Feature Overview

Marketing Flash
Nomadix Key Features Overview
Introduction
The Nomadix Public-access Gateways are stand-alone, dedicated network appliances
placed at the edge solving key issues of connectivity, security, billing and roaming in
Public-access networks. Nomadix offers 4 different platforms capable of serving a wide
variety of venue types including airports, hotels, convention centers, college campuses
and Wi-Fi HotSpots:
• AG2100
• AG3000
• AG5000
• AG5000 Metro
Based on the proven USG platform that has been successfully deployed in thousands of
locations worldwide, the AG family of Gateways handles transparent connectivity,
authentication, bandwidth shaping, and service placement supporting flexible
configurations of up to 4,000 simultaneous users in a broadband-enabled environment.
The AG5000 offers:
• Up to 2,000 simultaneous users
• Mobile Connectivity
• Advanced Security and Access Control
• Network-based Authentication
• Bandwidth Management
• Service Presentment
Integration of a Nomadix Gateway into the network enables the rapid rollout of
ubiquitous broadband Internet services in any public “hot spot.” The Nomadix Gateways
offer a unique set of security and connectivity features for service providers needing to
provide universal connectivity and network-based authentication and service presentment.
Designed for smaller scale deployments, the AG2100 (max. 50 subscribers) and the
AG3000 (max. 200 subscribers) are the platforms of choice. For larger deployments
such as airports and larger hotels, the AG5000 platforms can support up to 2,000
subscribers and are the ideal products for these locations.
Table of Contents
Introduction
Table of Contents
Listing of Nomadix Key Areas
Plug and Play
Dynamic Address Translation™
Dynamic Transparent Proxy Support
STUN Support
HTTPS Support
Service Presentment
Internal Web Server (IWS)
Local Web Server
External Web Server (EWS)
Login Page Failover
Information and Control Console (ICC)
Explicit Logout pop-up window
Portal Page Parameter Passing
Goodbye URL Support
Screen Size and JAVA Detect
Splash Screen and Partner Image
International Language Support
End User VPN support
iNAT™ Functionality
iNAT™ UDP Packet Fragmentation Support
Bandwidth management
End User Bandwidth Management
Wide Area Network side Bandwidth Management
Simultaneous Authentication
AAA
MAC based Authentication
Group Accounts
IEEE 802.1x Support
RADIUS (AAA) Proxy
NAI Routing
Smart Client Support
RADIUS Re-authentication
Idle User Management
Cookie Placement (“Remember Me” – feature)
RFC 1493 Cascading Support
Billing
Billing Options
Duration-based Billing
Stand-alone Billing
PMS-support
PMS Query support
Post-paid PMS billing
Credit Card payments
Simultaneous billing time parameter IWS
Max. billable unit support for PMS and Credit Card billing
RADIUS based Billing
RADIUS Attributes
RADIUS counting Packets Sent/Received
Nomadix RADIUS Vendor Specific Attributes (VSA)
Free Access Monitoring
Port-based Policies
Security
Selective Access Control
Tracking Syslogs
SSL support for Internal Web Server
Increased Device Security
URL Filtering
Proxy ARP Support
Security and Denial of Service Management
Session Rate Limiting and MAC Filtering
ICMP Blocking
Secure XML
End User IP address management
Multiple DHCP Pools and Subnets
IP Address Upsell
SNMP Re-Direct
SMTP Support for correctly configured subscribers
DNS support for SMTP redirect
Network Management
Management Interfaces
Static Port Mapping for Devices on Private IPs
Location Identifier
‘One click’ DAT™ session clearance
“Help” Link at Login Screen
Administrative Access policy setting
Remote Authentication Testing Facility
Easier Troubleshooting and Setup
Centralized Management
SNMP MIB
High-Availability
Fail-over
Remote (central) Printer support
Driverless Printing (Click 2 Print)
Listing of Nomadix Key Areas
Plug and Play
Dynamic Address Translation™
Technical barriers have previously stood in the way of providing profitable, customer-friendly ubiquitous Internet access—most notably, the expense and complication of
reconfiguring every computer or device so it can access the Internet regardless of how it
was originally configured.
• No client-side software
• Transparent HTTP Proxy support (subscribers do not need to disable their proxies).
• DNS (Domain Name Server) Redirection (subscribers’ DNS requests are redirected to a
local server).
• SMTP server redirection support (subscribers’ outgoing email is redirected to a local
server).
Nomadix’ patented Dynamic Address Translation (DAT™) function offers a true “plug-and-play” solution that provides transparent broadband network connectivity covering
every PC configuration (static IP, DHCP, DNS, and proxies), ensuring that everyone
gets access to the Public-access “hot spot” or Visitor-based Network (VBN). In addition,
Nomadix delivers additional advanced plug-n-play features that allow the seamless
sending of email, as well as the transparent usage of VPN services (IPSEC, PPTP) and
popular applications such as NetMeeting in an address translated network.
No client-side software or changes
to the PC’s configuration are
required in order to get connected
in an NSE-enabled network.
Nomadix developed DAT to actively monitor every packet transmitted from each device
to ensure each packet is correctly configured for the network that the computer is
expecting. As a result, every customer can get access to the network without having to
reconfigure their computer, PDA or other Internet access device or load client-side
software.
DAT also ensures that a DNS server is always available to a user through the DNS
redirection function. The DNS redirection function redirects a user’s DNS requests to a
local DNS server closer to the customer’s location. This improves the response time and
enables true plug-and-play access when the subscriber’s configured DNS server is
behind a firewall or located on a private Intranet.
Dynamic Transparent Proxy Support
From the 4.3 release, the Gateways support clients that dynamically change their browser’s
proxy status from non-proxy to proxy. Transparent proxy support has also been
enhanced with support for additional assigned port ranges (e.g. ports 800-900,
911).
STUN Support
The NSE Dynamic Address Translation (DAT) functionality has been enhanced to
support the STUN Protocol and to conform to a restricted cone network address
translation (NAT) style of operation.
HTTPS Support
It is possible for the administrator to set the AG to pass-thru HTTPS traffic in addition to
standard port 80 traffic without being redirected.
Once access to a non-HTTPS address (such as a stock broker or bank) has been
requested, the subscriber will then be redirected as usual.
Service Presentment
Once connected to the Public-access “hot spot” or VBN, a customer needs to be
directed to a Web site for local or personalized services, or to establish an account and
pay for services. For example, in an airport, a customer using an 802.11 wireless LAN
device can be presented with flight information. In a hotel, guests can be presented with
local concierge services, network-based printing offers or other eCommerce content.
Nomadix has developed sophisticated web page redirection technology that allows the
service provider to control the initial content experience prior and/or post authentication.
Internal Web Server (IWS)
The Nomadix Gateways contain an Internal Web Server that can deliver SSL encrypted
web pages that come pre-configured for user authentication and authorization. All core
parameters of these web pages (e.g. logos, text, font, colors) can be changed without
any knowledge of HTML. A banner at the top of each Internal Web Server page is
configurable and can contain the “hot spot” owner’s logo or any other image they desire.
[Figure: Internal Web Server pages: Login or New Account; Verify and Purchase; Service Selection]
Local Web Server
This release introduces the Local Web Server capability which enables the NSE to host
a limited number of web pages locally on its flash. These web pages can be served to
the subscribers during pre-authentication or during post-authentication phase. These
web pages can be updated remotely and uploaded using FTP on to the NSE. With this
capability there is no need to have a dedicated web server on site if the requirement is to
serve a few custom web pages to the end users.
External Web Server (EWS)
In External Web Server mode, the administrator defines the URL where the graphic
content of the Home Page Redirect is stored.
Login Page Failover
For installations that use an External Web Server or a Portal Server to provision their
Login and Authentication Pages to the subscribers, the Login Page Failover feature
provides a way for administrators to configure secondary or tertiary Login Pages in case
the primary Login Page becomes unavailable. This mechanism guarantees that the
subscribers will have some way of authenticating themselves and accessing the Internet
if the External and Portal Servers fail.
Information and Control Console (ICC)
The ICC drives a JAVA-based applet down to each customer’s Internet Browser
providing them with the ability to self-select services, upgrade their bandwidth and
service plans in a real-time fashion.
The existing JAVA-based ICC has been replaced with an HTML/Javascript version to
enhance its performance and reduce browser compatibility issues while also allowing its
distribution from a centralized location/server. (from 4.3 onwards)
The ICC allows the premise owner or service provider to send custom messages and
advertising directly to the screen of the customer. For credit card and PMS usage, the
ICC displays a dynamic “time” field to inform customers of the time remaining on their
account.
Explicit Logout pop-up window
The NSE lets the administrator define a simple HTML-based pop-up window for explicit
logout that can be used as an alternative to the more fully featured ICC. The Pop Up
Log-Out button contains the opportunity to display the elapsed/count-down time and one
logo for intra-session service branding. (from 4.3 onwards)
Portal Page Parameter Passing
The Portal Page Redirect (PPR) feature of the Nomadix Gateways enables the Public-access network to intercept the browser’s home page setting prior to authentication and
redirect it to a new portal page determined by the service provider or premise owner.
When redirecting the customer to a new home page, the original home page (Origin
Server) is passed as a parameter to the new home page so the customer can still
access their default home page after the local or personalized page has been presented.
The Home Page Redirect (HPR) feature of the Nomadix Gateways allows the service
provider to display a post-authentication web page tailored either to the user’s location
(e.g. Train Schedules for HotSpot at Waterloo Station) or the user himself (e.g. Welcome
John Smith – here is your personalized home page for the HotSpot Service). The
Gateways contain a comprehensive HTTP page redirection logic that allows for a page
redirect before (aka Portal Page Redirect) and/or after the authentication process (aka
Home Page Redirect).
A defined set of parameters to the portal page redirection logic allows an External Web
Server to perform a redirection based on:
• VLAN ID
• Subscriber MAC address
• Externally hosted RADIUS login failure page
This means that the network administrator can now perform location-specific service
branding (e.g. for an airport lounge) from a centralized web server.
• RADIUS Home Page Redirect
This feature allows the Gateway to receive a Nomadix VSA from the RADIUS server for
URL redirect. This feature provides a method for each user to be redirected to a different
site upon login based on a RADIUS attribute.
Goodbye URL Support
From the 4.3 release, Nomadix has created a 5th step in Service Branding for Operators and
other Public-access network operators: the Goodbye Page. The 5 steps in Service
Branding now available in a Nomadix-enabled network include the following:
1. Initial Flash Page branding.
2. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to
redirect the user to a venue-specific welcome and login page.
3. Home Page Redirect (Post-Authentication). This redirect page can be set to the
individual user (as part of the RADIUS Reply message, the URL is received by
the Nomadix Access Gateway) or set to re-display itself at freely configurable
intervals.
4. The ICC contains multiple opportunities for the Operator to display its branding
or the branding of partners during the user session.
5. The Goodbye page is a post session page that can either be defined as a
RADIUS VSA or be driven by the internal web server in the NSE. Using the
Internal Web Server option means that this functionality is available for other
post-paid billing mechanisms (e.g. post-paid PMS) as well. This IWS page
displays the details of the user’s connection such as:
- IP address of the user
- Type of AAA
- Start/Stop time
- Bytes sent/received
- Freely configurable Hypertext link (in case the ISP wants to link the user
back to a sign-up/help page)
[Figure: The Nomadix 5-Step Service Branding Methodology]
Screen Size and JAVA Detect
In order to better support PDAs and other handheld devices, the Nomadix Gateways
contain functionality that will automatically format the IWS pages to a screen size that is
optimal for the particular device. Since most PDAs today do not support JAVA applets,
the Gateway will also contain the necessary intelligence to prevent inconclusive JAVA
error messages caused by the IWS.
Splash Screen and Partner Image
Allow the display of the “You are being connected screen” and Partner Image even when
AAA is turned off.
International Language Support
Nomadix supports international customers by providing translations of the Information
and Control Console (ICC) into Japanese, Chinese, French, German and Spanish.
The AG platform allows all IWS text to be freely configurable/translatable. This includes
both the text in the IWS dialog boxes and the text on the IWS buttons (e.g. ‘Enter’,
‘Back’, etc).
End User VPN support
iNAT™ Functionality
The iNAT™ feature measurably improves the connection success rate of multiple VPN
tunnels to the same termination device, while optimizing the usage of available public IP
addresses.
• It uniquely supports users with static private (e.g. 192.168.x.x) or public (different
subnet) IP addresses without any client IP setting changes
• It dynamically adjusts the mode of address translation during the user’s session
depending on the packet type
• iNAT™ dramatically heightens the reusability factor of costly public IP addresses
(‘only use them when you need them’), while maintaining the security benefits of
traditional address-translation technologies
iNAT™ UDP Packet Fragmentation Support
(From version 4.3). Nomadix recently added support for UDP fragmentation within iNAT
to provide more seamless support for certificate-based VPN connections.
Bandwidth management
End User Bandwidth Management
The Bandwidth Management feature of the Nomadix Gateway enables service providers
to limit bandwidth usage on a per device (MAC Address/User) basis. This ensures every
user has a quality experience by placing a bandwidth ceiling on each device accessing
the network so every user gets a fair share of the available bandwidth.
The bandwidth for each device can be defined asymmetrically for both upstream and
downstream data transmissions. The service provider can also allow the individual user
to increase or decrease their bandwidth and/or change their IP address type (private vs.
public) dynamically without having to disconnect or re-establish a new session.
Wide Area Network side Bandwidth Management
The Nomadix Gateway can also manage the WAN Link traffic providing complete
bandwidth management through the Public-access “hot spot.” Bandwidth Management
shapes traffic going over the WAN link to prevent its over-utilization. The Gateway
queues traffic during overly busy periods and sends the packets over the WAN
Link when a lull in traffic occurs.
Simultaneous Authentication
AAA
A Nomadix-enabled network can automatically authenticate, authorize, track, and bill
users for broadband access. Customers can be identified and billed according to their
Media Access Control (MAC) address, username/password, and/or port identification
number.
The Authentication, Authorization and Accounting (AAA) module of the Gateway offers
various tracking, billing and security features for Web based self-provisioning, including
RADIUS Authentication, Authorization and Accounting as well as credit card billing. The
AG also supports an open XML Interface for control and integration with other network
components.
The Nomadix Gateway also simultaneously supports various proprietary and standards-based authentication methods such as IEEE 802.1x and client-based solutions such as
those provided by Boingo Wireless, iPass and GRIC – the goal of which is to automate
the authentication process rendering the wholesale service provider transparent and
enabling Global Roaming across wireless LAN networks at the client level.
MAC based Authentication
The NSE already supports authentication for Web-based Universal Access Method
(UAM) clients and IEEE 802.1x clients. This release adds another method known as
MAC authentication. MAC authentication makes it possible for devices that do not
support a browser (like PSP, VoIP phones etc.) to be authenticated based on the device
MAC address. With this unique methodology, these devices can be automatically
authenticated against a RADIUS server using their MAC addresses while simultaneously
supporting other types of subscribers, via UAM or IEEE 802.1x.
Group Accounts
The NSE now supports group accounts or concurrent logins. Administrators can create a
special group account with a group username and password. Group members can then
login using these credentials. This feature is useful when giving out access to groups of
users for special occasions.
IEEE 802.1x Support
Nomadix supports the IEEE 802.1x standard for port-based authentication. 802.1x is a
standard for port-based Access Control that can be used by LAN access concentrators
(such as wireless Access Points, switches, hubs, etc.) to turn ports (points where the
clients connect to the concentrator) on and off based on the authentication state of the
client.
In order to deploy 802.1x in a network, support for the standard must be present in the
client computer (via Windows XP), the point of aggregation (e.g. Access Point) and in
the RADIUS server. Also note that many companies are coming out with their own
802.1x clients and that Microsoft is planning patches to most of its Operating Systems to
support 802.1x.
The Nomadix Gateway can now take the place of the “Authenticator” in an 802.1x
enabled network which is a function typically done by an Access Point or some other
LAN access concentrator. By becoming the Authenticator, the Nomadix Gateway allows
the deployment of lower-cost, non-802.1x enabled Access Points while still deriving the
benefits of 802.1x within the network. It also allows the administrator to deploy a network
that can support both 802.1x enabled clients and non-802.1x enabled clients
simultaneously.
“Edge-driven WISP Roaming”
RADIUS (AAA) Proxy
The purpose of the RADIUS or AAA Proxy functionality in the NSE is to relay
authentication and accounting packets between the parties performing the authentication
process. Different realms can be set up to directly channel RADIUS messages to the
various RADIUS servers. This functionality can be effectively deployed to:
• Support a wholesale WISP model directly from the edge without the need for any
centralized AAA proxy infrastructure
• Support EAP authenticators (e.g. WLAN Access Point) on the subscriber-side of
the NSE to transparently proxy all EAP types (e.g. TLS, SIM) and to allow for the
distribution of per-session keys to EAP authenticators and supplicants.
NAI Routing
Complementing the RADIUS Proxy functionality in the NSE is the ability to route
RADIUS messages depending on the Network Access Identifier (NAI). Both prefix (e.g.
ISP/username@ISP.net) and suffix-based (username@ISP.net) NAI routing
mechanisms are supported.
Together, the RADIUS Proxy and NAI Routing further support the deployment of the
Wholesale Wi-Fi model allowing multiple providers to service one location.
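The prefix and suffix routing described above, sketched as an added example; it is not Nomadix code and not part of the original document. The realm tables, server addresses, the prefix-before-suffix precedence, the default-server fallback and the stripping of the matched realm are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_USER_NAME_OCTETS = 253  # largest value a single RADIUS attribute can carry

# Constructed realm tables (hypothetical): realm -> (RADIUS server, port).
# Addresses come from the RFC 5737 documentation range.
PREFIX_REALMS = {"isp": ("192.0.2.10", 1812)}
SUFFIX_REALMS = {"isp.net": ("192.0.2.20", 1812)}
DEFAULT_SERVER = ("192.0.2.1", 1812)  # assumption: unknown realms are sent here


class MalformedNAI(ValueError):
    """Raised for identifiers that should not be forwarded to any server."""


@dataclass(frozen=True)
class Route:
    style: str               # "prefix", "suffix" or "default"
    realm: Optional[str]     # matched realm, lower-cased; None for default
    username: str            # identifier with the matched realm removed
    server: Tuple[str, int]  # upstream RADIUS server chosen for the request


def _validate(nai: str) -> None:
    """Reject identifiers that are empty, oversized or carry control bytes."""
    if not nai:
        raise MalformedNAI("empty identifier")
    if len(nai.encode("utf-8")) > MAX_USER_NAME_OCTETS:
        raise MalformedNAI("identifier longer than a RADIUS attribute allows")
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in nai):
        raise MalformedNAI("whitespace or control character in identifier")


def route_nai(nai: str) -> Route:
    """Pick an upstream server from the realm decoration of an NAI."""
    _validate(nai)

    # Prefix style (ISP/username@ISP.net): the realm is the text before the
    # first '/'. Assumption: a known prefix realm wins over any suffix realm.
    if "/" in nai:
        head, rest = nai.split("/", 1)
        if not head or not rest:
            raise MalformedNAI("empty realm or user part around '/'")
        server = PREFIX_REALMS.get(head.lower())
        if server:
            return Route("prefix", head.lower(), rest, server)

    # Suffix style (username@ISP.net): split on the LAST '@' so that a user
    # part containing '@' cannot change which realm is selected.
    if "@" in nai:
        user, realm = nai.rsplit("@", 1)
        if not user or not realm:
            raise MalformedNAI("empty user or realm part around '@'")
        server = SUFFIX_REALMS.get(realm.lower())
        if server:
            return Route("suffix", realm.lower(), user, server)

    # No configured realm matched: forward the identifier unchanged.
    return Route("default", None, nai, DEFAULT_SERVER)


if __name__ == "__main__":
    for sample in ("ISP/username@ISP.net", "username@ISP.net", "bob"):
        print(sample, "->", route_nai(sample))
```

Realm names are compared case-insensitively, and malformed identifiers are rejected before any table lookup so they never reach an upstream server.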
Smart Client Support
Nomadix supports various broadband Smart Clients being sold to Enterprise users.
Support is provided for Smart Clients from iPass, GRIC and Boingo.
iPass Generic Interface Specification (GIS) is supported (from 4.3 onwards).
Support for all these types of authentication mechanisms enables the concept of global
roaming where one bill can follow a mobile professional wherever they travel.
A dedicated White Paper explaining this new functionality is available from Nomadix tech
support.
RADIUS Re-authentication
Nomadix’ RADIUS Re-authentication feature supports multiple MAC addresses per
UN/PW combination. This enhances the user-friendliness of this feature for users with
multiple PCs that only want to use one login.
The RADIUS Re-Authentication buffer contained within the NSE has been expanded
(from 48) to 720 hours, thus allowing an even more seamless and transparent
connection experience for repeat users. (from 4.3 onwards)
Idle User Management
There is an option to force Credit Card and PMS subscribers to enter a username and
password when they purchase Internet Access. Nomadix allows the network
administrator to set a policy to force the user to login after being idle even if they are
coming in from the same MAC address.
Cookie Placement (“Remember Me” – feature)
This feature allows the IWS to store an encrypted Login Cookie in the browser to
"Remember me" using UN/PW/NAI between Access Points, thus creating a better user
experience in wireless networks.
RFC 1493 Cascading Support
From a network architecture perspective, it is common practice to cascade multiple
DSLAMs or switches together so a service provider or property owner can increase the
port density of the in-building access concentration equipment.
Certain Nomadix Gateways are capable of supporting up to fifty (50) RFC 1493 compliant
DSLAMs, TUT MDU Lite, HR and LR DSLAMs that are cascaded together to correctly
perform port location. Nomadix also supports any RFC 1493 compliant 3COM/ RC
Networks device that is designed in a cascaded or parallel configuration.
In a cascaded configuration, one central switch may control several secondary switches
in order to obtain network related information. Thus, the Nomadix Gateway will be able
to query the primary switch to retrieve MIB information from the primary switch and any
secondary switches. In a parallel configuration, the switches act as peers to one another
and will send distinct MIB queries to the Gateway.
Billing
Billing Options
Nomadix provides a very rich set of billing features.
1. Local billing features
• Connection to Hotel Property Management System for “bill to my room”
• Internal AG database for ad-hoc creation of UN/PW
2. Central billing features
• Credit Card payments (cleared by a remote Credit Card broker)
• RADIUS
Duration-based Billing
The purpose of this feature is to let hotels create billing plans that work in a similar
fashion to pre-paid telephone cards. This means an Operator can set the Internal Web
Server (IWS) of the NSE to let users online for time ‘x’ over period ‘y’. Standard billing
plans (time x = period y) can be used concurrently. For example, multiple plans with
flexible billing event options can be rolled out such as:
- Plan A: 24 hours, 256kbit/s downstream, 128kbit/s upstream, public IP address,
$15
- Plan B: 8 hours to be used over 5 days, 512kbit/s downstream, 256kbit/s
upstream, private IP address, $35
- Plan C: 1 week, 1mbit/s downstream, 1mbit/s upstream, public IP address, $99
In addition to credit card billing, Property Management Systems used by hotels are also
supported along with the internal data base of the NSE and billing via Nomadix’ secure
XML API.
Stand-alone Billing
From version 4.3 of the NSE, the Gateway supports the option to let the administrator create
a set of user profiles (Username, Password, Duration, Bandwidth Up, Bandwidth Down)
in the internal database and then start the count down timer upon user login. This
functionality has also been added to the NSE’s secure XML API. Applications of this
functionality can be found in the hospitality arena, as well as in smaller scale stand-alone
Public-access networks (e.g. hospitals).
PMS-support
Nomadix continues to provide certified interoperability with the largest number of
property management systems (PMS) in the market. The Nomadix Gateway
interoperates with all HOBIC protocol based PMS systems, all PMS systems used by
Hilton, the PMS protocol used in the NH Hotel Group, the Xeta Virtual XL™ call accounting
system, Ramesys ImagInn™, Marriott’s proprietary PMS solution, System 21 PMS and
igets.net. It also offers post-paid usage-based PMS billing and a private DNS ‘logout’
option.
2-Way OnQ (System 21) Compliance
(From version 4.3) The NSE’s proven Micros POS emulation interface has been adapted
to be interoperable with Hilton Corporation’s OnQ PMS system. OnQ is quickly replacing
all legacy PMS installations within Hilton North America (H1, H2) and currently Nomadix
is the only Gateway vendor that has both approved 1-Way (i.e. posting only, generally
used in wired networks) and 2-Way interfaces (i.e. query and post, specifically
developed to support Wi-Fi-enabled hotel networks).
Galaxy PMS Support
(From version 4.3) This release offers a 2-way interface to the Galaxy PMS system.
Micros FIAS Interface Compliance
(From version 4.3) Nomadix has extended its existing interfaces to the popular Micros
Fidelio PMS system to include three new interfaces. These interfaces have been tested
and approved by Micros Fidelio. In detail, the new interfaces are:
- TCP/IP interface for PMS post messages to Micros Fidelio Opera
- Serial FIAS-compliant post interface
- Serial FIAS-compliant extension to the existing Micros POS (i.e. 2-Way)
  emulation. The new interface includes the option to define a third query field (i.e.
  reservation number) to enhance security in wireless high-speed Internet access
  networks in hotels.
PMS Query support
Nomadix is able to query most popular PMS systems for confirmation of the name and
room number of the hotel guest/s. In essence, the Gateway will be a ‘clone’ of a popular
Micros POS system.
This will allow the hotel to seamlessly deploy wireless networks or, alternatively, use
low-cost wired access concentration equipment (e.g. certain HPNA gateways, DSLAMs,
CMTS solutions or even plain hubs) that either do not support port-ID or do so in a
proprietary format that Nomadix does not currently support and still be able to bill directly
to the room.
As with standard posting interfaces, most PMS vendors are likely to charge additional
fees for the PMS query interface. This feature was developed based on the Micros
Specification for 1700/2000/3700/4700/8700 system software (Part Number: 150502029). PMS solution vendors that have informed Nomadix about their interoperability with
the above specification include Micros, Hilton (H1, H2, System 21), HIS, Marriott and
GETS.
Post-paid PMS billing
Nomadix first implemented post-paid PMS billing logic to support the proprietary NH
PMS interface. Now, this billing logic has been extended to support all existing PMS
interfaces (e.g. all five HOBIC versions, Marriott, Micros Fidelio, etc.). With the new
functionality, the hotel guest now has the option to terminate his connection (via the ICC)
and be only billed for the actual time he/she was online.
Credit Card payments
Advanced functionality, such as integration with on-line secure credit card based
self-provisioning, allows the customer to set up a credit or time based pre-paid account. Also,
in order to support a revenue splitting business model between access providers and
service providers, an integrated Billing Mirror capability is provided that performs logging
of customers’ billing activities to more than one server. This allows BT to perform
ad-hoc, pay-per-use service creation – a critical function to grow its customer base.
Simultaneous billing time parameter IWS
Nomadix has support for multiple simultaneous billing plans using PMS or Credit Card
AAA. For example, a hotel can now offer an hourly plan (e.g. $2) and a daily plan (e.g.
$15) at the same time without any External Web Server based XML scripts.
Incentive-based Billing: Promotional/discount code support for PMS and Credit Card
billing
This functionality offers you the opportunity to provide price incentives to
preferred customer groups.
Max. billable unit support for PMS and Credit Card billing
In conjunction with the Minimum billable unit support, the Maximum billable unit support
allows you to define a range of values that the end-user can enter to purchase access,
thus preventing user complaints.
RADIUS based Billing
Nomadix has an integrated RADIUS client allowing the service provider to track or bill
based upon number of connections, location of the connection, bytes sent and received,
connect time, etc. The customer database can exist in a central RADIUS Server, along
with associated attributes for each user. When a customer connects into the network,
the RADIUS client authenticates the customer with the RADIUS Server, applies
associated attributes stored in that customer’s profile, and logs their activity (including
bytes transferred, connect time, etc.). Our RADIUS implementation also handles
vendor-specific attributes (VSAs) required by the emerging class of wireless service providers—
like BT and others—that want to enable more advanced services and billing schemes
such as a fixed per device per month connectivity fee.
RADIUS Attributes
RADIUS Attributes are available to enhance the flexibility of the Nomadix Gateway.
These new RADIUS attributes include:
• NAS-IP Address
• NAS-Port-Type
• Acct-Session-ID
• EAP-Packet
• Message-Authenticator
• State
• Acct-Interim-Interval
• Acct-Output-Packets
• Acct-Input-Packets
• Called-Station-ID
• Calling-Station-ID
RADIUS counting Packets Sent/Received
The RADIUS Accounting Start Packets Sent and Received values can be reset to zero
after login which gives the network administrator the option of either counting or not
counting Walled Garden traffic.
Nomadix RADIUS Vendor Specific Attributes (VSA)
• Time-based session timeout (to terminate a session once a specified time period
has been reached)
• Specified as date and time (e.g. 24:00/30 July 2003). This enhances the usability
of the product for pre-paid card visitor-based broadband networks.
• Volume-Based Session Timeout (to terminate a session once a specified data
volume has been reached)
• Log-Off-URL (to allow the placement of a Log-Off-URL – e.g. 1.1.1.1 – on an
external portal page)
• Reject-Message (to allow the customization of reject messages)
• Session-Terminate-End-Of-Day (to allow business policies terminating the
session at midnight of every day)
• Subnet (to allocate a specific subnet to a user)
Please see the RADIUS Overview Specification for additional details on the AG RADIUS
implementation.
Free Access Monitoring
Nomadix is able to send usage information of ‘free access’ or non-authenticated users to
external servers similar to the existing billing mirror feature.
Port-based Policies
The Port Location capabilities on the NSE have been enhanced. It is now possible to
define a policy per port. The billing methods (RADIUS, Credit Card, PMS, L2TP
Tunneling) and the billing plans available on each port can now be individually
configured.
A practical application of this feature is to have a hotel guest room with a plan that is for
$9.99 a day with the ability to bill to the room using the property management system
(PMS) billing and have a hotel meeting room with a plan of $14.99 an hour with Credit
Card billing.
Security
Selective Access Control
The Nomadix Gateways can be used to create a “walled garden,” allowing visitors to
access the network to predetermined Web sites, services or applications even though
they may not have subscribed to the broadband Internet service. A Nomadix-enabled
network provides up to 300 IP pass-through addresses and allows the service provider
to enforce security based upon whether or not the customer has been authenticated.
The “walled garden” can be used to push local content and services, providing a custom
experience dependent upon the public “hot spot” owner.
By allowing selective access control to the network before the customer authenticates
themselves, service selection and Web based self-provisioning can be provided in a
standard, efficient, low cost and convenient way that does not depend upon the transport
technology (wired or wireless).
Tracking Syslogs
The NSE now supports Tracking Syslogs. This is a part of the Nomadix Lawful Intercept
compliance strategy.
The Tracking Syslogs can be enabled to monitor all the port assignments for the users
accessing a public network. These tracking logs enable trace-back to a particular MAC
address and Username based on port and IP information available to an external site
that has been attacked, hacked or used in an illegal fashion.
The tracking logs carry the following information.
1) Time Stamp
2) Source IP
3) Source Port
4) Destination IP
5) Destination Port
6) Translated IP
7) Translated Port
8) User Details
a. MAC Address
b. Local IP assigned
c. Type of user (RADIUS, PMS, Credit Card, XML, Admin Added...)
d. Username (if available)
A sample Tracking Log:
2005-06-24 01:11:29 Local1.Info
67.130.149.4 INFO [HSG v2.4.113] LI : IN-->: FRI
JUN 24 00:57:00 2005 | Site Name | S(192.168.2.4/3562), D(81.241.232.211/3478),
X(67.130.149.4/5003), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000
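The trace-back these logs are meant to support, as an added example (not Nomadix code): it parses the sample line above and finds the subscriber behind a translated IP and port at a given time. The field layout is inferred from that one sample; `parse_line`, `trace_back`, the second log line and the 30-minute window are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Field layout inferred from the one sample line on the page (an assumption):
# LI : <dir>: <gateway time> | <site> | S(ip/port), D(ip/port), X(ip/port),
# <proxy flag>, <MAC>, <user type>[, <username>]
LINE_RE = re.compile(
    r"LI\s*:\s*(?P<direction>\S+?):\s*"
    r"(?P<when>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*\|\s*"
    r"(?P<site>[^|]*?)\s*\|\s*"
    r"S\((?P<s_ip>[\d.]+)/(?P<s_port>\d+)\),\s*"
    r"D\((?P<d_ip>[\d.]+)/(?P<d_port>\d+)\),\s*"
    r"X\((?P<x_ip>[\d.]+)/(?P<x_port>\d+)\),\s*"
    r"(?P<proxy>[^,]*?)\s*,\s*"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*,\s*"
    r"(?P<user_type>[^,]*?)\s*(?:,\s*(?P<username>.*?))?\s*$"
)

@dataclass(frozen=True)
class TrackingRecord:
    when: datetime           # the gateway's own timestamp, not the syslog receiver's
    site: str
    source: tuple            # subscriber-side (ip, port)
    destination: tuple       # (ip, port) of the external site
    translated: tuple        # (ip, port) as seen by the external site
    mac: str
    user_type: str
    username: Optional[str]

def parse_line(line: str) -> Optional[TrackingRecord]:
    """Parse one tracking syslog line; return None if it is not an LI record."""
    m = LINE_RE.search(" ".join(line.split()))  # collapse wrapping and space runs
    if m is None:
        return None
    g = m.groupdict()
    return TrackingRecord(
        when=datetime.strptime(g["when"], "%a %b %d %H:%M:%S %Y"),
        site=g["site"],
        source=(g["s_ip"], int(g["s_port"])),
        destination=(g["d_ip"], int(g["d_port"])),
        translated=(g["x_ip"], int(g["x_port"])),
        mac=g["mac"].lower(),
        user_type=g["user_type"],
        username=g["username"] or None,
    )

def trace_back(records: Iterable[TrackingRecord], x_ip: str, x_port: int,
               seen_at: datetime, window: timedelta = timedelta(minutes=30)):
    """Newest record for the translated ip/port logged within `window` before seen_at."""
    # Translated ports are reused by later sessions, so the time bound matters;
    # 30 minutes is an assumed value, not a Nomadix setting.
    hits = [r for r in records
            if r.translated == (x_ip, x_port)
            and timedelta(0) <= seen_at - r.when <= window]
    return max(hits, key=lambda r: r.when, default=None)

SAMPLE_LINES = [
    # The sample line from the page, joined onto one line.
    "2005-06-24 01:11:29 Local1.Info 67.130.149.4 INFO [HSG v2.4.113] LI : IN-->: "
    "FRI JUN 24 00:57:00 2005 | Site Name | S(192.168.2.4/3562), "
    "D(81.241.232.211/3478), X(67.130.149.4/5003), non-proxy , "
    "00:90:27:78:81:00, RADIUS, IPASS/0U0000",
    # Constructed: the same translated port reused later by another subscriber.
    "2005-06-24 09:44:10 Local1.Info 67.130.149.4 INFO [HSG v2.4.113] LI : IN-->: "
    "FRI JUN 24 09:30:00 2005 | Site Name | S(192.168.2.9/4100), "
    "D(192.0.2.10/80), X(67.130.149.4/5003), non-proxy , "
    "02:00:00:00:00:01, PMS, room-constructed",
]
RECORDS = [r for r in map(parse_line, SAMPLE_LINES) if r is not None]
```

The lookup uses the gateway's timestamp inside the record; in the page's sample the syslog receiver's timestamp differs from it by several minutes, so reports from external sites should be compared against a known clock offset.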
SSL support for Internal Web Server
This feature allows for the creation of an end-to-end encrypted link between the Nomadix
Gateway and the clients by enabling the IWS to display pages under a secure link. This
is important when transmitting AAA information in a wireless network, in particular when
using RADIUS.
Adding SSL support to the Gateway’s functionality will also mean that the service
provider will have to obtain a digital certificate from VeriSign to create HTTPS pages.
Charges for the certificate depend on the encryption level (40bit or 128 bit) and generally
range from approx. $350 to $900. Instructions on how to obtain such certificates will be
furnished by Nomadix.
Increased Device Security
The Nomadix Gateways now incorporate a master access control list that checks the
source (IP address) of administrator logins. This allows an administrator login only if a
match is made with the master list contained on the product. If a match is not made, the
login is denied, even if a correct login name and password are supplied. The access
control list supports up to 50 entries in the form of a specific IP address.
URL Filtering
The Nomadix Gateway can now restrict access to up to 300 specified websites based on
URLs defined by the administrator. URL filtering will block access to a list of sites and/or
domains entered by the administrator via three ways:
• Host IP address (e.g. 64.209.75.254)
• Host DNS name (e.g. www.yahoo.com)
• DNS domain name (e.g. *.yahoo.com, meaning all sites under the yahoo.com
hierarchy, e.g. finance.yahoo.com, sports.yahoo.com, etc).
The system administrator will be able to dynamically add or remove specific IP
addresses and domain names to be filtered for each property allowing service providers
and property owners to restrict certain sites from being visited, i.e. pornography,
gambling, etc.
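The three entry forms listed above, as an added matching example (not Nomadix's implementation). The class name `UrlFilter`, the `www.example.org` entry and the choice that `*.yahoo.com` does not cover the bare `yahoo.com` are assumptions; the 300-entry limit is the page's.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 300  # limit stated on the page

def _norm_host(host: str) -> str:
    """Lower-case a host name and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()

class UrlFilter:
    """Block list holding host IPs, host DNS names and '*.domain' entries."""

    def __init__(self, entries):
        entries = list(entries)
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} entries are supported")
        self.ips, self.hosts, self.domains = set(), set(), set()
        for entry in entries:
            entry = _norm_host(entry)
            if entry.startswith("*."):
                self.domains.add(entry[2:])      # DNS domain name entry
                continue
            try:
                self.ips.add(ipaddress.ip_address(entry))   # host IP entry
            except ValueError:
                self.hosts.add(entry)            # host DNS name entry

    def blocks(self, url: str) -> bool:
        """Return True if the URL's host matches any entry."""
        # Accept bare host names as well as full URLs.
        host = urlsplit(url if "//" in url else "//" + url).hostname or ""
        host = _norm_host(host)
        try:
            return ipaddress.ip_address(host) in self.ips
        except ValueError:
            pass
        if host in self.hosts:
            return True
        # Match on a label boundary so 'notyahoo.com' is not caught by
        # '*.yahoo.com'; the bare domain itself is assumed not covered.
        return any(host.endswith("." + d) for d in self.domains)

# Constructed block list using the page's examples plus one made-up host.
EXAMPLE_FILTER = UrlFilter(["64.209.75.254", "www.example.org", "*.yahoo.com"])
```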
Proxy ARP Support
Network administrators can enable simultaneous network security and same subnet
VoIP communication with the flexible proxy ARP definition feature. Changes in the WMI
enable the easy configuration of the Proxy ARP functionality.
Security and Denial of Service Management
Session Rate Limiting and MAC Filtering
Session Rate Limiting (SRL) and MAC Address Filtering provide enhancements to
Nomadix’ Access Control technology, significantly reducing the risks of Denial of Service
attacks by allowing administrators to throttle the number of sessions any one user can take
over a given time period and, if necessary, then block a malicious user.
ICMP Blocking
This release of the NSE now contains the option to block all ICMP traffic from ‘pending’
or non authenticated users that are destined to addresses other than those defined in
the pass-through (walled garden) list. Please note that the default setting for this option
is ‘off’ since ICMP pass-through is a useful end-user troubleshooting feature and also
required by certain smart clients (e.g. GRIC).
Secure XML
This feature allows the Operator to use Nomadix’ popular XML API using the built-in SSL
certificate functionality in the NSE so parameters passed between the Gateway and the
centralized web server are secured via SSL.
End User IP address management
Multiple DHCP Pools and Subnets
Subnets and DHCP pool scopes can be assigned a number by a variety of methods
such as:
• Location ID (e.g. via VLAN ID)
• Nomadix RADIUS VSA (‘Subnet’)
• Administratively assigned
The Nomadix Gateways have two separate DHCP pools that can be defined. The first
pool of addresses will contain private addresses; the second will contain public
addresses. This feature allows a service provider to keep a centralized pool of public IP
addresses at the NOC and use the Gateway to distribute private IP addresses.
When a subscriber selects a service plan with a public pool address, Nomadix will
associate their MAC address with their public IP address for the duration of the service
level agreement. This feature also allows the administrator to set two different DHCP
pools for the same physical LAN.
Multi-subnet support allows you to:
• Use non-contiguous public DHCP pools. For example, if you need to provide
Internet access to 1,000 DHCP users and only have non-contiguous Class C
pools, you can now define these separate pools in the Nomadix gateway
• Use mixed public and private pools to meet the requirements of a varied network
topology as well as customer sets (residential vs. business). For example, all
residential users will get a private IP address and be address translated, whereas
all business customers will get a public IP and not be address translated
• Differentiate your customers depending on their location. For example, you may
want to place all users in one building in the same VLAN and provision all their IP
address from a dedicated pool
• Allocate different lease times to different users dependent on the peak usage
patterns of the network
• Keep all devices (e.g. Access Points) on a separate public subnet that will not get
address translated
IP Address Upsell
IP Upsell provides another method of revenue generation for the service provider by
allowing the upsell of added services by purchasing public IP addresses.
SMTP Re-Direct
SMTP Support for correctly configured subscribers
The administrator could set the Nomadix Gateway to pass all SMTP traffic through the
SMTP relay server independent of the PC’s settings.
DNS support for SMTP redirect
This functionality allows you to use DNS load balancing for your SMTP servers.
Network Management
Management Interfaces
The following interfaces are supported:
• Command Line Interface (CLI), i.e. a terminal session directly connected via a
serial cable.
• Telnet session, i.e. similar to CLI but done remotely.
• Web Management Interface (WMI), i.e. remotely through any Web browser.
• FTP (File Transfer Protocol), i.e. for managing files in the flash of the Nomadix
Access Gateway.
• SNMP (Simple Network Management Protocol), using standard networking tools.
Web Management Interface (WMI) and Command Line Interface (CLI) interfaces are
synchronized in several key areas (e.g. dmac, Current, URL filtering). This expands the
management options for network administrators. Now most of the commonly used
configuration options are available in both the WMI and CLI. The CLI displays the bytes
sent and received for every MAC address.
The number of simultaneous operator logins has been extended to 3. This aligns the
feature with most carrier help desk operations.
In order to ease the initial setup and ongoing configuration of the NSE, the Subscriber
Side Configuration UI feature allows administrators to access the configuration
interfaces (WMI, CLI, TELNET, SFTP, and SSH) from the Subscriber/LAN side of the
NSE. Prior to this feature, the only way to get access to the configuration interface was
through the Network/WAN interface. This is particularly useful for the wireless gateway,
and can facilitate substantial savings in time and effort in implementing installation and
configuration changes.
Static Port Mapping for Devices on Private IPs
This feature allows the network administrator to setup a port mapping scheme that
forwards packets received on a specific port to a particular static IP (typically private and
mis-configured) and port number on the subscriber side of the NSE. The advantage for
the network administrator is that free private IP addresses can be used to manage
devices (such as Access Points) on the subscriber side of the NSE without setting them
up with Public IP addresses.
Location Identifier
The purpose of this feature is to aid in the management and monitoring of multiple NSE
devices via a browser by placing the ‘Location’ information of the NSE device in the
corner of the WMI screen. This allows the administrator to quickly identify which location
he is viewing when multiple browser windows are open.
‘One click’ DAT™ session clearance
Network administrators can now clear all existing DAT™ sessions without rebooting the
device to overcome any potential session limitation issues.
“Help” Link at Login Screen
The Internal Web Server Login page will now allow a “Help” link that is configurable by
the Administrator.
Administrative Access policy setting
The Network Administrator will now be able to define two levels of administrative access:
• Manager Level: Read, Write and Reboot access to all configuration screens
• Operator Level: Read only access to all configuration screens
This provides the ability for a desk clerk to view the status of the Gateway
without risking damaging configuration changes. It will also provide a Management
Access history which details the last 500 entry logs of administrative access.
Remote Authentication Testing Facility
Nomadix provides a "secure" web page (password protected) that enables an
administrator to type a username/password that commands the Gateway to send a
RADIUS Access-Request to the RADIUS Server following the same basic rules as if it
was from a subscriber. The Gateway would send a meta-refresh HTTP page (displaying
"Please wait...") until it displays an error/success message (accept, reject, timeout,
internal failure) result. This enables an administrator to test the back-end RADIUS
implementation remotely.
Easier Troubleshooting and Setup
The Nomadix Gateways platform now allows complete and unconditional access to
devices on the subscriber side with its Bridge Mode feature. When Bridge Mode is
enabled, the Gateway is effectively transparent to the network in which it is located, allowing
clusters of switches (especially Cisco Systems switch clusters) to be managed using
STP (Spanning Tree Protocol). All packets are unmodified and can be forwarded in both
directions (except those addressed to the Gateway’s network side port). Bridge Mode
provides easier troubleshooting of the network by “removing” the Gateway from the
network without physically taking it out of the rack.
Centralized Management
The Nomadix Gateways enable system administrators to upgrade the firmware for all
Gateways in their network from a new, stand-alone Centralized Management
Application. This supports a simple, easy, remote upgrading of the Gateways to new
releases of code.
SNMP MIB
The Nomadix SNMP MIB includes MIB objects for all relevant configuration parameters.
High-Availability
Fail-over
Many large scale highly prominent networks (e.g. tradeshows, convention centers, etc.) require
Fail-over support for all devices in the Public-access network. From the 4.3 release of the NSE, the
Gateway allows two Nomadix Gateways to act as siblings, where one device will take up the
users should the other device become disconnected from the network. As part of this
functionality, the settings (except IP addresses) between the two devices will be synchronized
automatically.
Remote (central) Printer support
Driverless Printing (Click 2 Print)
Nomadix partnered with Peerless Systems to create a driverless printing solution to
allow subscribers to print documents via an Internet Browser without having to make any
configuration or driver changes to the subscriber’s computer.
Peerless Systems has added XML support to their Print Server to communicate with the
Nomadix Gateway to allow for billing integration. The Click 2 Print driverless printing
solution:
• Supports printing web pages and offers a “print preview” option;
• Allows the print server to be centrally placed in-building or at the NOC to control
multiple properties
• Supports a wide variety of file formats
Driverless printing creates another revenue source for the property owner by providing
printing services 24 hours a day without requiring the guest to make any configuration
changes to their computer.