Nomadix AG 5000 User Manual

Nomadix AG 5000 User’s Guide

AG 5000

This product also includes software developed by: The University of California, Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright © 1999 Go Ahead Software, Inc. All Rights Reserved; Livingston Enterprises, Inc., Copyright © 1992 Livingston Enterprises, Inc. All Rights Reserved; The Regents of the University of Michigan and Merit Ne twork, Inc., Copyright 1992 – 1995 All Rights Reserved; and includes source code covered by the Mozilla Public License, Version 1.0 and OpenSSL.

Trademarks

The symbol, and Nomadix Service Engine™ are trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their

respective holders.

Product Information

Telephone: +1.818.597.1500 Fax: +1.818.597.1502 For technical support information, see the Appendix in this User’s Guide.

Write your product serial number in this box:

S/N

Written and Illustrated by Bill Wareing

This User’s Guide is protected by U.S. copyright laws. You may not transmit, copy, modify, or translate this manual, or reduce it or any part of it to any machine readable form, without the express permission of the copyright holder.

DISCLAIMER

Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any implied warranties of merchantability and fitness for a particular purpose, regarding the product described herein. In no event shall Nomadix, Inc. be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising from the use of Nomadix, Inc. products.

NOTIFICATIONS

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications not expressly approved by the manufacturer could void the user's authority to operated the equipment under FCC rules.

This Class B digital apparatus meets all requirements of the Canadian Interference-

Causing Equipment Regulations.

Cet appareil numérique de la classe B respecte toutes les exigences du Réglement sur le matériel brouilleur du Canada.

WARNING

Risk of electric shock; do not open;

no user-serviceable parts inside.

Risque de choc electrique; ne pas ouvrir; ne pas tenter de démonter

Read the instruction manual prior to

Lire le mode d’emploi avant

CAUTION

operation.

utilisation.

l’appareil.

1100 Business Center Circle, Suite 100, Newbury Park, CA 91320, USA (head office)

This page intentionally blank

AG 5000

Table of Contents

Introduction .......................................................................................................... 9

About this User’s Guide ............................................................................................. 9

Organization................................................................................................................ 9

Welcome to the AG 5000 ......................................................................................... 10

Product Configuration and Licensing ............................................................... 10

Key Features and Benefits ........................................................................................ 11

Platform Reliability ........................................................................................... 11

Local Content and Services ............................................................................... 11

Transparent Connectivity .................................................................................. 12

Billing Enablement ............................................................................................ 12

Access Control and Authentication ................................................................... 13

Security .............................................................................................................. 13

5-Step Service Branding .................................................................................... 13

NSE Core Functionality ............................................................................................ 14

Access Control ................................................................................................... 15

Bandwidth Management.................................................................................... 15

Bridge Mode ...................................................................................................... 16

Command Line Interface ................................................................................... 16

Dynamic Address Translation™ ....................................................................... 16

Dynamic Transparent Proxy.............................................................................. 16

End User Licensee Count .................................................................................. 16

External Web Server Mode ................................................................................ 17

Home Page Redirect .......................................................................................... 17

iNAT™ ............................................................................................................... 18

Information and Control Console...................................................................... 19

Internal Web Server ........................................................................................... 19

International Language Support ....................................................................... 20

IP Upsell ............................................................................................................ 20

Logout Pop-Up Window .................................................................................... 20

MAC Filtering.................................................................................................... 21

Multi-Level Administration Support.................................................................. 21

NTP Support ...................................................................................................... 21

Portal Page Redirect ......................................................................................... 21

Port Mapping..................................................................................................... 22

RADIUS-driven Auto Configuration.................................................................. 22

RADIUS Client................................................................................................... 22

RADIUS Proxy................................................................................................... 23

Remember Me and RADIUS Re-Authentication ................................................ 23

Secure Management........................................................................................... 23

Table of Contents i

AG 5000

Secure Socket Layer (SSL)................................................................................. 24

Secure XML API ................................................................................................ 25

Session Rate Limiting (SRL) .............................................................................. 25

Session Termination Redirect ............................................................................ 25

Smart Client Support ......................................................................................... 25

SNMP Nomadix Private MIB............................................................................. 26

Tri-Mode Authentication ................................................................................... 26

URL Filtering .................................................................................................... 26

Walled Garden................................................................................................... 27

Web Management Interface............................................................................... 27

Optional NSE Modules............................................................................................. 28

Hospitality Module ............................................................................................ 28

Credit Card Module........................................................................................... 29

Wholesale Roaming Module.............................................................................. 29

High Availability Module .................................................................................. 29

Optional Standalone Applications ............................................................................ 30

Meeting Room Scheduler (MRS) ....................................................................... 30

Network Architecture (Sample) ................................................................................ 31

Product Specifications .............................................................................................. 32

Online Help (WebHelp) ............................................................................................ 34

Notes, Cautions, and Warnings................................................................................. 34

Chapter 1: Installing the AG 5000 ................................................................... 35

Unpacking the AG 5000 ........................................................................................... 36

Installation Workflow ............................................................................................... 37

Powering Up the System........................................................................................... 38

Logging In to the Command Line Interface ............................................................. 39

The Management Interfaces (CLI and Web) ............................................................ 40

Making Menu Selections and Inputting Data with the CLI ............................... 40

Menu Organization (Web Management Interface)............................................ 41

Inputting Data – Maximum Character Lengths................................................. 42

Online Documentation and Help ....................................................................... 43

Quick Reference Guide............................................................................................. 43

Establishing the Start Up Configuration ................................................................... 44

Assigning Login User Names and Passwords ................................................... 45

Setting the SNMP Parameters (optional) .......................................................... 46

Enabling the Logging Options (recommended)................................................. 47

Assigning the Location Information and IP Addresses ..................................... 48

Logging Out and Powering Down the System ......................................................... 50

Connecting the AG 5000 to the Customer’s Network .............................................. 51

Establishing the Basic Configuration for Subscribers .............................................. 52

Setting the DHCP Options................................................................................. 52

Setting the DNS Options .................................................................................... 54

Archiving Your Configuration Settings .................................................................... 55

ii Table of Contents

AG 5000

Installing the Nomadix Private MIB......................................................................... 56

Chapter 2: System Administration .................................................................. 57

Choosing a Remote Connection ............................................................................... 57

Using the Web Management Interface (WMI)................................................... 58

Using an SNMP Manager.................................................................................. 58

Using a Telnet Client ......................................................................................... 59

Logging In................................................................................................................. 59

About Your Product License .................................................................................... 59

Configuration Menu.................................................................................................. 60

Defining the AAA Services {AAA} ..................................................................... 60

Establishing Secure Administration {Access Control} ...................................... 67

Defining Automatic Configuration Settings {Auto Configuration} ................... 69

Setting Up Bandwidth Management {Bandwidth Management}....................... 72

Establishing Billing Records “Mirroring” {Bill Record Mirroring}................ 73

Managing the DHCP Service Options {DHCP}................................................ 75

Managing the DNS Options {DNS}................................................................... 79

Setting the Home Page Redirection Options {Home Page Redirect}................ 81

Enabling Intelligent Address Translation (iNAT) ............................................. 82

Establishing Your Location {Location} ............................................................. 83

Managing the System and Billing Log Options {Logging}................................ 85

Enabling the Meeting Room Scheduler {Meeting Room Scheduler}................. 86

Assigning Passthrough Addresses (Passthrough Addresses) ............................ 87

Assigning a PMS Service {PMS} ....................................................................... 88

Setting Up Port Locations {Port-Location}....................................................... 93

Defining the RADIUS Client Settings {RADIUS Client} ................................... 98

Defining the RADIUS Proxy Settings {RADIUS Proxy} ................................. 101

Defining the RADIUS Routing Settings {RADIUS Routing} ........................... 104

Managing SMTP Redirection {SMTP}............................................................ 110

Managing the SNMP Communities {SNMP}................................................... 111

Enabling Dynamic Multiple Subnet Support (Subnets)................................... 112

Displaying Your Configuration Settings {Summary} ...................................... 114

Setting the System Date and Time {Time} ....................................................... 115

Setting Up URL Filtering {URL Filtering}...................................................... 116

Enabling Secure Management {VPN Tunnel} ................................................. 117

Network Info Menu ................................................................................................ 121

Displaying ARP Table Entries {ARP} ............................................................. 121

Displaying DAT Sessions {DAT} ..................................................................... 121

Displaying the Host Table {Hosts} .................................................................. 122

Displaying ICMP Statistics {ICMP}................................................................ 122

Displaying the Network Interfaces {Interfaces} .............................................. 123

Displaying the IP Statistics {IP}...................................................................... 124

Displaying the Routing Tables {Routing}........................................................ 125

Displaying the Active IP Connections {Sockets}............................................. 126

Table of Contents iii

AG 5000

Displaying the Static Port Mapping Table {Static Port-Mapping} ................. 126

Displaying TCP Statistics {TCP} .................................................................... 127

Displaying UDP Statistics {UDP}................................................................... 128

Port-Location Menu ................................................................................................ 129

Adding and Updating Port-Location Assignments {Add} ............................... 129

Deleting All Port-Location Assignments {Delete All} ..................................... 131

Deleting Port-Location Assignments by Location {Delete by Location} ........ 131

Deleting Port-Location Assignments by Port {Delete by Port} ...................... 132

Exporting Port-Location Assignments {Export}.............................................. 133

Finding Port-Location Assignments by Description {Find by Description}... 134

Finding Port-Location Assignments by Location {Find by Location} ............ 135

Finding Port-Location Assignments by Port {Find by Port} .......................... 136

Importing Port-Location Assignments {Import}.............................................. 137

Displaying the Port-Location Mappings {List}............................................... 139

Subscriber Administration Menu ............................................................................ 140

Adding Subscriber Profiles {Add} ................................................................... 140

Displaying Current Subscriber Connections {Current}.................................. 142

Deleting Subscriber Profiles by MAC Address {Delete by MAC}................... 143

Deleting Subscriber Profiles by User Name {Delete by User} ....................... 144

Displaying the Currently Allocated DHCP Leases {DHCP Leases} .............. 145

Deleting All Expired Subscriber Profiles {Expired} ....................................... 145

Finding Subscriber Profiles by MAC Address {Find by MAC}....................... 146

Finding Subscriber Profiles by User Name {Find by User} ........................... 147

Listing Subscriber Profiles by MAC Address {List by MAC}.......................... 148

Listing Subscriber Profiles by User Name {List by User}............................... 149

Displaying Current Profiles and Connections {Statistics}.............................. 150

Subscriber Interface Menu...................................................................................... 151

Defining the Billing Options {Billing Options} ............................................... 151

Setting Up the Information and Control Console {ICC Setup} ....................... 158

Defining Languages {Language Support}....................................................... 165

Defining the Subscriber’s Login UI {Login UI}.............................................. 167

Defining the Post Session User Interface (Post Session UI) ........................... 171

Defining Subscriber UI Labels {Subscriber Labels}....................................... 175

Defining Subscriber Error Messages {Subscriber Errors}............................. 177

Defining Subscriber Messages {Subscriber Messages} .................................. 179

System Menu .......................................................................................................... 182

Adding an ARP Table Entry {ARP Add} ......................................................... 182

Deleting an ARP Table Entry {ARP Delete} ................................................... 183

Enabling the Bridge Mode Option {Bridge Mode} ......................................... 184

Exporting Configuration Settings to the Archive File {Export} ...................... 185

Importing the Factory Defaults {Factory} ...................................................... 186

Defining the Fail Over Options {Fail Over} ................................................... 187

Viewing the History Log {History} .................................................................. 188

Establishing ICMP Blocking Parameters {ICMP}.......................................... 189

iv Table of Contents

AG 5000

Importing Configuration Settings from the Archive File {Import}.................. 190

Establishing Login Access Levels {Login} ...................................................... 191

Defining the MAC Filtering Options {Mac Filtering}..................................... 193

Rebooting the System {Reboot} ....................................................................... 194

Adding a Route {Route Add} ........................................................................... 195

Deleting a Route {Route Delete} ..................................................................... 196

Establishing Session Rate Limiting {Session Limit}........................................ 197

Adding Static Ports {Static Port-Mapping Add} ............................................. 198

Deleting Static Ports {Static Port-Mapping Delete} ....................................... 200

Blocking a Subscriber Interface {Subscriber Interfaces}................................ 201

Updating the AG 5000 Firmware {Upgrade}.................................................. 201

Chapter 3: The Subscriber Interface ............................................................. 203

Overview................................................................................................................. 203

Authorization and Billing ....................................................................................... 204

The AAA Structure ........................................................................................... 205

Process Flow (AAA) ........................................................................................ 207

Internal and External Web Servers.................................................................. 208

Language Support............................................................................................ 208

Home Page Redirection ................................................................................... 208

Subscriber Management ......................................................................................... 208

Subscriber Management Models ..................................................................... 209

Configuring the Subscriber Management Models........................................... 210

Information and Control Console (ICC)................................................................. 211

ICC Pop-Up Window....................................................................................... 211

Logout Console ................................................................................................ 212

Chapter 4: Quick Reference Guide................................................................ 213

Web Management Interface (WMI) Menus............................................................ 213

