NSE integration in public devices

Nomadix Service Engine
Integration into Public Access Devices
Copyright © 2011 Nomadix, Inc. All Rights Reserved.
30851 Agoura Road
Suite 102
Agoura Hills, CA 91301 USA
White Paper
Sheet 2 of 9
The Nomadix Service Engine (NSE) allows manufacturers of edge networking devices such as Access Points and wireless switches to deliver feature-enhanced platforms specifically targeted at the public access market. In order to quickly reach the public access market, many device manufacturers are looking to leverage Nomadix’ development efforts and bring NSE-enabled products to market.
The NSE offers the most comprehensive set of features and functionality, and is available as a licensable software package. Depending upon the target platform, the NSE can scale to support any type of HotSpot – from a large, multi-cell location like an airport to a small, single-cell coffee shop.
Nomadix also offers a series of NSE Modules and Bundles that can be added to the NSE Core to
support vertical billing and other applications or add enhanced functionality:
1. HOSPITALITY - AG 3xxx/5xxx
This module provides the most extensive range of CERTIFIED Property Management System (PMS) interfaces to enable in-room guest billing for High-Speed Internet Access (HSIA).
This module also includes one-way and two-way PMS interfaces for in-room billing in a WI-FI
Bill mirroring of records to multiple destinations is also provided within this module. In addition, a driverless printing option (“Click to Print”) provides the capability for a subscriber to send print jobs to a designated server and have the charge billed to the room.
2. HIGH-AVAILABILITY - AG 2xxx/3xxx/5xxx
Fail-Over functionality provides expanded network uptime and service availability by utilizing a second Nomadix Gateway that is regularly updated by the primary gateway and takes over if the primary device should fail.
Provides additional flexibility in architecting your network by configuring an NSE-enabled Access Gateway to support Layer 3, WLAN, MESH and other routed networks on the subscriber or network side of the Nomadix device.
This module is useful where, for example, different departments each require a separate logical network (with typical routed connections between them), but it is desired that users on each network are still able to make use of the Nomadix subscriber features with respect to the public
P/N 230-1024-001
This item is a special factory part number which configures the AG 5600 and packages the Routed Subscriber and High Availability modules with user count upgrades to create an AG 5600 Metro Gateway that supports up to 4000 users.
NSE Overview
The NSE is a suite of patented and patent-pending embedded software available for license into networking devices such as wireless Access Points, routers, switches and residential gateways.
The NSE Core and Optional Modules that make up the Nomadix Service Engine are developed to run in a VxWorks® environment, using the Tornado® II integrated development tools platform, both of which are provided by Wind River Systems, Inc. VxWorks is the run-time component of the Tornado II embedded development platform and is the most widely adopted real-time operating system (RTOS) in the embedded industry. VxWorks is flexible, scalable, reliable, and compatible with numerous industry standards.
The NSE principally operates at Layer 2 of the OSI Model. This means that the NSE is platform-independent and transport-agnostic, making it capable of being integrated into any edge aggregation device, whether the device supports wired or wireless networking interfaces.
The NSE provides functionality in the following key areas:
Customer Acquisition
Service Provisioning
Access Control and Authentication
Billing Enablement
Advanced Security
Policy-based Traffic Shaping
The following set of features make up the NSE Core:
Zero Configuration
Page Redirection
Dynamic Address Translation (DAT™ )
Portal Page Redirect
Dynamic Transparent Proxy
Home Page Redirect
Post-authentication URL
Destination HTTP Redirect
External Web Server Mode
Radius Termination Action
Smart Client Support
Tri-Mode Authentication (UAM/802.1x/Smart Clients)
Remember Me and RADIUS ReAuthentication
Integrated VPN Client for Management
IP Upsell
Static Port Mapping
Port Mapping
Secure Socket Layer (SSL)
Session Rate Limiting (SRL)
Secure XML API
Lawful intercept
Internal Web Server
Session Termination Redirect
Information and Control Console
Log-out Pop-Up Window/ Good-bye Page
International Language Support
Web Management Interface
Command Line Interface
Bridge Mode
Multi-level Admin Support
Access Control List
MAC Filtering
SNMPv2c Nomadix MIB
NTP Support
Bandwidth Management/ Group Bandwidth Limit Policy (Radius)
Walled Garden
URL Filtering
RADIUS-driven Configuration
End User Licensee Count
The following sections detail certain features of the NSE Core in greater detail.
Customer Acquisition
Dynamic Address Translation
Nomadix’ patented Dynamic Address Translation™ (DAT™) technology offers a true “plug-and-play” solution that provides transparent broadband network connectivity covering a variety of PC configurations (static IP, DHCP, DNS, and proxies), ensuring that everyone gets access to the public access network.
Nomadix developed DAT™ to actively monitor every packet transmitted from each device to ensure all packets are correctly configured for the network that computer is expecting. If necessary, DAT™ will perform standard Network and Port Address Translation and supports Application Level Gateways (ALGs) for protocols such as FTP, H.323, PPTP, IPSec, etc.
DAT™ also ensures that a DNS server is always available to a user through the DNS redirection function. This function redirects a user’s DNS requests to a local DNS server closer to the customer’s location—improving the response time and enabling true plug-and-play access when the subscriber’s configured DNS server is behind a firewall or located on a private Intranet.
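The two DAT behaviours described above (rewriting the addressing of a client that kept a static configuration from another network, and steering its DNS queries to a local resolver) can be modelled as a small stateful translator. The following is an added illustration written for this page, not Nomadix code: the class name, the subnet 10.0.0.0/24, the gateway and resolver addresses and the client MACs are all constructed, and the mapping table is a plain Python dict rather than anything the NSE actually uses.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """Addressing of one packet as seen by the translator (src -> dst)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"


class DynamicAddressTranslator:
    """Hypothetical model of DAT-style fix-up: NAPT for mis-addressed clients plus DNS redirection."""

    def __init__(self, local_net: str, gateway_ip: str, local_dns: str, port_base: int = 20000):
        self.local_net = ipaddress.ip_network(local_net)
        self.gateway_ip = gateway_ip
        self.local_dns = local_dns
        self.next_port = port_base
        self.out_table: dict = {}  # (client_mac, original Flow) -> Flow actually sent upstream
        self.in_table: dict = {}   # (sent src_ip, sent src_port, proto) -> (client_mac, original Flow)

    def needs_translation(self, flow: Flow) -> bool:
        """A client keeping a static address from another network cannot be routed as-is."""
        return ipaddress.ip_address(flow.src_ip) not in self.local_net

    def outbound(self, client_mac: str, flow: Flow) -> Flow:
        """Rewrite a subscriber-side packet; state is kept so the reply can be mapped back."""
        key = (client_mac, flow)
        if key in self.out_table:
            return self.out_table[key]
        sent = flow
        # DNS redirection: steer every DNS query to the venue's local resolver.
        if sent.proto == "udp" and sent.dst_port == 53 and sent.dst_ip != self.local_dns:
            sent = replace(sent, dst_ip=self.local_dns)
        # NAPT: give off-subnet clients the gateway's address and a unique port.
        if self.needs_translation(flow):
            sent = replace(sent, src_ip=self.gateway_ip, src_port=self.next_port)
            self.next_port += 1
        self.out_table[key] = sent
        self.in_table[(sent.src_ip, sent.src_port, sent.proto)] = key
        return sent

    def inbound(self, reply: Flow):
        """Map a network-side reply back; None for traffic that matches no outbound state."""
        key = self.in_table.get((reply.dst_ip, reply.dst_port, reply.proto))
        if key is None:
            return None
        client_mac, orig = key
        sent = self.out_table[key]
        if (reply.src_ip, reply.src_port) != (sent.dst_ip, sent.dst_port):
            return None  # reply does not come from the peer we actually sent to
        # Deliver with the addressing the client expects, including its own DNS server address.
        return client_mac, Flow(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port, orig.proto)


def run_sample() -> dict:
    """Constructed scenario: one statically addressed laptop and one correctly configured DHCP client."""
    dat = DynamicAddressTranslator("10.0.0.0/24", "10.0.0.1", "10.0.0.53")
    static_dns = Flow("192.168.1.50", 5000, "192.168.1.1", 53, "udp")  # home-network settings left on
    dhcp_web = Flow("10.0.0.77", 40000, "198.51.100.7", 443, "tcp")   # already fits this network
    sent_dns = dat.outbound("aa:bb:cc:00:00:01", static_dns)
    sent_web = dat.outbound("aa:bb:cc:00:00:02", dhcp_web)
    dns_reply = Flow("10.0.0.53", 53, sent_dns.src_ip, sent_dns.src_port, "udp")
    stray = Flow("198.51.100.9", 443, "10.0.0.1", 20005, "tcp")        # no matching state
    return {
        "sent_dns": sent_dns,
        "sent_web": sent_web,
        "dns_reply": dat.inbound(dns_reply),
        "stray": dat.inbound(stray),
    }
```

The point worth noticing is the reverse path: the reply from the local resolver is rewritten so that it appears to come from the DNS server the laptop was configured with, which is what lets the client accept it without any reconfiguration; network-side packets that match no outbound state are simply not delivered.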
Home Page Redirection
The Home Page Redirect (HPR) feature of the NSE Core enables the device to intercept the browser’s home page setting and redirect it to a new portal page determined by the Public Access Service Operator (PASO) or HotSpot owner. When redirecting the customer to a new home page, the original home page (Origin Server) is passed as a parameter to the new home page so the customer can still access their default home page after the local or personalized page has been
HPR also allows unique redirects on a per subscriber basis per a RADIUS attribute stored in that customer’s account. The NSE Core can deliver limited Web pages through its Internal Web
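The HPR mechanism above carries the customer's original home page as a parameter of the portal URL and later sends the customer back to it. The snippet below is an added example of that round trip, not Nomadix code: the portal address is a constructed placeholder, the "origin" parameter name and the "portal-url" subscriber attribute are assumptions standing in for whatever the NSE and the RADIUS profile actually use. The one check a practitioner would want is shown in return_target: a value that is about to become a redirect destination is only honoured if it is an absolute http(s) URL, so the parameter cannot be turned into an open redirect.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder for the operator's portal; not a Nomadix address.
DEFAULT_PORTAL = "https://portal.example.net/welcome"


def choose_portal(subscriber_attrs: dict, default: str = DEFAULT_PORTAL) -> str:
    """Per-subscriber redirect: a hypothetical RADIUS-derived 'portal-url' attribute overrides the default."""
    return subscriber_attrs.get("portal-url") or default


def build_redirect(origin_url: str, portal_url: str) -> str:
    """Compose the HPR redirect: the intercepted home page travels as the 'origin' query parameter."""
    sep = "&" if "?" in portal_url else "?"
    return portal_url + sep + urlencode({"origin": origin_url})


def return_target(portal_request_url: str, fallback: str) -> str:
    """Recover 'origin' when the portal sends the customer onward; accept only absolute http(s) URLs."""
    qs = parse_qs(urlsplit(portal_request_url).query)
    candidate = (qs.get("origin") or [""])[0]
    parts = urlsplit(candidate)
    if parts.scheme in ("http", "https") and parts.netloc:
        return candidate
    return fallback  # missing, relative, protocol-relative or non-web scheme: stay on the portal
```

A typical flow: the subscriber's browser asks for http://www.example.com/, the gateway answers with build_redirect(...) pointing at the portal, and once the portal has done its work it sends the browser to return_target(...), which yields the original page for a well-formed origin and the portal itself otherwise.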
Service Branding
The NSE offers the unique ability to provide a 5-step service branding experience for the provider and HotSpot owner.
[Figure: five-step service branding. Recoverable labels: Splash Page (Flash Branding); Portal Page & Login; Home Page & AAA status; ICC or Logout; IWS Goodbye Page or RADIUS; branding with ‘Thank you and …’; Nomadix functionality.]
Nomadix offers redirection opportunities pre and post authentication as well as at service disconnect for maximum service branding capability for both the service provider and the venue
Location-based Identification
Depending on the network architecture and vendor, the NSE can determine the physical location of the user to personalize the service presentation and perform security or billing functions. This is achieved by using aggregation equipment that supports port-based IEEE 802.1Q VLANs, or by using the integrated SNMP Manager to query the Bridge MIB (RFC 1493 or certain proprietary MIBs) to determine the physical port associated with the user’s MAC address, i.e. the port through which each packet arrived.
Service Awareness
The NSE can drive an HTML/JavaScript window down to each customer’s Internet browser, providing them with the ability to self-select services and upgrade their bandwidth and billing options in real time.
Nomadix’ patented Information and Control Console (ICC) also allows the premises owner or service operator to send custom messages and advertising directly to the screen of the customer. For credit card usage, the ICC displays a dynamic “time” field to inform customers of the time remaining or expired on their account.
Access Control and Authentication
The NSE Core offers a Walled Garden feature allowing pre-authenticated users access to only certain sites on the Internet. Depending upon the device, the NSE provides up to 300 IP pass-through addresses that allow the administrator to enforce security based on whether or not the customer has been authenticated. The “walled garden” can be used to push local content and services, providing a custom experience dependent upon the public HotSpot owner.
By allowing selective access control to the network before the customer authenticates themselves, service selection and Web-based self-provisioning can be provided in a standard, efficient, low-cost and convenient way. The NSE provides an additional layer of security for the public access Wi-Fi network by blocking access to the Internet until the user has been authenticated.
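The access-control decision the two paragraphs above describe (full access once authenticated, walled-garden destinations only before that, browser traffic captured and sent to the portal, everything else blocked) is easy to state as a per-packet policy. The following is an added example written for this page, not the NSE's implementation: the Packet and AccessPolicy types, the "forward"/"redirect"/"drop" verdicts and the sample MAC and IP addresses are all constructed. The 300-entry ceiling is the figure the paper quotes, and the option to drop ICMP from non-authenticated users is taken from the Denial of Service Management section below.

```python
import ipaddress
from dataclasses import dataclass, field

# Upper bound on pass-through entries quoted by the paper ("up to 300").
MAX_PASSTHROUGH = 300


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 for protocols without ports


@dataclass
class AccessPolicy:
    # Walled-garden destinations reachable before authentication.
    walled_garden: list = field(default_factory=list)
    # MAC addresses that have completed authentication (UAM, 802.1X or Smart Client).
    authenticated: set = field(default_factory=set)
    # Administrator option: drop ICMP from non-authenticated users.
    block_preauth_icmp: bool = True

    def add_passthrough(self, cidr: str) -> None:
        """Add a walled-garden destination; enforce the 300-entry ceiling."""
        if len(self.walled_garden) >= MAX_PASSTHROUGH:
            raise ValueError("pass-through table full")
        self.walled_garden.append(ipaddress.ip_network(cidr, strict=False))

    def authenticate(self, mac: str) -> None:
        self.authenticated.add(mac.lower())

    def decide(self, pkt: Packet) -> str:
        """Return the forwarding decision for one subscriber-side packet."""
        if pkt.src_mac.lower() in self.authenticated:
            return "forward"               # authenticated: full Internet access
        if pkt.proto == "icmp" and self.block_preauth_icmp:
            return "drop"                  # no ICMP from unknown clients
        dst = ipaddress.ip_address(pkt.dst_ip)
        if any(dst in net for net in self.walled_garden):
            return "forward"               # pre-auth access to walled-garden sites only
        if pkt.proto == "tcp" and pkt.dst_port == 80:
            return "redirect"              # capture the browser and send it to the portal
        return "drop"                      # everything else waits for authentication


def run_sample() -> list:
    """Constructed traffic mix: one authenticated and one not-yet-authenticated client."""
    policy = AccessPolicy()
    policy.add_passthrough("203.0.113.0/24")   # constructed: the venue's portal/payment servers
    policy.authenticate("00:11:22:33:44:55")
    pkts = [
        Packet("00:11:22:33:44:55", "198.51.100.7", "tcp", 443),  # authenticated, any site
        Packet("66:77:88:99:aa:bb", "203.0.113.10", "tcp", 443),  # pre-auth, walled garden
        Packet("66:77:88:99:aa:bb", "198.51.100.7", "tcp", 80),   # pre-auth HTTP -> portal
        Packet("66:77:88:99:aa:bb", "198.51.100.7", "tcp", 443),  # pre-auth HTTPS elsewhere
        Packet("66:77:88:99:aa:bb", "198.51.100.7", "icmp"),      # pre-auth ICMP
    ]
    return [policy.decide(p) for p in pkts]
```

Keying the authenticated set on the MAC address mirrors the paper's own identification model; it also shows why MAC filtering and session rate limiting (next sections) matter, since the MAC is the only identity the gateway has for a client before authentication completes.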
Multi-mode Authentication Methods
In addition to supporting the secure Browser-based Universal Access Method via SSL, the NSE enables simultaneous support for Port-based Authentication using IEEE 802.1X and the authentication mechanisms used by Smart Clients from companies such as Boingo Wireless and iPass. Nomadix is the only company capable of delivering this type of advanced authentication
Billing Enablement
An NSE-enabled device can automatically authenticate, authorize, track, and bill users for access. Users can be identified and billed according to their Media Access Control (MAC) address, username/password, and/or port identification number.
The NSE supports a wide variety of billing models, enabling the deployment of profitable public access networks. Our technology allows equipment makers to sell solutions that enable billing plans using credit cards, scratch cards or monthly subscriptions—then bill by a host of different parameters including IP address type (Private/Public), time, volume, or bandwidth.
Nomadix offers an integrated RADIUS client with the NSE Core, allowing the service provider to track or bill based upon the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS Server, along with associated attributes for each user. When a customer connects to the network, the RADIUS client authenticates the customer with the RADIUS Server, applies the associated attributes stored in that customer’s profile, and logs their activity (including bytes transferred, connect time, etc.).
Our RADIUS implementation also handles vendor-specific attributes (VSAs) required by WISPs that want to enable more advanced services and billing schemes such as a per device/per month connectivity fee.
XML Interface
Nomadix provides a secure XML Application Programmer’s Interface (API) with the NSE Core, allowing the device to accept and process XML commands from an external source for integration with OSS, provisioning, and other network management elements for subscriber management and location/port management. XML commands are sent over the network via an SSL tunnel in the form of an encoded query string. The XML interface enables solution providers and integrators to customize and enhance the installations with value added capabilities and
Advanced Security
The NSE enhances today’s standards, enabling the secure deployment of large-scale public access networks, regardless of the standards supported at the client, enabling a solution that covers the wide variety of clients that will roam into the location.
VPN tunneling (PPTP, IPSec) remains the recommended method for transmitting data across a wireless network for mobile workers wishing to connect back to their corporate resources. Nomadix’ products feature its patented iNAT functionality that creates an intelligent mapping of IP Addresses and their associated VPN tunnels, allowing multiple tunnels to be established to the same VPN server and creating a seamless connection for all the users at the public access location.
Denial of Service Management
The NSE Core also provides Session Rate Limiting (SRL) and MAC filtering capabilities to significantly reduce the risk of Denial of Service (DoS) attacks, helping ensure network uptime and reliability. Administrators can also block all ICMP packets of non-authenticated users to further protect the network against common DoS attacks.
Policy-based Traffic Shaping
The Bandwidth Management feature is part of the NSE Core functionality and enables a service provider to limit bandwidth usage on a per device (MAC Address/User) basis. This ensures every user has a quality experience by placing a bandwidth ceiling on each device accessing the network so every user gets a fair share of the available bandwidth.
The bandwidth for each device can be defined asymmetrically for both upstream and downstream data transmissions. The service provider can also allow the individual user to increase or decrease their bandwidth by the minute—or on an hourly, daily, weekly, or monthly basis—without having to disconnect or re-establish a new session.
The NSE can also manage the WAN Link traffic, providing complete bandwidth management through the public access location. Bandwidth Management shapes traffic going over the WAN Link to prevent its over-utilization. The NSE queues traffic from overly busy instances in time and sends the packets over the WAN Link when a lull in traffic occurs.
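Session Rate Limiting from the Denial of Service Management section and the per-device, asymmetric bandwidth ceilings described just above are both per-MAC rate limits, so one token-bucket model serves as an added example for both. This is illustrative code written for this page, not the NSE's shaper: the class names, the choice of one second of traffic as the burst allowance, and the sample rates (2 new sessions/s with a burst of 5; 256 kbit/s up, 1 Mbit/s down) are constructed assumptions. A packet the bucket refuses is what the paper calls queued traffic; here it is simply reported as deferred.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `burst`, starts full."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def take(self, now: float, amount: float = 1.0) -> bool:
        """Refill for the elapsed time, then consume `amount` if it is available."""
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= amount:
            self.tokens -= amount
            return True
        return False


@dataclass
class DeviceLimits:
    sessions: TokenBucket   # Session Rate Limiting: new sessions per second
    up: TokenBucket         # upstream byte ceiling
    down: TokenBucket       # downstream byte ceiling (may differ from upstream)


class PerDeviceShaper:
    """Hypothetical per-MAC enforcement of SRL plus asymmetric bandwidth ceilings."""

    def __init__(self, session_rate: float, session_burst: int, up_bps: int, down_bps: int):
        self.defaults = (session_rate, session_burst, up_bps, down_bps)
        self.devices: dict = {}

    @staticmethod
    def _byte_bucket(bps: int) -> TokenBucket:
        per_sec = bps / 8                          # bits/s -> bytes/s
        return TokenBucket(rate=per_sec, burst=per_sec)   # allow one second of traffic as burst

    def _limits(self, mac: str) -> DeviceLimits:
        mac = mac.lower()
        if mac not in self.devices:
            rate, burst, up, down = self.defaults
            self.devices[mac] = DeviceLimits(
                TokenBucket(rate, burst), self._byte_bucket(up), self._byte_bucket(down))
        return self.devices[mac]

    def new_session(self, mac: str, now: float) -> bool:
        return self._limits(mac).sessions.take(now)

    def upstream(self, mac: str, nbytes: int, now: float) -> bool:
        return self._limits(mac).up.take(now, nbytes)

    def downstream(self, mac: str, nbytes: int, now: float) -> bool:
        return self._limits(mac).down.take(now, nbytes)

    def set_bandwidth(self, mac: str, up_bps: int, down_bps: int) -> None:
        """Change a device's ceilings in place; the session bucket, and the session, survive."""
        limits = self._limits(mac)
        limits.up = self._byte_bucket(up_bps)
        limits.down = self._byte_bucket(down_bps)


def run_sample() -> dict:
    """Constructed scenario for one client MAC; values are counts of accepted attempts."""
    shaper = PerDeviceShaper(session_rate=2.0, session_burst=5, up_bps=256_000, down_bps=1_000_000)
    mac = "00:11:22:33:44:55"
    sessions_t0 = sum(shaper.new_session(mac, 0.0) for _ in range(8))        # burst of 8 at once
    sessions_t1 = sum(shaper.new_session(mac, 1.0) for _ in range(3))        # one second later
    down_1mbit = sum(shaper.downstream(mac, 1500, 0.0) for _ in range(100))  # 150 kB instantly
    up_256k = sum(shaper.upstream(mac, 1500, 0.0) for _ in range(30))        # 45 kB instantly
    shaper.set_bandwidth(mac, up_bps=512_000, down_bps=2_000_000)            # user upgrades mid-session
    down_after = sum(shaper.downstream(mac, 1500, 0.5) for _ in range(100))
    return {"sessions_t0": sessions_t0, "sessions_t1": sessions_t1, "down_1mbit": down_1mbit,
            "up_256k": up_256k, "down_after_upgrade": down_after}
```

Two properties of the model matter for the paper's claims: the session bucket is untouched by set_bandwidth, which is what allows a plan change "without having to disconnect", and the up and down buckets are independent, which is what makes the ceilings asymmetric.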
Management Features
The NSE Core running on a third party platform can be managed remotely via the built-in Web Management Interface, where various levels of administration can be set. The NSE Core also contains a CLI (Telnet and serial) and extensive SNMP support.
The NSE Core provides a unique RADIUS-driven Auto-Configuration functionality that utilizes the existing infrastructure of a provider to deliver an effortless and rapid methodology to configure devices for fast network rollout. Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all NSE devices in the public access network.
Integration of the NSE into an edge device such as an Access Point or wireless gateway allows the equipment maker to provide a full-featured device designed specifically for the public access