logging out of the system.
The AG-2000w supports various methods for managing the system remotely. These include, an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. However, until the unit is installed and running, system management is performed from the product’s embedded Command Line Interface (CLI).
Although the basic functional elements are the same, the CLI and the WMI have some minor content and organizational differences. For example, in the WMI the “subscribers” menu is divided into “Subscriber Administration” and “Subscriber Interface.” See also, “Menu Organization (Web Management Interface)” on page 44.
Making Menu Selections and Inputting Data with the CLI
The CLI is character-based. It recognizes the fewest unique characters it needs to correctly identify an entry. For example, in the AG Menu you need only enter c to access the Configuration menu, but you must enter su to access the Subscribers menu and sy to access the System menu (because they both start with the letter “s”).
You may also do any of the following:
Enter b (back) or press Esc (escape) to return to a previous menu.
Press Esc to abort an action at any time.
Press Enter to redisplay the current menu.
Press ? at any time to access the CLI’s Help screen.
When using the CLI, if a procedure asks you to “enter sn,” this means you must type sn and press the Enter key. The system does not accept data or commands until you hit the Enter key.
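An added example (not the NSE's own CLI code) of the shortest-unique-prefix matching described above, run against the AG Menu's five items. The three Configuration-menu names (snmp, logging, location) are an assumed subset built from the command names this chapter uses later (sn, log, loc); the full menu is not listed here.

```python
# The five AG Menu items the manual names: four primary menus plus logout.
AG_MENU = ["configuration", "network info", "subscribers", "system", "logout"]

# Assumed subset of the Configuration menu, reconstructed from the commands
# sn, log and loc used later in this chapter; the real menu has more items.
CONFIG_MENU_SUBSET = ["snmp", "logging", "location"]


class AmbiguousCommand(ValueError):
    """The abbreviation fits more than one item of the current menu."""


class UnknownCommand(ValueError):
    """The abbreviation fits no item of the current menu."""


def resolve(entry, menu=AG_MENU):
    """Resolve what the operator typed to one menu item: the entry must be a
    prefix of exactly one item, except that a complete item name always wins
    (so 'log' resolves even though 'logging' and 'location' share 'lo')."""
    key = entry.strip().lower()
    if not key:
        raise UnknownCommand("empty entry")
    candidates = [item for item in menu if item.startswith(key)]
    if key in candidates:
        return key
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise UnknownCommand("no menu item starts with %r" % entry)
    raise AmbiguousCommand("%r could be any of: %s" % (entry, ", ".join(candidates)))


def minimal_abbreviations(menu=AG_MENU):
    """Shortest prefix that identifies each item uniquely within its menu;
    this is what the procedures in this guide quote (c, su, sy, ...)."""
    result = {}
    for item in menu:
        for n in range(1, len(item) + 1):
            prefix = item[:n]
            if sum(1 for other in menu if other.startswith(prefix)) == 1:
                result[item] = prefix
                break
        else:
            result[item] = item   # item is itself a prefix of another item
    return result


if __name__ == "__main__":
    for menu_name, menu in (("AG Menu", AG_MENU), ("Configuration", CONFIG_MENU_SUBSET)):
        print(menu_name, minimal_abbreviations(menu))
```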
Menu Organization (Web Management Interface)
When you have successfully installed and configured the AG-2000w from the CLI, you can then access the AG-2000w from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI. You can use either interface, depending on your preference.
The following “composite” screen shows how the AG-2000w’s WMI menus (folders) are organized (shown here side-by-side for clarity and space).
Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages.
Inputting Data – Maximum Character Lengths
The following table details the maximum allowable character lengths when inputting data:
Data Field Max. Characters
All Messages (billing options) 72
All Messages (subscriber error messages) 72
All Messages (subscriber login UI) 72
All Messages (subscriber “other” messages) 72
Description of Service (billing options Plan) 140
Home Page URL 237
Host Name and Domain Name (DNS settings) 64
IP / DNS Name (passthrough addresses) 237
Label (billing options plan) 16
Location settings (all fields) 99
Partner Image File Name 12
Password (adding subscriber profiles) 128
Port Description (finding ports by description) 63
Redirection Frequency (in minutes) 2,147,483,647 (recommend 3600)
Reservation Number 24
Username (adding subscriber profiles) 96
Valid SSL Certificate DNS Name 64
Online Documentation and Help
The Web Management Interface (WMI) incorporates an online help system which is accessible from the main window.
Other online documentation resources, available from our corporate Web site (www.nomadix.com), include a full PDF version of this User’s Guide (viewable with Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases. The PDF version of this User’s Guide and associated README files are also available on the “Accessories” CD-ROM supplied with your AG-2000w.
Quick Reference Guide
This manual contains a “Quick Reference Guide” on page 183 which provides information to help you navigate and use the management interfaces (CLI and Web) quickly and efficiently. It also contains the product specifications, a listing of the factory default settings, sample log reports, listings of commands (by menu and alphabetical), and some common keyboard shortcuts.
Establishing the Start Up Configuration
The CLI allows you to administer the AG-2000w’s start-up configuration settings.
When establishing the start-up configuration for a new installation, you do not have remote access capability because the AG-2000w is not yet configured. Once the installation is complete (see “Installation Workflow” on page 39) and the system is successfully configured, you will have the additional options of managing the AG-2000w remotely from the system’s Web Management Interface, an SNMP client manager of your choice, or a simple Telnet interface.
The start up configuration must be established before connecting the AG-2000w to a customer’s network. The “start up” configuration settings include:
Assigning a Login Name and Password – You must assign a unique login user name and password that enables you to administer and manage the AG-2000w securely. User names and passwords are case-sensitive.
Setting the SNMP Parameters – The SNMP (Simple Network Management Protocol) parameters must be established before you can use an SNMP client (for example, HP OpenView) to manage and monitor the AG-2000w remotely.
Enabling the Logging Options – Servers must be assigned and set up if you want to create system and AAA (billing) log files, and retrieve error messages generated by the AG-2000w.
Assigning the Network Interface IP Address – This is the public IP address that allows administrators and subscribers to see the AG-2000w on the network. Use this address when you need to make a network connection with the AG-2000w.
Assigning the Subnet Mask – The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG-2000w is located.
Assigning the Default Gateway IP Address – This is the IP address of the router that the AG-2000w uses to transmit data to the Internet.
Assigning Login User Names and Passwords
When you initially powered up the AG-2000w and logged in to the Management Interface, the default login user name and password you used was “admin.” The AG-2000w allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only. Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the AG-2000w at any one time (the default setting for this feature is “disabled”).
1. Enter sy (system) at the AG Menu.
The System menu appears.
2. Enter lo (login).
The system prompts you for the current login. If this is the first time you are changing the login parameters since initializing the AG-2000w, the default login name and password is “admin.”
3. When prompted, confirm the current login parameters and enter new ones.
The system accepts up to 11 characters (any character type) for user names and passwords. All user names and passwords are case-sensitive.
SAMPLE SCREEN RESPONSE
System>lo
Enable/Disable Administration Concurrency [disabled ]: e
Current login: admin
Current password: *****
Enter new manager login: newmgr
Enter new password: *******
Retype new password: *******
The administrative login and password were changed
Enter new operator login: newop
Enter new operator password: *****
Retype new operator password: *****
The operator login and password were changed
You must use the new login user name(s) and password(s) to access the system.
Setting the SNMP Parameters (optional)
You can address the AG-2000w using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager” on page 61.
1. Enter c (configuration) at the AG Menu. The Configuration menu appears.
2. Enter sn (snmp).
3. Enable the SNMP daemon, as required. The system displays any existing SNMP contact information and prompts you to enter new information. If this is the first time you have initialized the SNMP command since removing the AG-2000w from its box, the system has no information to display (there are no defaults).
If you want to use SNMP, you must manually turn on SNMP.
4. Enter the SNMP parameters (communities and identifiers). The SNMP parameters include your contact information, the get/set communities, and the IP address of the trap recipient. Your SNMP manager needs this information to enable network management over the Internet.
5. If you enabled the SNMP daemon, you must reboot the system for your changes to take effect. In this case, enter y (yes) to reboot your AG-2000w.
SAMPLE SCREEN RESPONSE
Configuration>sn
Enable the SNMP Daemon? [Yes]:
Enter new system contact [Nomadix, Westlake Village, CA]: newname@domainname.com
Enter new system location: Office, Westlake Village, CA
Enter read/get community [public ]:
Enter write/set community [private ]:
Enter IP of trap recipient [0.0.0.0 ]: 10.11.12.13
SNMP Daemon Enabled
System contact newname@domainname.com
System location Office, Westlake Village, CA
Get (read) community public
Set (write) community private
Trap recipient 10.11.12.13
Reboot to enable new changes? [yes/no] y
Rebooting ...
You can now address the AG-2000w using an SNMP client manager.
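A check, added here and not part of the NSE, that reads the summary the sn command prints (the sample above, pasted in as a constructed input) and flags settings worth revisiting before the daemon is exposed: the default public/private communities, identical read and write communities, and a trap recipient left at 0.0.0.0. The summary line labels are taken from the sample; the thresholds are the example's own.

```python
import ipaddress

# Constructed input: the summary lines as the sample screen response shows them.
SAMPLE_SUMMARY = """\
SNMP Daemon Enabled
System contact newname@domainname.com
System location Office, Westlake Village, CA
Get (read) community public
Set (write) community private
Trap recipient 10.11.12.13
"""

# Label printed by the CLI -> key used in the parsed settings
FIELDS = {
    "SNMP Daemon": "daemon",
    "System contact": "contact",
    "System location": "location",
    "Get (read) community": "get_community",
    "Set (write) community": "set_community",
    "Trap recipient": "trap_recipient",
}

# The values the sample screen leaves in place; every SNMP v2c client knows them.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_snmp_summary(text):
    """Turn the printed summary into a dict keyed as in FIELDS."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        for label, key in FIELDS.items():
            if line.startswith(label):
                settings[key] = line[len(label):].strip()
                break
    return settings


def audit_snmp(settings):
    """Return a list of findings for an enabled daemon; an empty list means
    nothing was flagged. A disabled daemon exposes no community, so it is
    not audited."""
    findings = []
    if settings.get("daemon", "").lower() != "enabled":
        return findings
    get_c = settings.get("get_community", "")
    set_c = settings.get("set_community", "")
    if get_c.lower() in DEFAULT_COMMUNITIES:
        findings.append("read community is the well-known default %r" % get_c)
    if set_c.lower() in DEFAULT_COMMUNITIES:
        findings.append("write community is the well-known default %r; it grants "
                        "SNMP SET access to any manager that presents it" % set_c)
    if get_c and get_c == set_c:
        findings.append("read and write communities are identical")
    try:
        trap = ipaddress.ip_address(settings.get("trap_recipient", "0.0.0.0"))
        if trap.is_unspecified:
            findings.append("trap recipient is 0.0.0.0, so traps reach no manager")
    except ValueError:
        findings.append("trap recipient is not a valid IP address")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(parse_snmp_summary(SAMPLE_SUMMARY)):
        print("-", finding)
```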
Enabling the Logging Options (recommended)
System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authentication, Authorization, and Accounting) functions. You can enable either of these options.
Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7). When managing multiple properties, the properties are identified in the log files by their IP addresses.
When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG-2000w to the specified server.
1. Enter log (logging) at the Configuration menu.
The system displays the current logging status (enabled or disabled).
2. Enable or disable the system and/or AAA logging options, as required.
If you enable either option, go to Step 3, otherwise logging is disabled and you can terminate this procedure.
3. Assign a valid ID number (0-7) to each server.
4. Enter the IP addresses to identify the location of the system and AAA SYSLOG
servers on the network (the default for both is 0.0.0.0).
When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to “Sample SYSLOG Report” on
page 198 and “Sample AAA Log” on page 197.
SAMPLE SCREEN RESPONSE
Configuration>log
Enable/disable system logging [disabled ]: enable
Enter system SYSLOG number (0-7) [0 ]: 1
Enter system SYSLOG server IP [0.0.0.0 ]: 8.9.10.11
Enable/disable AAA logging [disabled ]: enable
Enter AAA SYSLOG number (0-7) [0 ]: 2
Enter AAA SYSLOG server IP [0.0.0.0 ]: 9.10.11.12
System logging Enabled
System SYSLOG number 1
System SYSLOG server IP 8.9.10.11
AAA logging Enabled
AAA SYSLOG number 2
AAA SYSLOG server IP 9.10.11.12
Assigning the Location Information and IP Addresses
The “location” command in the Configuration menu establishes the AG-2000w’s location settings, the network interface IP address, the subnet mask, and the default gateway IP address. All of these “location” parameters must be set up as part of the system’s start up configuration (otherwise the AG-2000w will not be “visible” on the network).
1. Enter c (configuration) at the AG Menu.
The Configuration menu appears.
2. Enter loc (set Location options).
The system displays the Company Name. If the name displayed is not correct (or no name is entered), enter it now.
3. When prompted, enter the company’s address (line by line - 6 lines).
4. When prompted, enter a valid email address for this company.
The system now displays the current network interface IP address and prompts you for a valid address. The network interface IP address is the public IP address that allows administrators to see the AG-2000w on the network. Use this address when you need to make a network connection with the AG-2000w (see note).
5. When prompted, enter a valid network interface IP address.
After assigning the network interface IP address, the system displays the current subnet mask (the default mask is 255.255.255.0). The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG-2000w is located.
6. Enter a valid subnet mask.
After assigning the subnet mask, the system displays the current default gateway IP address (the factory default is 10.0.0.1). This is the IP address of the router that the AG-2000w uses to transmit data to the Internet.
7. Enter a valid default gateway IP address.
If the DHCP Client is enabled, you can skip the remaining steps in this procedure. Continue only if the DHCP Client is disabled.
The network interface acts as a multifunctional “translator.” For example, if a subscriber’s computer is setup statically for a network with a gateway address of 10.1.1.1, the AG-2000w emulates the gateway to accommodate this subscriber while emulating other gateways to accommodate other subscribers.
8. After establishing all “Location” settings, you must reboot the AG-2000w for your changes to take effect.
SAMPLE SCREEN RESPONSE
Configuration>loc
Please enter your company name [companyname ]: newname
Please enter your address <Line 1> [line1address ]: newline1
<Line 2> [line2address ]: newline2
<City> [city ]: newcity
<State> [state ]: newstate
<Zip> [zip ]: newzip
<Country> [country ]: newcountry
Please enter your email address [em@em.com ]: newmail@email.com
Enable/disable DHCP Client [enabled ]:
Enter network interface IP [10.0.0.10 ]: 192.168.0.2
Enter subnet mask [255.255.255.0 ]: 255.255.255.192
Enter default gateway IP [10.0.0.1 ]: 172.30.30.172
The system must be reset to function properly. Reboot? [yes/no]: y
Company Name: newname
Address: newline1
newline2
newcity newstate newzip
newcountry
Email: newmail@email.com
DHCP Client enabled
Network interface IP 192.168.0.2
Subnet mask 255.255.255.192
Default gateway IP 192.168.0.1
Rebooting ...
Your new settings are displayed and the AG-2000w reboots. When the system restarts, the Telnet interface is enabled (based on your new configuration settings which are saved to the AG-2000w’s on-board flash memory).
9. Go to “Establishing the Basic Configuration for Subscribers” on page 53.
Establishing the Basic Configuration for Subscribers
When you have successfully established the start up configuration and installed the unit onto the customer’s network, connect to the AG-2000w via Telnet. You must now set up the basic configuration parameters for subscribers, including:
Setting the DHCP Options – DHCP (Dynamic Host Configuration Protocol) allows you to assign IP addresses automatically (to subscribers who are DHCP enabled). The AG-2000w can “relay” the service through an external DHCP server or it can be configured to act as its own DHCP server.
Setting the DNS Options – DNS (Domain Name System) allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses). DNS converts the URLs into the correct IP addresses automatically.
Setting the DHCP Options
When a device connects to the network, the DHCP server assigns it a “dynamic” IP address for the duration of the session. Most users have DHCP capability on their computer. To enable this service on the AG-2000w, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG-2000w to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
1. Enter c (configuration) at the AG Menu.
The Configuration menu appears.
2. Enter dh (dhcp).
The AG-2000w’s adaptive configuration technology provides Dynamic Address Translation (DAT) functionality. DAT is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access, regardless of their computer’s network settings.
By default, the AG-2000w is configured to act as its own DHCP server and the relay feature is “disabled.” Please verify that your DHCP Server supports DHCP Relay packets before enabling the relay. Not all devices containing DHCP servers (for example, routers) support DHCP Relay functionality.
When assigning a DHCP Relay Agent IP address for the DHCP Relay, ensure that the IP address you use does not conflict with devices on the network side of the AG-2000w.
Although you cannot enable the DHCP relay and the DHCP service at the same time, it is possible to “disable” both functions from the Command Line Interface. In this case, a warning message informs you that no DHCP services are available to subscribers.
3. Follow the on-screen instructions to set up your DHCP options. For example:
SAMPLE SCREEN RESPONSE
Configuration>dh
Enable/Disable IP Upsell [disabled ]:
Enable/Disable DHCP Relay [disabled ]:
Enable/Disable DHCP Server [enabled ]:
Enter external Subnet-based DHCP Service [disabled ]:
IP Upsell Disabled
DHCP Relay Disabled
External DHCP Server IP 0.0.0.0
DHCP Relay Agent IP 0.0.0.0
DHCP Server Enabled
DHCP Server Subnet-based Disabled
Server-IP    Server-Netmask   Start-IP    End-IP       Lease  Type  IPUp
208.11.0.4   255.255.0.0      208.11.0.5  208.11.0.7   20     PRIV  NO
10.0.0.4     255.255.255.0    10.0.0.5    10.0.0.250   30     PRIV  NO   *
* Default IP Pool
DHCP IP Pools Configuration:
0 - Show IP Pools
1 - Add a new IP Pool
2 - Modify an IP Pool
3 - Remove an IP Pool
4 - Exit this menu
Select the DHCP Pool configuration mode [0]:
After setting up your DHCP options, the system must be rebooted for your changes to take effect.
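The location settings (network interface IP, subnet mask, default gateway) and the DHCP IP pool rows above are easy to mistype, and a wrong value only shows up after the reboot. The following added example (not Nomadix code) checks both offline before they are entered: the gateway must lie on the interface subnet, and each pool’s Start-IP/End-IP must fit inside its Server-Netmask without covering the server itself or overlapping another pool. The sample values are the ones shown on the screens above; the check names and messages are this example’s own.

```python
"""Offline sanity checks for the AG-2000w 'loc' and 'dh' settings (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def validate_location(interface_ip: str, subnet_mask: str, gateway_ip: str) -> List[str]:
    """Return the problems found with the location settings (empty list = consistent)."""
    problems: List[str] = []
    try:
        iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
        gateway = ipaddress.IPv4Address(gateway_ip)
    except ValueError as exc:
        return [f"malformed address or mask: {exc}"]
    net = iface.network
    # A host on the network or broadcast address is unusable (except on /31 and /32).
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"interface IP {iface.ip} is the network or broadcast address of {net}")
    # The router the AG-2000w forwards to must sit on the same routed subnet.
    if gateway not in net:
        problems.append(f"default gateway {gateway} is not on subnet {net}")
    elif gateway == iface.ip:
        problems.append("default gateway must differ from the network interface IP")
    return problems


@dataclass(frozen=True)
class DhcpPool:
    """One row of the 'dh' IP pool table (Server-IP, Server-Netmask, Start-IP, End-IP, Lease)."""
    server_ip: str
    netmask: str
    start_ip: str
    end_ip: str
    lease: int  # lease value as listed in the table; its unit is not stated in this section


def validate_pool(pool: DhcpPool) -> List[str]:
    """Check that a pool's lease range fits inside the server's subnet."""
    problems: List[str] = []
    try:
        server = ipaddress.IPv4Interface(f"{pool.server_ip}/{pool.netmask}")
        start = ipaddress.IPv4Address(pool.start_ip)
        end = ipaddress.IPv4Address(pool.end_ip)
    except ValueError as exc:
        return [f"malformed pool entry: {exc}"]
    net = server.network
    if start > end:
        problems.append(f"Start-IP {start} is above End-IP {end}")
    for label, addr in (("Start-IP", start), ("End-IP", end)):
        if addr not in net:
            problems.append(f"{label} {addr} lies outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")
    # The server must never hand its own address to a subscriber.
    if start <= server.ip <= end:
        problems.append(f"Server-IP {server.ip} falls inside the lease range")
    if pool.lease <= 0:
        problems.append("Lease must be a positive number")
    return problems


def validate_pools(pools: List[DhcpPool]) -> List[str]:
    """Validate every pool and flag any two pools whose lease ranges overlap."""
    problems: List[str] = []
    ranges: List[Tuple[int, ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for index, pool in enumerate(pools):
        pool_problems = validate_pool(pool)
        problems.extend(f"pool {index}: {p}" for p in pool_problems)
        if not any(p.startswith("malformed") for p in pool_problems):
            ranges.append((index, ipaddress.IPv4Address(pool.start_ip),
                           ipaddress.IPv4Address(pool.end_ip)))
    for a in range(len(ranges)):
        for b in range(a + 1, len(ranges)):
            ia, sa, ea = ranges[a]
            ib, sb, eb = ranges[b]
            if max(sa, sb) <= min(ea, eb):  # inclusive ranges intersect
                problems.append(f"pools {ia} and {ib} hand out overlapping addresses")
    return problems


# The two pool rows shown in the 'dh' sample screen above.
SAMPLE_POOLS = [
    DhcpPool("208.11.0.4", "255.255.0.0", "208.11.0.5", "208.11.0.7", 20),
    DhcpPool("10.0.0.4", "255.255.255.0", "10.0.0.5", "10.0.0.250", 30),
]

if __name__ == "__main__":
    # The values typed in the 'loc' sample screen: the gateway is off-subnet and gets flagged.
    print(validate_location("192.168.0.2", "255.255.255.192", "172.30.30.172"))
    print(validate_pools(SAMPLE_POOLS))  # [] : both sample pools are consistent
```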
Setting the DNS Options
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The AG-2000w utilizes whichever server is currently available.
Use the following procedure to set the DNS configuration options.
1. Enter c (configuration) at the AG Menu.
The Configuration menu appears.
2. Enter dn (dns) at the Configuration menu.
The system displays the current domain (the default is “nomadix”).
3. Enter a valid domain name (the Internet domain that DNS requests will utilize).
4. Enter the host name (the DNS name of the AG-2000w). The host name must not contain any spaces.
After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2).
If the DHCP Client is enabled, you must configure DNS.
You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG-2000w’s configuration screens.
The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
5. Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent).
6. You must now reboot the system for your settings to take effect. Enter y (yes) to reboot the AG-2000w.
SAMPLE SCREEN RESPONSE
Configuration>dn
Enter domain [domainname ]: newdomainname
Enter host name <no spaces> [dnshostname ]: newhostname
Enter primary DNS [0.0.0.2 ]: 20.21.22.23
Enter secondary DNS [0.0.0.0 ]: 21.22.23.24
Enter tertiary DNS [0.0.0.0 ]: 22.23.24.25
The system must be reset to function properly. Reboot? [yes/no]: y
Domain newdomainname
Host Name newhostname
Primary DNS 20.21.22.23
Secondary DNS 21.22.23.24
Tertiary DNS 22.23.24.25
Rebooting ...
The DNS options have been established. DNS will now convert subscriber browser URLs into the correct IP addresses automatically.
Archiving Your Configuration Settings
Once you have installed your AG-2000w and established the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, your archived settings can be restored at any time.
Refer to the following procedures:
“Exporting Configuration Settings to the Archive File {Export}” on page 155.
“Importing Configuration Settings from the Archive File {Import}” on page 158.
Installing the Nomadix Private MIB
The Nomadix Private MIB is supplied on the “Accessories” CD-ROM, delivered with your AG-2000w. After importing the nomadix.mib file from the CD-ROM you will be able to view and manage SNMP objects on your AG-2000w.
Procedure
1. Import the nomadix.mib file into your SNMP client manager.
2. Connect to the AG-2000w from a node on the network that is accessible via the AG-2000w’s network port. Be sure to enable the SNMP daemon on the AG-2000w (available on the CLI or Web Management Interface, under the Configuration menu – snmp).
3. All variables defined by Nomadix start with the following prefix:
iso.org.dod.internet.private.enterprises.nomadix
4. You should now be able to define queries and set the SNMP values on your AG-2000w. If necessary, consult this User’s Guide or your SNMP client manager’s documentation for further details.
We recommend that you change the predefined community strings in order to maintain a secure environment for your AG-2000w.
System Administration
This chapter provides all the instructions and procedures necessary for system administrators to manage the AG-2000w on the customer’s network (after a successful installation).
The system administration procedures in this chapter are organized as they are listed under their respective Web Management Interface (WMI) menus (Configuration, Network Info, Subscriber Administration, Subscriber Interface, and System).
Now that the AG-2000w has been installed and configured successfully, this User’s Guide moves away from the Command Line Interface (CLI) and documents the AG-2000w from the Web Management Interface (WMI) viewpoint.
Enabling Wireless Connectivity
The AG-2000w operates seamlessly and simultaneously in the 2.4 GHz frequency spectrum supporting the 802.11b and the faster (up to 54 Mbps) 802.11g wireless standards, while the AG-2000wa also operates in the 5 GHz spectrum supporting the 802.11a wireless standard at speeds up to 54 Mbps—effectively eliminating interference by other devices that may be operating in the 2.4 GHz frequency range.
Before you can use your AG-2000w in a wireless environment, you must configure the unit for wireless connectivity. To configure the AG-2000w using the product’s embedded Web Management Interface, go to “Defining the Wireless Configuration {Wireless Configuration}” on page 171.
See also:
“Why Choose Wireless?” on page 8.
“Offering Speed and Efficiency” on page 10.
“Optimizing Performance” on page 10.
“802.11x” on page 229.
Choosing a Remote Connection
Once installed and configured for the customer’s network, the AG-2000w can be managed and administered remotely with any of the following interface options:
Embedded Web Management Server – providing a powerful and flexible Web interface for network administrators.
SNMP Manager – allowing remote “Windows” management using an SNMP client manager (for example, HP OpenView). However, before you can use SNMP to access the AG-2000w, you must set up the appropriate SNMP communities. For more information, refer to “Managing the SNMP Communities {SNMP}” on page 102.
Telnet Client – for “character-based” administration and management, using the Command Line Interface (CLI).
Choose an interface connection, based on your preference.
To use any of the remote connections (Web, SNMP, or Telnet), the network interface IP address for the AG-2000w must be established (you did this during the installation process).
Using the Web Management Interface (WMI)
The Web Management Interface (WMI) is a “graphical” version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the AG-2000w and are dynamically linked to the system’s functional command sets. You can access the WMI from any Web browser.
To connect to the Web Management Interface, do the following:
1. Establish a connection to the Internet.
2. Open your Web browser.
Your browser preferences or Internet options should be set to compare loaded pages with cached pages.
3. Enter the network interface IP address of the AG-2000w (set up during the installation process).
4. Log in as usual (supplying your user name and password).
To access any menu item from the WMI, simply click on the item you want. The corresponding work screen then appears in the right side frame. From here you can control the features and settings related to your selection. Although the appearance is very different from the Command Line Interface, the information displayed to you is basically the same. The only difference between the two interfaces is in the method used for making selections and applying your changes (selections are checkable boxes, and applying your changes is achieved by pressing the Submit button). Pressing the Reset button resets the screen to its previous state (clearing all your changes without applying them).
Using an SNMP Manager
Once the SNMP communities are established, you can connect to the AG-2000w via the Internet using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol used in the Network Management (NM) system. This system contains two primary elements:
Manager – The console (client) through which system administrators perform network management functions.
Agent – An SNMP-compliant device which stores data about itself in a Management Information Base (MIB). The AG-2000w is an example of such a device.
The AG-2000w contains managed objects that directly relate to its current operational state. These objects include hardware configuration parameters and performance statistics.
Managed objects are arranged into a virtual information database, called a Management Information Base (MIB). SNMP enables managers and agents to communicate with each other for the purpose of accessing these MIBs and retrieving data. See also, “Installing the Nomadix Private MIB” on page 57.
The following example shows a (partial) SNMP screen response.
Using a Telnet Client
There are many Telnet clients that you can use to connect with the AG-2000w. Using Telnet provides a simple terminal emulation that allows you to see and interact with the AG-2000w’s Command Line Interface.
As with any remote connection, the network interface IP address for the AG-2000w must be established (you did this during the installation process).
Logging In
To access the AG-2000w’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to “Assigning Login User Names and Passwords” on page 48).
User names and passwords are case-sensitive.
About Your Product License
Some features included in this chapter will not be available to you unless you have purchased the appropriate product license from Nomadix. In this case, the following statement will appear either immediately below the section heading or when the feature is mentioned in the body text:
Your product license may not support this feature.
You can upgrade your product license at any time.
Configuration Menu
Defining the AAA Services {AAA}
This procedure shows you how to set up the AAA (Authentication, Authorization, and Accounting) service options. AAA Services are used by the AG-2000w to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. The AG-2000w currently supports several AAA models which are discussed in “Subscriber Management” on page 179.
1. From the Web Management Interface, click on Configuration, then AAA.
The Authentication, Authorization, and Accounting Settings screen appears:
2. Enable or disable AAA Services.
If you enable AAA Services, go to Step 3, otherwise this feature is disabled and you can exit the procedure.
3. Enable or disable the XML Interface, as required.
XML (eXtensible Markup Language) is used by the AG-2000w’s subscriber management module for port location and user administration. Enabling the XML interface allows the AG-2000w to accept and process XML commands from an external source. XML commands are sent over the network to the AG-2000w. The AG-2000w parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
4. If you enabled the XML Interface feature, enter the XML IP (server) address.
5. Enable or disable Print Billing Command, as required. If this feature is enabled, you must enable the XML interface and enter the IP address for the XML interface (Step 3 and Step 4).
6. Enable or disable the AAA Passthrough Port feature, as required.
System administrators can set the AG-2000w to pass-through HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a Search Engine or News site) has been requested, the subscriber is then redirected as usual.
7. If AAA passthrough is enabled, enter the corresponding port number.
The port number must be different than 80, 2111, 1111, or 1112.
8. Enable or disable the 802.1x Authentication Support feature, as required.
Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support.
9. Enable or disable the Origin Server (OS) parameter encoding for Portal Page and EWS feature, as required.
10. Select the authorization mode you want to use:
Internal Web Server
External Web Server
11. Depending on which authorization mode you choose, go to the following sub-sections in this procedure:
Enabling AAA Services with the Internal Web Server – The IWS is “flashed” into the system’s memory and the subscriber’s login page is served directly from the AG-2000w. In this mode, the login page consists of a simple request for the subscriber’s ID (user name) and password.
Enabling AAA Services with an External Web Server – In the EWS mode, the AG-2000w redirects the subscriber’s login request to an external server (transparent to the subscriber). The login page served by the EWS reflects the “look and feel” of the solution provider’s network and presents more login options.
Enabling AAA Services with the Internal Web Server
You are here because you want to enable the AAA Services with the AG-2000w’s Internal Web Server. The AG-2000w maintains an internal database of authorized subscribers, based on their MAC (hardware address) and user name (if enabled). By referring to its database record, also known as an authorization table, the AG-2000w instantly recognizes new subscribers on the network.
You can configure the AG-2000w to handle new subscribers in various ways (see the table on this page). With the IWS, you also have the option of enabling SSL support (if your license includes the SSL support feature and you have the certificate files server.pem, cakey.pem and cacert.pem on the flash).
After selecting the Internal Web Server authorization mode, you have the option of enabling or disabling the Usernames and New Subscribers features. These features work in conjunction with each other to determine how new subscribers are handled. Refer to the following table:
Usernames   New Subscribers      System Response
Disabled    Enabled              Allows new subscribers to enter the system without giving a user name and password.
Enabled     Enabled (optional)   Allows new subscribers or authentication by their user name and password.
Enabled     Disabled             New subscribers are not allowed. Only existing subscribers are allowed after authenticating their user name and password.
Disabled    Disabled             You will not use this combination unless you want to lock out all subscribers.
1. Select the Internal Web Server.
2. Enable or disable the SSL Support feature, as required. If you enable SSL Support, you must provide a valid Certificate DNS Name.
To enable SSL Support, your AG-2000w’s flash must include the server.pem, cakey.pem, and cacert.pem certificate files (the “cacert.pem” file is provided with your AG-2000w). For assistance, contact “Technical Support” on page 227.
You must reboot the AG-2000w every time you enable or disable SSL Support.
SSL support allows for the creation of an end-to-end encrypted link between the AG-2000w and its clients by enabling the Internal Web Server (IWS) to display pages under a secure link—important when transmitting AAA information in a network. Adding SSL support to the AG-2000w requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix.
For more information about setting up SSL, go to “Setting Up the SSL Feature” on page 206.
3. If you want to designate a portal page, you must enable the Portal Page feature, otherwise leave this feature disabled.
4. If you enabled the Portal Page feature, provide the following supporting information:
Portal Page URL
Parameter Passing (enabled or disabled)
Portal XML POST URL
Portal XML Post Port
Support GIS Clients (enabled or disabled—see following note)
Block IWS Login Page (enabled or disabled)
The Portal Page IP or DNS address is added to the IP passthrough list automatically.
GIS stands for Generic Interface Specification, a document written by iPass. Enabling the Smart Client option in the AG-2000w automatically supports all GIS compliant clients using the Internal Web Server. Enabling “Support for GIS Clients” under the Portal Page feature means that the AG-2000w will defer the management of the GIS clients to the Portal Page server.
5. Enable or disable the Usernames feature, as required (refer to table on page 66).
Some subscribers may want additional account flexibility and security for their services (for example, if they use more than one computer and their MAC address changes). In this case, a subscriber can define a unique user name and password which they can use from any machine or location (without being re-charged). Subscribers who choose this option are prompted for their user name and password whenever they try to access the Internet. Solution providers can charge a fee for this service.
6. Enable or disable the New Subscribers feature (refer to table on page 66).
7. If you enabled New Subscribers, enable or disable the Relogin After Timeout option.
8. You can now enable or disable the Credit Card Service. When this feature is enabled, subscribers are prompted for their credit card information (for billing purposes). The AG-2000w is configured to use either Authorize.net or Chainfusion (selected from a pull-down menu). You will need to open a merchant account with Authorize.net, Chainfusion or Datacenter (Luxembourg) before this feature can be used.
Please contact Nomadix Technical Support for assistance. Refer to “Contact Information” on page 227.
New Subscribers must be enabled before enabling the Credit Card Service.
9. If you enabled the Credit Card Service, define which service you require (Authorize.net or Chainfusion) from the pull-down menu.
All data communications between the AG-2000w and the credit card server are encrypted by the SSL (Secure Sockets Layer) protocol. The AG-2000w never “sees” subscriber credit card numbers. Your product license key must support this feature.
DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG-2000w’s configuration screens (for example, the Credit Card Server URL in the following step).
10. If the Credit Card Service is enabled, enter the information for the following fields:
Credit Card Server URL
Credit Card Server IP
Merchant ID (a valid ID issued by the credit card reconciliation service provider – Authorize.net or Chainfusion).
11. Enable or disable the SIM Compliant feature, as required. With this feature enabled, you can change the transaction key at your discretion. To change the transaction key, simply enter the key in the Change Transaction Key box, then re-enter the key in the Verify Transaction Key box.
The SIM Compliant option refers to Authorize.net's Simple Integration Method.
12. Enable or disable Smart Client Support, as required (if enabled, your license key must support this feature).
13. You can assign a session idle timeout parameter for subscribers (see following note). To assign an idle timeout, simply enter a numeric value (in seconds) in the Subscriber Idle Timeout box (the default is 1200).
Subscriber Idle Timeout does not apply to RADIUS subscribers.
14. If you enabled or disabled SSL Support on this screen, you must click the check box for Reboot after changes are saved? (the AG-2000w must be rebooted every time the SSL Support feature is enabled or disabled).
15. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Enabling AAA Services with an External Web Server
You are here because you want to enable the AAA Services with an External Web Server (EWS). In the EWS mode, the AG-2000w redirects the subscriber’s login request to an external server.
1. Select the External Web Server.
After enabling the External Web Server you must enter a Secret Key. The Secret Key ensures that the response the AG-2000w gets from the EWS is valid.
2. Enter the Secret Key (the AG-2000w and the external authorization server must use the same secret key).
3. Enter the IP Address for the External Web Server.
DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the product’s configuration screens (for example, the External login page URL in the following step).
4. Enter a valid External login page URL.
5. You can assign a session idle timeout parameter for subscribers (see following note). To assign an idle timeout, simply enter a numeric value (in seconds) in the Subscriber Idle Timeout box (the default is 1200).
Subscriber Idle Timeout does not apply to RADIUS subscribers.
6. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state (making changes to the EWS settings does not require a system reboot).
Establishing Secure Administration {Access Control}
The AG-2000w allows you to block administrator access to interfaces (Telnet, WMI and FTP) and incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only to the interfaces that have not been blocked, and only if a match is made with the master “Source IP” list contained on the AG-2000w. If a match is not made with the “Source IP list,” the login is denied, even if a correct login name and password are supplied. The access control list for source IPs supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses.
This procedure allows you to enable the “Access Control” feature and block administrator access to specific interfaces, and add or remove administrator “Source IP” addresses.
1. From the Web Management Interface, click on Configuration, then Access Control.
The Access Control screen appears:
2. Enable or disable administrator access to any of the following interfaces:
Telnet
Web Management
FTP
3. Click the check box for Access Control if you want to enable this feature, then click on the Submit button to save your change.
Blocking or unblocking interface access will terminate the current session.
Do not enable the blocking of all interfaces without setting up and enabling SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the AG-2000w administration interface. For assistance, contact Nomadix Technical Support.
If you enabled Access Control, administrator access is restricted only to the IP addresses shown under the “Currently Access is Permitted for IPs” listing. If you want to add to or remove IP addresses from the list, go to Step 4 through Step 8.
The Access Control list can contain up to 50 (fifty) valid administrator IP addresses or up to 50 (fifty) ranges of IP addresses.
4. To add an IP address (or range of IP addresses) to the list, enter the “starting” IP address in the Access Control Start IP field.
5. If you are adding a range of IP addresses to the access control list, you must now enter the “ending” IP address in the Access Control End IP field. If you are adding a single IP address, enter None in the Access Control End IP field.
6. Click on the Add button to add the IP address (or range of IP addresses) to the list.
7. To remove an IP address (or range of IP addresses) from the list, enter the “starting” IP address in the Access Control Start IP field. If you are removing a range of IP addresses from the access control list, you must now enter the “ending” IP address in the Access Control End IP field. If you are removing a single IP address, enter None in the Access Control End IP field.
8. Click on the Remove button to remove the IP address (or range of IP addresses) from the list.
If you enabled Access Control and have “locked yourself out” of the system (for example, because you’ve forgotten your password), you must disable the Access Control feature from the Command Line Interface, or change the range of allowed IP addresses to access the management interfaces. If necessary, contact Nomadix Technical Support. Go to “Contact Information” on page 227.
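The Access Control rules described in this procedure (blocked interfaces, a master source-IP list of at most 50 addresses or ranges, and denial even with correct credentials when the source does not match) are modelled in the following added example, which is not Nomadix code. It also carries the two lockout guards the notes above warn about: refusing to enable the list from an address it does not contain, and refusing to block the last interface while SNMP is disabled. The interface names, method names and messages are this example’s own.

```python
"""Model of the AG-2000w administrator Access Control list (added example)."""
import ipaddress
from typing import List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
INTERFACES = ("telnet", "web", "ftp")  # Telnet, Web Management, FTP
MAX_ENTRIES = 50                        # limit stated in the manual


class AccessControlList:
    def __init__(self) -> None:
        self.enabled = False
        self.entries: List[Tuple[IPv4, IPv4]] = []  # inclusive (start, end) ranges
        self.blocked: Set[str] = set()
        self.snmp_enabled = False

    @staticmethod
    def _range(start_ip: str, end_ip: Optional[str]) -> Tuple[IPv4, IPv4]:
        """Build an inclusive range; "None" in the End IP field means a single address."""
        start = IPv4(start_ip)
        end = start if end_ip in (None, "None") else IPv4(end_ip)
        if end < start:
            raise ValueError(f"end {end} precedes start {start}")
        return start, end

    def add(self, start_ip: str, end_ip: Optional[str] = None) -> None:
        """Add an address or range, enforcing the 50-entry limit."""
        entry = self._range(start_ip, end_ip)
        if entry in self.entries:
            return
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"list is full ({MAX_ENTRIES} entries)")
        self.entries.append(entry)

    def remove(self, start_ip: str, end_ip: Optional[str] = None) -> bool:
        """Remove an entry; returns False if no such entry exists."""
        entry = self._range(start_ip, end_ip)
        if entry in self.entries:
            self.entries.remove(entry)
            return True
        return False

    def permits(self, source_ip: str) -> bool:
        """Source-IP check; with the feature disabled every source is permitted."""
        if not self.enabled:
            return True
        addr = IPv4(source_ip)
        return any(start <= addr <= end for start, end in self.entries)

    def enable(self, admin_source_ip: str) -> None:
        """Guard (this example's own): refuse to enable a list that excludes the admin doing it."""
        addr = IPv4(admin_source_ip)
        if not any(start <= addr <= end for start, end in self.entries):
            raise ValueError(f"enabling would lock out {admin_source_ip}; add it first")
        self.enabled = True

    def block(self, interface: str) -> None:
        """Guard (this example's own): never block every interface unless SNMP is enabled."""
        if interface not in INTERFACES:
            raise ValueError(f"unknown interface {interface}")
        if self.blocked | {interface} == set(INTERFACES) and not self.snmp_enabled:
            raise ValueError("blocking all interfaces without SNMP leaves no way to manage the unit")
        self.blocked.add(interface)

    def login_allowed(self, interface: str, source_ip: str, credentials_ok: bool) -> Tuple[bool, str]:
        """Evaluate a login in the order the manual gives: interface, source IP, then credentials."""
        if interface in self.blocked:
            return False, f"{interface} interface is blocked"
        if not self.permits(source_ip):
            # Denied even when the user name and password are correct.
            return False, f"{source_ip} not in the permitted source IP list"
        if not credentials_ok:
            return False, "bad user name or password"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one NOC workstation plus a range of jump hosts (documentation addresses).
    acl = AccessControlList()
    acl.add("192.0.2.10")
    acl.add("198.51.100.1", "198.51.100.50")
    acl.enable("192.0.2.10")
    print(acl.login_allowed("web", "192.0.2.10", True))    # (True, 'ok')
    print(acl.login_allowed("web", "203.0.113.5", True))   # denied despite valid credentials
```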
Defining Automatic Configuration Settings {Auto Configuration}
The AG-2000w allows you to define parameters to enable the automatic configuration of the system. See also: “RADIUS-driven Auto Configuration” on page 23.
1. From the Web Management Interface, click on Configuration, then Auto Configuration.
The Autoconfiguration Settings screen appears:
2. Enable or disable Autoconfiguration, as required.
3. If you enabled Autoconfiguration, you must enter the following information into the corresponding fields:
RADIUS Authentication Name
Radius Password
Confirm Password
4. Click on the check box for Reboot after changes are saved? to reboot the system when you submit your changes.
5. Click on the Submit button to save your changes, or click on the Reset button to reset all data to its previous state.
Enabling Auto Configuration
As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices:
1. A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status); the listed files are downloaded from an FTP server into the flash of the Nomadix device.
2. The automated login into the centralized FTP server and the actual download process into the flash.
Step 1: RADIUS Authen Req/ Response message to determine location of meta configuration file
Step 2: FTP download of configuration files (secure)
The Auto-Configuration setup requires a few basic steps to be completed by both the field engineer and the NOC administrator.
Administrative Steps to Enable Auto-Config
Typically, these tasks are performed either at a device pre-staging center or by the field engineer.
1. Establish a WAN connection and electronically accept the EULA.
2. Set up the RADIUS Server parameters (go to “Defining the RADIUS Client Settings {RADIUS Client}” on page 92).
3. Set up the Username and Password for RADIUS Authentication.
Administrative Steps to Enable Auto-Config for the NOC Administrator
1. Add NAS IP address.
2. Add the Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server.
3. Create a RADIUS profile with the configuration VSA.
4. Create an FTP server with the configuration files.
The following diagram shows a sample RADIUS configuration file, meta file and illustration of the FTP server setup.
The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto-Configuration option and rebooting the device (for example, using SNMP). See also, “Defining Automatic Configuration Settings {Auto Configuration}” on page 73.
Setting Up Bandwidth Management {Bandwidth Management}
The AG-2000w allows system administrators to manage the bandwidth for subscribers, defined in Kbps (Kilobits per second) for both upstream and downstream data transmissions. With the ICC feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service.
1. From the Web Management Interface, click on Configuration, then Bandwidth Management.
The Bandwidth Management screen appears:
2. If required, click the check box for Bandwidth Management Enabled.
3. If you enabled Bandwidth Management, enter the uplink and downlink speeds (in Kbps) in the appropriate fields.
Setting the uplink or downlink speeds to anything greater than 100,000 Kbps is meaningless, because communication with the AG-2000w is established at 100 Mbps (100,000 Kbps).
4. If you made any changes to the settings on this screen, you must click the check box for Reboot after changes are saved? (the AG-2000w must be rebooted).
5. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.
Establishing Billing Records “Mirroring” {Bill Record Mirroring}
The AG-2000w can send copies of credit card transaction billing records to external servers that have been previously defined by system administrators. The AG-2000w assumes control of billing transmissions and saving billing records. By “mirroring” the billing data, the AG-2000w can also send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are down, the AG-2000w can store up to 2,000 credit card transaction records. When a connection is re-established (with either server), the AG-2000w sends the stored information to the server—no records are lost!
For more information about the bill record mirroring feature, go to “Mirroring Billing Records” on page 219.
1. From the Web Management Interface, click on Configuration, then Bill Record Mirroring.
The Credit Card Mirroring Settings screen appears:
The Bill Record Mirroring feature contained in the Credit Card and Hospitality optional modules is optional. Your product license may not support this feature.
2. If you want to enable the billing records “mirroring” functionality for credit card transactions (and you have purchased the appropriate product license), click on the check box for Enable CC Mirroring.
3. Enter the property identification code in the Property ID field.
4. Enter the communication parameters for the primary server that is to be used for mirroring, including:
Primary IP
URL
Secret Key
The AG-2000w and the “mirror” servers must use the same secret key.
5. Repeat Step 4 for the secondary server (if any) and all carbon copy servers.
6. Define the “fail-safe” provisions, including:
Retransmit Method – Alternate, or do not alternate.
Number of Retransmit Attempts – This tells the system how many times it should attempt to retransmit billing records before suspending the task.
Retransmit Delay – This specifies the time delay between each retransmission.
7. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
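The store-and-forward behaviour described above (primary and secondary servers, carbon copies, the 2,000-record store, and the three fail-safe parameters) can be modelled in a few dozen lines. The following Python script is an added example written for this guide, not Nomadix code: the mirror servers are stand-ins with an `up` flag, the transport and the secret-key handling are left out, and the interpretation of “Alternate” (try primary, secondary, primary, ...) versus “do not alternate” (exhaust the attempts on the primary before moving to the secondary) is an assumption, since the manual does not spell it out. Retransmit delays are recorded in a list instead of sleeping so the logic can be inspected.

```python
from collections import deque

MAX_STORED_RECORDS = 2000  # capacity the manual states for records held while both servers are down


class MirrorServer:
    """Stand-in for a billing mirror server (constructed for this example): `up` decides whether delivery succeeds."""

    def __init__(self, name, up=True):
        self.name = name
        self.up = up
        self.received = []

    def deliver(self, record):
        if not self.up:
            return False
        self.received.append(record)
        return True


class BillRecordMirror:
    """Store-and-forward queue with the manual's fail-safe knobs: retransmit method, attempts and delay."""

    def __init__(self, primary, secondary=None, carbon_copies=(), alternate=True,
                 max_attempts=3, retransmit_delay_s=30):
        self.primary = primary
        self.secondary = secondary
        self.carbon_copies = list(carbon_copies)
        self.alternate = alternate
        self.max_attempts = max_attempts
        self.retransmit_delay_s = retransmit_delay_s
        self.queue = deque()
        self.rejected = 0       # records refused because the 2,000-record store was full
        self.suspended = False  # set when every attempt failed; the device retries once a server is reachable

    def attempt_targets(self):
        """Order in which servers are tried (assumed meaning of 'Alternate' / 'do not alternate')."""
        servers = [s for s in (self.primary, self.secondary) if s is not None]
        if self.alternate:
            return [servers[i % len(servers)] for i in range(self.max_attempts)]
        return [s for s in servers for _ in range(self.max_attempts)]

    def enqueue(self, record):
        """Store a record for delivery; beyond capacity the manual's 'no records are lost' promise no longer holds."""
        if len(self.queue) >= MAX_STORED_RECORDS:
            self.rejected += 1
            return False
        self.queue.append(record)
        return True

    def flush(self, delays):
        """Deliver queued records in order. Each retransmit delay is appended to `delays` instead of
        sleeping; returns True when the queue drained, False when the task was suspended."""
        self.suspended = False
        while self.queue:
            record = self.queue[0]
            delivered = False
            for i, target in enumerate(self.attempt_targets()):
                if i:
                    delays.append(self.retransmit_delay_s)
                if target.deliver(record):
                    delivered = True
                    break
            if not delivered:
                self.suspended = True  # keep the record at the head of the queue; nothing is dropped
                return False
            self.queue.popleft()
            for cc in self.carbon_copies:  # "carbon copy" servers receive a copy of every delivered record
                cc.deliver(record)
        return True
```

The point of the capped queue is operational: monitor `rejected` and `suspended` on the gateway side, because a long outage of both mirror servers is the one case in which transaction records can be lost.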
Managing the DHCP Service Options {DHCP}
When a device connects to the network, the DHCP server assigns it a “dynamic” IP address for the duration of the session. Most users have DHCP capability on their computer. To enable this service on the AG-2000w, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG-2000w to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.
1. From the Web Management Interface, click on Configuration, then DHCP.
The DHCP Settings screen appears:
Nomadix’ patented Dynamic Address Translation (DAT) functionality is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access, regardless of their computer’s network settings.
2. DHCP Services is enabled by default. Do not disable it unless you want to lose all your DHCP services.
3. To route DHCP through an external server, enable the DHCP Relay.
By default, the AG-2000w is configured to act as its own DHCP server and the relay feature is “disabled.” If you want the AG-2000w to act as its own DHCP server, do not enable the relay. Go directly to Step 8.
You must disable the DHCP server before enabling the DHCP relay. Both features cannot be enabled concurrently.
4. If you enabled the DHCP Relay feature, you must assign a valid DHCP Server IP address (the default is 0.0.0.0) and a valid DHCP Relay Agent IP address.
The DHCP Relay Agent allows the AG-2000w to request a specific range of IP addresses from different IP pools from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses that are on the same subnet as the AG-2000w.
If the DHCP Relay Agent IP address is set for an address that is already used or the IP address of the server, the other system will get an IP conflict and will not have Internet access.
5. If you want the AG-2000w to act as its own DHCP Server (you did not enable the DHCP Relay), enable it now.
6. If required, enable the IP Upsell feature.
System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the AG-2000w associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs. The IP Upsell functionality solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications.
7. If you want to add a new DHCP Pool, click on the Add button.
The Add DHCP Pools screen appears:
8. Enter a valid DHCP Server IP address for the DHCP server.
9. Enter the DHCP Server Netmask.
10. Enter the starting and ending IP addresses for the DHCP address pool you want to use:
DHCP Pool Start IP
DHCP Pool Stop IP
Do not allow pools to overlap.
11. Enter the DHCP Lease Minutes.
12. Select Public Pool or Private Pool, as required.
A “public” IP address will not be translated by DAT.
13. If required, make this an IP Upsell Pool and/or the Default Pool by checking the appropriate boxes.
14. When finished establishing your DHCP Pools, click on the Back to Main DHCP Configuration Page to return to the previous page.
15. You must now reboot the system for the new settings to take effect. Click the check box for Reboot after changes are saved? then click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.
When the system restarts, DHCP is enabled and configured. Skip the remaining steps in this procedure and go to “Managing the DNS Options {DNS}” on page 83.
16. The existing lease pool and lease table are deleted and the AG-2000w reboots.
The AG-2000w can issue IP addresses to any DHCP enabled subscriber who enters the network.
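The Add DHCP Pools screen accepts what you type; the rules in the steps above (pool inside the server's subnet, start before stop, no overlap between pools, a public pool meaning a routable address) are only enforced by the person filling in the form. The following Python script is an added example written for this guide, not Nomadix code: it validates a set of pool definitions before they are submitted, using the field names from the screen and constructed sample addresses. The per-pool and cross-pool checks are the ones a practitioner would want; they go slightly beyond the manual's single “do not allow pools to overlap” note.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpPool:
    """One entry from the Add DHCP Pools screen (field names follow the manual; values are constructed)."""
    server_ip: str
    netmask: str
    start_ip: str
    stop_ip: str
    lease_minutes: int
    public: bool = False    # Public Pool (not translated by DAT) vs Private Pool
    upsell: bool = False    # IP Upsell Pool
    default: bool = False   # Default Pool


def validate_pool(pool):
    """Problems with a single pool; an empty list means it passes."""
    try:
        net = ipaddress.ip_network(f"{pool.server_ip}/{pool.netmask}", strict=False)
        server = ipaddress.ip_address(pool.server_ip)
        start, stop = ipaddress.ip_address(pool.start_ip), ipaddress.ip_address(pool.stop_ip)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    problems = []
    if start > stop:
        problems.append("pool start is after pool stop")
    for label, addr in (("start", start), ("stop", stop)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside the server's subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {addr} is the network or broadcast address")
    if start <= server <= stop:
        problems.append("pool would hand out the DHCP server's own address")
    if pool.public and (start.is_private or stop.is_private):
        problems.append("public pool uses RFC 1918 addresses; DAT will not translate them and they are not routable")
    if pool.lease_minutes <= 0:
        problems.append("lease minutes must be positive")
    return problems


def pools_overlap(a, b):
    """True when the two address ranges share at least one address."""
    a0, a1 = ipaddress.ip_address(a.start_ip), ipaddress.ip_address(a.stop_ip)
    b0, b1 = ipaddress.ip_address(b.start_ip), ipaddress.ip_address(b.stop_ip)
    return a0 <= b1 and b0 <= a1


def validate_pools(pools):
    """Per-pool checks plus the cross-pool rules: no overlap, at most one default pool."""
    problems = [f"pool {i}: {m}" for i, p in enumerate(pools) for m in validate_pool(p)]
    for i in range(len(pools)):
        for j in range(i + 1, len(pools)):
            try:
                if pools_overlap(pools[i], pools[j]):
                    problems.append(f"pool {i} and pool {j} overlap")
            except ValueError:
                pass  # already reported by validate_pool
    if sum(p.default for p in pools) > 1:
        problems.append("more than one pool is marked as the default pool")
    return problems


if __name__ == "__main__":
    private = DhcpPool("10.0.0.1", "255.255.255.0", "10.0.0.10", "10.0.0.100", 60)
    clash = DhcpPool("10.0.0.1", "255.255.255.0", "10.0.0.50", "10.0.0.150", 60, public=True)
    for line in validate_pools([private, clash]):
        print(line)
```

Run it against the pools you intend to enter; an empty result means the Submit and the reboot that follows will not leave two pools fighting over the same addresses.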
Managing the DNS Options {DNS}
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The AG-2000w utilizes whichever server is currently available.
Use the following procedure to set the DNS configuration options.
1. From the Web Management Interface, click on Configuration, then DNS.
The Domain Name System (DNS) Settings screen appears:
2. Enter the Host Name (the DNS name of the AG-2000w).
3. Enter a valid Domain name (the Internet domain that DNS requests will utilize).
The host name must not contain any spaces.
4. Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent). Servers include:
Primary DNS Server
Secondary DNS Server
Tertiary DNS Server
The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
5. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved? to reboot the system after saving your changes.
6. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.
Setting the Home Page Redirection Options {Home Page Redirect}
This procedure shows you how to redirect the subscriber’s browser to a specified home page. Subscribers may also be redirected to a page specified by the solution provider, without any interaction with the credit card authentication process.
1. From the Web Management Interface, click on Configuration, then Home Page Redirect.
The Home Page Redirection Settings screen appears:
2. Click on the check box for Home Page Redirection to enable this feature.
You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG-2000w’s configuration screens.
If you enable home page redirection, you must provide a URL for the redirected home page.
3. Enter the URL of the redirected home page in the Home Page URL field.
4. If required, click on the check box for Parameter Passing.
Parameter passing allows the AG-2000w to track a subscriber’s initial Web request (usually their home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.
5. In the Redirection Frequency field, specify the frequency (in minutes) for home page redirection. This is the interval at which the subscriber is redirected to the solution provider’s home page automatically.
6. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
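Two of the settings above have behaviour worth seeing in code: the Redirection Frequency (a per-subscriber timer, not a global one) and Parameter Passing (the subscriber's original request travels to the solution provider's page as a query parameter). The following Python script is an added example written for this guide, not Nomadix code. It assumes `origin` as the parameter name, which the manual does not specify, identifies subscribers by an opaque id such as a MAC address, and takes an injectable clock so the timer can be checked without waiting. The `safe_return_target` helper is the receiving side's check: because the passed-through value is whatever the browser asked for, the solution provider's page should only send the subscriber back to an http or https URL.

```python
import time
from urllib.parse import urlencode, urlsplit


class HomePageRedirector:
    """Per-subscriber redirection timer plus optional parameter passing of the requested page.
    The query parameter name 'origin' is an assumption; the manual does not name it."""

    def __init__(self, home_page_url, redirection_frequency_minutes, parameter_passing=True, clock=None):
        self.home_page_url = home_page_url
        self.frequency_s = redirection_frequency_minutes * 60
        self.parameter_passing = parameter_passing
        self.clock = clock or time.time
        self.last_redirect = {}  # subscriber id (for example a MAC address) -> time of the last redirect

    def decide(self, subscriber, requested_url):
        """Return the URL to redirect this request to, or None to let the original request through."""
        now = self.clock()
        last = self.last_redirect.get(subscriber)
        if last is not None and now - last < self.frequency_s:
            return None  # redirected recently: within the Redirection Frequency window
        self.last_redirect[subscriber] = now
        if not self.parameter_passing:
            return self.home_page_url
        separator = "&" if "?" in self.home_page_url else "?"
        return self.home_page_url + separator + urlencode({"origin": requested_url})


def safe_return_target(origin, fallback="/"):
    """Solution-provider side: only send the subscriber back to an absolute http(s) URL taken from 'origin';
    anything else (a different scheme, a scheme-relative '//host' value, an empty string) falls back."""
    parts = urlsplit(origin)
    if parts.scheme in ("http", "https") and parts.netloc:
        return origin
    return fallback


if __name__ == "__main__":
    redirector = HomePageRedirector("http://portal.example/welcome", redirection_frequency_minutes=30)
    target = redirector.decide("00:11:22:33:44:55", "http://news.example/")
    print(target)
    print(safe_return_target(urlsplit(target).query.split("=", 1)[1]))
```

The second call for the same subscriber inside the 30-minute window returns None; a different subscriber gets its own timer, so the frequency setting never suppresses the first redirect of a new session.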
Enabling Intelligent Address Translation (iNAT)
Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT engine performs a defined mode of network address translation based on packet type and protocol (for example, GRE, IKE etc…).
1. From the Web Management Interface, click on Configuration, then iNAT.
The iNAT screen appears:
2. Enable or disable the iNAT feature, as required.
3. If you enabled iNAT, you have the option of enabling or disabling the following VPN protocols:
PPTP
IPSEC
At the time of this writing, Session Rate Limiting (SRL) appears in the iNAT menu. However, the Session Rate Limiting feature will have its own dedicated menu item. If the iNAT screen does not display the SRL feature, skip Step 4 and Step 5 and refer to “Establishing Session Rate Limiting {Session Limit}” on page 166.
4. Click on the check box for Session Rate Limiting to enable (or disable) this feature, as required.
5. Enter values for the following session “limiting” parameters:
Mean Rate
Burst Size
Time Interval (in seconds)
6. Click on the Submit button to save your options.
Use the iNAT Start and iNAT End fields to enter an IP address or range of IP addresses (up to 50), then click on the Add button to add the IP address(es), or click on the Remove button to delete the IP address(es) from the database.
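The three Session Rate Limiting parameters (Mean Rate, Burst Size, Time Interval) are the classic token-bucket parameters: a subscriber may open at most Burst Size sessions back to back, and on average Mean Rate sessions per Time Interval seconds. The following Python script is an added example written for this guide, not Nomadix code; it assumes a per-subscriber bucket (the manual does not say whether the limit is per subscriber or global), takes an injectable clock, and counts refused sessions so that subscribers who keep hitting the limit can be surfaced in a log.

```python
class SessionRateLimiter:
    """Token bucket per subscriber. `mean_rate` sessions per `time_interval` seconds on average,
    `burst_size` sessions back to back. `clock` returns seconds and is injectable for testing."""

    def __init__(self, mean_rate, burst_size, time_interval, clock):
        if mean_rate <= 0 or burst_size <= 0 or time_interval <= 0:
            raise ValueError("all SRL parameters must be positive")
        self.mean_rate = mean_rate
        self.burst_size = burst_size
        self.time_interval = time_interval
        self.clock = clock
        self.buckets = {}  # subscriber -> (tokens, time of last refill)
        self.denied = {}   # subscriber -> number of refused sessions (feeds logging / detection)

    def allow(self, subscriber):
        """True if a new session may be opened now; False if the subscriber is over its rate."""
        now = self.clock()
        tokens, last = self.buckets.get(subscriber, (self.burst_size, now))
        # Refill at mean_rate per time_interval, never above the burst size.
        tokens = min(self.burst_size, tokens + (now - last) * self.mean_rate / self.time_interval)
        if tokens >= 1:
            self.buckets[subscriber] = (tokens - 1, now)
            return True
        self.buckets[subscriber] = (tokens, now)
        self.denied[subscriber] = self.denied.get(subscriber, 0) + 1
        return False

    def noisy_subscribers(self, threshold):
        """Subscribers refused at least `threshold` times: the ones worth a closer look in the AAA log."""
        return sorted(s for s, n in self.denied.items() if n >= threshold)


if __name__ == "__main__":
    import time
    srl = SessionRateLimiter(mean_rate=2, burst_size=5, time_interval=1, clock=time.time)
    # Constructed sample: one subscriber opens eight sessions in quick succession.
    print([srl.allow("subscriber-1") for _ in range(8)])
    print(srl.noisy_subscribers(1))
```

With Mean Rate 2, Burst Size 5 and Time Interval 1 second, the first five sessions pass, the next three are refused, and one second later two more tokens have accrued.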
Establishing Your Location {Location}
This command sets up your location and the corresponding IP addresses for the network interface, subnet, and default gateway. You *must* provide your full location information.
1. From the Web Management Interface, click on Configuration, then Location.
The Location Settings screen appears:
2. Enter your location information in the following fields:
Company Name
Address (Line 1 and Line 2)
City, State, Zip, and Country
E-mail Address
3. Enable or disable the DHCP Client, as required. If you are using a DHCP Client, you can skip Step 4 through Step 6.
You must reboot the system if you make changes to any of the following IP settings.
You may lose your connection if you change the IP settings incorrectly (using invalid IP addresses). If you “misconfigure” the AG-2000w and network connectivity is lost, you can still access the AG-2000w from the Admin IP address (172.30.30.172).
All IP addresses must be established, otherwise the AG-2000w will not be “visible” on the network.
4. Enter a valid IP address in the Network IP Address field.
The Network IP Address is the public IP address that allows administrators to see the AG-2000w on the network. Use this address when you need to make a network connection with the AG-2000w.
5. Enter a valid IP address in the Subnet Mask field.
The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG-2000w is located.
6. Enter a valid default gateway IP address in the Default Gateway field.
The default gateway is the IP address of the router that the AG-2000w uses to transmit data to the Internet.
7. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved? to reboot the system after saving your changes.
8. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.
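Since Steps 4 through 6 are followed by a reboot, a mistake here costs a trip to the Admin IP address. The following Python function is an added example written for this guide, not Nomadix code: it checks the three values against each other before they are submitted (all set, the device address is a host address, the gateway lies on the same subnet and is not the device itself, the mask is contiguous). The sample addresses are constructed; the fallback Admin IP is the one the manual states.

```python
import ipaddress

ADMIN_IP = "172.30.30.172"  # fallback Admin IP address the manual says stays reachable after a misconfiguration


def check_location_ip_settings(network_ip, subnet_mask, default_gateway):
    """Return the problems a Submit would cause; an empty list means the settings are consistent."""
    try:
        iface = ipaddress.ip_interface(f"{network_ip}/{subnet_mask}")  # rejects non-contiguous masks
        gateway = ipaddress.ip_address(default_gateway)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    problems = []
    if iface.ip.is_unspecified or gateway.is_unspecified:
        problems.append("all three addresses must be set; 0.0.0.0 leaves the device invisible on the network")
        return problems
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}, not a host address")
    if gateway not in net:
        problems.append(f"default gateway {gateway} is not on the subnet {net}; the router would be unreachable")
    elif gateway == iface.ip:
        problems.append("default gateway must be the router's address, not the device's own")
    return problems


if __name__ == "__main__":
    # Constructed sample: the gateway was typed on the wrong subnet.
    for line in check_location_ip_settings("192.0.2.10", "255.255.255.0", "198.51.100.1"):
        print(line)
    print("fallback if connectivity is lost:", ADMIN_IP)
```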
Managing the System and Billing Log Options {Logging}
System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authorization, Authentication, and Accounting) functions. You can enable either of these options.
1. From the Web Management Interface, click on Configuration, then Logging.
The Log Settings screen appears:
Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7). When managing multiple properties, the properties are identified in the log files by their IP addresses.
2. If required, click on the check box for System Log to enable system logging.
When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG-2000w to the specified SYSLOG server.
3. Enter a unique number (between 0 and 7) in the System Log Number field. This ID number is assigned to the System Log Server.
4. Enter a valid IP address in the System Log Server IP field.
5. If required, repeat Steps 2 through 4 for the AAA Log feature.
6. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to “Sample SYSLOG Report” on page 198 and “Sample AAA Log” on page 197.
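What leaves the AG-2000w when logging is enabled is a standard syslog datagram, and the “log number” you enter is what lets the collector tell the system log and the AAA log apart. The following Python script is an added example written for this guide, not Nomadix code: it builds an RFC 3164 message, shows how a collector recovers the facility and severity from the PRI field, and sends the message over UDP port 514. It assumes that the 0 to 7 log number selects the local0 to local7 facilities (facility codes 16 to 23); the manual does not state the mapping. The host name, tag and timestamp are constructed.

```python
import socket
from datetime import datetime

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
SYSLOG_PORT = 514
SAMPLE_TIME = datetime(2003, 8, 14, 12, 0, 0)  # constructed timestamp so the stand-alone run is reproducible


def facility_for_log_number(log_number):
    """Assumption: the 0-7 'log number' selects local0..local7, which are facilities 16..23 in the PRI."""
    if not 0 <= log_number <= 7:
        raise ValueError("log number must be between 0 and 7")
    return 16 + log_number


def build_syslog_message(log_number, severity, hostname, tag, text, timestamp):
    """RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG, where PRI = facility * 8 + severity."""
    pri = facility_for_log_number(log_number) * 8 + SEVERITY[severity]
    stamp = f"{timestamp:%b} {timestamp.day:2d} {timestamp:%H:%M:%S}"  # day is space-padded, per the RFC
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode("ascii", "replace")


def parse_pri(message):
    """Collector side: recover (facility, severity) so system and AAA logs can be split by facility."""
    if not message.startswith(b"<") or b">" not in message[:5]:
        raise ValueError("missing PRI")
    pri = int(message[1:message.index(b">")])
    return pri // 8, pri % 8


def send_syslog(message, server_ip, port=SYSLOG_PORT):
    """Fire-and-forget UDP delivery: no acknowledgement, no authentication, exactly like the protocol."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message, (server_ip, port))


if __name__ == "__main__":
    msg = build_syslog_message(3, "info", "ag2000w", "system", "configuration saved", SAMPLE_TIME)
    print(msg)
    print("facility, severity:", parse_pri(msg))
```

Because UDP syslog carries no authentication, the collector should accept messages only from the gateways' own IP addresses, which is also how the manual says multiple properties are told apart in the log files.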
Assigning Passthrough Addresses {Passthrough Addresses}
The AG-2000w allows up to 52 IP passthrough addresses and DNS names. This feature allows users to “pass through” the AG-2000w and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though they may not have subscribed to the broadband Internet service. This is useful if solution providers want to openly promote selected services to all users, even if they are not currently subscribing (paying) for access.
1. From the Web Management Interface, click on Configuration, then Passthrough Addresses.
The Passthrough Address Settings screen appears:
The AG-2000w is supplied with “Hotmail®” as a default passthrough setting.
2. If required, enable Passthrough Addresses, then click on the Submit button.
3. In the IP/DNS Name field, enter the IP address or DNS name of the pass-through you want to add or remove from the system.
4. If adding this pass-through, click on the Add button, otherwise click on Remove to delete this pass-through from the list.
The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information.
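Every pass-through entry is a hole in the walled garden, so the entry format matters: a bare IP address or DNS name, nothing more. The following Python script is an added example written for this guide, not Nomadix code: it normalises an entry the way the note above describes (rejecting protocol, port, path and query parts), keeps the list within the 52-entry limit the manual states, and matches destinations exactly, so that an entry for one host name does not open its parent domain or its subdomains. The host names used are constructed.

```python
import ipaddress
import re

MAX_PASSTHROUGH_ENTRIES = 52  # limit stated in the manual
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_passthrough(entry):
    """Accept a bare IP address or DNS name; reject anything carrying protocol, port, path or query parts."""
    value = entry.strip()
    if not value:
        raise ValueError("empty entry")
    if "://" in value or value.startswith("//"):
        raise ValueError("protocol prefix is not allowed")
    if any(c in value for c in "/?#"):
        raise ValueError("path or query parts are not allowed")
    try:
        return str(ipaddress.ip_address(value))  # plain IPv4 or IPv6 literal
    except ValueError:
        pass
    if ":" in value or "@" in value:
        raise ValueError("port numbers and credentials are not allowed")
    host = value.rstrip(".").lower()
    if len(host) > 253 or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError(f"not a valid DNS name: {entry!r}")
    return host


class PassthroughList:
    """The Add/Remove behaviour of the Passthrough Address Settings screen with the 52-entry cap enforced."""

    def __init__(self):
        self.entries = []

    def add(self, entry):
        host = normalize_passthrough(entry)
        if host in self.entries:
            return False
        if len(self.entries) >= MAX_PASSTHROUGH_ENTRIES:
            raise ValueError("passthrough list is full")
        self.entries.append(host)
        return True

    def remove(self, entry):
        host = normalize_passthrough(entry)
        if host not in self.entries:
            return False
        self.entries.remove(host)
        return True

    def allows(self, destination):
        """Exact match only: a pass-through for www.nomadix.com does not open nomadix.com or its subdomains."""
        try:
            return normalize_passthrough(destination) in self.entries
        except ValueError:
            return False


if __name__ == "__main__":
    passthrough = PassthroughList()
    passthrough.add("www.nomadix.com")
    for candidate in ("www.nomadix.com", "nomadix.com", "http://www.nomadix.com/"):
        print(candidate, "->", passthrough.allows(candidate))
```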
Defining the RADIUS Client Settings {RADIUS Client}
The AG-2000w supports Remote Authentication Dial-In User Service (RADIUS). RADIUS is an authentication and accounting system used by many Internet Service Providers.
Nomadix offers an integrated RADIUS client, allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user. When a customer connects into the network, the RADIUS client authenticates the customer with the RADIUS server, applies associated attributes stored in that customer's profile, and logs their activity (including bytes transferred, connect time, etc.).
The AG-2000w's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee.
The “Usernames” function must be enabled for a RADIUS login. See also, “Defining the AAA Services {AAA}” on page 63.
All subscribers attempting to gain access to the network are validated by RADIUS.
For additional RADIUS information, see also:
“Defining the RADIUS Routing Settings {RADIUS Routing}” on page 95.
“RADIUS Attributes” on page 200.
1. From the Web Management Interface, click on Configuration, then RADIUS Client.
The RADIUS Client Settings screen appears:
2. Under the Server Selection options, choose the Routing Mode:
Disabled (to disable RADIUS authentication)
Realm-Based (for Realm routing)
Fixed (for routing to predefined RADIUS servers)
3. Select the Default RADIUS Service Profile from the pull-down menu.
Miscellaneous Options
4. In the “Miscellaneous Options” category, enter a value for the time (in seconds) in the Default User Idle Timeout field. This value determines how much “idle” time elapses before the subscriber’s session times out and they must login again.
5. The AG-2000w can reauthenticate “repeat” subscribers who return to the system within 720 hours. To enable this feature, click on the check box for Automatic Subscriber Reauthentication.
6. If you want to enable the URL redirection feature, click on the check box for Enable URL Redirection.
7. For a Network Access Server (NAS), if you want to send a NAS identifier with your account access request, click on the check box for Send NAS identifier, then define the NAS identifier in the NAS identifier field.
8. To send the NAS IP address with your account request, click on the check box for Send NAS IP.
9. To send a NAS port type with your account request, click on the check box for Send NAS Port type, then define the NAS port in the NAS Port Type field.
10. To send the Framed IP address with your account request, click on the check box for Send Framed IP.
11. If required, check the box for Enable Session-Terminate-End-Of-Day When Authorized (to allow business policies that want to terminate the session at midnight of every day).
12. If required, check the box for Enable Byte Count Reset On Account Start (to reset the transmitted and received byte count for a subscriber once an “accounting start” is sent). This function prevents counting Walled Garden traffic if the billing plan is using bytes sent/received as a charge criterion.
13. If required, check the box for Enable Goodbye URL (if you want the system to display a post session “goodbye” page). The “goodbye” page can be defined as a RADIUS VSA or be driven by the AG-2000w’s Internal Web Server (IWS).
14. If required, check the box for Enable WAN 802.1q Attribute. To enable the default 802.1q tag, click on the check box for Enable Default 802.1q Tag for System Traffic and, if necessary, enter the tag number (see caution).
Changing the default tag number may result in a loss of connectivity.
15. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
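Steps 7 through 10 decide which attributes the gateway puts into its Access-Request, and the Auto-Configuration feature (“Enabling Auto Configuration”, earlier in this chapter) relies on a vendor-specific attribute coming back in the Access-Accept. Both are easiest to understand at the packet level. The following Python script is an added example written for this guide, not Nomadix code and not the Nomadix dictionary file: it encodes an Access-Request with NAS-Identifier, NAS-IP-Address, NAS-Port-Type and Framed-IP-Address using the standard attribute numbers from RFC 2865, hides the User-Password the way the RFC prescribes, then parses a reply and extracts a vendor-specific sub-attribute. The vendor ID and the Auto-Config VSA number are placeholders to be replaced with the values from the dictionary file; the shared secret, identifiers and the FTP URL in the reply are constructed. The `verify_reply` check is the part that matters for Auto-Configuration: the Response Authenticator ties the reply to the request and the shared secret, and a client that skips the check would act on a reply from anyone who can reach it.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and attribute types (standard values, not taken from the manual).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
VENDOR_SPECIFIC, NAS_IDENTIFIER, NAS_PORT_TYPE = 26, 32, 61
NAS_PORT_TYPE_ETHERNET = 15
# Placeholders: take the vendor's enterprise number and the Auto-Config VSA number from the
# dictionary file the NOC administrator installs on the RADIUS server; neither value is in the manual.
VENDOR_ID_PLACEHOLDER = 0xFFFF
AUTOCONFIG_VSA_TYPE_PLACEHOLDER = 1


def attr(code, value):
    """Type-Length-Value encoding of one attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute: 4-byte vendor id, then a vendor type/length/value sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    Applying it twice with the same secret and authenticator recovers a one-block password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(username, password, secret, nas_id, nas_ip, framed_ip, identifier=0, authenticator=None):
    """Access-Request carrying the optional attributes the RADIUS Client screen lets you send."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 unpredictable bytes
    attrs = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        attr(NAS_IDENTIFIER, nas_id.encode()),                           # "Send NAS identifier"
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),                  # "Send NAS IP"
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),  # "Send NAS Port type"
        attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),            # "Send Framed IP"
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Walk the attribute list, refusing any length that runs past the packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    pos, result = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        result.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return result


def find_vsa(packet, vendor_id, vendor_type):
    """Value of the first matching vendor sub-attribute (for example the meta configuration file location), or None."""
    for code, value in parse_attributes(packet):
        if code != VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("malformed VSA")
            if vtype == vendor_type:
                return value[pos + 2:pos + vlen]
            pos += vlen
    return None


def build_access_accept(request, secret, attrs):
    """Server side: the Response Authenticator binds the reply to the request and to the shared secret."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_reply(reply, request, secret):
    """Client side: check the Response Authenticator before acting on anything the reply carries."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request = build_access_request("site1-gateway", "pw", secret, "ag2000w-site1", "10.0.0.2", "10.0.0.2", identifier=7)
    reply = build_access_accept(request, secret, vsa(VENDOR_ID_PLACEHOLDER, AUTOCONFIG_VSA_TYPE_PLACEHOLDER,
                                                     b"ftp://config.example/meta.cfg"))  # constructed location
    print("reply verified:", verify_reply(request=request, reply=reply, secret=secret))
    print("meta file location:", find_vsa(reply, VENDOR_ID_PLACEHOLDER, AUTOCONFIG_VSA_TYPE_PLACEHOLDER))
```

The password hiding is MD5 keyed with the shared secret, which is why the manual's RADIUS Authentication Name and Password for Auto-Configuration are only as strong as the secret shared with the RADIUS server and the network between the two.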
Defining the RADIUS Routing Settings {RADIUS Routing}
Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based Routing Policies (up to 50).
For additional RADIUS information, see also:
“Defining the RADIUS Client Settings {RADIUS Client}” on page 92.
“RADIUS Attributes” on page 200.
1. From the Web Management Interface, click on Configuration, then RADIUS Routing.
The RADIUS Routing Settings screen appears:
Adding a RADIUS Service Profile
2. To add a RADIUS Service Profile, click on the appropriate Add button.
The Add RADIUS Service Profile screen appears:
3. Enter a name of your choice for this service profile in the Unique Name field.
Authentication
This category requires input for enabling RADIUS authentication and requires you to define IP addresses, ports, and secret keys for the primary and secondary RADIUS servers (the secondary server is optional).
4. Enable or disable the RADIUS Authentication Service, as required, by clicking on the Enable RADIUS Authentication Service check box.
5. If you enabled the RADIUS Authentication Service, enter the primary RADIUS authentication server IP address in the Primary IP field.