Main Page........................................................................................................ 213

Configuration Menu Items............................................................................... 214

Network Info Menu Items................................................................................. 216

Port-Location Menu Items ............................................................................... 217

Subscriber Administration Menu Items ........................................................... 218

Subscriber Interface Menu Items..................................................................... 219

System Menu Items .......................................................................................... 220

Alphabetical Listing of Menu Items (WMI) ........................................................... 222

Default (Factory) Configuration Settings ............................................................... 224

Product Specifications ............................................................................................ 226

Sample AAA Log ................................................................................................... 228

Message Definitions (AAA Log) ...................................................................... 228

Sample SYSLOG Report ........................................................................................ 229

Sample History Log ................................................................................................ 229

Table of Contents v

AG 5000

Keyboard Shortcuts................................................................................................. 230

HyperTerminal Settings .......................................................................................... 230

RADIUS Attributes................................................................................................. 231

Authentication-Request.................................................................................... 232

Authentication-Reply (Accept) ......................................................................... 232

Accounting-Request......................................................................................... 233

Selected Detailed Descriptions........................................................................ 234

Nomadix Vendor Specific Attributes................................................................ 235

Setting Up the SSL Feature .................................................................................... 236

Prerequisites .................................................................................................... 236

Obtain a Private Key File (cakey.pem) ........................................................... 237

Installing Cygwin and OpenSSL on a PC ........................................................ 237

Private Key Generation ................................................................................... 241

Create a Certificate Signing Request (CSR) File ............................................ 244

Create a Public Key File (server.pem) ............................................................ 245

Setting Up AG 5000 for SSL Secure Login...................................................... 248

Setting Up the Portal Page .............................................................................. 249

Mirroring Billing Records ...................................................................................... 249

Sending Billing Records .................................................................................. 250

XML Interface .................................................................................................. 250

Chapter 5: Troubleshooting............................................................................ 253

General Hints and Tips ........................................................................................... 253

Management Interface Error Messages .................................................................. 254

Common Problems ................................................................................................. 256

Appendix: Technical Support......................................................................... 259

Contact Information ................................................................................................ 259

Glossary of Terms ............................................................................................261

Index .................................................................................................................. 277

vi Table of Contents

AG 5000

Introduction

About this User’s Guide

This User’s Guide provides information and procedures that will enable system administrators to install, configure, manage, and use the Nomadix AG 5000 product successfully and efficiently. Use this guide to take full advantage of the AG 5000’s functionality and features.

Organization

This User’s Guide is organized into the following chapters:

Chapter 1 – Installing the AG 5000. This chapter provides instructions for installing

the AG 5000 and establishing the start-up configuration.

Chapter 2 – System Administration. This chapter provides all the instructions and

procedures necessary to manage and administer the AG 5000 on the customer’s network, following a successful installation.

Chapter 3 – The Subscriber Interface. This chapter provides an overview and

sample scenario for the AG 5000’s subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system, and the Nomadix Information and Control Console.

Chapter 4 – Quick Reference Guide. This chapter contains product reference

information, organized by topic and functionality. It also contains a full listing of all product configuration elements, sorted alphabetically and by menu.

Chapter 5 – Troubleshooting. This chapter provides information to help you resolve

common hardware and software problems. It also contains a list of error messages associated with the management interface.

Appendix – Technical Support. The appendix informs you how to obtain technical

support. You should refer to the troubleshooting procedures contained in Chapter 5 before contacting Nomadix, Inc. directly.

Glossary of Terms. The glossary provides an explanation of terms directly related to

Nomadix product technology. Glossary entries are organized alphabetically.

Index. The index is a valuable information search tool. Use the index to locate

specific topics and categories contained in this User’s Guide.

Introduction 9

Welcome to the AG 5000

The AG 5000 is a freestanding, fully featured network appliance that enables Public access service providers to offer broadband Internet connectivity to their customers.

The AG 5000 handles universal mobile connectivity, advanced security, policy-based traffic shaping, and service placement supporting up to 2,000 users simultaneously in a broadband environment. The AG 5000 also offers a unique set of security and connectivity features for deploying wireless 802.11 networks.

The AG 5000 yields a complete solution to a set of complex issues in the Enterprise, Public-LAN, and Residential segments.

Nomadix AG 5000

AG 5000

Product Configuration and Licensing

All Nomadix Access Gateway products, including the AG 5000, are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The AG 5000 employs our NSE core software package with the option to purchase additional modules to expand the product’s functionality.

This User’s Guide covers all features and functionality provided with the NSE core package, as well as the additional optional modules. Your product license must support the optional NSE modules if you want to take advantage of the expanded functionality. The following note will preface procedures that directly relate to optional modules:



See also:

 “NSE Core Functionality” on page 14.  “Optional NSE Modules” on page 28.

10 Introduction

Your product license may not support this feature.

AG 5000

Key Features and Benefits

The AG 5000 is a 1U high, free-standing or rack-mountable Access Gateway that employs three fast Ethernet ports to interface with the router (one for network side) and the aggregation equipment (two for subscriber side) within the network. It also incorporates an RS232 serial port for connecting to a Property Management System (PMS) and for system management and administration, while maintaining one billing relationship with their chosen provider.

The AG 5000 enables a wide variety of network deployment options for different venue types. For example:

 Allows for flexible WAN Connectivity (T1/E1, Cable, xDSL, and ISDN).  Supports 802.11a/b/g and hybrid networks utilizing wired Ethernet.  Supports key requirements needed to be compliant with the Wi-Fi ZONE™

program.

 Allows you to segment your existing network into public and private

sections using VLANs, then leverage your existing network investment to create new revenue streams.

 Enables you to provide Wi-Fi access as a billable service or as an amenity to

augment the main line of business for your venue.

 The AG 5000 contains an advanced XML interface for accepting and

processing XML commands, allowing the implementation of a variety of service plans and offerings.

 Offers three user-friendly ways of remote management—through a Web

interface, SNMP MIBs, and Telnet interfaces—allowing for scalable, large Public access deployments.

Platform Reliability

The AG 5000 is designed as a network appliance, providing maximum uptime and reliability unlike competitive offerings that use a server-based platform.

Local Content and Services

The AG 5000’s Portal Page feature intercepts the user’s browser settings and directs them to a designated Web site to securely sign up for service or log in if they have a pre-existing account.

 Allows the provider to present their customers with local services or have

the user sign up for service at zero expense.

 Offers both pre and post authentication redirects of the user’s browser,

providing maximum flexibility in service branding

Introduction 11

AG 5000

Transparent Connectivity

Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider. In fact, most users are reluctant to make changes to their computer’s network settings and won’t even bother. This fact alone has prevented the widespread deployment of broadband network services.

Our patented Dynamic Address Translation™ (DAT) functionality offers a true “plug and play” solution by enabling a seamless and transparent experience and the tools to acquire new customers on-site.

DAT greatly reduces provisioning and technical support costs and enables providers to deliver an easy to use, customer-friendly service.

Billing Enablement

The AG 5000 supports billing plans using credit cards, scratch cards, monthly subscriptions, or direct billing to a hotel’s Property Management System (PMS) and can base the billable event on a number of different parameters such as time, volume, IP address type, or bandwidth.

12 Introduction

AG 5000

Access Control and Authentication

The AG 5000 ensures that all traffic to the Internet is blocked until authentication has been completed, creating an additional level of security in the network. Also, allows service providers to create their own unique “walled garden,” enabling users to access only certain predetermined Web sites before they have been authenticated.

Nomadix simultaneously supports the secure browser-based Universal Access Method (UAM), IEEE 802.1x, and Smart Clients for companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass.

Security

The patent-pending iNAT™ (Intelligent Network Address Translation) feature creates an intelligent mapping of IP Addresses and their associated VPN tunnels—by far the most reliable multi-session VPN passthrough to be tested against diverse VPN termination servers from companies such as Cisco, Checkpoint, Nortel and Microsoft. Nomadix’ iNAT feature allows multiple tunnels to be established to the same VPN server, creating a seamless connection for all users on the network.

The AG 5000 provides fine-grain management of DoS (Denial of Service) attacks through its Session Rate Limiting (SRL) feature, and MAC filtering for improved network reliability.

5-Step Service Branding

A network enabled with the Nomadix AG 5000 (or any other Nomadix Access Gateway) offers a 5-Step service branding methodology for service providers and their partners, comprising:

1. Initial Flash Page branding.

2. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to

redirect the user to a venue-specific Welcome and Login page.

3. Home Page Redirect (Post-Authentication). This redirect page can be

tailored to the individual user (as part of the RADIUS Reply message, the URL is received by the NSE) or set to re-display itself at freely configurable intervals.

4. The Information and Control Console (ICC) contains multiple opportunities

for an operator to display its branding or the branding of partners during the user’s session. As an alternative to the ICC, a simple pop-up window provides the opportunity to display a single logo.

5. The “Goodbye” page is a post-session page that can be defined either as a

RADIUS VSA or be driven by the Internal Web Server (IWS) in the NSE. Using the IWS option means that this functionality is also available for other post-paid billing mechanisms (for example, post-paid PMS).

Introduction 13

NSE Core Functionality

Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy Wi-Fi Public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi Public access network.

The NSE’s core package of features includes:

 Access Control  Bandwidth Management  Bridge Mode  Command Line Interface  Dynamic Address Translation™  Dynamic Transparent Proxy  End User Licensee Count  External Web Server Mode  Home Page Redirect  iNAT™  Information and Control Console  Internal Web Server  International Language Support  IP Upsell  Logout Pop-Up Window  MAC Filtering  Multi-Level Administration Support  NTP Support  Portal Page Redirect  Port Mapping  RADIUS Client  RADIUS-driven Auto Configuration  RADIUS Proxy  Remember Me and RADIUS Re-Authentication  Secure Management  Secure Socket Layer (SSL)  Secure XML API  Session Rate Limiting (SRL)  Session Termination Redirect  Smart Client Support  SNMP Nomadix Private MIB  Tri-Mode Authentication  URL Filtering  Walled Garden  Web Management Interface

AG 5000

14 Introduction

AG 5000

Access Control

For IP-based access control, the NSE incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only if a match is made with the master list contained within the NSE. If a match is not made, the login is denied, even if a correct login name and password are supplied.

The access control list supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses.

The NSE also offers access control based on the interface being used. This feature allows administrators to block access from Telnet, Web Management, and FTP sources.

Bandwidth Management

The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically on a per device (MAC address / User) basis, and manages the WAN Link traffic to provide complete bandwidth management over the entire network. You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth.

With the Nomadix Information and Control Console (ICC) feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service (see graphic).

Bandwidth selection (pull down)

Information and Control Console (ICC)

Introduction 15

AG 5000

Bridge Mode

This feature allows complete and unconditional access to devices. When Bridge Mode is enabled, your NSE-powered product is effectively transparent to the network in which it is located.

The NSE forwards any and all packets (except those addressed to the NSE network interface). The packets are unmodified and can be forwarded in both directions. The Bridge Mode function is a very useful feature when troubleshooting your entire network as it allows administrators to effectively “remove” your product from the network without physically disconnecting the unit.

Command Line Interface

The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.

See also:

 “The Management Interfaces (CLI and Web)” on page 40.

Dynamic Address Translation™

Dynamic Address Translation (DAT) enables transparent broadband network connectivity, covering all types of IP configurations (static IP, DHCP, DNS), regardless of the platform or the operating system used—ensuring that everyone gets access to the network without the need for changes to their computer’s configuration settings or client-side software. The NSE supports both PPTP and IPSec VPNs in a manner that is transparent to the user and that provides a more secure standard connection. See also, “Transparent Connectivity” on page 12.

Dynamic Transparent Proxy

The NSE directs all HTTP and HTTPS proxy requests through an internal proxy which is transparent to subscribers (no need for users to perform any reconfiguration tasks). Uniquely, the NSE also supports clients that dynamically change their browser status from non-proxy to proxy, or vice versa. In addition, the NSE supports proxy ports 80, 800-900, 911 and 990 as well as all unassigned ports (for example, ports above 1024), thus ensuring far fewer proxy related support calls than competitive products.

End User Licensee Count

16 Introduction

AG 5000

The NSE supports a range of simultaneous user counts depending on the Nomadix Access Gateway you choose. In addition, various user count upgrades are available for each of our NSE-powered products that allow you to increase the simultaneous user count.

External Web Server Mode

The External Web Server (EWS) interface is for customers who want to develop and use their own content. It allows you to create a “richer” environment than is possible with your product’s embedded Internal Web Server.

The advantages of using an External Web Server are:

 Manage frequently changing content from one location.  Serve different pages depending on site, sub-location (for example, VLAN),

and user.

 Take advantage of the comprehensive Nomadix XML API to implement

more complex billing plans.

 Recycle existing Web page content for the centrally hosted portal page.

If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also, “Contact Information” on page 259.

Home Page Redirect

The NSE supports a comprehensive HTTP redirect logic that allows network administrators to define multiple instances to intercept the browser’s request and replace it with freely configurable URLs.

Portal page redirect enables redirection to a portal page process. This means that anyone will get redirected to a Web page to establish an account, select a service plan, and pay for access. Home Page redirect enables redirection to a page

after the authentication process (for example, to welcome a

specific user to the service—after the user has been identified by the authentication process. See also, “Portal Page Redirect” on page 21.

before the authentication

Introduction 17

AG 5000

iNAT™

Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many Public access networks.

Nomadix’ patent-pending iNAT™ (intelligent Network Address Translation) feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.

The NSE performs a defined mode of network address translation based on packet type and protocol (for example, GRE, ISAKMP etc.). UDP packet fragmentation is supported to provide more seamless translation engine for certificate-based VPN connections.

If address translation is needed to ensure the success of a specific application (for example, multiple users trying to access the same VPN termination server at the same time), the packet engine selects an IP address from a freely definable pool of publicly routable IP addresses. The same public IP address can be used as a source IP to support concurrent tunnels to different termination devices—offering unmatched efficiency in the utilization of costly public IP addresses. If the protocol type can be supported without the use of a public IP (for example, HTTP, FTP), our proven Dynamic Address Translation™ functionality continues to be used.

Some of the benefits of iNAT™ include:

 Improves the success rate of VPN connectivity by misconfigured users, thus

reducing customer support costs and boosting customer satisfaction.

 Maintains the security benefits of traditional address translation technologies

while enabling secure VPN connections for mobile workers accessing corporate resources from a Public access location.

 Dynamically adjusts the mode of address translation during the user's

session, depending on the packet type.

 Supports users with static private IP addresses (for example, 192.168.x.x) or

public (different subnet) IP addresses without any changes to the client IP settings.

 Dramatically heightens the reusability factor of costly public IP addresses.

18 Introduction

AG 5000

Information and Control Console

The Nomadix Information and Control Console (ICC) is a HTML-based pop-up window that is presented to subscribers with their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time” field to inform subscribers of the time remaining on their account.

Information and Control Console (ICC)

Additionally, the ICC contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session, as well as display advertising banners and present a choice of redirection options to their subscribers.

See also:

 “5-Step Service Branding” on page 13.  “Logout Pop-Up Window” on page 20.  “Information and Control Console (ICC)” on page 211.

Internal Web Server

The NSE offers an embedded Internal Web Server (IWS) to deliver Web pages stored in flash memory. These Web pages are configurable by the system administrator by selecting various parameters to be displayed on the internal pages. When providers or HotSpot owners do not want to develop their own content, the IWS is the answer. A banner at the top of each IWS page is configurable and contains the customer's company logo or any other image file they desire.

To support PDAs and other hand-held devices, the NSE automatically formats the IWS pages to a screen size that is optimal for the particular device being used.

See also:

 “5-Step Service Branding” on page 13.  “International Language Support” on page 20.

Introduction 19

AG 5000

International Language Support

The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use. See also, “Internal Web Server”

on page 19.

The available language options are:

 English  Chinese (Big 5)  French

 German  Japanese (Shift_JIS)  Spanish

 Other, with drop-down menu

IP Upsell

System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the NSE associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs.

The IP Upsell feature solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications.

Logout Pop-Up Window

As an alternative to the Information and Control Console (ICC), the NSE delivers a HTML-based pop-up window with the following functions:

 Provides the opportunity to display a single logo.

 Displays the session’s elapsed/count-down time.  Presents an explicit Logout button.

See also, “Information and Control Console” on page 19.

20 Introduction

AG 5000

MAC Filtering

MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)” on

page 25.

Multi-Level Administration Support

The NSE allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.

Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the AG 5000 platform at any one time.

NTP Support

The NSE supports Network Time Protocol (NTP), an Internet standard protocol that assures accurate synchronization (to the millisecond) of computer clock times in a network of computers. NTP synchronizes the client’s clock to the U.S. Naval Observatory master clocks. Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock.

Portal Page Redirect

The NSE contains a comprehensive HTTP page redirection logic that allows for a page redirect (Home Page Redirect). As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the portal page redirection logic that allows an External Web Server to perform a redirection based on:

 AG 5000 ID and IP Address  Origin Server  Port Location  Subscriber MAC address  Externally hosted RADIUS login failure page

This means that the network administrator can now perform location-specific service branding (for example, an airport lounge) from a centralized Web server.

before (Portal Page Redirect) and/or after the authentication process

See also, “Home Page Redirect” on page 17.

Introduction 21

AG 5000

Port Mapping

This feature allows the network administrator to setup a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and misconfigured) and port number on the subscriber side of the NSE. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the NSE without setting them up with Public IP addresses.

RADIUS-driven Auto Configuration

Nomadix’ unique RADIUS-driven Auto Configuration functionality utilizes the existing infrastructure of a mobile operator to provide an effortless and rapid method for configuring devices for fast network roll-outs. Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network.

Two subsequent events drive the automatic configuration of Nomadix devices:

1. A flow of RADIUS Authentication Request and Reply messages between

the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status) are downloaded from an FTP server into the flash of the Nomadix device.

2. Defines the automated login into the centralized FTP server and the actual

download process into the flash.

Optionally, the RADIUS authentication process and FTP download can be secured by sending the traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also, “Secure

Management” on page 23.

RADIUS Client

Nomadix offers an integrated RADIUS (Remote Authentication Dial-In User Service) client with the NSE allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user. When a customer connects into the network, the RADIUS client authenticates the customer with the RADIUS server, applies associated attributes stored in that customer's profile, and logs their activity (including bytes transferred, connect time, etc.). The NSE's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee. See also, “RADIUS Proxy” on page 23.

22 Introduction

AG 5000

RADIUS Proxy

The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to:

 Support a wholesale WISP model directly from the edge without the need

for any centralized AAA proxy infrastructure.

 Support EAP authenticators (for example, WLAN APs) on the subscriber-

side of the NSE to transparently proxy all EAP types (TLS, SIM, etc.) and to allow for the distribution of per-session keys to EAP authenticators and supplicants.

Complementing the RADIUS Proxy functionality is the ability to route RADIUS messages depending on the Network Access Identifier (NAI). Both prefix-based (for example, ISP/username@ISP.net) and suffix-based (username@ISP.net) NAI routing mechanisms are supported. Together, the RADIUS Proxy and NAI Routing further support the deployment of the Wholesale Wi-Fi™ model allowing multiple providers to service one location. See also, “RADIUS Client” on page 22.

Remember Me and RADIUS Re-Authentication

The NSE’s Internal Web Server (IWS) stores encrypted login cookies in the browser to remember logins, using Usernames and Passwords between Access Points. This “Remember Me” functionality creates a more efficient and better user experience in wireless networks.

The RADIUS Re-Authentication buffer has been expanded to 720 hours, allowing an even more seamless and transparent connection experience for repeat users.

Secure Management

There are many different ways to configure, manage and monitor the performance and up-time of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish network management objectives. And within those objectives is the requirement to provide the highest level of security possible.

While several network protocols have evolved that offer some level of security and data encryption, the preferred method for attaining maximum security across all network devices is to establish an IPSec tunnel between the NOC (Network Operations Center) and the edge device (early VPN protocols such as PPTP have been widely discredited as a secure tunneling method).

Introduction 23

AG 5000

As part of Nomadix’ commitment to provide outstanding carrier-class network management capabilities to its family of public access gateways, we offer secure management through the NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. See also, “Enabling Secure Management {VPN Tunnel}” on page 117.

Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it:

1. Establishing an IPSec tunnel to a centralized IPSec termination server (for

example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).

2. The exchange of management traffic, either originating at the NOC or from

the edge device through the IPSec tunnel. Alternatively, AAA data such as RADIUS Authentication and Accounting traffic can be sent through the IPSec tunnel. See also, “RADIUS-driven Auto Configuration” on page 22.

The advantage of using IPSec is that all types of management traffic are supported, including the following typical examples:

 ICMP - PING from NOC to edge devices  Telnet - Telnet from NOC to edge devices  Web Management - HTTP access from NOC to edge devices

 SNMP

 SNMP GET from NOC to subscriber-side device (for example, AP)  SNMP SET from NOC to subscriber-side device (for example, AP)  SNMP Trap from subscriber-side device (for example, AP) to NOC

Secure Socket Layer (SSL)

This feature allows for the creation of an end-to-end encrypted link between your NSE-powered product and wireless clients by enabling the Internal Web Server (IWS) to display pages under a secure link—important when transmitting AAA information in a wireless network when using RADIUS.

SSL requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix.

24 Introduction

AG 5000

Secure XML API

XML (eXtensible Markup Language) is used by the subscriber management module for user administration. The XML interface allows the NSE to accept and process XML commands from an external source. XML commands are sent over the network to your NSE-powered product which executes the commands, and returns data to the system that initiated the command request. XML enables solution providers to customize and enhance their product installations.

This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.



If you plan to implement XML for external billing, please contact technical support for the XML specification of your product. Refer to

“Contact Information” on page 259.

Session Rate Limiting (SRL)

Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number sessions any one user can take over a given time period and, if necessary, then block malicious users.

Session Termination Redirect

Once connected to the Public access network, the NSE will automatically direct the customer to a Web site for local or personalized services, or to establish an account and pay for services through its Home Page Redirect functionality. In addition, the NSE also provides pre and post authentication redirects as well as one at session termination. See also, “Home Page Redirect” on page 17.

Smart Client Support

The NSE supports authentication mechanisms used by Smart Clients by companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass.

Introduction 25

AG 5000

SNMP Nomadix Private MIB

Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock).

To take advantage of the functionality provided with Nomadix’ private MIB (Management Information Base), simply import the

nomadix.mib file from the

Accessories CD (supplied with the product) to view and manage SNMP objects on your product.

See also:

 “Using an SNMP Manager” on page 58

 “Installing the Nomadix Private MIB” on page 56.

Tri-Mode Authentication

The NSE enables multiple authentication models providing the maximum amount of flexibility to the end user and to the operator by supporting any type of client entering their network and any type of business relationship on the back end. For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients.

See also:

 “Access Control and Authentication” on page 13.

 “Smart Client Support” on page 25.

URL Filtering

The NSE can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods:

1. Host IP address (for example, 1.2.3.4).

2. Host DNS name (for example, www.yahoo.com).

3. DNS domain name (for example, *.yahoo.com, meaning all sites under the

yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.).

The system administrator can dynamically add or remove up to 300 specific IP addresses and domain names to be filtered for each property.

26 Introduction

AG 5000

Walled Garden

The NSE provides up to 300 IP passthrough addresses (and/or DNS entries), allowing you to create a “Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing.

Web Management Interface

Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)” on page 58.

Introduction 27

Optional NSE Modules

Hospitality Module

The optional Hospitality Module provides the widest range of Property Management System (PMS) interfaces to enable in-room guest billing for HSIA (High Speed Internet Access) service. This module also includes 2-Way PMS interface capability for in-room billing in a Wi-Fi enabled network. In addition, the Hospitality Module includes the Bill Mirror functionality for posting of billing records to multiple sources. With this module, the NSE also supports billing over a TCP/IP connection to select PMS interfaces.

PMS Integration

AG 5000

 

By integrating with a hotel’s PMS, your NSE-powered product can post charges for Internet access directly to a guest’s hotel bill. In this case, the guest is billed only once. The NSE outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. Nomadix’ Access Gateways are equipped with a dedicated PMS port to facilitate connectivity with a customer’s Property Management System.

Billing Records Mirroring



NSE-powered devices can send copies of credit card (and optionally, PMS) billing records to external servers that have been previously defined by system administrators. The NSE assumes control of billing transmissions and the saving of billing records. By effectively “mirroring” the billing data, the NSE can send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are not responding, the NSE can store up to 2,000 billing records. The NSE regularly attempts to connect with the primary and secondary severs. When a connection is re-established (with either server), the NSE sends the cached information to the server. Customers can be confident that their billing information is secure and that no transaction records are lost.

Your product license may not support this feature.

Some Property Management Systems may require you to obtain a license before integrating the PMS with the AG 5000. Check with the PMS vendor.

Your product license may not support this feature.

28 Introduction

AG 5000

Credit Card Module



The optional Credit Card Module provides a secure interface over SSL to enable billing via a credit card for HSIA. This module also includes the Bill Mirror functionality for posting of billing records to multiple sources.

See also:

 “Secure Socket Layer (SSL)” on page 24.  “Billing Records Mirroring” on page 28.

Your product license may not support this feature.

Wholesale Roaming Module



The optional Wholesale Roaming Module provides advanced NAI (Network Access Identifier) routing capabilities, enabling multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner.

Your product license may not support this feature.

High Availability Module



The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality. This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.

Introduction 29

Your product license may not support this feature.

Optional Standalone Applications

The following supplemental applications—delivered on a separate CD-ROM—are available from Nomadix:

Meeting Room Scheduler (MRS)

If you have purchased the NSE’s optional Hospitality Module, our Meeting Room Scheduler (MRS) application can further enhance your product’s integration into the hospitality environment. The MRS allows hotel desk clerks to schedule and reserve conference rooms on behalf of their hotel guests and generate the necessary invoices in advance. Hotel desk clerks can now effectively schedule meetings and collect payments directly.

AG 5000

30 Introduction

AG 5000

Network Architecture (Sample)

The AG 5000 can be deployed effectively in a variety of wireless and wired broadband environments where there are many users—usually mobile—who need high speed access to the Internet.

The following example shows a potential Hospitality application:

Phone

Laptop

DSL Modem

PMS

DSLAM

PBX

AG 5000

Introduction 31

Router

Product Specifications

PERFORMANCE

User Support:

Up to 2,000 users concurrently

Throughput:

97Mbits/s*

*As defined by RFC1242, Section 3.17

MOUNTING

1U rack space in a 19” rack

PERATING VOLTAGE

100 – 250 VAC, 47/63Hz, Auto Sensing

OWER CONSUMPTION

44 watts

AG 5000

Specifications

NVIRONMENTAL

Operating temperature: 5°C to 40° C Storage temperature: 0°C to 70° C Operating humidity: 20 - 90% RH non-condensing Storage humidity: 5 - 95% RH Altitude: Up to 15,000ft

OMPLIANCE

FCC Class B, Part 15 CE Mark CENELEC EN 55022:1998 Class B CENELEC EN 60950 UL Std. 1950 CSA22.2 No. 950

NTERFACES

3 x 10/100 Mbps Ethernet (RJ-45) 1 x DB9 serial (for serial management and PMS interface)

32 Introduction

AG 5000

LED INDICATORS

ACT/LINK and 10/100 for each Ethernet port Power

ETWORK MANAGEMENT

Multi-Level Administration Controls Integrated VPN Client (IPSec) for secure connection to an NOC Access Control Lists Web Administration UI CLI via Telnet and Serial Port SNMPv2c Secure XML API Auto Configuration and Upgrades Syslog/AAA log

Specifications

Introduction 33

Online Help (WebHelp)

The AG 5000 incorporates an online Help system called “WebHelp” which is accessible through the Web Management Interface (when a remote Internet connection is established following a successful installation). WebHelp can be viewed on any platform (for example, Windows, Macintosh, or UNIX-based platforms) using either Internet Explorer or Netscape Navigator (see note).

AG 5000



WebHelp is useful when you have an Internet connection to the AG 5000 and you want to access information quickly and efficiently. It contains all the information you will find in this User’s Guide.

For more information about WebHelp and other online documentation resources, go to “Online Documentation and Help” on page 43.

WebHelp is best viewed using Internet Explorer, version 4.0 or higher.

Notes, Cautions, and Warnings

The following symbols are used throughout this User’s Guide:





This symbol is used for general notes and additional information that may be useful to you.

This symbol is used for cautions and warnings. Cautions and warnings provide important information to eliminate the risk of a system malfunction or possible damage.

34 Introduction

AG 5000

Installing the AG 5000

This chapter provides installation instructions for the hardware and software components of the AG 5000. It also includes an overview of the management interface, some helpful hints for system administrators, and procedures for the following tasks:

 Powering up the system.

 Logging in to the management interface.

 Establishing the AG 5000’s start up configuration.

 Logging out and powering down the system.

 Connecting the AG 5000 to the customer’s network.

 Establishing the basic configuration for subscribers.

 Archiving your configuration settings.

 Installing the Nomadix Private MIB.



Once you have installed your AG 5000 and established the configuration settings, you should write the settings to an archive file. If you ever experience problems with the system, your archived settings can be restored at any time. See “Archiving Your Configuration

Settings” on page 55.

Nomadix AG 5000

Installing the AG 5000 35

Unpacking the AG 5000

When you unpack the AG 5000, you will find the following items in the carton:

Item Qty

AG 5000 module 1

Cable – power cord (US or European) 1

Cable – serial, DB9 female to DB9 female (6ft length) Null Modem (NM) 1

Cable – CATS5, standard (7 ft. length) 1

Cable – CATS5, crossover (7 ft. length) 1

Screw 10-32 X 1/2 PH with internal washer 4

Screw 4-40 5/16” flathead 100 deg 8

Plastic bumper feet 4

AG 5000

Universal mounting bracket 2

Quick Start Guide 1

“Accessories” CD-ROM (containing this User’s Guide, README file, NOMADIX Enterprise MIB file, and any other useful accessories).

Customer letter 1

End User License Agreement (EULA) 1

Packing materials (polystyrene end caps) 2

36 Installing the AG 5000

AG 5000

Installation Workflow

The following flowchart illustrates the steps that are required to install and configure your AG 5000 successfully. Review the installation workflow before attempting to install the AG 5000 on the customer’s network.

Place the AG 5000 on a flat and stable work surface and connect the power cord.

Connect the AG 5000 to a “live” network. Use the DB9 serial cable (6 ft.

length) between the AG 5000’s serial port and your computer.

Power up your computer and turn on the AG 5000.

Start a HyperTerminal session to communicate with the AG 5000 via the serial port.

When prompted, configure your AG 5000’s IP, DNS, and Location

settings. The AG 5000 will then prompt you to reboot the system.

When prompted, accept to the Nomadix End User License Agreement (EULA). You must accept the EULA before the AG 5000 can connect with the Nomadix License Key Server.

When the key is successfully received from the server, your AG 5000 will reboot. You can

now power down and connect the AG 5000 to the customer’s network.

Network

Connect the AG 5000 to the customer’s network.

Power up the AG 5000 and log in via a Telnet session or the Web Management Interface.

Set the basic configuration parameters for subscribers.

The AG 5000 is now ready for administrators to add, delete,

or change unique subscriber profiles.

Export your configuration settings to an archive file.

Installing the AG 5000 37

Powering Up the System

Use this procedure to establish a direct cable connection between the AG 5000 and your laptop computer, and to power up the system.

1. Place the AG 5000 on a flat and stable work surface.

2. Connect the power cord.

3. Connect the DB9 serial cable between the AG 5000’s “serial port” and your

computer.

4. Turn on your computer and allow it to boot up.

5. Turn on the AG 5000.

AG 5000

38 Installing the AG 5000

connect the serial cable here

AG 5000

Logging In to the Command Line Interface

Use this procedure to initialize the system and log in to the AG 5000’s Command Line Interface (CLI). The character-based CLI is used at initial start-up.

1. Start a HyperTerminal™ session to connect to the AG 5000. Use the following

HyperTerminal settings:

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None

2. When connected to the AG 5000, a login prompt appears on your screen.

The default login user name is “admin.” The password is “admin.” Login names and passwords are case-sensitive.

3. Enter admin when prompted for a user name and password. The AG 5000 Menu

appears when you have logged in to the AG 5000’s management interface successfully. If this is an initial installation which requires the AG 5000 to receive a license key from the Nomadix License Key Server, you must accept the Nomadix End User License Agreement (EULA).

Installing the AG 5000 39

The Management Interfaces (CLI and Web)

AG 5000



Until the unit is installed on the customer’s network and a remote connection is established, the CLI is the administrator’s window to the system. This is where you establish all the AG 5000 start-up configuration parameters, depending on the customer’s network architecture.

The AG 5000 Menu is your starting point. From here, you access all the system administration items from the 5 (five) primary menus available “configuration,” “network info,” “port-location,” “subscribers,” and “system.” The AG 5000 Menu also includes a “logout” option for logging out of the system.



The AG 5000 supports various methods for managing the system remotely. These include, an embedded graphical Web Management Interface (WMI), an SNMP client, or Telnet. However, until the unit is installed and running, system management is performed from the AG 5000’s embedded CLI via a direct serial cable connection. The CLI can also be accessed remotely.

Although the basic functional elements are the same, the CLI and the WMI have some minor content and organizational differences. For example, in the WMI the “subscribers” menu is divided into “Subscriber Administration” and “Subscriber Interface.” See also,

“Menu Organization (Web Management Interface)” on page 41.

Making Menu Selections and Inputting Data with the CLI

The CLI is character-based. It recognizes the fewest unique characters it needs to correctly identify an entry. For example, in the AG 5000 Menu you need only enter to access the Configuration menu, but you must enter menu and

You may also do any of the following:

When using the CLI, if a procedure asks you to “enter sn,” this means you must type

sn and press the Enter key. The system does not accept data or commands until you

hit the Enter key.

40 Installing the AG 5000

sy to access the System menu (because they both start with the letter “s”).

 Enter b (back) or press Esc (escape) to return to a previous menu.  Press Esc to abort an action at any time.

 Press Enter to redisplay the current menu.  Press ? at any time to access the CLI’s Help screen.

su to access the Subscribers

AG 5000

Menu Organization (Web Management Interface)

When you have successfully installed and configured the AG 5000 from the CLI, you can then access the AG 5000 from its embedded Web Management Interface (WMI). The WMI is easier to use (point and click) and includes some items not found in the CLI. You can use either interface, depending on your preference.

The following “composite” screen shows how the AG 5000’s WMI menus (folders) are organized (shown here side-by-side for clarity and space). The menu items listed here are for a fully featured AG 5000 (with all optional modules included). See also,

“About Your Product License” on page 59.

Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages.

Installing the AG 5000 41

AG 5000

Inputting Data – Maximum Character Lengths

The following table details the maximum allowable character lengths when inputting data:

Data Field Max. Characters

All Messages (billing options) 72

All Messages (subscriber error messages) 72

All Messages (subscriber login UI) 72

All Messages (subscriber “other” messages) 72

Description of Service (billing options Plan) 140

Home Page URL 237

Host Name and Domain Name (DNS settings) 64

IP / DNS Name (passthrough addresses) 237

Label (billing options plan) 16

Location settings (all fields) 99

Partner Image File Name 12

Password (adding subscriber profiles) 128

Port Description (finding ports by description) 63

Redirection Frequency (in minutes) 2,147,483,647

(recommend 3600)

Reservation Number 24

Username (adding subscriber profiles) 96

Valid SSL Certificate DNS Name 64

42 Installing the AG 5000

AG 5000

Online Documentation and Help

The Web Management Interface (WMI) incorporates an online help system which is accessible from the main window.

Click here to access the online Help system

Other online documentation resources, available from our corporate Web site (www.nomadix.com), include a full PDF version of this User’s Guide (viewable with Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases. The PDF version of this User’s Guide and associated README files are also available on the “Accessories” CD-ROM supplied with your AG 5000.

Quick Reference Guide

This manual contains a “Quick Reference Guide” on page 213 which provides information to help you navigate and use the management interfaces (CLI and Web) quickly and efficiently. It also contains the product specifications, a listing of the factory default settings, sample log reports, listings of commands (by menu and alphabetical), HyperTerminal settings, and some common keyboard shortcuts.

Installing the AG 5000 43

Establishing the Start Up Configuration

The CLI allows you to administer the AG 5000’s start-up configuration settings.

AG 5000



When establishing the start-up configuration for a new installation, you are connected to the AG 5000 via a direct serial connection (you do not have remote access capability because the AG 5000 is not yet configured or connected to a network). Once the installation is complete (see “Installation Workflow” on page 37) and the system is successfully configured, you will have the additional options of managing the AG 5000 remotely from the system’s Web Management Interface, an SNMP client manager of your choice, or a simple Telnet interface.

The start up configuration must be established before connecting the AG 5000 to a customer’s network. The “start up” configuration settings include:

 Assigning a Login Name and Password – You must assign a unique login

user name and password that enables you to administer and manage the AG 5000 securely.



 Setting the SNMP Parameters – The SNMP (Simple Network

User names and passwords are case-sensitive.

Management Protocol) parameters must be established before you can use an SNMP client (for example, HP OpenView) to manage and monitor the AG 5000 remotely.

 Enabling the Logging Options – Servers must be assigned and set up if you

want to create system and AAA (billing) log files, and retrieve error messages generated by the AG 5000.

 Assigning the Network Interface IP Address – This is the public IP

address that allows administrators and subscribers to see the AG 5000 on the network. Use this address when you need to make a network connection with the AG 5000.

 Assigning the Subscriber Interface IP Address – This is the IP address

that subscribers will see on the private side of the AG 5000.

 Assigning the Subnet Mask – The subnet mask defines the number of IP

addresses that are available on the routed subnet where the AG 5000 is located.

 Assigning the Default Gateway IP Address – This is the IP address of the

router that the AG 5000 uses to transmit data to the Internet.

44 Installing the AG 5000

AG 5000

Assigning Login User Names and Passwords

When you initially powered up the AG 5000 and logged in to the Management Interface, the default login user name and password you used was “admin.” The AG 5000 allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only. Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings. When Administration Concurrency is enabled, one manager and three operators can access the AG 5000 at any one time (the default setting for this feature is “disabled”).

1. Enter sy (system) at the AG 5000 Menu.

The System menu appears.

2. Enter lo (login).

The system prompts you for the current login. If this is the first time you are changing the login parameters since initializing the AG 5000, the default login name and password is “admin.”



The system accepts up to 11 characters (any character type) for user names and passwords. All user names and passwords are casesensitive.

3. When prompted, confirm the current login parameters and enter new ones.

SAMPLE SCREEN RESPONSE

System>lo

Enable/Disable Administration Concurrency [disabled ]: e

Current login: admin Current password: *****

Enter new manager login: newmgr Enter new password: ******* Retype new password: *******

The administrative login and password were changed

Enter new operator login: newop Enter new operator password: ***** Retype new operator password: *****

The operator login and password were changed

You must use the new login user name(s) and password(s) to access the system.

Installing the AG 5000 45

AG 5000

Setting the SNMP Parameters (optional)

You can address the AG 5000 using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol that regulates network management over the Internet. To do this, you must set up the SNMP communities and identifiers. For more information about SNMP, see “Using an SNMP Manager” on page 58.



1. Enter c (configuration) at the AG 5000 Menu. The Configuration menu appears.

2. Enter sn (snmp).

3. Enable the SNMP daemon, as required. The system displays any existing SNMP

If you want to use SNMP, you must manually turn on SNMP.

contact information and prompts you to enter new information. If this is the first time you have initialized the SNMP command since removing the AG 5000 from its box, the system has no information to display (there are no defaults).

4. Enter the SNMP parameters (communities and identifiers). The SNMP

parameters include your contact information, the get/set communities, and the IP address of the trap recipient. Your SNMP manager needs this information to enable network management over the Internet.

5. If you enabled the SNMP daemon, you must reboot the system for your changes

to take effect. In this case, enter

SAMPLE SCREEN RESPONSE

Configuration>sn

Enable the SNMP Daemon? [Yes]: Enter new system contact: newname@domainname.com [Nomadix, Westlake Village, CA] Enter new system location: Office, Westlake Village, CA Enter read/get community [public ]: Enter write/set community [private ]: Enter IP of trap recipient [0.0.0.0 ]: 10.11.12.13

y (yes) to reboot your AG 5000.

SNMP Daemon Enabled System contact newname@domainname.com System location Office, Westlake Village, CA Get (read) community public Set (write) community private Trap recipient 10.11.12.13

Reboot to enable new changes? [yes/no] y

Rebooting ...

You can now address the AG 5000 using an SNMP client manager.

46 Installing the AG 5000

AG 5000

Enabling the Logging Options (recommended)

System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authentication, Authorization, and Accounting) functions. You can enable either of these options.



Although the AAA and billing logs can go to the same server, we recommend that they have their own unique server ID number assigned (between 0 and 7). When managing multiple properties, the properties are identified in the log files by their IP addresses.

When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 5000 to the specified server.

1. Enter log (logging) at the Configuration menu.

The system displays the current logging status (enabled or disabled).

2. Enable or disable the system and/or AAA logging options, as required.

If you enable either option, go to Step 3, otherwise logging is disabled and you can terminate this procedure.

3. Assign a valid ID number (0-7) to each server.

4. Enter the IP addresses to identify the location of the system and AAA SYSLOG

servers on the network (the default for both is 0.0.0.0).

When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to “Sample SYSLOG Report” on

page 229 and “Sample AAA Log” on page 228.

SAMPLE SCREEN RESPONSE

Configuration>log

Enable/disable system logging [disabled ]: enable Enter system SYSLOG number (0-7) [0 ]: 1 Enter system SYSLOG server IP [0.0.0.0 ]: 8.9.10.11 Enable/disable AAA logging [disabled ]: enable Enter AAA SYSLOG number (0-7) [0 ]: 2 Enter AAA SYSLOG server IP [0.0.0.0 ]: 9.10.11.12

System logging Enabled System SYSLOG number 1 System SYSLOG server IP 8.9.10.11

AAA logging Enabled AAA SYSLOG number 2 AAA SYSLOG server IP 9.10.11.12

Installing the AG 5000 47

AG 5000

Assigning the Location Information and IP Addresses

The “location” command in the Configuration menu establishes the AG 5000’s location settings, the network interface IP address, the subscriber interface IP address, the subnet mask, and the default gateway IP address. All of these AG 5000 “location” parameters must be set up as part of the system’s start up configuration (otherwise the AG 5000 will not be “visible” on the network).

1. Enter c (configuration) at the AG 5000 Menu.

The Configuration menu appears.

2. Enter loc (set Location options).

The system displays the Company Name. If the name displayed is not correct (or no name is entered), enter it now.

3. When prompted, enter the company’s address (line by line - 6 lines).

4. When prompted, enter a valid email address for this company.

The system now displays the current network interface IP address (the default address is 10.0.0.10) and prompts you for a valid address. The network interface IP address is the public IP address that allows administrators to see the AG 5000 on the network. Use this address when you need to make a network connection with the AG 5000.



5. When prompted, enter a valid network interface IP address.

After assigning the network interface IP address, the system displays the current subscriber interface IP address (the default is 10.0.0.11). The IP addresses from subscribers that are on a subnet different from the AG 5000 (for example, misconfigured) are translated by Nomadix’ Dynamic Address Translation (DAT) patented technology to the

6. Enter a valid subscriber interface IP address.

After assigning the subscriber interface IP address, the system displays the current subnet mask (the default mask is 255.255.255.0). The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG 5000 is located.



The network interface and subscriber interface addresses must be on the same subnet.

Subscriber IP Address.

The subscriber interface acts as a multifunctional “translator.” For example, if a subscriber’s computer is setup statically for a network with a gateway address of 10.1.1.1, the AG 5000 emulates the gateway to accommodate this subscriber while emulating other gateways to accommodate other subscribers.

48 Installing the AG 5000

AG 5000

7. Enter a valid subnet mask.

After assigning the subnet mask, the system displays the current default gateway IP address (the factory default is 10.0.0.1). This is the IP address of the router that the AG 5000 uses to transmit data to the Internet.

8. Enter a valid default gateway IP address.

9. After establishing all “Location” settings, you must reboot the AG 5000 for your

changes to take effect.

SAMPLE SCREEN RESPONSE

Configuration>loc

Please enter your company name [companyname ]: newname Please enter your address<Line 1> [line1address ]: newline1

<Line 2> [line2address ]: newline2

<City> [city ]: newcity

<State> [state ]: newstate

<Zip> [zip ]: newzip

<Country> [country ]: newcountry

Please enter your email address [em@em.com ]: newmail@email.com

Enter network interface IP [10.0.0.10 ]: 192.168.0.2 Enter subscriber interface IP [10.0.0.11 ]: 192.168.0.3 Enter subnet mask [255.255.255.0 ]: 255.255.255.192 Enter default gateway IP [10.0.0.1 ]: 192.168.0.1

The system must be reset to function properly. Reboot? [yes/no]: y

Company Name: newname Address: newline1

newline2 newcity newstate newzip newcountry

Email: newmail@email.com

Network interface IP 192.168.0.2 Subscriber interface IP 192.168.0.3 Subnet mask 255.255.255.192 Default gateway IP 192.168.0.1 Rebooting ...

Installing the AG 5000 49

AG 5000

Your new settings are displayed and the AG 5000 reboots. When the system restarts, the Telnet interface is enabled (based on your new configuration settings which are saved to the AG 5000’s on-board flash memory).



10. Go to “Logging Out and Powering Down the System” on page 50.

The start up configuration is now complete; however, before connecting the AG 5000 to the customer’s network, you must power down the system.

Logging Out and Powering Down the System

Use this procedure to log out and power down the AG 5000.

1. Enter l (logout) at the AG 5000 Menu.

Your serial session closes automatically.

SAMPLE SCREEN RESPONSE

AG 5000>l

Serial session 1 closing

Turn off the AG 5000 and disconnect the power cord.

3. Disconnect the serial cable between the AG 5000 and your computer.

50 Installing the AG 5000

AG 5000

Connecting the AG 5000 to the Customer’s Network

Use this procedure to connect the AG 5000 to the customer’s network (after the start up configuration parameters have been established).

1. Choose an appropriate physical location that allows a minimum clearance of 4cm

either side of the unit (for adequate airflow).

2. Connect the AG 5000 to the router, then connect the AG 5000 to the customer’s

subscriber port.

Rear Panel

Subscribers

3. Connect the power cord and turn on the AG 5000.

4. Go to “Establishing the Basic Configuration for Subscribers” on page 52.

Network

Installing the AG 5000 51

Establishing the Basic Configuration for Subscribers

When you have successfully established the start up configuration and installed the unit onto the customer’s network, connect to the AG 5000 via Telnet. You must now set up the basic configuration parameters for subscribers, including:

 Setting the DHCP Options – DHCP (Dynamic Host Configuration

Protocol) allows you to assign IP addresses automatically (to subscribers who are DHCP enabled). The AG 5000 can “relay” the service through an external DHCP server or it can be configured to act as its own DHCP server.

 Setting the DNS Options – DNS (Domain Name System) allows

subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses). DNS converts the URLs into the correct IP addresses automatically.

Setting the DHCP Options

When a device connects to the network, the DHCP server assigns it a “dynamic” IP address for the duration of the session. Most users have DHCP capability on their computer. To enable this service on the AG 5000, you can either enable the DHCP relay (routed to an external DHCP server IP address), or you can enable the AG 5000 to act as its own DHCP server. In both cases, DHCP functionality is necessary if you want to automatically assign IP addresses to subscribers.

AG 5000



1. Enter c (configuration) at the AG 5000 Menu.

The Configuration menu appears.

2. Enter dh (dhcp).



The AG 5000’s adaptive configuration technology provides Dynamic Address Translation (DAT) functionality. DAT is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access, regardless of their computer’s network settings.

By default, the AG 5000 is configured to act as its own DHCP server and the relay feature is “disabled.”. Please verify that your DHCP Server supports DHCP packets before enabling the relay. Not all devices containing DHCP servers (for example, routers) support DHCP Relay functionality.

52 Installing the AG 5000

AG 5000



When assigning a DHCP Relay Agent IP address for the DHCP Relay, ensure that the IP address you use does not conflict with devices on the network side of the AG 5000.



Although you cannot enable the DHCP relay and the DHCP service at the same time, it is possible to “disable” both functions from the Command Line Interface. In this case, a warning message informs you that no DHCP services are available to subscribers.

3. Follow the on-screen instructions to set up your DHCP options. For example:

SAMPLE SCREEN RESPONSE

Configuration>dh

Enable/Disable IP Upsell [disabled ]: Enable/Disable DHCP Relay [disabled ]: Enable/Disable DHCP Server [enabled ]: Enter external Subnet-based DHCP Service [disabled ]:

IP Upsell Disabled DHCP Relay Disabled External DHCP Server IP 0.0.0.0 DHCP Relay Agent IP 0.0.0.0 DHCP Server Enabled DHCP Server Subnet-based Disabled

Server-IP Server-Netmask Start-IP End-IP Lease Type IPUp

208.11.0.4 255.255.0.0 208.11.0.5 208.11.0.7 20 PRIV NO

10.0.0.4 255.255.255.0 10.0.0.5 10.0.0.250 30 PRIV NO *

* Default IP Pool

DHCP IP Pools Configuration:

0 - Show IP Pools 1 - Add a new IP Pool 2 - Modify an IP Pool 3 - Remove an IP Pool 4 - Exit this menu

Select the DHCP Pool configuration mode [0]:



After setting up your DHCP options, the system must be rebooted for your changes to take effect.

Installing the AG 5000 53

AG 5000

Setting the DNS Options

DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You can assign a primary, secondary, or tertiary (third) DNS server. The AG 5000 utilizes whichever server is currently available.



Use the following procedure to set the DNS configuration options.

1. Enter c (configuration) at the AG 5000 Menu.

The Configuration menu appears.

2. Enter dn (dns) at the Configuration menu.

The system displays the current domain (the default is “nomadix”).

3. Enter a valid domain name (the Internet domain that DNS requests will utilize).

4. Enter the host name (the DNS name of the AG 5000). The host name must not

contain any spaces.

After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is

0.0.0.2).



5. Enter the IP addresses for the DNS servers (located at the customer’s network

operating center where DNS requests are sent).

You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG 5000’s configuration screens.

The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.

54 Installing the AG 5000

AG 5000

6. You must now reboot the system for your settings to take effect. Enter y (yes) to

reboot the AG 5000.

SAMPLE SCREEN RESPONSE

Configuration>dn

Enter domain [domainname ]: newdomainname Enter host name <no spaces> [dnshostname ]: newhostname Enter primary DNS [0.0.0.2 ]: 20.21.22.23 Enter secondary DNS [0.0.0.0 ]: 21.22.23.24 Enter tertiary DNS [0.0.0.0 ]: 22.23.24.25

The system must be reset to function properly. Reboot? [yes/no]: y

Domain newdomainname Host Name newhostname Primary DNS 20.21.22.23 Secondary DNS 21.22.23.24 Tertiary DNS 22.23.24.25 Rebooting ...

The DNS options have been established. DNS will now convert subscriber browser URLs into the correct IP addresses automatically.

Archiving Your Configuration Settings

Refer to the following procedures:

 “Exporting Configuration Settings to the Archive File {Export}” on

page 185.

 “Importing Configuration Settings from the Archive File {Import}” on

page 190.

Installing the AG 5000 55

Installing the Nomadix Private MIB

The Nomadix Private MIB is supplied on the “Accessories” CD-ROM, delivered with your AG 5000. After importing the nomadix.mib file from the CD-ROM you will be able to view and manage SNMP objects on your AG 5000.

Procedure

1. Import the nomadix.mib file into your SNMP client manager.

2. Connect to the AG 5000 from a node on the network that is accessible via the AG

5000’s network port (Internet, LAN, etc.). Be sure to enable the SNMP daemon on the AG 5000 (available on the AG 5000’s CLI or Web Management Interface, under the Configuration menu –

3. All variables defined by Nomadix start with the following prefix:

iso.org.dod.internet.private.enterprises.nomadix

4. You should now be able to define queries and set the SNMP values on your AG

5000. If necessary, consult this User’s Guide or your SNMP client manager’s documentation for further details.

snmp).

AG 5000



We recommend that you change the predefined community strings in order to maintain a secure environment for your AG 5000.

56 Installing the AG 5000

AG 5000

System Administration

This chapter provides all the instructions and procedures necessary for system administrators to manage the AG 5000 on the customer’s network (after a successful installation).

The system administration procedures in this chapter are organized as they are listed under their respective Web Management Interface (WMI) menus (Configuration,

Network Info, Port-Location, Subscriber Administration, Subscriber Interface, and System).



Now that the AG 5000 has been installed and configured successfully, this User’s Guide moves away from the Command Line Interface (CLI) and documents the AG 5000 from the Web Management Interface (WMI) viewpoint.

Choosing a Remote Connection

Once installed and configured for the customer’s network, the AG 5000 can be managed and administered remotely with any of the following interface options:

 Embedded Web Management Server – providing a powerful and flexible

Web interface for network administrators.

 SNMP Manager – allowing remote “Windows” management using an

SNMP client manager (for example, HP OpenView). However, before you can use SNMP to access the AG 5000, you must set up the appropriate SNMP communities. For more information, refer to “Managing the SNMP

Communities {SNMP}” on page 111.

 Telnet Client – for “character-based” administration and management,

using the Command Line Interface (CLI).



Choose an interface connection, based on your preference.

System Administration 57

To use any of the remote connections (Web, SNMP, or Telnet), the network interface IP address for the AG 5000 must be established (you did this during the installation process).

AG 5000

Using the Web Management Interface (WMI)

The Web Management Interface (WMI) is a “graphical” version of the Command Line Interface, comprised of HTML files. The HTML files are embedded in the AG 5000 and are dynamically linked to the system’s functional command sets. You can

access the WMI from any Web browser.



Your browser preferences or Internet options should be set to compare loaded pages with cached pages.

To connect to the Web Management Interface, do the following:

1. Establish a connection to the Internet.

2. Open your Web browser.

3. Enter the network interface IP address of the AG 5000 (set up during the

installation process).

4. Log in as usual (supplying your user name and password).

To access any menu item from the WMI, simply click on the item you want. The corresponding work screen then appears in the right side frame. From here you can control the features and settings related to your selection. Although the appearance is very different from the Command Line Interface, the information displayed to you is basically the same. The only difference between the two interfaces is in the method used for making selections and applying your changes (selections are checkable boxes, and applying your changes is achieved by pressing the Pressing the

Reset button resets the screen to its previous state (clearing all your

Submit button).

changes without applying them).

Using an SNMP Manager

Once the SNMP communities are established, you can connect to the AG 5000 via the Internet using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol used in the Network Management (NM) system. This system contains two primary elements:

 Manager – The console (client) through which system administrators

perform network management functions.

 Agent – An SNMP-compliant device which stores data about itself in a

Management Information Base (MIB). The AG 5000 is an example of such a device.

The AG 5000 contains managed objects that directly relate to its current operational state. These objects include hardware configuration parameters and performance statistics.

58 System Administration

AG 5000

Managed objects are arranged into a virtual information database, called a Management Information Base (MIB). SNMP enables managers and agents to communicate with each other for the purpose of accessing these MIBs and retrieving data. See also, “Installing the Nomadix Private MIB” on page 56.

The following example shows a (partial) SNMP screen response.

Using a Telnet Client

There are many Telnet clients that you can use to connect with the AG 5000. Using Telnet provides a simple terminal emulation that allows you to see and interact with the AG 5000’s Command Line Interface (as if you were connected via the serial interface). As with any remote connection, the network interface IP address for the AG 5000 must be established (you did this during the installation process).

Logging In

To access the AG 5000’s Web Management Interface, use the Manager or Operator login user name and password you defined during the installation process (refer to

“Assigning Login User Names and Passwords” on page 45).



User names and passwords are case-sensitive.

About Your Product License

Some features included in this chapter will not be available to you unless you have purchased the appropriate product license from Nomadix. In this case, the following statement will appear either immediately below the section heading or when the feature is mentioned in the body text:

Your product license may not support this feature.

You can upgrade your product license at any time.

System Administration 59

Configuration Menu

Defining the AAA Services {AAA}

This procedure shows you how to set up the AAA (Authentication, Authorization, and Accounting) service options. AAA Services are used by the AG 5000 to authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. The AG 5000 currently supports several AAA models which are discussed in “Subscriber Management” on page 208.

1. From the Web Management Interface, click on Configuration, then AAA.

The Authentication, Authorization, and Accounting Settings screen appears:

AG 5000

60 System Administration

AG 5000

... AAA screen image continued:

2. Enable or disable AAA Services.

If you enable AAA Services, go to Step 3, otherwise this feature is disabled and you can exit the procedure.

3. Enable or disable the XML Interface, as required.

XML (eXtensible Markup Language) is used by the AG 5000’s subscriber management module for port location and user administration. Enabling the XML interface allows the AG 5000 to accept and process XML commands from an external source. XML commands are sent over the network to the AG 5000. The AG 5000 parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.

System Administration 61

AG 5000

4. If you enabled the XML Interface feature, enter the XML IP (server) address.

5. Enable or disable Print Billing Command, as required. If this feature is enabled,

you must enable the XML interface and enter the IP address for the XML interface (Step 3 and Step 4).

6. Enable or disable the AAA Passthrough Port feature, as required.

System administrators can set the AG 5000 to pass-through HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a Search Engine or News site) has been requested, the subscriber is then redirected as usual.

7. If AAA passthrough is enabled, enter the corresponding port number.



8. Enable or disable the 802.1x Authentication Support feature, as required.



9. Enable or disable the Origin Server (OS) parameter encoding for Portal Page

and EWS

10. Select the authorization mode you want to use:

 Internal Web Server

 External Web Server

11. Depending on which authorization mode you choose, go to the following sub-

The port number must be different than 80, 2111, 1111, or 1112.

Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support.

feature, as required.

sections in this procedure:

 Enabling AAA Services with the Internal Web Server – The IWS is

“flashed” into the system’s memory and the subscriber’s login page is served directly from the AG 5000. In this mode, the login page consists of a simple request for the subscriber’s ID (user name) and password.

 Enabling AAA Services with an External Web Server – In the EWS

mode, the AG 5000 redirects the subscriber’s login request to an external server (transparent to the subscriber). The login page served by the EWS reflects the “look and feel” of the solution provider’s network and presents more login options.

62 System Administration

AG 5000

Enabling AAA Services with the Internal Web Server

You are here because you want to enable the AAA Services with the AG 5000’s Internal Web Server. The AG 5000 maintains an internal database of authorized

subscribers, based on their MAC (hardware address) and user name (if enabled). By referring to its database record, also known as an authorization table, the AG 5000 instantly recognizes new subscribers on the network.

You can configure the AG 5000 to handle new subscribers in various ways (see the table on this page). With the IWS, you also have the option of enabling SSL support (if your license includes the SSL support feature and you have the certificate files

server.pem, cakey.pem and cacert.pem on the flash).

After selecting the Internal Web Server authorization mode, you have the option of enabling or disabling the Usernames and New Subscribers features. These features work in conjunction with each other to determine how new subscribers are handled. Refer to the following table:

Usernames

Disabled Enabled Allows new subscribers to enter the system

Enabled

(optional)

Enabled Disabled New subscribers are not allowed. Only

Disabled Disabled You will not use this combination unless you

1. Select the Internal Web Server.

2. Enable or disable the SSL Support feature, as required. If you enable SSL

Support, you must provide a valid

New

Subscribers

without giving a user name and password.

Enabled Allows new subscribers or authentication by

their user name and password.

existing subscribers are allowed after authenticating their user name and password.

want to lock out all subscribers.

Certificate DNS Name.

System Response

For more information about setting up SSL, go to “Setting Up the SSL Feature”

on page 236.

SSL support allows for the creation of an end-to-end encrypted link between the AG 5000 and its clients by enabling the Internal Web Server (IWS) to display pages under a secure link—important when transmitting AAA information in a network.

System Administration 63

AG 5000

Adding SSL support to the AG 5000 requires service providers to obtain digital certificates from VeriSign™ to create HTTPS pages. Instructions for obtaining certificates are provided by Nomadix.



3. If you want to designate a portal page, you must enable the Portal Page feature,

otherwise leave this feature disabled.



4. If you enabled the Portal Page feature, provide the following supporting

information:

 Portal Page URL  Parameter Passing (enabled or disabled)

 Portal XML POST URL  Portal XML Post Port  Support GIS Clients (enabled or disabled—see following note)

 Block IWS Login Page (enabled or disabled)

To enable SSL Support, your AG 5000’s flash must include the server.pem, cakey.pem, and cacert.pem certificate files (the “cacert.pem” file is provided with your AG 5000). For assistance, contact “Technical Support” on page 259.

You must reboot the AG 5000 every time you enable or disable SSL Support.

The Portal Page IP or DNS address are added to the IP passthrough list automatically



5. Enable or disable the Usernames feature, as required (refer to table on page 63).

Some subscribers may want additional account flexibility and security for their services (for example, if they use more than one computer and their MAC address changes, or if they move between port-locations). In this case, a subscriber can define a unique user name and password which they can use from any machine or location (without being re-charged). Subscribers who choose this option are prompted for their user name and password whenever they try to access the Internet. Solution providers can charge a fee for this service.

64 System Administration

GIS stands for Generic Interface Specification, a document written by iPass. Enabling the Smart Client option in the AG 5000 automatically supports all GIS compliant clients using the Internal Web Server. Enabling “Support for GIS Clients” under the Portal Page feature means that the AG 5000 will defer the managment of the GIS clients to the Portal Page server.

AG 5000

6. Enable or disable the New Subscribers feature (refer to table on page 63).



7. If you enabled New Subscribers, enable or disable the Relogin After Timeout

option.

8. You can now enable or disable the Credit Card Service. When this feature is

enabled, subscribers are prompted for their credit card information (for billing purposes). The AG 5000 is configured to use either Authorize.net or Chainfusion (selected from a pull-down menu). You will need to open a merchant account with Authorize.net, Chainfusion or Datacenter (Luxembourg) before this feature can be used.

Please contact Nomadix Technical Support for assistance. Refer to “Contact

Information” on page 259.



9. If you enabled the Credit Card Service, define which service you require

(Authorize.net or Chainfusion) from the pull-down menu.

New Subscribers must be enabled before enabling the Credit Card and PMS options.

All data communications between the AG 5000 and the credit card server are encrypted by the SSL (Secure Sockets Layer) protocol. The AG 5000 never “sees” subscriber credit card numbers. Your product license key must support this feature.



10. If the Credit Card Service is enabled, enter the information for the following

fields:

11. Enable or disable the SIM Compliant feature, as required. With this feature

enabled, you can change the transaction key at your discretion. To change the transaction key, simply enter the key in the re-enter the key in the



System Administration 65

DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG 5000’s configuration screens (for example, the Credit Card Server URL in the following step).

 Credit Card Server URL  Credit Card Server IP  Merchant ID (a valid ID issued by the credit card reconciliation service

provider – Authorize.net or Chainfusion).

Change Transaction Key box, then

Verify Transaction Key box.

The SIM Compliant option refers to Authorize.net's Simple Integration Method.

AG 5000

12. Enable or disable Smart Client Support, as required (if enabled, your license key

must support this feature).

13. You can assign a session idle timeout parameter for subscribers (see following

note). To assign an idle timeout, simply enter a numeric value (in seconds) in the

Subscriber Idle Timeout box (the default is 1200).



14. If you enabled or disabled SSL Support on this screen, you must click the check

box for time the SSL Support feature is enabled or disabled).

15. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

Enabling AAA Services with an External Web Server

You are here because you want to enable the AAA Services with an External Web Server (EWS). In the EWS mode, the AG 5000 redirects the subscriber’s login

request to an external server.

1. Select the External Web Server.

After enabling the External Web Server you must enter a Secret Key. The Secret Key ensures that the response the AG 5000 gets from the EWS is valid.

2. Enter the Secret Key (The AG 5000 and the external authorization server must

use the same secret key).



Subscriber Idle Timeout does not apply to RADIUS and Post Pay PMS subscribers.

Reboot after changes are saved? (the AG 5000 must be rebooted every

DNS must be configured if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG 5000’s configuration screens (for example, the External login page URL in the following step).

3. Enter the IP Address for the External Web Server.

4. Enter a valid External login page URL.

5. You can assign a session idle timeout parameter for subscribers (see following

note). To assign an idle timeout, simply enter a numeric value (in seconds) in the

Subscriber Idle Timeout box (the default is 1200).



6. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state (making changes to the EWS settings does not require a system reboot).

66 System Administration

Subscriber Idle Timeout does not apply to RADIUS and Post Pay PMS subscribers.

AG 5000

Establishing Secure Administration {Access Control}

The AG 5000 allows you to block administrator access to interfaces (Telnet, WMI and FTP) and incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only to the interfaces that have not been blocked, and only if a match is made with the master “Source IP” list contained on the AG 5000. If a match is not made with the “Source IP list,” the login is denied, even if a correct login name and password are supplied. The access control list for source IPs supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses.

This procedure allows you to enable the “Access Control” feature and block administrator access to specific interfaces, and add or remove administrator “Source IP” addresses.

1. From the Web Management Interface, click on Configuration, then Access

Control.

The Access Control screen appears:

2. Enable or disable administrator access to any of the following interfaces:

 Telnet  Web Management  FTP

System Administration 67

AG 5000





3. Click the check box for Access Control if you want to enable this feature, then

click on the

If you enabled Access Control, administrator access is restricted only to the IP addresses shown under the “Currently Access is Permitted for IPs” listing. If you want to add to or remove IP addresses from the list, go to Step 4 through Step 8.



4. To add an IP address (or range of IP addresses) to the list, enter the “starting” IP

address in the

5. If you are adding a range of IP addresses to the access control list, you must now

enter the “ending” IP address in the adding a single IP address, enter

Blocking or unblocking interface access will terminate the current session.

Do not enable the blocking of all interfaces without setting up and enabling SNMP. Enabling the blocking of all interfaces and disabling SNMP will completely block access to the AG 5000 administration interface. For assistance, contact Nomadix Technical Support.

Submit button to save your change.

The Access Control list can contain up to 50 (fifty) valid administrator IP addresses or up to 50 (fifty) ranges of IP addresses.

Access Control Start IP field.

Access Control End IP field. If you are

None in the Access Control End IP field.

6. Click on the Add button to add the IP address (or range of IP addresses) to the

list.

7. To remove an IP address (or range of IP addresses) from the list, enter the

“starting” IP address in the Access Control Start IP field.

If you are removing a range of IP addresses from the access control list, you must now enter the “ending” IP address in the removing a single IP address, enter None in the Access Control End IP field.

8. Click on the Remove button to remove the IP address (or range of IP addresses)

from the list.



68 System Administration

If you enabled Access Control and have “locked yourself out,” of the system (for example, because you’ve forgotten your password), you must establish a local serial connection with the CLI to disable the Access Control feature, or change the range of allowed IP addresses to access the management interfaces. If you have changed the serial port to act as a PMS interface, please contact Nomadix technical support. In this case, refer to “Contact Information” on page 259.

Access Control End IP field. If you are

AG 5000

Defining Automatic Configuration Settings {Auto Configuration}

The AG 5000 allows you to define parameters to enable the automatic configuration of the system. See also, “RADIUS-driven Auto Configuration” on page 22.

1. From the Web Management Interface, click on Configuration, then Auto

Configuration.

The Autoconfiguration Settings screen appears:

2. Enable or disable Autoconfiguration, as required.

3. If you enabled Autoconfiguration, you must enter the following information into

the corresponding fields:

 RADIUS Authentication Name  Radius Password  Confirm Password

Click on the check box for Reboot after changes are saved? to reboot the system when you submit your changes.

5. Click on the Submit button to save your changes, or click or the Reset button to

reset all data to its previous state.

System Administration 69

Enabling Auto Configuration

As shown in the diagram below, two subsequent events drive the automatic configuration of Nomadix devices:

1. A flow of RADIUS Authentication Request and Reply messages between

2. Defines the automated login into the centralized FTP server and the actual

download process into the flash.

St e p 1: RADI US Auth en Req / Response message to determi ne lo cation of meta configuration file

AG 5000

Step 2: FTP downl oad o f configuration files (secure)

The Auto-Configuration setup requires a few basic steps to be completed by both the field engineer and the NOC administrator.

Administrative Steps to Enable Auto-Config

Typically, these tasks are performed either at a device pre-staging center or by the field engineer.

1. Establish a WAN connection and electronically accept the EULA.

2. Setup RADIUS Server parameters (go to “Defining the RADIUS Client

Settings {RADIUS Client}” on page 98).

3. Setup Username and Password for RADIUS Authentication.

70 System Administration

AG 5000

Administrative Steps to Enable Auto-Config for the NOC Administrator

1. Add NAS IP address.

2. Add Nomadix Auto-Config VSA to the Nomadix dictionary file on the

RADIUS server.

3. Create a RADIUS profile with the configuration VSA.

4. Create an FTP server with the configuration files.

5. The following diagram shows a sample RADIUS configuration file, meta

file and illustration of the FTP server setup.

The Nomadix device will automatically initiate one reboot to enable the new settings. Configuration updates for network maintenance can be accomplished by simply enabling the Auto-Configuration option and rebooting the device (for example, using SNMP). See also, “Defining Automatic Configuration Settings {Auto

Configuration}” on page 69.

System Administration 71

AG 5000

Setting Up Bandwidth Management {Bandwidth Management}

The AG 5000 allows system administrators to manage the bandwidth for subscribers, defined in Kbps (Kilobits per seconds) for both upstream and downstream data transmissions. With the ICC feature enabled, subscribers can increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily, weekly, or monthly basis), and also adjust the pricing plan for their service.

1. From the Web Management Interface, click on Configuration, then Bandwidth

Management

The Bandwidth Management screen appears:

2. If required, click the check box for Bandwidth Management Enabled.

3. If you enabled Bandwidth Management, enter the uplink and downlink speeds (in

Kbps) in the appropriate fields.



4. If you made any changes to the settings on this screen, you must click the check

box for Reboot after changes are saved? (the AG 5000 must be rebooted).

5. Click on the Submit button to save your changes and reboot the system, or click

on the Reset button if you want to reset all the values to their previous state.

72 System Administration

Setting the uplink or downlink speeds to anything greater than 100,000 Kbps is meaningless, because communication with the AG 5000 is established at 100 Mbps (100,000 Kbps).

AG 5000

Establishing Billing Records “Mirroring” {Bill Record Mirroring}



The AG 5000 can send copies of credit card transaction and PMS billing records to external servers that have been previously defined by system administrators. The AG 5000 assumes control of billing transmissions and saving billing records. By “mirroring” the billing data, the AG 5000 can also send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are down, the AG 5000 can store up to 2,000 credit card transaction records. When a connection is re-established (with either server), the AG 5000 sends the stored information to the server—no records are lost!

For more information about the bill record mirroring feature, go to “Mirroring Billing

Records” on page 249.

1. From the Web Management Interface, click on Configuration, then Bill Record

Mirroring

The Credit Card/PMS Mirroring Settings screen appears:

The Bill Record Mirroring feature contained in the Credit Card and Hospitality optional modules is optional. Your product license may not support this feature.

System Administration 73

AG 5000

2. If you want to enable the billing records “mirroring” functionality for credit card

transactions (and you have purchased the appropriate product license), click on the check box for

3. Enter the property identification code in the Property ID field.

4. Enter the communication parameters for the primary server that is to be used for

Enable CC/PMS Mirroring.

mirroring, including:

 Primary IP  URL

 Secret Key



Repeat Step 4 for the secondary server (if any) and all carbon copy servers.

6. Define the “fail-safe” provisions, including:

The AG 5000 and the “mirror” servers must use the same secret key.

 Retransmit Method – Alternate, or do not alternate.  Number of Retransmit Attempts – This tells the system how many

times it should attempt to retransmit billing records before suspending the task.

 Retransmit Delay – This specifies the time delay between each

retransmission.

7. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

74 System Administration

AG 5000

Managing the DHCP Service Options {DHCP}

1. From the Web Management Interface, click on Configuration, then DHCP.

The DHCP Settings screen appears:

System Administration 75

AG 5000



2. DHCP Services is enabled by default. Do not disable it unless you want to lose

all your DHCP services.



3. To route DHCP through an external server, enable the DHCP Relay.

4. If you enabled the DHCP Relay feature, you must assign a valid DHCP Server IP

address (the default is 0.0.0.0) and a valid

The DHCP Relay Agent allows the AG 5000 to request a specific range of IP addresses from different IP pools from the DHCP Server. Leaving these fields blank forces the system to use the IP pool that contains IP addresses that are on the same subnet as the AG 5000.

Nomadix’ patented Dynamic Address Translation (DAT) functionality is automatically configured to facilitate “plug-and-play” access to subscribers who are misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP capability on their computers. DAT allows all users to obtain network access, regardless of their computer’s network settings.

By default, the AG 5000 is configured to act as its own DHCP server and the relay feature is “disabled.” If you want the AG 5000 to act as its own DHCP server, do not enable the relay. Go directly to Step 8.

DHCP Relay Agent IP address.





5. If you want the AG 5000 to act as its own DHCP Server (you did not enable the

DHCP Relay), enable it now.

6. If required, you can make the DHCP Server feature Subnet -based by checking

the appropriate box.

7. If required, enable the IP Upsell feature.

You must disable the DHCP server before enabling the DHCP relay. Both features cannot be enabled concurrently.

If the DHCP Relay Agent IP address is set for an address that is already used or the IP address of the server, the other system will get an IP conflict and will not have Internet access.

76 System Administration

AG 5000

System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the AG 5000 associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs. The IP Upsell functionality solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications.

8. If you want to add a new DHCP Pool, click on the Add button.

The Add DHCP Pools screen appears:

9. Enter a valid DHCP Server IP address for the DHCP server.

10. Enter the DHCP Server Netmask.

System Administration 77

AG 5000

11. Enter the starting and ending IP addresses for the DHCP address pool you want

to use:

 DHCP Pool Start IP  DHCP Pool Stop IP

Enter the DHCP Lease Minutes.

12.

13. Select Public Pool or Private Pool, as required.



14. If required, make this an IP Upsell Pool and/or the Default Pool by checking the

A “public” IP address will not be translated by DAT.

appropriate boxes.



15. When finished establishing your DHCP Pools, click on the Back to Main DHCP

Configuration Page

16. You must now reboot the system for the new settings to take effect. Click the

check box for

Do not allow pools to overlap.

to return to the previous page.

Reboot after changes are saved? then click on the Submit

button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.

When the system restarts, DHCP is enabled and configured. Skip the remaining steps in this procedure and go to “Managing the DNS Options {DNS}” on

page 79.

17. The existing lease pool and lease table are deleted and the AG 5000 reboots. The

AG 5000 can issue IP addresses to any DHCP enabled subscriber who enters the network.

78 System Administration

AG 5000

Managing the DNS Options {DNS}

Use the following procedure to set the DNS configuration options.

1. From the Web Management Interface, click on Configuration, then DNS.

The Domain Name System (DNS) Settings screen appears:

2. Enter the Host Name (the DNS name of the AG 5000).



3. Enter a valid Domain name (the Internet domain that DNS requests will utilize).

System Administration 79

The host name must not contain any spaces.

AG 5000

4. Enter the IP addresses for the DNS servers (located at the customer’s network

operating center where DNS requests are sent). Servers include:

 Primary DNS Server  Secondary DNS Server  Tertiary DNS Sever



When finished, you must reboot the system for the new settings to take effect.

The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.

Click on the check box for Reboot after changes are saved? to reboot the system after saving your changes.

6. Click on the Submit button to save your changes and reboot the system, or click

on the Reset button if you want to reset all the values to their previous state.

80 System Administration

AG 5000

Setting the Home Page Redirection Options {Home Page Redirect}

This procedure shows you how to redirect the subscriber’s browser to a specified home page. Subscribers may also be redirected to a page specified by the solution provider, without any interaction with the credit card authentication process.



1. From the Web Management Interface, click on Configuration, then Home Page

Redirect

The Home Page Redirection Settings screen appears:

2. Click on the check box for Home Page Redirection to enable this feature.

You must configure DNS if you want to enter meaningful URLs instead of numeric IP addresses into any of the AG 5000’s configuration screens.

If you enable home page redirection, you must provide a URL for the redirected home page.

3. Enter the URL of the redirected home page in the Home Page URL field.

4. If required, click on the check box for Parameter Passing.

Parameter passing allows the AG 5000 to track a subscriber’s initial Web request (usually their home page) and pass the information on to the solution provider. The solution provider uses this information to ensure that the subscriber can return to their home page easily.

5. In the Redirection Frequency field, specify the frequency (in minutes) for home

page redirection. This is the interval at which the subscriber is redirected to the solution provider’s home page automatically.

6. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

System Administration 81

AG 5000

Enabling Intelligent Address Translation (iNAT)

Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private and public address domains. The Nomadix iNAT engine performs a defined mode of network address translation based on packet type and protocol (for example, GRE, IKE etc…).

1. From the Web Management Interface, click on Configuration, then iNAT.

The iNAT screen appears:

2. Enable of disable the iNAT feature, as required.

3. If you enabled iNAT, you have the option of enabling or disabling the following

VPN protocols:

 PPTP  IPSEC

Click on the Submit button to save your options.

Use the

iNAT Start and iNAT End fields to enter an IP address or range of IP

addresses (up to 50), then click on the Add button to add the IP address(es), or click on the

Remove button to delete the IP address(es) from the database.

82 System Administration

AG 5000

Establishing Your Location {Location}

This command sets up your location and the corresponding IP addresses for the network interface, subscriber interface, subnet, and default gateway. You *must* provide your full location information.

1. From the Web Management Interface, click on Configuration, then Location.

The Location Settings screen appears:

2. Enter your location information in the following fields:

 Company Name  Address (Line 1 and Line 2)

 City, State, Zip, and Country

 E-mail Address

System Administration 83

AG 5000





3. Enter a valid IP address in the Network IP Address field.



The Network IP Address is the public IP address that allows administrators to see the AG 5000 on the network. Use this address when you need to make a network connection with the AG 5000.



You must reboot the system if you make changes to any of the following IP settings.

You may lose your connection if you change the IP settings incorrectly (using invalid IP addresses). If you “misconfigure” the AG 5000 and network connectivity is lost, you can still access the AG 5000 from the Command Line Interface (CLI) via a direct serial connection. In this case, refer to: “Powering Up the System” on page 38 and “Logging In”

on page 59.

The network interface and subscriber interface addresses must be on the same subnet.

All IP addresses must be established, otherwise the AG 5000 will not be “visible” on the network.

4. Enter a valid subscriber IP address in the Subscriber IP Address field.

The IP addresses from subscribers that are on a subnet different from the AG 5000 (for example, misconfigured) are translated by Nomadix’ Dynamic Address Translation (DAT) patented technology to the



5. Enter a valid IP address in the Subnet Mask field.

The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG 5000 is located.

6. Enter a valid default gateway IP address in the Default Gateway field.

The default gateway is the IP address of the router that the AG 5000 uses to transmit data to the Internet.

84 System Administration

Subscriber IP Address.

AG 5000

7. When finished, you must reboot the system for the new settings to take effect.

Click on the check box for Reboot after changes are saved? to reboot the system after saving your changes.

8. Click on the Submit button to save your changes and reboot the system, or click

on the Reset button if you want to reset all the values to their previous state.

Managing the System and Billing Log Options {Logging}

System logging creates log files and error messages generated at the system level. AAA logging creates activity log files for the AAA (Authorization, Authentication, and Accounting) functions. You can enable either of these options.



1. From the Web Management Interface, click on Configuration, then Logging.

The Log Settings screen appears:

2. If required, click on the check box for System Log to enable system logging.

When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 5000 to the specified SYSLOG server.

3. Enter a unique number (between 0 and 7) in the System Log Number field. This

ID number is assigned to the System Log Server.

System Administration 85

AG 5000

4. Enter a valid IP address in the System Log Server IP field.

5. If required, repeat Steps 2 through 4 for the AAA Log feature.

6. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to “Sample SYSLOG Report” on

page 229 and “Sample AAA Log” on page 228.

Enabling the Meeting Room Scheduler {Meeting Room Scheduler}



The Meeting Room Scheduler is an optional standalone application delivered on CD-ROM.

The MRS allows hotel desk clerks to schedule and reserve conference rooms on behalf of their hotel guests and generate the necessary invoices in advance. Hotel desk clerks can now effectively schedule meetings and collect payments directly.

1. From the Web Management Interface, click on Configuration, then Meeting

Room Scheduler

The Meeting Room Scheduler screen appears:

2. Click on the check box for Meeting Room Scheduler to enable this feature.

3. In the MRS XML IP field, enter the IP address of the machine that will process

XML commands for the Meeting Room Scheduler (MRS) application.

4. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

For detailed information about installing, configuring, and using the NOMADIX™ Meeting Room Scheduler application, refer to the following documentation:

Meeting Room Scheduler User’s Guide (P/N 200-1007-001)

86 System Administration

AG 5000

5. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

Assigning Passthrough Addresses (Passthrough Addresses)

The AG 5000 allows up to 300 IP passthrough addresses and DNS names. This feature allows users to “pass through” the AG 5000 and access predetermined services (for example, the redirected home page) at the solution provider’s discretion, even though they may not have subscribed to the broadband Internet service. This is useful if solution providers want to openly promote selected services to all users, even if they are not currently subscribing (paying) for access. Allowing up to 300 passthroughs (IP and DNS) offers customers greater promotional flexibility.



1. From the Web Management Interface, click on Configuration, then

Passthrough Addresses

The Passthrough Address Settings screen appears:

The AG 5000 is supplied with “Hotmail®” as a default passthrough setting.

2. If required, enable Passthrough Addresses, then click on the Submit button.

System Administration 87

AG 5000

3. In the IP/DNS Name field, enter the IP address or DNS name of the pass-through

you want to add or remove from the system.



4. If adding this pass-through, click on the Add button, otherwise click on Remove

to delete this pass-through from the list.

The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information.

Assigning a PMS Service {PMS}



The AG 5000 can be integrated with existing Property Management Systems. For example, by integrating with a hotel’s PMS, the AG 5000 can post charges for Internet access directly to a guest’s hotel bill. In this case, the guest is billed only once. The AG 5000 outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. The AG 5000 offers “post-paid” PMS billing functionality for all supported PMS interfaces, providing hotel guests with the option to terminate their connection (via the ICC) and be billed only for the actual time he/she was online. The AG 5000 is equipped with a serial port to facilitate connectivity with the system’s CLI or a

customer’s Property Management System.

Your product license may not support this feature.



Before you can change the PMS settings, a PMS must be connected to the AG 5000 via the serial port on the rear panel. See also, “Connecting the AG 5000 to the

Customer’s Network” on page 51.

The AG 5000 can query most popular Property Management Systems for confirmation of the “names” and “room numbers” of hotel guests—effectively becoming a “clone” of a popular Micros POS system. This functionality allows hotels to seamlessly deploy wireless networks (or alternatively use low-cost wired access concentration equipment) that either do not support port-ID or do so in a proprietary format that Nomadix does not currently support—and still be able to bill directly to the room.

88 System Administration

Some PMS vendors may require you to obtain a license before integrating the PMS with the AG 5000. Check with the PMS vendor.

Some Property Management Systems may use interfaces that are incompatible with the AG 5000. If your AG 5000 is having trouble communicating with a solution provider’s PMS, please contact technical support. Refer to “Contact Information” on page 259.

AG 5000

Supported PMS interfaces include:

 Lodging Link (PTI)  Holodex (AutoClerk)  HOBIC (OSPS, TSPS, 1BT2, TEST, RSI)  Galaxy (Post Only)  Marriot  NH (post-paid only)  Micros Fidelio (Query & Post, Post Only, and Post Only with TCP/IP)  Micros (1700/2000/3700/4700/8700 System Software Emulation)

System Administration 89

AG 5000

1. From the Web Management Interface, click on Configuration, then PMS.

The Property Management System Settings screen appears:

90 System Administration

AG 5000

2. You have the option of disabling PMS services by clicking on the PMS services

disabled

radio button, then clicking on the Submit button to save your choice. If

you disable PMS services you can exit this procedure, otherwise go to Step 3.

3. Select the Type of PMS (Pre-paid or Post-paid) you require from the available

list, or choose the ASCII Serial Printer option (when a serial printer is connected to the AG 5000’s serial port)—you can choose only one of the listed options.



The pre-paid option requires hotel guests to “pre-pay” for services. The post-paid option allows hotel guests to terminate their connection (via the ICC) and be billed only for the actual time they are online. The NH proprietary PMS is offered on a “post-paid” basis only.

 If you choose HOBIC - RSI, you must select the Type of Access.  If you choose Micros Fidelio (Post Only with TCP/IP), you must provide the

Target IP Address and the Target Port Number.

 If you choose Micros (1700/2000/3700/4700/8700 emulation) you must

provide the following additional information:

 Communications System Unit Number (1 - 64)

 Communications System Name  Store Revenue Center Number: Internet Access  Store Revenue Center Number: Other

You also have the following check box options (see note):

 Match Last Name Only  Skip First Char in Last Name  OnQ Compliant (Enable this option if you want to use Nomadix

Micros POS emulation to query & post to Hilton Corporation's OnQ PMS system).



PMS solutions such as Galaxy require this option to be enabled to work with Nomadix Micros POS emulation in wireless hospitality networks. Some PMS systems send selection records as lastname, padded with white space (ascii 0x20) on the right, followed by a comma along with first name initial and some flags. Normally, the AG 5000 compares every character of the name as typed by the user to the contents of the selection record. If the “Match Last Name Only” feature is enabled, the AG 5000 compares only the user input with the part of selection record which comes before the comma (assumes that the user only enters a last name). If the “Skip First Char in Last Name” feature is enabled, the space is reserved for purposes other than the first character of the last name, so the AG 5000 will skip the first space in the last name field for name verification.

System Administration 91

AG 5000

4. Post-paid PMS only: If you selected a Post-paid PMS option, you can define an

Idle Timeout (in minutes) and an Idle Data Threshold (in bytes). These

selections determine the thresholds when a “post-paid” hotel guest will be automatically disconnected from the service.

Property Management Systems generally operate at different baud rates. You must now select an appropriate baud rate for your chosen PMS.

5. Select the Speed of PMS Interface from the available list. If you are not sure

which baud rate to choose, select default.

6. You must now select the Type of Service Post Mappings you require relative to

the billing plans you established in “Defining the Billing Options {Billing

Options}” on page 151.

Because some Property Management Systems do not allow you to enter characters, you must enter these service descriptions as a numeric value only (no characters or delimiters). The numbers must be entered in the form of a

“telephone number” which the selected PMS will interpret.

Not Sure and the system will attempt to use the



7. Click on the Submit button to save your changes and restart the serial interface,

or click on the state.



If the “phone number” field required by the PMS is shorter than 15 characters, only the first required number of characters will be supplied.

Reset button if you want to reset all the values to their previous

Based on the HOBIC interface standards, Nomadix, Inc. has also certified interoperability with a number of other PMS and call accounting solutions such as Ramesys’ ImagInn, Xeta Virtual XL, and Hilton’s proprietary standard OnQ. This development effort is ongoing. For an up-to-date list of supported PMS systems, please contact our Technical Support team. Refer to “Technical Support” on

page 259.

92 System Administration

AG 5000

Setting Up Port Locations {Port-Location}

Port-Location allows you to establish the mode of operation for devices.

1. From the Web Management Interface, click on Configuration, then Port-

Location

The Port-Location Settings screen appears:

System Administration 93

AG 5000

2. System administrators can set the properties for each room from the subscriber

side of the AG 5000. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using.

If required, click on the check box for feature.

3. If you enabled In Room Port Mapping, you must assign a Username and

Password. You will need these when you perform port mapping from the

subscriber side of the AG 5000.

Go to “In Room Port Mapping” on page 96 to map rooms from the subscriber side of the AG 5000.



4. Select No Port Location Mapping if you are not using Port-based access.

... or go to Step 5:

5. Select 802.1Q one-way or 802.1Q two-way (VLAN IDs) if you are using a

device that understands VLAN IDs. These options tell the AG 5000 that the device can process VLAN IDs to identify which port-location the information is coming from, and how to bill it.

For security reasons, this feature should be disabled when in room port mapping (from the subscriber side of the AG 5000) is completed.

In Room Port Mapping to enable this



... or go to Step 6 (next page):

94 System Administration

When assigning port-locations, the “port” is the VLAN ID (when using

802.1Q one-way or 802.1Q two-way).

AG 5000

6. If you are using an access concentration device that cannot handle VLAN IDs,

select one of the available Access Concentrator Query options:



The devices in the following list must be assigned an IP address on the same subnet as the AG 5000. You must remove “old” concentrator types before entering new ones.

 Tut Systems Expresso  Lucent DSL Terminator  Tut MDU Lite Systems  RFC1493 Compliant Systems  RiverDelta 1000B  Elastic Networks

These options enable an SNMP query to “ask” the access concentration device which card, slot, or port the information is coming from. The information can then be “sent to” and “billed by” the PMS. You must enter the IP address (not name) and SNMP community of all access concentrators connected to the site.

For “cascading” Tut and RFC1493 compliant systems, click on the associated

Cascading button. The Cascading Support screen appears, allowing you to enter

the IP address and SNMP community for the primary and all “cascading” devices connected to the site. For RFC1493 compliant systems, you have the additional option of defining the “Uplink port.”

Tut Syst em s

System Administration 95

RFC1493 Systems

AG 5000

From the Cascading Support screen, you can return to the main Port-Location Settings screen at any time by pressing the Back button.

7. Click on the Submit button to save your changes, or click on the Reset button if

you want to reset all the values to their previous state.

In Room Port Mapping

This section shows In Room Port Mapping from the subscriber side, when the In Room Port Mapping feature is enabled.



AG 5000 multiple VLAN tagged systems can use the same tags and be placed on different Subscriber ports. Although it is technically possible to place two different VLAN tagged switches (one on each Subscriber side) that have the same VLAN tags designated, this configuration can cause problems. To avoid conflicts, you must ensure that the VLAN tags are different on the different devices.

1. Enable In Room Port Mapping and assign a user name and password (see

previous section, Steps 2 and 3).

2. Enter the following URL target format:

http://(AG 5000 IP address):1111/usg/roommapping

For example:

http://219.57.108.103:1111/usg/roommapping

The Enter Network Password prompt appears:

Enter user name an password

Click here if you want to save

96 System Administration

Nomadix AG 5000 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual