AG 2100 User's Guide
Copyright © 2005 Nomadix, Inc. All Rights Reserved.
This product also includes software developed by: The University of California,
Berkeley and its contributors; Carnegie Mellon University, Copyright © 1998 by
Carnegie Mellon University All Rights Reserved; Go Ahead Software, Inc., Copyright
© 1999 Go Ahead Software, Inc. All Rights Reserved; Livingston Enterprises, Inc.,
Copyright © 1992 Livingston Enterprises, Inc. All Rights Reserved; The Regents of the
University of Michigan and Merit Network, Inc., Copyright 1992 – 1995 All Rights
Reserved; and includes source code covered by the Mozilla Public License, Version 1.0
and OpenSSL.
This User’s Guide is protected by U.S. copyright laws. You may not transmit, copy,
modify, or translate this manual, or reduce it or any part of it to any machine readable
form, without the express permission of the copyright holder.
Trademarks
The [symbol image] symbol, [logo image], and Nomadix Service Engine™ are
trademarks of Nomadix, Inc. All other trademarks and brand names are marks of their
respective holders.
Product Information
Telephone: +1.818.597.1500
Fax: +1.818.597.1502
For technical support information, see “Appendix A: Technical Support” on page 303.
Write your product serial number in this box:
S/N
Patent Information
Covered by one or more of the following U.S. and foreign patents: US6,789,110,
US6,636,894-B1, US6,130,892, US6,868,399, US6,857,009, AU740,112, EP1,224,788,
EP1,282,955, EP1,222,791, DE600,11,799,5-08, MX222,100 Based on PCT/US98/04781,
NZ337,772, SG88,575, SG88,483, SG93,120, SG88,465, ZL00,815,827.4
Disclaimer
Nomadix, Inc. makes no warranty, either express or implied, including but not limited to any
implied warranties of merchantability and fitness for a particular purpose, regarding the
product described herein. In no event shall Nomadix, Inc. be liable to anyone for special,
collateral, incidental, or consequential damages in connection with or arising from the use of
Nomadix, Inc. products.
FCC Radiation Exposure Statement
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled
environment. This equipment should be installed and operated with a minimum distance of
about eight inches (20 cm) between the radiator and your body. This transmitter must not be
co-located or operated in conjunction with any other antenna or transmitter.
Notifications
This equipment has been tested and found to comply with the limits for a Class B digital
device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a residential installation. This equipment generates,
uses and can radiate radio frequency energy and, if not installed and used in accordance with
the instructions, may cause harmful interference to radio communications. However, there is
no guarantee that interference will not occur in a particular installation. If this equipment does
cause harmful interference to radio or television reception, which can be determined by turning
the equipment off and on, the user is encouraged to try to correct the interference by one or
more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the
receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Modifications not expressly approved by the manufacturer could void the user's authority to
operate the equipment under FCC rules.
This Class B digital apparatus meets all requirements of the Canadian Interference-Causing
Equipment Regulations.
WARNING / CAUTION
Risk of electric shock; do not open; no user-serviceable parts inside.
Read the instruction manual prior to operation.
ATTENTION / AVERTISSEMENT (French)
Read the instruction manual before use.
Risk of electric shock; do not open; do not attempt to disassemble the appliance.
WARNUNG / ACHTUNG (German)
Read the manual before putting the device into operation.
Do not open; electrical components inside.
PRECAUCIÓN / AVISO (Spanish)
Risk of electric shock. Do not open. No user-configurable parts inside.
Read the instruction manual before starting the equipment.
1100 Business Center Circle, Suite 100, Newbury Park, CA 91320, USA (head office)
Table of Contents
Introduction ...................................................................................................................... 1
About this User’s Guide............................................................................................................ 1
Organization.............................................................................................................................. 1
Why Choose Wireless? ............................................................................................................. 2
Welcome to the Nomadix AG 2100.......................................................................................... 3
Product Definitions............................................................................................................. 3
Ensuring Compatibility....................................................................................................... 3
Offering Speed and Efficiency ............................................................................................ 4
Optimizing Performance..................................................................................................... 4
Providing Effective Security ............................................................................................... 4
Enabling Flexible Deployment Options.............................................................................. 5
Product Configuration and Licensing ................................................................................ 5
Key Features and Benefits ........................................................................................................ 6
Transparent Connectivity ................................................................................................... 6
Local Content and Services ................................................................................................ 7
Access Control and Authentication..................................................................................... 7
Security ............................................................................................................................... 7
Billing Enablement ............................................................................................................. 8
5-Step Service Branding ..................................................................................................... 8
NSE Core Functionality ............................................................................................................ 9
Access Control .................................................................................................................. 10
Bandwidth Management ................................................................................................... 11
Bridge Mode ..................................................................................................................... 11
Command Line Interface .................................................................................................. 12
Dynamic Address Translation™....................................................................................... 12
Dynamic Transparent Proxy............................................................................................. 12
End User Licensee Count ................................................................................................. 12
External Web Server Mode ............................................................................................... 13
Home Page Redirect ......................................................................................................... 13
iNAT™ .............................................................................................................................. 14
Information and Control Console..................................................................................... 15
Internal Web Server .......................................................................................................... 16
International Language Support....................................................................................... 16
IP Upsell ........................................................................................................................... 17
Logout Pop-Up Window ................................................................................................... 17
MAC Filtering................................................................................................................... 17
Multi-Level Administration Support ................................................................................. 17
NTP Support ..................................................................................................................... 18
Portal Page Redirect ........................................................................................................ 18
Port Mapping ................................................................................................... 18
RADIUS-Driven Auto Configuration ............................................................... 19
RADIUS Client ................................................................................................. 19
RADIUS Proxy ................................................................................................. 20
Remember Me and RADIUS Re-Authentication............................................... 20
Secure Management ......................................................................................... 21
Secure Socket Layer (SSL) ............................................................................... 22
Secure XML API............................................................................................... 22
Session Rate Limiting (SRL)............................................................................. 23
Session Termination Redirect........................................................................... 23
Smart Client Support ........................................................................................ 23
SNMP Nomadix Private MIB ........................................................................... 23
Dual-Mode Authentication ............................................................................... 24
URL Filtering ................................................................................................... 24
Virtual Access Points (VAPs) ........................................................................... 24
Walled Garden ................................................................................................. 25
Web Management Interface ............................................................................. 25
Optional NSE Modules............................................................................................................ 26
Credit Card Module ......................................................................................... 26
Wholesale Roaming Module............................................................................. 26
High Availability Module ................................................................................. 26
Network Architecture (Sample) .............................................................................................. 27
Product Specifications ............................................................................................................. 28
Online Help (WebHelp) .......................................................................................................... 31
Notes, Cautions, and Warnings ............................................................................................... 31
Chapter 1: Installing the AG 2100 ................................................................................ 33
Unpacking the AG 2100 .......................................................................................................... 34
Installation Workflow.............................................................................................................. 35
Connecting the System ............................................................................................................ 36
Installation Considerations ...................................................................................................... 37
Logging In to the Command Line Interface ............................................................................ 38
The Management Interfaces (CLI and Web)........................................................................... 39
Making Menu Selections and Inputting Data with the CLI.............................................. 40
Menu Organization (Web Management Interface) .......................................................... 40
Inputting Data – Maximum Character Lengths ............................................................... 42
Online Documentation and Help...................................................................................... 43
Quick Reference Guide ........................................................................................................... 43
Establishing the Start Up Configuration.................................................................................. 44
Assigning Login User Names and Passwords.................................................................. 46
Resetting the AG 2100 ...................................................................................................... 47
Resetting Administrative Login Name and Password .............................................. 47
Resetting Settings to Factory Defaults ..................................................................... 47
Warm Reboot ............................................................................................................ 47
Other Cases .............................................................................................................. 47
Functionality Summary............................................................................................. 48
Error Reporting ........................................................................................................ 48
Changes to Existing Functionality ........................................................................... 49
Setting the SNMP Parameters (optional) ......................................................................... 49
Enabling the Logging Options (recommended)................................................................ 51
Assigning the Location Information and IP Addresses .................................................... 54
Establishing the Basic Configuration for Subscribers ............................................................ 57
Setting the DHCP Options ................................................................................................ 57
Setting the DNS Options ................................................................................................... 59
Archiving Your Configuration Settings.................................................................................. 60
Installing the Nomadix Private MIB....................................................................................... 61
Chapter 2: System Administration............................................................................... 63
Enabling Wireless Connectivity.............................................................................................. 63
Choosing a Remote Connection.............................................................................................. 64
Using an SNMP Manager................................................................................................. 65
Using a Telnet Client ........................................................................................................ 65
Using the Web Management Interface (WMI) .................................................................. 66
Logging In............................................................................................................................... 67
About Your Product License................................................................................................... 67
Configuration Menu................................................................................................................ 67
Defining the AAA Services {AAA} .................................................................................... 67
Enabling AAA Services with the Internal Web Server.............................................. 71
Enabling AAA Services with an External Web Server.............................................. 75
Establishing Secure Administration {Access Control} ..................................................... 76
Defining Automatic Configuration Settings {Auto Configuration} .................................. 79
Enabling Auto Configuration ................................................................................... 80
Setting Up Bandwidth Management {Bandwidth Management}...................................... 83
Establishing Billing Records “Mirroring” {Bill Record Mirroring} ............................... 84
Managing the DHCP Service Options {DHCP}............................................................... 86
Managing the DNS Options {DNS} .................................................................................. 90
Configuring Dynamic DNS {Dynamic DNS}.................................................................... 92
GRE Tunneling {Gre Tunneling}...................................................................................... 94
Setting Home Page Redirection Options {Home Page Redirect}..................................... 95
Enabling Intelligent Address Translation (iNAT™)......................................................... 96
Defining IPSec Tunnel Settings {IPSec}........................................................................... 98
IPSec Tunnel Peers................................................................................................... 99
IPSec Tunnel Security Policies............................................................................... 101
Establishing Your Location {Location} ......................................................................... 104
Managing Log Options {Logging} ................................................................................. 106
Assigning Passthrough Addresses (Passthrough Addresses)......................................... 109
Setting Up Port Locations {Port-Location} ................................................................... 111
In Room Port Mapping ........................................................................................... 114
Defining the RADIUS Client Settings {RADIUS Client}................................................ 116
Miscellaneous Options ............................................................................................ 118
Defining the RADIUS Proxy Settings {RADIUS Proxy} ................................................ 119
Adding an Upstream RADIUS NAS ........................................................................ 120
Defining the Realm-Based Routing Settings {Realm-Based Routing} ........................... 122
Adding a RADIUS Service Profile .......................................................................... 123
Adding a Realm Routing Policy .............................................................................. 125
Managing SMTP Redirection {SMTP}........................................................................... 128
Managing the SNMP Communities {SNMP} ................................................................. 129
Enabling Dynamic Multiple Subnet Support (Subnets).................................................. 131
Displaying Your Configuration Settings {Summary} ..................................................... 133
Setting the System Date and Time {Time}...................................................................... 134
Setting Up URL Filtering {URL Filtering} .................................................................... 135
Enabling Secure Management {VPN Tunnel}................................................................ 136
Network Info Menu ............................................................................................................... 138
Displaying ARP Table Entries {ARP}............................................................................ 138
Displaying DAT Sessions {DAT} ................................................................................... 139
Displaying the Host Table {Hosts} ................................................................................ 140
Displaying ICMP Statistics {ICMP} .............................................................................. 141
Displaying the Network Interfaces {Interfaces}............................................................. 142
Displaying the IP Statistics {IP} .................................................................................... 143
Viewing IPSec Tunnel Status {IPSec} ............................................................................ 143
Displaying the Routing Tables {Routing} ...................................................................... 144
Displaying the Active IP Connections {Sockets} ........................................................... 145
Displaying the Static Port Mapping Table {Static Port-Mapping} ............................... 146
Displaying TCP Statistics {TCP} ................................................................................... 147
Displaying UDP Statistics {UDP} ................................................................................. 148
Port-Location Menu............................................................................................................... 149
Adding and Updating Port-Location Assignments {Add} .............................................. 150
Adding a Port-Location Assignment ....................................................................... 150
Updating a Port-Location Assignment ................................................................... 153
Deleting All Port-Location Assignments {Delete All} ................................................... 154
Deleting Port-Location Assignments by Location {Delete by Location}....................... 155
Deleting Port-Location Assignments by Port {Delete by Port} ..................................... 156
Exporting Port-Location Assignments {Export} ............................................................ 157
Finding Port-Location Assignments by Description {Find by Description} ................. 158
Finding Port-Location Assignments by Location {Find by Location}........................... 159
Finding Port-Location Assignments by Port {Find by Port} ......................................... 160
Importing Port-Location Assignments {Import}............................................................. 161
Viewing the “location.txt” File .............................................................................. 162
Creating a “location.txt” File ................................................................................ 162
Displaying the Port-Location Mappings {List} .............................................................. 163
Subscriber Administration Menu .......................................................................................... 164
Adding Subscriber Profiles {Add} .................................................................................. 164
Displaying Current Subscriber Connections {Current} ................................................. 167
Deleting Subscriber Profiles by MAC Address {Delete by MAC}.................................. 168
Deleting Subscriber Profiles by User Name {Delete by User}....................................... 169
Displaying the Currently Allocated DHCP Leases {DHCP Leases} ............................. 170
Deleting All Expired Subscriber Profiles {Expired} ...................................................... 171
Finding Subscriber Profiles by MAC Address {Find by MAC}...................................... 172
Finding Subscriber Profiles by User Name {Find by User}........................................... 173
Listing Subscriber Profiles by MAC Address {List by MAC}......................................... 174
Listing Subscriber Profiles by User Name {List by User}.............................................. 175
Viewing RADIUS Proxy Accounting History {RADIUS Session History} ..................... 176
Displaying Current Profiles and Connections {Statistics} ............................................. 177
Subscriber Interface Menu .................................................................................................... 178
Defining the Billing Options {Billing Options} .............................................................. 178
Setting Up the Information and Control Console {ICC Setup} ...................................... 183
Assigning Buttons ................................................................................................... 185
Assigning Banners .................................................................................................. 186
Pixel Sizes ............................................................................................................... 188
Time Formats.......................................................................................................... 188
Defining Languages {Language Support} ...................................................................... 189
Enabling Local Web Serving {Local Web Server} ......................................................... 191
Defining the Subscriber’s Login UI {Login UI} ............................................................. 193
Subscriber Login Screen (Sample) ......................................................................... 196
Defining the Post Session User Interface (Post Session UI) .......................................... 197
Defining Subscriber UI Buttons {Subscriber Buttons} ................................................... 200
Defining Subscriber UI Labels {Subscriber Labels} ...................................................... 201
Defining Subscriber Error Messages {Subscriber Errors} ............................................ 202
Defining Subscriber Messages {Subscriber Messages} ................................................. 204
System Menu......................................................................................................................... 207
Adding an ARP Table Entry {ARP Add}......................................................................... 207
Deleting an ARP Table Entry {ARP Delete} .................................................................. 208
Enabling the Bridge Mode Option {Bridge Mode}......................................................... 209
Exporting Configuration Settings to the Archive File {Export} ..................................... 210
Importing the Factory Defaults {Factory} ..................................................................... 211
Viewing the History Log {History} ................................................................................. 213
Establishing ICMP Blocking Parameters {ICMP}......................................................... 215
Importing Configuration Settings from the Archive File {Import}................................. 216
Establishing Login Access Levels {Login} ..................................................................... 217
Defining the MAC Filtering Options {Mac Filtering}.................................................... 220
Rebooting the System {Reboot} ...................................................................................... 221
Adding a Route {Route Add} .......................................................................................... 222
Deleting a Route {Route Delete}.................................................................................... 223
Establishing Session Rate Limiting {Session Limit} ...................................................... 224
Adding Static Ports {Static Port-mapping Add} ............................................................ 225
Deleting Static Ports {Static Port-mapping Delete} ...................................................... 227
Blocking a Subscriber Interface {Subscriber Interfaces} .............................................. 228
Updating the AG 2100 Firmware {Upgrade} ................................................................ 228
Defining Wireless Configuration {Wireless Configuration}.......................................... 229
Virtual AP Setup...................................................................................................... 231
Chapter 3: The Subscriber Interface.......................................................................... 243
Overview ............................................................................................................................... 243
Authorization and Billing ...................................................................................................... 244
The AAA Structure.......................................................................................................... 245
Process Flow (AAA) ....................................................................................................... 246
Internal and External Web Servers ................................................................................ 247
Language Support .......................................................................................................... 247
Home Page Redirection ................................................................................................. 247
Subscriber Management ........................................................................................................ 248
Subscriber Management Models .................................................................................... 248
Configuring the Subscriber Management Models ......................................................... 249
Information and Control Console (ICC)................................................................................ 250
ICC Pop-Up Window ..................................................................................................... 250
Chapter 4: Quick Reference Guide............................................................................. 251
Web Management Interface (WMI) Menus .......................................................................... 251
Main Page ...................................................................................................................... 251
Configuration Menu Items ............................................................................................. 252
Network Info Menu Items ............................................................................................... 254
Port-Location Menu Items ............................................................................................. 255
Subscriber Administration Menu Items.......................................................................... 256
Subscriber Interface Menu Items ................................................................................... 257
System Menu Items ......................................................................................................... 258
Alphabetical Listing of Menu Items (WMI) ......................................................................... 260
Default (Factory) Configuration Settings .............................................................................. 262
Product Specifications ........................................................................................................... 264
Message Definitions (AAA Log) ..................................................................................... 268
Sample SYSLOG Report....................................................................................................... 268
Sample History Log............................................................................................................... 269
Keyboard Shortcuts ............................................................................................................... 270
RADIUS Attributes ............................................................................................................... 271
Authentication-Request .................................................................................................. 273
Authentication-Reply (Accept) ........................................................................................ 274
Accounting-Request ........................................................................................................ 275
Selected Detailed Descriptions....................................................................................... 276
Nomadix Vendor Specific Attributes............................................................................... 278
Setting Up the SSL Feature................................................................................................... 279
Prerequisites ................................................................................................................... 279
Obtain a Private Key File (cakey.pem) .......................................................................... 280
Installing Cygwin and OpenSSL on a PC ....................................................................... 281
Private Key Generation .................................................................................................. 286
Create a Certificate Signing Request (CSR) File ........................................................... 288
Create a Public Key File (server.pem) ........................................................................... 290
Setting Up AG 2100 for SSL Secure Login ..................................................................... 294
Setting Up the Portal Page ............................................................................................. 294
Mirroring Billing Records..................................................................................................... 295
Sending Billing Records.................................................................................................. 295
XML Interface ................................................................................................................. 296
Chapter 5: Troubleshooting ........................................................................................ 299
General Hints and Tips ......................................................................................................... 299
Management Interface Error Messages................................................................................. 299
Common Problems................................................................................................................ 301
Appendix A: Technical Support ................................................................................. 303
Contact Information .............................................................................................................. 303
Appendix B: Addendum .............................................................................................. 305
PPPoE Client......................................................................................................................... 306
L2TP Tunneling .................................................................................................................... 310
Define RADIUS Service Profiles .................................................................................... 310
Define Tunnel Profiles .................................................................................................... 312
Define Realm Routing Policies ....................................................................................... 313
Configure RADIUS Client .............................................................................................. 316
Local Syslog and Syslog Filters............................................................................................ 317
Periodic Syslogs: System Report Syslogs............................................................................. 320
Glossary of Terms ........................................................................................................ 323
Index .................................................................................................................................. 1
Introduction
About this User’s Guide
This User’s Guide provides information and procedures that will enable system administrators
to install, configure, manage, and use the Nomadix AG 2100 successfully and efficiently. Use
this guide to take full advantage of product functionality and features.
Organization
This User’s Guide is organized into the following chapters:
Chapter 1 – Installing the AG 2100. This chapter provides instructions for installing the AG
2100 and establishing the start-up configuration.
Chapter 2 – System Administration. This chapter provides all the instructions and procedures
necessary to manage and administer the AG 2100 following a successful installation.
Chapter 3 – The Subscriber Interface. This chapter provides an overview and sample scenario
for the AG 2100’s subscriber interface. It also includes an outline of the authorization and
billing processes utilized by the system.
Chapter 4 – Quick Reference Guide. This chapter contains product reference information,
organized by topic and functionality. It also contains a full listing of all product configuration
elements, sorted alphabetically and by menu.
Chapter 5 – Troubleshooting. This chapter provides information to help you resolve common
hardware and software problems. It also contains a list of error messages associated with the
management interface.
Appendix A: Technical Support. Appendix A informs you how to obtain technical support.
You should refer to the troubleshooting procedures contained in “Troubleshooting” on
page 299 before contacting Nomadix, Inc. directly.
Appendix B: Addendum. Appendix B provides information and procedures that will enable
system administrators to configure and use the specific features introduced in the 1.3
Maintenance, 1.3 M+ and 1.4 releases for the Nomadix Wireless Access Gateway (AG 2100).
Glossary of Terms. The glossary provides an explanation of terms directly related to the
product technology. Glossary entries are organized alphabetically.
Index. The index is a valuable information search tool. Use the index to locate specific topics
and categories contained in this User’s Guide.
Why Choose Wireless?
Wireless Local Area Networks (WLANs) are cellular computer networks that transmit and
receive data with radio signals instead of wires. Wireless LANs are used increasingly in both
home and office environments, and public access locations such as airports, coffee shops and
universities. Innovative ways to utilize WLAN technology are helping people to work and
communicate more efficiently and with increased mobility and flexibility. The absence of
cabling and other fixed infrastructure has proven to be beneficial for users and cost-effective
for service providers.
Wireless users can use the same applications they use on a wired network. Wireless adapter
cards used on laptop and desktop systems support the same protocols as Ethernet adapter cards.
It may sometimes be desirable for mobile network devices to link with conventional Ethernet
LANs to connect with servers, printers or the Internet supplied through the wired LAN. A
wireless Access Point (AP) is a device used to provide this link.
Wireless LAN technology is used for many different purposes:
• Mobility - Productivity increases when people have access to data in any location
within the operating range of the WLAN. Management decisions based on real-time
information can significantly improve worker efficiency.
• Low Implementation Costs - WLANs are easy to set up, manage, change and
relocate. Networks that frequently change can benefit from the ease of WLAN
implementations. WLANs can operate in locations where the installation of physical
wiring may be impractical.
• Installation and Network Expansion - Installing a WLAN can be fast and easy and
can eliminate the need to route cabling through walls and ceilings. Wireless
technology allows the network to go where wires cannot go—even outside the home
or office.
• Inexpensive Solution - Wireless networking devices are as competitively priced as
conventional Ethernet networking devices.
• Scalability - WLANs can be configured in a variety of ways to meet the needs of
specific applications and installations. Configurations are easily changed, and range
from peer-to-peer networks (suitable for a small number of users) to larger
infrastructure networks that can accommodate hundreds or thousands of users,
depending on the number of wireless devices deployed.
See also, “Defining Wireless Configuration {Wireless Configuration}” on page 229.
Welcome to the Nomadix AG 2100
The Nomadix AG 2100 is a cost-effective, integrated Wi-Fi™ HotSpot connectivity device
that combines our full suite of public access features with a powerful Wi-Fi Access Point—
maximizing range and coverage to create a superior solution for single- or dual-cell HotSpot
locations.
Product Definitions
The AG 2100 supports the IEEE 802.11b and the faster 802.11g wireless standards within the
2.4 GHz band.
Ensuring Compatibility
The AG 2100 is compatible with most popular operating systems, including Macintosh, Linux
and Windows, and can be easily integrated into a large network.
[Figure: Nomadix AG 2100]
By strictly adhering to IEEE standards, the AG 2100 allows users to securely access the data
they want, when and where they want it, and enjoy the freedom that wireless networking
delivers.
Offering Speed and Efficiency
The AG 2100 is a dual-mode, dual-band Access Point providing the most expanded user
bandwidth available in an Access Point. Wireless clients can now connect to the AG 2100
using any one of its 14 non-overlapping channels to transfer data at speeds never before
achievable in a wireless device.
The AG 2100 operates seamlessly and simultaneously in the 2.4 GHz frequency spectrum
supporting the 802.11b and the faster (up to 54 Mbps) 802.11g wireless standards.
802.11g wireless standards utilize OFDM (Orthogonal Frequency Division Multiplexing)
technology. OFDM works by splitting the radio signal into multiple smaller sub-signals that are
then transmitted simultaneously at different frequencies to the receiver. OFDM reduces the
amount of crosstalk (interference) in signal transmissions, allowing you to transfer large files
quickly, or even watch a movie in MPEG format over your network without any noticeable
delays.
In addition to its compatibility with 802.11g devices, the AG 2100 is compatible with 802.11b
devices. For HotSpots that already use 802.11b devices, the AG 2100 is the ideal way to
expand an existing network, enabling even more users to communicate with each other,
access data and connect to the Internet.
By offering transfer rates up to 54 Mbps, the AG 2100 enables large data packets to travel from
the router to a remote desktop or roaming laptop PC at up to five times the speed of previous
wireless devices.
See also, “Defining Wireless Configuration {Wireless Configuration}” on page 229.
Optimizing Performance
Network administrators can partition system usage by segmenting the users on the wireless
network according to frequency band. This type of user segmentation optimizes the product’s
performance and delivers the best network experience to all users.
Providing Effective Security
The AG 2100 is ideal for network administrators who require additional management, firewall,
and other network security features. All system settings are easily accessible from the product’s
embedded web-based user interface.
The AG 2100 incorporates the 802.1x standard for wireless user authentication, WPA (Wi-Fi
Protected Access), and WEP (Wired Equivalent Privacy).
Enabling Flexible Deployment Options
The AG 2100 enables a wide variety of network deployment options by supporting IEEE
802.11b/g for maximum flexibility in the types of users supported, and the 10/100 WAN
interface enables connectivity into a variety of backhaul types.
WAN Connectivity:
• T1/E1
• Cable
• Satellite
• ADSL/SDSL/VDSL
• ISDN
User Connectivity:
• Supports IEEE 802.11b/g
Product Configuration and Licensing
All Nomadix Access Gateway products, including the AG 2100, are powered by our patented
and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE).
The AG 2100 uses our NSE core software package with the option to purchase additional
modules to expand product functionality.
This User’s Guide covers all features and functionality provided with the NSE core package,
as well as the additional optional modules. Your product license must support the optional NSE
modules to take advantage of the expanded functionality. The following note will preface
procedures that directly relate to optional modules:
Your product license may not support this feature.
See also:
• “NSE Core Functionality” on page 9
• “Optional NSE Modules” on page 26
Key Features and Benefits
The AG 2100 allows carriers to deploy Wi-Fi service into a wide range of large or small public
access locations while keeping deployment costs low.
Key features and benefits include:
Transparent Connectivity
Resolving configuration conflicts is difficult and time consuming for network users who are
constantly on the move, and costly to the solution provider. In fact, most users are reluctant to
make changes to their computer’s network settings and won’t even bother. This fact alone has
prevented the widespread deployment of broadband network services.
Our patented Dynamic Address Translation™ (DAT) functionality offers a true “plug and
play” solution by providing transparent broadband network access and the ability to acquire
new customers onsite—no need for configuration changes to the client computer or any client-side software.
DAT greatly reduces provisioning and technical support costs and enables carriers to deliver an
easy to use, customer-friendly service.
Local Content and Services
The Portal Page feature intercepts the user’s browser settings and directs them to a Web site to
securely sign up for service or log in if they have a pre-existing account. Nomadix offers both
pre and post authentication redirects of the user’s browser providing maximum flexibility in
branding for both the carrier and the HotSpot owner.
Access Control and Authentication
The AG 2100 allows for the creation of a unique “Walled Garden” enabling users to access
certain predetermined Web sites before they have been authenticated and paid for their service.
All traffic to the Internet is blocked until authentication has been completed creating an
additional level of security in the network.
Nomadix simultaneously supports the secure browser-based Universal Access Method, IEEE
802.1x, and Smart Clients for companies such as Adjungo Networks, Boingo Wireless,
GoRemote and iPass.
Security
The patent-pending iNAT™ (Intelligent Network Address Translation) feature creates an
intelligent mapping of IP Addresses and their associated VPN tunnels—by far the most
reliable multi-session VPN passthrough to be tested against diverse VPN termination servers
from companies such as Cisco, Checkpoint, Nortel and Microsoft. Nomadix’ iNAT feature
allows multiple tunnels to be established to the same VPN server, creating a seamless
connection for all users at the public access location.
The AG 2100 supports WPA, 64-/128-bit WEP security and automatic re-keying for
protection of the data between the AG 2100 and the user, and supports multiple SSIDs for
segmentation of the network.
The AG 2100 provides fine-grain management of DoS (Denial of Service) attacks through its
Session Rate Limiting (SRL) feature, and MAC filtering for improved network reliability.
Billing Enablement
The AG 2100 supports a variety of billing models to enable the deployment of profitable public
access networks.
The AG 2100 supports billing plans that use credit cards or scratch cards, or plans that enable
monthly subscriptions, then facilitates billing by a host of different parameters including time,
volume, IP address type, or bandwidth. The AG 2100 can also offer incentive-based billing.
5-Step Service Branding
A network enabled with the Nomadix AG 2100 (or any other Nomadix Access Gateway) offers
a 5-Step service branding methodology for public access operators and their partners,
comprising:
1. Initial Flash Page branding.
2. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to redirect the user
to a venue-specific Welcome and Login page.
3. Home Page Redirect (Post-Authentication). This redirect page can be tailored to the
individual user (as part of the RADIUS Reply message, the URL is received by the NSE),
or can be set to re-display itself at freely configurable intervals.
4. The Information and Control Console (ICC). This contains multiple opportunities for an
operator to display its branding or the branding of partners during the user’s session. As an
alternative to the ICC, a simple pop-up window provides the opportunity to display a
single logo.
5. The “Goodbye” page. This is a post-session page that can be either defined as a RADIUS
VSA or be driven by the Internal Web Server (IWS) in the NSE. Using the IWS option
means that this functionality is also available for other post-paid billing mechanisms.
NSE Core Functionality
The Nomadix Service Engine (NSE) powers the Nomadix family of Access Gateways, and
delivers a full range of features needed to successfully deploy Wi-Fi public access networks.
These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi
public access network.
The NSE’s core package of features includes:
• Access Control
• Bandwidth Management
• Bridge Mode
• Command Line Interface
• Dynamic Address Translation™
• Dynamic Transparent Proxy
• End User Licensee Count
• External Web Server Mode
• Home Page Redirect
• iNAT™
• Information and Control Console
• Internal Web Server
• International Language Support
• IP Upsell
• Logout Pop-Up Window
• MAC Filtering
• Multi-Level Administration Support
• NTP Support
• Portal Page Redirect
• Port Mapping
• RADIUS Client
• RADIUS-Driven Auto Configuration
• Remember Me and RADIUS Re-Authentication
• Secure Management
• Secure Socket Layer (SSL)
• Secure XML API
• Session Rate Limiting (SRL)
• Session Termination Redirect
• Smart Client Support
• SNMP Nomadix Private MIB
• Dual-Mode Authentication
• URL Filtering
• Virtual Access Points (VAPs)
• Walled Garden
• Web Management Interface
Access Control
For IP-based access control, the NSE incorporates a master access control list that checks the
source (IP address) of administrator logins. A login is permitted only if a match is made with
the master list contained within the NSE. If a match is not made, the login is denied, even if a
correct login name and password are supplied.
The access control list supports up to 50 (fifty) entries in the form of a specific IP address or
range of IP addresses.
The NSE also offers access control based on the interface being used. This feature allows
administrators to block access from Telnet, Web Management, and FTP sources.
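The source-address check described above, written out as an added example (not Nomadix code): a management login is first matched against an access control list of at most 50 entries, each a single IPv4 address or an address range, and a non-matching source is refused before the login name and password are even examined. The `first-last` range notation, the function names and the demo credential store are assumptions made for this illustration.

```python
"""Admin-login source allowlist modelled on the NSE master access control list.

Added example; entry notation, helper names and the demo credentials are
assumptions, not the product's own syntax or code.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX_ACL_ENTRIES = 50  # limit stated for the master access control list


@dataclass(frozen=True)
class AclEntry:
    """One allowlist entry: the inclusive IPv4 range [first, last].
    A single address is a range whose first and last address are equal."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last


def parse_acl_entry(text: str) -> AclEntry:
    """Parse 'a.b.c.d' or 'a.b.c.d-w.x.y.z' (assumed notation) into an AclEntry."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
    else:
        lo = hi = ipaddress.IPv4Address(text)
    if lo > hi:
        raise ValueError(f"range start after range end: {text!r}")
    return AclEntry(lo, hi)


def build_acl(entries: List[str]) -> List[AclEntry]:
    """Build the list, enforcing the 50-entry cap before any entry is parsed."""
    if len(entries) > MAX_ACL_ENTRIES:
        raise ValueError(f"access control list supports at most {MAX_ACL_ENTRIES} entries")
    return [parse_acl_entry(e) for e in entries]


def source_permitted(acl: List[AclEntry], source: str) -> bool:
    """True only if the login source matches at least one ACL entry."""
    addr = ipaddress.IPv4Address(source)
    return any(entry.contains(addr) for entry in acl)


# Constructed demo credential store: user -> (salt, sha256(salt + password)).
def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"demo-salt"
ADMIN_USERS = {"admin": (_SALT, _digest(_SALT, "correct-horse"))}


def credentials_valid(user: str, password: str) -> bool:
    record = ADMIN_USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _digest(salt, password))


def admin_login(acl: List[AclEntry], source: str, user: str, password: str) -> Tuple[bool, str]:
    """Order matters: the source check runs first, so a correct password from a
    source outside the list is still denied and the password is never evaluated."""
    if not source_permitted(acl, source):
        return False, f"denied: management login from {source} not in access control list"
    if not credentials_valid(user, password):
        return False, "denied: bad login name or password"
    return True, f"permitted: {user} from {source}"


if __name__ == "__main__":
    acl = build_acl(["10.0.0.5", "192.168.1.10-192.168.1.20"])  # constructed entries
    for src in ("10.0.0.5", "192.168.1.15", "203.0.113.7"):
        print(admin_login(acl, src, "admin", "correct-horse")[1])
```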
Bandwidth Management
The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically
on a per device (MAC address/User) basis, and manages WAN Link traffic to provide
complete bandwidth management over the entire network. You can ensure that every user has a
quality experience by placing a bandwidth ceiling on each device accessing the network, so
every user gets a fair share of the available bandwidth.
With the Nomadix Information and Control Console (ICC) feature enabled, subscribers can
increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily,
weekly, or monthly basis), and also adjust the pricing plan for their service (see graphic).
[Figure: Information and Control Console (ICC), showing the bandwidth selection pull-down]
Bridge Mode
Bridge Mode allows complete and unconditional access to devices. When Bridge Mode is
enabled, your NSE-powered product is effectively transparent to the network in which it is
located.
The NSE forwards any and all packets (except those addressed to the NSE network interface).
The packets are unmodified and can be forwarded in both directions. The Bridge Mode
function is a very useful feature when troubleshooting your entire network, as it allows
administrators to effectively “remove” your product from the network without physically
disconnecting the unit.
Command Line Interface
The Command Line Interface (CLI) is a character-based user interface that can be accessed
remotely. Until your Nomadix product is up and running on the network, the CLI is the
Network Administrator’s window to the system. Software upgrades can only be performed
from the CLI. See also, “The Management Interfaces (CLI and Web)” on page 39.
Dynamic Address Translation™
Dynamic Address Translation (DAT) enables transparent broadband network connectivity,
covering all types of IP configurations (static IP, DHCP, DNS), regardless of the platform or
the operating system used, ensuring that everyone gets access to the network without the need
for changes to their computer’s configuration settings or client-side software. The NSE
supports both Point-to-Point Tunneling Protocol (PPTP) and IPSec VPNs in a manner that is
transparent to the user and that provides a more secure standard connection. See also,
“Transparent Connectivity” on page 6.
Dynamic Transparent Proxy
The NSE directs all HTTP and HTTPS proxy requests through an internal proxy which is
transparent to subscribers (no need for users to perform any reconfiguration tasks). Uniquely,
the NSE also supports clients that dynamically change their browser status from non-proxy to
proxy, or vice versa. In addition, the NSE supports proxy ports 80, 800-900, 911 and 990 as
well as all unassigned ports (for example, ports above 1024), thus ensuring far fewer proxy-related support calls than competitive products.
End User Licensee Count
The NSE supports a range of simultaneous user counts depending on the Nomadix Access
Gateway you choose. In addition, various user count upgrades are available for each of our
NSE-powered products that allow you to increase the simultaneous user count.
External Web Server Mode
The External Web Server (EWS) interface is for customers who want to develop and use their
own content. It allows you to create a “richer” environment than is possible with your
product’s embedded Internal Web Server.
The advantages of using an External Web Server are:
• Manage frequently changing content from one location.
• Serve different pages depending on site, sub-location (for example, VLAN), and user.
• Take advantage of the comprehensive Nomadix XML API to implement more
complex billing plans.
• Recycle existing web page content for the centrally hosted portal page.
If you choose to use the EWS interface, Nomadix Technical Support can provide you with
sample scripts. See “Contact Information” on page 303.
Home Page Redirect
The NSE supports a comprehensive HTTP redirect logic that allows network administrators to
define multiple instances to intercept the browser’s request and replace it with freely
configurable URLs.
Portal page redirect enables redirection to a portal page before the authentication process.
This means that anyone will get redirected to a Web page to establish an account, select a
service plan, and pay for access. Home Page redirect enables redirection to a page after the
authentication process (for example, to welcome a specific user to the service). See also,
“Portal Page Redirect” on page 18.
iNAT™
Nomadix invented intelligent Network Address Translation (iNAT™), a new way of
intelligently supporting multiple VPN connections to the same termination at the same time,
thus solving a key problem of many public access networks.
Nomadix’ patent-pending iNAT™ feature contains an advanced, real-time translation engine
that analyzes all data packets being communicated between the private address realm and the
public address realm.
The NSE performs a defined mode of network address translation based on packet type and
protocol (for example, GRE, ISAKMP etc.). UDP packet fragmentation is supported to provide
a more seamless translation engine for certificate-based VPN connections.
If address translation is needed to ensure the success of a specific application (for example,
multiple users trying to access the same VPN termination server at the same time), the packet
engine selects an IP address from a freely definable pool of publicly routable IP addresses. The
same public IP address can be used as a source IP to support concurrent tunnels to different
termination devices, offering unmatched efficiency in the utilization of costly public IP
addresses. If the protocol type can be supported without the use of a public IP (for example,
HTTP, FTP), our proven Dynamic Address Translation™ functionality continues to be used.
Some of the benefits of iNAT™ include:
• Improved success rate of VPN connectivity by misconfigured users, thus reducing
customer support costs and boosting customer satisfaction.
• Maintains security benefits of traditional address translation technologies while
enabling secure VPN connections for mobile workers accessing corporate resources
from a public access location.
• Dynamically adjusts the mode of address translation during the user's session,
depending on packet type.
• Supports users with static private IP addresses (for example, 192.168.x.x) or public
(different subnet) IP addresses without any changes to the client IP settings.
• Dramatically heightens the reusability factor of costly public IP addresses.
Information and Control Console
The Nomadix Information and Control Console (ICC) is an HTML-based pop-up window that
is presented to subscribers with their Web browser. The ICC allows subscribers to select their
bandwidth and billing options quickly and efficiently from a simple pull-down menu. For
credit card accounts, the ICC displays a dynamic “time” field to inform subscribers of the time
remaining on their account.
[Figure: Information and Control Console (ICC)]
Additionally, the ICC contains multiple opportunities for an operator to display its branding or
the branding of partners during the user’s session, as well as display advertising banners and
present a choice of redirection options to their subscribers.
See also:
• “5-Step Service Branding” on page 8
• “Logout Pop-Up Window” on page 17
• “Information and Control Console (ICC)” on page 250
Internal Web Server
The NSE offers an embedded Internal Web Server (IWS) to deliver web pages stored in flash
memory. The system administrator can configure these web pages by selecting various
parameters to be displayed on the internal pages. When providers or HotSpot owners do not
want to develop their own content, the IWS is the answer. A banner at the top of each IWS
page is configurable and contains the customer's company logo or any other image file they
desire.
To support PDAs and other hand-held devices, the NSE automatically formats the IWS pages
to the optimal screen size for the device being used.
See also:
• “5-Step Service Branding” on page 8
• “International Language Support” on page 16
International Language Support
The NSE lets you define the text displayed to your users by the IWS without any HTML or
ASP knowledge. The language you select determines the language encoding that the IWS
instructs the browser to use. See also, “Internal Web Server” on page 16.
The available language options are:
• English
• Chinese (Big 5)
• French
• German
• Japanese (Shift_JIS)
• Spanish
• Other, with drop-down menu
IP Upsell
System administrators can set two different DHCP pools for the same physical LAN. When
DHCP subscribers select a service plan with a public pool address, the NSE associates their
MAC address with their public IP address for the duration of the service level agreement. The
opposite is true if they select a plan with a private pool address. This feature is a competitive
solution that enables instant revenue generation for ISPs.
The IP Upsell feature solves a number of connectivity problems, especially with regard to
L2TP and certain video conferencing and online gaming applications.
Logout Pop-Up Window
As an alternative to the Information and Control Console (ICC), the NSE delivers an HTML-based pop-up window with the following functions:
• Provides the opportunity to display a single logo.
• Displays the session’s elapsed/count-down time.
• Presents an explicit Logout button.
See also, “Information and Control Console” on page 15.
MAC Filtering
MAC Filtering enhances Nomadix access control technology by allowing system
administrators to block malicious users based on their MAC address. Up to 50 MAC addresses
can be blocked at any one time. See also, “Session Rate Limiting (SRL)” on page 23.
Multi-Level Administration Support
The NSE lets you define two concurrent access levels to differentiate between managers and
operators, where managers are permitted read/write access and operators are restricted to read-only access.
Once logins have been assigned, managers can perform all write commands (Submit, Reset,
Reboot, Add, Delete, etc.), but operators cannot change any system settings. When
Administration Concurrency is enabled, one manager and three operators can access the AG
2100 platform at any one time.
NTP Support
The NSE supports Network Time Protocol (NTP), an Internet standard protocol that assures
accurate synchronization (to the millisecond) of computer clock times in a network of
computers. NTP synchronizes the client’s clock to the U.S. Naval Observatory master clocks.
Running as a continuous background client program on a computer, NTP sends periodic time
requests to servers, obtains server time stamps, and uses them to adjust the client's clock.
Portal Page Redirect
The NSE contains a comprehensive HTTP page redirection logic that allows for a page redirect
before (Portal Page Redirect) and/or after the authentication process (Home Page Redirect).
As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the
portal page redirection logic to allow an External Web Server to perform a redirection based
on:
• AG 2100 ID and IP Address
• Origin Server
• Port Location
• Subscriber MAC address
• Externally hosted RADIUS login failure page
This means that the network administrator can now perform location-specific service branding
(for example, an airport lounge) from a centralized Web server.
See also, “Home Page Redirect” on page 13.
Port Mapping
This feature lets the network administrator setup a port mapping scheme that forwards packets
received on a specific port to a particular static IP (typically private and misconfigured) and
port number on the subscriber side of the NSE. The advantage for the network administrator is
that free private IP addresses can be used to manage devices (such as Access Points) on the
subscriber side of the NSE without setting them up with public IP addresses.
RADIUS-Driven Auto Configuration
Nomadix’ unique Remote Authentication Dial-In User Service (RADIUS)-driven Auto
Configuration functionality utilizes the existing infrastructure of a mobile operator to provide
an effortless and rapid method for configuring devices for fast network roll-outs. Once
configured, this methodology can also be effectively used to centrally manage configuration
profiles for all Nomadix devices in the public access network.
Two subsequent events drive the automatic configuration of Nomadix devices:
• A flow of RADIUS Authentication Request and Reply messages between the
Nomadix gateway and the centralized RADIUS server that specifies the location of the meta
configuration file (containing a listing of individual configuration files and
their download frequency status), which is downloaded from an FTP server into the flash of
the Nomadix device.
• The automated login into the centralized FTP server and the actual download
process into the flash.
Optionally, the RADIUS authentication process and FTP download can be secured by sending
traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and
terminated at the NOC (Network Operations Center). See also, “Secure Management” on
page 21.
RADIUS Client
Nomadix offers an integrated RADIUS client with the NSE, allowing service providers to
track or bill users based on number of connections, connection location, bytes sent and
received, connect time, etc. The customer database can exist in a central RADIUS server,
along with associated attributes for each user. When a customer connects into the network, the
RADIUS client authenticates the customer with the RADIUS server, applies associated
attributes stored in that customer's profile, and logs their activity (including bytes transferred,
connect time, etc.). The NSE's RADIUS implementation also handles vendor specific
attributes (VSAs), required by WISPs that want to enable more advanced services and billing
schemes, such as a per device/per month connectivity fees. See also, “RADIUS-Driven Auto
Configuration” on page 19.
RADIUS Proxy
The RADIUS Proxy feature relays authentication and accounting packets between the parties
performing the authentication process. Different realms can be set up to directly channel
RADIUS messages to the various RADIUS servers. This functionality can be effectively
deployed to:
• Support a wholesale WISP model directly from the edge, without the need for any
centralized AAA proxy infrastructure.
• Support EAP authenticators (for example, WLAN APs) on the subscriber-side of the
NSE to transparently proxy all EAP types (TLS, SIM, etc.), and allow for the
distribution of per-session keys to EAP authenticators and supplicants.
Complementing the RADIUS Proxy functionality is the ability to route RADIUS messages
depending on the Network Access Identifier (NAI). Both prefix-based (for example, ISP/
username@ISP.net) and suffix-based (username@ISP.net) NAI routing mechanisms are
supported. Together, the RADIUS Proxy and NAI Routing further support the deployment of
the Wholesale Wi-Fi™ model, allowing multiple providers to service one location. See also,
“RADIUS Client” on page 19.
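The realm routing described above, as an added example in Python (not Nomadix code): an NAI parser that recognizes both the prefix-based form (ISP/username@ISP.net) and the suffix-based form (username@ISP.net) the guide names, and a router that maps the realm to an upstream RADIUS server. The server addresses, the rule that a prefix realm is consulted before a suffix realm, and the choice to take the realm after the last “@” are assumptions of this example, not the product’s documented behaviour.

```python
# Added example (not Nomadix code): realm-based routing of RADIUS requests by
# Network Access Identifier (NAI), covering the prefix form "ISP/user@ISP.net"
# and the suffix form "user@ISP.net". Server strings are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class NaiRouter:
    prefix_routes: Dict[str, str] = field(default_factory=dict)  # realm -> server
    suffix_routes: Dict[str, str] = field(default_factory=dict)  # realm -> server
    default_server: Optional[str] = None  # None means "unroutable": drop the request

    def add_prefix_route(self, realm: str, server: str) -> None:
        self.prefix_routes[realm.lower()] = server

    def add_suffix_route(self, realm: str, server: str) -> None:
        self.suffix_routes[realm.lower()] = server

    @staticmethod
    def parse_nai(nai: str) -> Tuple[Optional[str], str, Optional[str]]:
        """Split an NAI into (prefix realm, username, suffix realm).

        "ISP/alice@ISP.net" -> ("ISP", "alice", "ISP.net")
        "alice@ISP.net"     -> (None, "alice", "ISP.net")
        "alice"             -> (None, "alice", None)
        Malformed input (empty parts, whitespace) raises ValueError so the
        proxy never forwards a request it could not classify.
        """
        if not nai or any(ch.isspace() for ch in nai):
            raise ValueError("malformed NAI")
        prefix, sep, rest = nai.partition("/")
        if not sep:
            prefix, rest = None, nai
        elif not prefix:
            raise ValueError("empty prefix realm")
        # Assumption: the suffix realm is everything after the LAST "@".
        user, sep, suffix = rest.rpartition("@")
        if not sep:
            user, suffix = rest, None
        elif not user or not suffix:
            raise ValueError("empty username or suffix realm")
        return prefix, user, suffix

    def route(self, nai: str) -> Optional[str]:
        """Return the upstream RADIUS server for this NAI (prefix realm wins)."""
        prefix, _user, suffix = self.parse_nai(nai)
        if prefix is not None and prefix.lower() in self.prefix_routes:
            return self.prefix_routes[prefix.lower()]
        if suffix is not None and suffix.lower() in self.suffix_routes:
            return self.suffix_routes[suffix.lower()]
        return self.default_server


if __name__ == "__main__":
    router = NaiRouter(default_server="radius-default.example:1812")
    router.add_prefix_route("WispA", "radius-a.example:1812")
    router.add_suffix_route("wispb.net", "radius-b.example:1812")
    for nai in ("WISPA/alice@wispa.net", "bob@WispB.net", "carol@other.net", "dave"):
        print(f"{nai:24} -> {router.route(nai)}")
```

Realm comparison is case-insensitive, which matters when two providers share one hotspot: a request for Bob@WISPB.NET and one for bob@wispb.net must land on the same server. Leaving default_server as None turns unknown realms into a drop rather than a silent forward to an unrelated provider.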
Remember Me and RADIUS Re-Authentication
The NSE’s Internal Web Server (IWS) stores encrypted login cookies in the browser to
remember logins, using Usernames and Passwords between Access Points. This “Remember
Me” functionality creates a more efficient and better user experience in wireless networks.
The RADIUS Re-Authentication buffer has been expanded to 720 hours, allowing an even
more seamless and transparent connection experience for repeat users.
Secure Management
There are many different ways to configure, manage and monitor the performance and up-time
of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish
network management objectives. And within those objectives is the requirement to provide the
highest level of security possible.
While several network protocols have evolved that offer some level of security and data
encryption, the preferred method for attaining maximum security across all network devices is
to establish an IPSec tunnel between the NOC (Network Operations Center) and the edge
device (early VPN protocols such as PPTP have been widely discredited as a secure tunneling
method).
As part of Nomadix’ commitment to provide outstanding carrier-class network management
capabilities to its family of public access gateways, we offer secure management through the
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption.
Establishing the IPSec tunnel not only allows for the secure management of the Nomadix
gateway using any preferred management protocol, but also the secure management of third
party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on
the subscriber side of the Nomadix gateway. See also, “Enabling Secure Management {VPN
Tunnel}” on page 136.
Two subsequent events drive the secure management function of the Nomadix gateway and the
devices behind it:
• Establishing an IPSec tunnel to a centralized IPSec termination server (for example,
Nortel Contivity). As part of the session establishment process, key tunnel parameters
are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
• The exchange of management traffic, either originating at the NOC or from the edge
device through the IPSec tunnel. Alternatively, AAA data such as RADIUS
Authentication and Accounting traffic can be sent through the IPSec tunnel. See also,
“RADIUS-Driven Auto Configuration” on page 19.
The advantage of using IPSec is that all types of management traffic are supported, including
the following typical examples:
• ICMP - PING from NOC to edge devices
• Telnet - Telnet from NOC to edge devices
• Web Management - HTTP access from NOC to edge devices
• SNMP
  • SNMP GET from NOC to subscriber-side device (for example, AP)
  • SNMP SET from NOC to subscriber-side device (for example, AP)
  • SNMP Trap from subscriber-side device (for example, AP) to NOC
Secure Socket Layer (SSL)
SSL allows for the creation of an end-to-end encrypted link between your NSE-powered
product and wireless clients by enabling the Internal Web Server (IWS) to display pages under
a secure link—important when transmitting AAA information in a wireless network when
using RADIUS.
SSL requires service providers to obtain digital certificates from VeriSign™ to create HTTPS
pages. Instructions for obtaining certificates are provided by Nomadix.
Secure XML API
XML (eXtensible Markup Language) is used by the subscriber management module for user
administration. The XML interface allows the NSE to accept and process XML commands
from an external source. XML commands are sent over the network to your NSE-powered
product, which executes the commands and returns data to the system that initiated the
command request. XML enables solution providers to customize and enhance their product
installations.
This feature allows the operator to use Nomadix' popular XML API using the built-in SSL
certificate functionality in the NSE, so that parameters passed between the Gateway and the
centralized Web server are secured via SSL.
If you plan to implement XML for external billing, please contact technical
support for the XML specification of your product. Refer to “Contact
Information” on page 303.
Session Rate Limiting (SRL)
SRL significantly reduces the risk of “Denial of Service” attacks by allowing administrators to
limit the number of sessions any one user can take over a given time period and, if necessary,
then block malicious users.
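Session Rate Limiting and MAC Filtering are described above as two halves of one control: count the sessions a subscriber starts in a window, and block the MAC address of anyone who exceeds the limit. The following is an added Python example (not Nomadix code) of that logic: a sliding-window counter per MAC address feeding a block list capped at the 50 entries the guide states for MAC Filtering. The thresholds, the MAC addresses and the decision labels are constructed; the product’s actual defaults are not given on this page.

```python
# Added example (not Nomadix code): session rate limiting keyed by subscriber
# MAC address, with automatic blocking into a 50-entry MAC block list.
# Limits, window lengths and MAC addresses used here are constructed values.
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so AA-BB-CC-DD-EE-FF and aa:bb:... compare equal."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class SessionRateLimiter:
    MAX_BLOCKED = 50  # the guide: up to 50 MAC addresses can be blocked at one time

    def __init__(self, max_sessions: int, window_seconds: float, auto_block: bool = True):
        self.max_sessions = max_sessions      # sessions allowed per window
        self.window = window_seconds          # sliding window length
        self.auto_block = auto_block          # block offenders, or only refuse the session
        self._starts: Dict[str, Deque[float]] = defaultdict(deque)  # mac -> session start times
        self.blocked: Dict[str, float] = {}   # mac -> time it was blocked

    def block(self, mac: str, now: float) -> bool:
        """Add a MAC to the block list; returns False when the list is full."""
        mac = normalize_mac(mac)
        if mac in self.blocked:
            return True
        if len(self.blocked) >= self.MAX_BLOCKED:
            return False
        self.blocked[mac] = now
        return True

    def unblock(self, mac: str) -> None:
        """Remove the block and forget the session history that caused it."""
        mac = normalize_mac(mac)
        self.blocked.pop(mac, None)
        self._starts.pop(mac, None)

    def new_session(self, mac: str, now: Optional[float] = None) -> str:
        """Decide on a session start: 'allowed', 'rate_limited' or 'blocked'."""
        now = time.time() if now is None else now
        mac = normalize_mac(mac)
        if mac in self.blocked:
            return "blocked"
        starts = self._starts[mac]
        while starts and now - starts[0] >= self.window:  # age out old starts
            starts.popleft()
        if len(starts) >= self.max_sessions:
            if self.auto_block and self.block(mac, now):
                return "blocked"
            return "rate_limited"  # over limit, but block list is off or full
        starts.append(now)
        return "allowed"


if __name__ == "__main__":
    limiter = SessionRateLimiter(max_sessions=3, window_seconds=60)
    for t in (0, 10, 20, 30):  # constructed: four session starts in 30 seconds
        print(t, limiter.new_session("00:11:22:33:44:55", t))
```

Two details worth keeping when adapting this: a blocked MAC stays blocked until an administrator removes it, rather than expiring with the window, and when the 50-entry list is full the limiter still refuses the excess session instead of silently allowing it. A MAC address is trivially changed by the client, so this is a nuisance-abatement control, not an identity; the RADIUS accounting described earlier is the record to rely on.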
Session Termination Redirect
Once connected to the public access network, the NSE automatically directs the customer to a
web site for local or personalized services, or to establish an account and pay for services
through its Home Page Redirect functionality. In addition, the NSE also provides pre and post
authentication redirects, as well as a redirect at session termination. See also, “Home Page
Redirect” on page 13.
Smart Client Support
The NSE supports authentication mechanisms used by Smart Clients by companies such as
Adjungo Networks, Boingo Wireless, GoRemote and iPass.
SNMP Nomadix Private MIB
Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client
manager (for example, HP OpenView or Castle Rock).
To take advantage of the functionality provided with Nomadix’ private Management
Information Base (MIB), simply import the nomadix.mib file from the Accessories CD
(supplied with the product) to view and manage SNMP objects on your product.
See also:
• “Using an SNMP Manager” on page 65
• “Installing the Nomadix Private MIB” on page 61.
Dual-Mode Authentication
The NSE enables multiple authentication models, providing the maximum amount of
flexibility to the end user and to the operator by supporting any type of client entering their
network and any type of business relationship on the back end. For example, in addition to
supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is
the only company to simultaneously support port-based authentication using IEEE 802.1x and
authentication mechanisms used by Smart Clients.
See also:
• “Access Control and Authentication” on page 7.
• “Smart Client Support” on page 23.
URL Filtering
The NSE can restrict access to specified web sites based on URLs defined by the system
administrator. URL filtering will block access to a list of sites and/or domains entered by the
administrator using the following three methods:
• Host IP address (for example, 1.2.3.4)
• Host DNS name (for example, www.yahoo.com)
• DNS domain name (for example, *.yahoo.com, meaning all sites under the
yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.)
The system administrator can dynamically add or remove up to 300 specific IP addresses and
domain names to be filtered for each property.
Virtual Access Points (VAPs)
Your product license may not support this feature.
The NSE can create virtual access points (VAPs) from one physical access point by assigning
unique BSSIDs to each SSID. Single providers can use VAPs to offer multiple services (for
example, offering access to different VLANs, using different authentication/association
methods). Multiple providers can also use VAPs to share the same wireless infrastructure.
VAPs are primarily used with enterprise hotspots.
You can create a maximum of 16 VAPs (including the original base AP). It is recommended
that you configure each VAP with a different SSID and Authentication/Association method.
Walled Garden
The NSE provides up to 300 IP passthrough addresses (and/or DNS entries), allowing you to
create a “Walled Garden” within the Internet where unauthenticated users can be granted or
denied access to sites of your choosing.
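URL Filtering and the Walled Garden are the same list mechanism used in opposite directions: the three entry forms (host IP address, host DNS name, wildcard DNS domain) and the 300-entry limit apply to both, one as a deny list for everyone and the other as a passthrough list for subscribers who have not yet authenticated. The following added Python example (not Nomadix code) implements that matcher once and combines the two lists into a single decision. The host names, IP addresses and decision labels are constructed, and the choice that *.yahoo.com does not cover the bare name yahoo.com is an assumption of this example; the guide does not say.

```python
# Added example (not Nomadix code): one host list serving both URL Filtering
# (deny list) and the Walled Garden (passthrough list before login). Entries,
# hosts and the decision labels are constructed for illustration.
import ipaddress
from typing import Optional, Set, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class HostList:
    MAX_ENTRIES = 300  # the guide's limit for both features

    def __init__(self) -> None:
        self.ips: Set[IPAddress] = set()  # host IP addresses, e.g. 1.2.3.4
        self.hosts: Set[str] = set()      # exact DNS names, e.g. www.yahoo.com
        self.domains: Set[str] = set()    # "*.yahoo.com" is stored as "yahoo.com"

    def __len__(self) -> int:
        return len(self.ips) + len(self.hosts) + len(self.domains)

    def add(self, entry: str) -> None:
        """Add one entry; raises ValueError when the 300-entry limit is reached."""
        if len(self) >= self.MAX_ENTRIES:
            raise ValueError(f"list is full ({self.MAX_ENTRIES} entries)")
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            raise ValueError("empty entry")
        if entry.startswith("*."):
            self.domains.add(entry[2:])
            return
        try:
            self.ips.add(ipaddress.ip_address(entry))
        except ValueError:
            self.hosts.add(entry)

    def matches(self, host: str, resolved_ip: Optional[str] = None) -> bool:
        """True if a DNS name or IP literal is covered; resolved_ip lets an IP
        entry also catch a name that resolves to it."""
        host = host.strip().lower().rstrip(".")
        try:
            return ipaddress.ip_address(host) in self.ips  # IP literal in the URL
        except ValueError:
            pass
        if resolved_ip is not None and ipaddress.ip_address(resolved_ip) in self.ips:
            return True
        if host in self.hosts:
            return True
        labels = host.split(".")
        # "*.yahoo.com" covers every name below yahoo.com, however deep; the bare
        # apex is not covered here (assumption), so add it as a host entry if needed.
        return any(".".join(labels[i:]) in self.domains for i in range(1, len(labels)))


def decide(url: str, url_filter: HostList, walled_garden: HostList,
           authenticated: bool, resolved_ip: Optional[str] = None) -> str:
    """URL Filtering applies to every subscriber; the Walled Garden only matters
    before authentication. Returns blocked / allowed / passthrough / redirect_to_login."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    if url_filter.matches(host, resolved_ip):
        return "blocked"
    if authenticated:
        return "allowed"
    if walled_garden.matches(host, resolved_ip):
        return "passthrough"
    return "redirect_to_login"
```

The order in decide is deliberate: a filtered site stays filtered even when it is also in the walled garden, so a mistaken passthrough entry cannot reopen a blocked destination. Checking the resolved address as well as the name is what stops a filtered host from being reached through an alternate name that resolves to the same IP.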
Web Management Interface
Nomadix’ Access Gateways can be managed remotely via the built-in Web Management
Interface where various levels of administration can be established. See also, “Using the Web
Management Interface (WMI)” on page 66.
Optional NSE Modules
Credit Card Module
Your product license may not support this feature.
The optional Credit Card Module provides a secure interface over SSL to enable billing via a
credit card for HSIA.
See also:
• “Secure Socket Layer (SSL)” on page 22.
Wholesale Roaming Module
Your product license may not support this feature.
The optional Wholesale Roaming Module provides advanced NAI (Network Access Identifier)
routing capabilities, enabling multiple service providers to share a HotSpot location, further
supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their
chosen provider in a seamless and transparent manner.
High Availability Module
Your product license may not support this feature.
The optional High Availability Module offers enhanced network uptime and service
availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality.
This module allows a secondary Nomadix Access Gateway to be placed in the network which
can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.
Network Architecture (Sample)
The AG 2100 is an ideal solution for single- or dual-cell public access environments.
Product Specifications
Specifications
PUBLIC ACCESS
User Support:
AG 2100 supports a total of 100 wired and wireless users. Nomadix
recommends a maximum of 50 wireless concurrent users.
Dynamic Address Translation (DAT)
Home Page Redirection (Pre and Post Authentication)
iNAT (for seamless VPN connectivity)
SMTP Redirection
Full Authorization, Authentication and Accounting Support
RADIUS Client
Bandwidth Management
Information and Control Console (ICC)
Global Roaming Support
MEDIA ACCESS CONTROL
CSMA/CA
PORTS
10/100Base-T Ethernet, RJ-45 (UTP)
WIRELESS
802.11b Specifications:
Frequency band: 2.4 GHz - 2.4835 GHz
Data Rates: 11, 5.5, 2, 1 Mbps
Modulation: Direct Sequence Spread Spectrum
(CCK, DQPSK, DBPSK)
802.11g Specifications:
Frequency band: 2.4 GHz - 2.482 GHz
Data Rates: 54, 48, 36, 24, 18, 12, 6 Mbps
Modulation: Orthogonal Frequency Division Modulation
(64 QAM, 16 QAM, QPSK, BPSK)
NETWORKING
IEEE 802.3 / 3u
IEEE 802.1d
PoE per IEEE 802.3af
DHCP Server
DHCP Relay
DHCP Client
RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2)
PPPoE Client
SECURITY
64-bit/128-bit WEP with dynamic keying
iNAT
MAC Address Filtering and Session Limiting
WPA/2
ANTENNA TYPE
802.11b/g: 2dBi
AUTHENTICATION
Internal data base
Universal Access Method (UAM) using SSL
Smart Client Support:
Adjungo Networks, Boingo Wireless, iPass, GoRemote
IEEE 802.1x (SIM / MD-5 / TLS / TTLS / PEAP)
MANAGEMENT
Multi-Level Administration Controls
Access Control Lists
Web Administration UI
SNMP v2c
Secure XML API
Auto Configuration and Upgrades
Syslog/AAA Log
POWER
100 to 240 VAC w/ ±10% margin
50/60 Hz w/ +2%, -4% margin
EN61000-3-2 compliant
ENVIRONMENT
Operating temperature: 0 - 40°C
Operating humidity: 10 - 90% RH non-condensing
Storage temperature: -25 - 60°C
Storage humidity: 5 - 95% RH non-condensing
REGULATORY
FCC Part 15
CE Mark
CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17
VCCI Class B, Telec
UL 1950, CSA22.2 No 950, TÜV/GS(EN60950)
For further information on the certifications for the AG 2100 product, visit
www.nomadix.com/downloads.
COMPATIBILITY
Communicates with all Wi-Fi certified wireless adapters
PHYSICAL
9.25(L) x 6.25(W) x 1.5(H) inches
91.2(L) x 54(W) x 36.4(H) mm
Weight: 500 grams
Wall Mountable
LEDS
Power Indicator
10/100, ACT/Link
TRANSMITTER OUTPUT POWER
11g TX Power Specification:
Typical RF Output Power at each Data Rate and at room temperature: 25°C
+13 dBm at 54 Mbps
+15 dBm at 48 Mbps
+17 dBm at 36 Mbps
+18 dBm at 24, 18, 12, 9, & 6 Mbps
ALC loop to control transmit power within 0.9 dB tolerance in room temperature
11b TX Power Specification:
Typical 18 dBm at 11, 5.5, 2, & 1 Mbps at room temperature 25°C
ALC loop to control transmit power within 0.9 dB tolerance in room temperature
Online Help (WebHelp)
The AG 2100 incorporates an online Help system called WebHelp that is accessible through
the Web Management Interface (when a remote Internet connection is established following a
successful installation). WebHelp can be viewed on any platform (for example, Windows,
Macintosh, or UNIX-based platforms) using either Internet Explorer or Netscape Navigator
(see note).
WebHelp is best viewed using Internet Explorer, version 4.0 or higher.
WebHelp is useful when you have an Internet connection to the AG 2100 and you want to
access information quickly and efficiently. It contains all the information found in this User’s
Guide.
For more information about WebHelp and other online documentation resources, go to “Online
Documentation and Help” on page 43.
Notes, Cautions, and Warnings
The following symbols are used throughout this User’s Guide:
This symbol is used for general notes and additional information that may be
useful to you.
This symbol is used for cautions and warnings. Cautions and warnings provide
important information to eliminate the risk of a system malfunction or possible
damage.
2 Installing the AG 2100
This chapter provides installation instructions for the hardware and software components of the
AG 2100. It also includes an overview of the management interface, some helpful hints for
system administrators, and procedures for the following tasks:
• Unpacking the AG 2100
• Connecting the System
• Installation Considerations
• Logging In to the Command Line Interface
• Establishing the Start Up Configuration
• Establishing the Basic Configuration for Subscribers
• Archiving Your Configuration Settings
• Installing the Nomadix Private MIB
See also “Installation Workflow” on page 35.
Once you have installed your AG 2100 and established the configuration
settings, you should write the settings to an archive file. If you ever experience
problems with the system, your archived settings can be restored at any time.
See “Archiving Your Configuration Settings” on page 60.
Unpacking the AG 2100
When you unpack the AG 2100, you will find the following items in the carton:
Item                                                               Qty
PoE power entry module                                             1
Power supply                                                       1
Power supply AC cord                                               1
Plastic anchor                                                     2
Wall mounting screws                                               2
Rubber feet                                                        4
Protective cardboard ends                                          2
AG 2100 unit                                                       1
End User License Agreement (EULA)                                  1
Accessories CD-ROM (containing this User’s Guide, README file,     1
Quick Start Guide, NOMADIX private MIB file, and any other
useful accessories)
Customer welcome letter                                            1
Installation Workflow
This Installation Workflow illustrates the steps required to install and configure the AG 2100
successfully. Review this flowchart before attempting to install the AG 2100 on the customer’s
network.
Place the AG 2100 on a flat and stable work surface and connect the power cord.
Connect the AG 2100 to a “live” network.
Start a Telnet session to communicate with the AG 2100 via the product’s IP
address (172.30.30.172) or its default DHCP address.
Log in to the Command Line Interface.
Establish your AG 2100’s start-up configuration settings.
When prompted, accept the Nomadix End User License Agreement (EULA). You must
accept the EULA before the AG 2100 can connect with the Nomadix License Key Server.
When the key is successfully received from the server, your AG 2100 will reboot.
Log in to the AG 2100 and use the graphical Web Management Interface (WMI) to
configure the product's features. You have now established a basic configuration for the
AG 2100 that enables "Plug and Play" Internet connectivity.
Export your configuration settings to an archive file.
Connecting the System
Use this procedure to connect the system. See also, “Installation Considerations” on page 37.
1. Place the AG 2100 on a flat and stable work surface.
2. Connect the system (see graphic), including the power cord and adapter, and Ethernet
cable.
[Connection diagram: AG 2100 to Power Cord (via adapter); AG 2100 to Router or Switch (see note)]
A straight-through cable is required when connecting the AG 2100 to a Router or
Switch. A cross-over cable is required when connecting the AG 2100 directly to
an Ethernet adapter on a computer.
Installation Considerations
Designed with an indoor range of up to 328 feet (100 meters), the AG 2100 wireless gateway
allows you to access your network using a wireless connection from virtually anywhere.
However, the number, thickness and location of walls, ceilings or other objects that the
wireless signals must pass through may limit the range. Typical ranges vary depending on the
types of materials and background radio frequency (RF) noise at your location. The key to
maximizing the wireless range is to follow these basic guidelines:
1. Keep the number of walls and ceilings between the AG 2100 and your receiving device to
a minimum—each wall or ceiling can reduce the product’s range from between 3 and 90
feet (1 to 30 meters). Position your devices so that the number of walls or ceilings is
minimized.
2. Be aware of the direct line between each device. For example: A wall that is 1.5 feet thick
(half a meter) at 90° is actually almost 3 feet thick (or 1 meter) when viewed at a 45°
angle. At an acute 2° angle the same wall is over 42 feet (or 14 meters) thick!
For best reception, try to ensure that your wireless devices are positioned so that signals
will travel straight through a wall or ceiling.
[Figure: apparent wall thickness at 90° (1.5 feet), 45° (< 3 feet) and 2° (> 42 feet)]
3. Building materials can make all the difference—a solid metal door or aluminum wall
studs may have a negative effect on signal range. Try to position wireless devices so that
the signal passes through drywall (between studs) or open doorways and not other
materials.
4. Keep the AG 2100 away from electrical devices or appliances that generate RF noise. We
recommend maintaining a distance of at least 3 to 6 feet (or 1 to 2 meters).
Logging In to the Command Line Interface
Use this procedure to initialize the system and log in to the Command Line Interface (CLI).
The character-based CLI is used at initial start-up.
1. Start a Telnet session to communicate with the AG 2100 via the product’s management IP
address (172.30.30.172) or its default DHCP address.
2. When connected to the AG 2100, a login prompt appears on your screen. The default login
user name is “admin.” The password is “admin.” Login names and passwords are case-sensitive.
3. Enter admin when prompted for a user name and password. The AG Menu appears when
you have logged in to the management interface successfully. If this is an initial
installation which requires the AG 2100 to receive a license key from the Nomadix
License Key Server, you must accept the End User License Agreement (EULA).
The Management Interfaces (CLI and Web)
The AG 2100 supports various methods for managing the system remotely. These
include an embedded graphical Web Management Interface (WMI), an SNMP
client, or Telnet. However, until the unit is installed and running, system
management is performed from the product’s embedded Command Line Interface
(CLI).
The CLI is the administrator’s initial window to the system. This is where you establish all the
AG 2100 start-up configuration parameters, depending on the customer’s network architecture.
The AG Menu is your starting point. From here, you access all the system administration items
from the five primary menus available:
• Configuration
• Network Info
• Port-Location
• Subscribers
• System
The AG Menu also includes a “logout” option for logging out of the system.
Although the basic functional elements are the same, the CLI and the WMI have
some minor content and organizational differences. For example, in the WMI the
“Subscribers” menu is divided into “Subscriber Administration” and
“Subscriber Interface.” See also, “Menu Organization (Web Management
Interface)” on page 40.
Making Menu Selections and Inputting Data with the CLI
The CLI is character-based. It recognizes the fewest unique characters it needs to correctly
identify an entry. For example, in the AG Menu you need only enter c to access the
Configuration menu, but you must enter su to access the Subscribers menu and sy to access
the System menu (because they both start with the letter “s”).
You may also do any of the following:
• Enter b (back) or press Escape to return to a previous menu.
• Press Escape to abort an action at any time.
• Press Enter to redisplay the current menu.
• Press ? at any time to access the CLI’s Help screen.
When using the CLI, if a procedure asks you to “enter sn,” this means you must type sn and
press Enter. The system does not accept data or commands until you hit Enter.
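The “fewest unique characters” rule above (c for Configuration, but su and sy to tell Subscribers from System apart) is a prefix-matching problem. The following added Python example (not Nomadix code, and not how the product implements it) resolves an abbreviation against the AG Menu items the guide lists and reports the shortest abbreviation each item accepts. It also handles an edge case the guide does not mention: when one item is an exact prefix of another, the exact match wins, so the shorter item is still reachable.

```python
# Added example (not Nomadix code): prefix matching in the style of the AG Menu.
# Menu items are the five the guide lists plus "logout"; AmbiguousEntry and the
# exact-match rule are this example's own choices.
from typing import Dict, List, Sequence

AG_MENU = ["Configuration", "Network Info", "Port-Location", "Subscribers", "System", "logout"]


class AmbiguousEntry(ValueError):
    """Raised when an abbreviation matches more than one item (e.g. "s")."""

    def __init__(self, entry: str, candidates: List[str]):
        super().__init__(f"{entry!r} is ambiguous: {candidates}")
        self.candidates = candidates


def resolve(entry: str, items: Sequence[str] = AG_MENU) -> str:
    """Return the single menu item that `entry` abbreviates (case-insensitive)."""
    key = entry.strip().lower()
    if not key:
        raise ValueError("empty entry")
    candidates = [item for item in items if item.lower().startswith(key)]
    exact = [item for item in candidates if item.lower() == key]
    if exact:
        return exact[0]  # typing the whole name always wins
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise KeyError(entry)
    raise AmbiguousEntry(entry, candidates)


def shortest_unique_prefixes(items: Sequence[str] = AG_MENU) -> Dict[str, str]:
    """For each item, the fewest leading characters that identify it uniquely."""
    lowered = [item.lower() for item in items]
    result: Dict[str, str] = {}
    for item in items:
        low = item.lower()
        for n in range(1, len(low) + 1):
            prefix = low[:n]
            hits = sum(1 for other in lowered if other.startswith(prefix))
            if hits == 1 or prefix == low:  # unique, or the full name itself
                result[item] = prefix
                break
    return result


if __name__ == "__main__":
    for item, prefix in shortest_unique_prefixes().items():
        print(f"{prefix:3} -> {item}")
```

Because the abbreviation table depends on the whole set of siblings, adding one menu item can silently change what an old one-letter shortcut means; the same concern applies to any scripted Telnet session that drives this CLI.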
Menu Organization (Web Management Interface)
When you have successfully installed and configured the AG 2100 from the CLI, you can then
access the AG 2100 from its embedded Web Management Interface (WMI). The WMI is easier
to use (point and click) and includes some items not found in the CLI. You can use either
interface, depending on your preference.
The following composite screen shows how the AG 2100’s WMI menu (folder) hierarchy is
organized (shown here side-by-side for clarity and space).
Note: Your browser preferences or Internet options should be set to compare loaded pages with cached pages.
Inputting Data – Maximum Character Lengths
The following table details the maximum allowable character lengths when inputting data:
Data Field                                          Max. Characters
All Messages (billing options)                      72
All Messages (subscriber error messages)            72
All Messages (subscriber login UI)                  72
All Messages (subscriber “other” messages)          72
Description of Service (billing options Plan)       140
Home Page URL                                       237
Host Name and Domain Name (DNS settings)            64
IP / DNS Name (passthrough addresses)               237
Label (billing options plan)                        16
Location settings (all fields)                      99
Partner Image File Name                             12
Password (adding subscriber profiles)               128
Port Description (finding ports by description)     63
Redirection Frequency (in minutes)                  2,147,483,647 (recommend 3600)
Reservation Number                                  24
Username (adding subscriber profiles)               96
Valid SSL Certificate DNS Name                      64
Online Documentation and Help
The Web Management Interface (WMI) incorporates an online help system which is accessible
from the main window.
Other online documentation resources, available from our corporate Web site
(www.nomadix.com), include a full PDF version of this User’s Guide (viewable with
Acrobat™ Reader, version 4.0 or higher), white papers, technical notes, and business cases.
The PDF version of this User’s Guide and associated README files are also available on the
“Accessories” CD-ROM supplied with your AG 2100.
Quick Reference Guide
This manual contains a “Quick Reference Guide” on page 251 which provides information to
help you navigate and use the management interfaces (CLI and Web) quickly and efficiently. It
also contains product specifications, a listing of factory default settings, sample log reports,
listings of commands (by menu and alphabetical), and some common keyboard shortcuts.
Establishing the Start Up Configuration
The CLI allows you to administer the AG 2100’s start-up configuration settings.
When establishing the start-up configuration for a new installation, you do not
have remote access capability because the AG 2100 is not yet configured. Once
the installation is complete (see “Installation Workflow” on page 35) and the
system is successfully configured, you can manage the AG 2100 remotely from
the system’s Web Management Interface, an SNMP client manager of your
choice, or a simple Telnet interface.
The start up configuration must be established before connecting the AG 2100 to a customer’s
network. The start up configuration settings include:
• Assigning Login User Names and Passwords - You must assign a unique login user
name and password that enables you to administer and manage the AG 2100 securely.
User names and passwords are case-sensitive.
• Setting the SNMP Parameters (optional) - The SNMP (Simple Network Management
Protocol) parameters must be established before you can use an SNMP client (for
example, HP OpenView) to manage and monitor the AG 2100 remotely.
• Enabling the Logging Options (recommended) - Servers must be assigned and set up
if you want to create system and AAA (billing) log files, and retrieve error messages
generated by the AG 2100.
• Assigning the Location Information and IP Addresses:
  • Assigning the Network Interface IP Address - This is the public IP
  address that allows administrators and subscribers to see the AG 2100 on the
  network. Use this address when you need to make a network connection with
  the AG 2100.
  • Assigning the Subscriber Interface IP Address – This is the IP address
  that subscribers will see on the private side of the AG 2100.
  • Assigning the Subnet Mask – The subnet mask defines the number of IP
  addresses that are available on the routed subnet where the AG 2100 is located.
  • Assigning the Default Gateway IP Address – This is the IP address of
  the router that the AG 2100 uses to transmit data to the Internet.
Assigning Login User Names and Passwords
When you initially powered up the AG 2100 and logged in to the Management Interface, the
default login user name and password you used was “admin.” The AG 2100 allows you to
define 2 concurrent access levels to differentiate between managers and operators. Managers
have read/write access and operators are restricted to read-only access. Once the logins are
assigned, managers can perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.),
but operators cannot change any system settings. When Administration Concurrency is
enabled, one manager and three operators can access the AG 2100 at any one time (the default
setting for this feature is disabled).
1. Enter sy (system) at the AG Menu. The System menu appears.
2. Enter lo (login). The system prompts you for the current login. If this is the first time you
are changing login parameters since initializing the AG 2100, the default login name and
password is “admin”.
The system accepts up to 11 characters (any character type) for user names and
passwords. All user names and passwords are case-sensitive.
3. When prompted, confirm the current login parameters and enter new ones.
Sample Screen Response:
System>lo
Enable/Disable Administration Concurrency [disabled]: e
Current login: admin
Current password: *****
Enter new manager login: newmgr
Enter new password: *******
Retype new password: *******
The administrative login and password were changed
Enter new operator login: newop
Enter new operator password: *****
Retype new operator password: *****
The operator login and password were changed
Enter RADIUS remote test login: rad
Enter new RADIUS remote test password: *****
Retype new RADIUS remote test password: *****
The RADIUS remote test login and password were changed
You must use the new login user name(s) and password(s) to access the system.
Resetting the AG 2100
Resetting Administrative Login Name and Password
The AG 2100 resets the administrative Login Name and password to "admin" and "admin" respectively when the reset button is clicked 3 times in a 2-second window. When the trigger for this event is detected, the device:
• Updates the login name and password
• Writes all settings to current.txt
• Performs a warm reboot.
Resetting Settings to Factory Defaults
The AG 2100 resets the current settings to factory defaults when the reset button is clicked five times in a two-second window. When the trigger for this event is detected, the device:
• Renames the existing current.txt to current.bak (an existing current.bak is discarded if present)
• Creates a new current.txt file containing an exact copy of the factory.txt file
• Performs a warm reboot.
See “Importing the Factory Defaults {Factory}” on page 211.
Warm Reboot
The device performs a warm reboot if the reset button is clicked fewer than three times (i.e.,
one or two) in a 2 second window.
Other Cases
In all other cases (in terms of the number of clicks of the reset button), no action is taken.
Functionality Summary
Number of reset button clicks   Action after a 2-second window after the first click
1                               Warm reboot
2                               Warm reboot
3                               Reset Login Name and Password to admin/admin
4                               Ignore - the intent cannot be determined
5                               Reset the current settings to factory defaults
6 and more                      Ignore - the intent cannot be determined
Error Reporting
The device generates the following syslogs:
Number of clicks   Syslog type   Syslog message
1                  INFO          Reset switch: reboot requested 1 click(s)
2                  INFO          Reset switch: reboot requested 2 click(s)
3                  INFO          Reset switch: administrative login/password reset requested
4                  WARNING       Reset switch: incorrect input, 4 clicks
5                  INFO          Reset switch: factory reset requested
6 or more          WARNING       Reset switch: incorrect input, N clicks
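As an added example, not code from the guide or from Nomadix, the following Python models the click window and the two tables above: click timestamps are grouped into 2-second windows opened by their first click (the assumption that a click arriving after a window has closed opens a new window is mine, the guide does not say), each window is mapped to its action and syslog entry, and the two outcomes that replace credentials or configuration are flagged for alerting.

```python
"""Model of the AG 2100 reset-button behaviour described in the tables above."""
from dataclasses import dataclass, field
from typing import List

WINDOW_SECONDS = 2.0  # clicks are counted for 2 seconds after the first click


@dataclass
class ResetOutcome:
    clicks: int
    action: str           # warm_reboot | reset_admin_login | factory_reset | ignore
    syslog_type: str      # INFO or WARNING, as in the Error Reporting table
    syslog_message: str
    side_effects: List[str] = field(default_factory=list)


def outcome_for_clicks(clicks: int) -> ResetOutcome:
    """Map a click count to the action and syslog entry from the two tables."""
    if clicks in (1, 2):
        return ResetOutcome(clicks, "warm_reboot", "INFO",
                            f"Reset switch: reboot requested {clicks} click(s)",
                            ["warm reboot"])
    if clicks == 3:
        return ResetOutcome(clicks, "reset_admin_login", "INFO",
                            "Reset switch: administrative login/password reset requested",
                            ["login/password set to admin/admin",
                             "all settings written to current.txt", "warm reboot"])
    if clicks == 5:
        return ResetOutcome(clicks, "factory_reset", "INFO",
                            "Reset switch: factory reset requested",
                            ["current.txt renamed to current.bak",
                             "current.txt recreated from factory.txt", "warm reboot"])
    # 4 clicks, or 6 and more: the intent cannot be determined, nothing happens
    return ResetOutcome(clicks, "ignore", "WARNING",
                        f"Reset switch: incorrect input, {clicks} clicks")


def reset_switch_outcomes(click_times: List[float]) -> List[ResetOutcome]:
    """Group click timestamps (seconds) into 2-second windows and evaluate each.

    Assumption (not stated in the guide): a click that arrives after a window
    has closed opens a new window of its own.
    """
    times = sorted(click_times)
    outcomes: List[ResetOutcome] = []
    i = 0
    while i < len(times):
        window_start = times[i]
        j = i
        while j < len(times) and times[j] - window_start <= WINDOW_SECONDS:
            j += 1
        outcomes.append(outcome_for_clicks(j - i))
        i = j
    return outcomes


# Outcomes a defender should alert on: both replace the admin credentials or the
# configuration, and both require physical access to the unit.
SECURITY_RELEVANT_ACTIONS = {"reset_admin_login", "factory_reset"}


def needs_alert(outcome: ResetOutcome) -> bool:
    return outcome.action in SECURITY_RELEVANT_ACTIONS


if __name__ == "__main__":
    # Constructed click sequence: three quick clicks, then a stray click 6 s later
    for outcome in reset_switch_outcomes([0.0, 0.4, 0.9, 6.0]):
        flag = " <-- alert" if needs_alert(outcome) else ""
        print(f"{outcome.syslog_type}: {outcome.syslog_message}{flag}")
```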
Changes to Existing Functionality
This feature introduces a 2-second delay between the time when the reset button is clicked and
the time when a warm reboot occurs.
This feature introduces a dependence on functionality provided by the operating system. In the unlikely event that some of this functionality does not operate properly, the reset button could become inoperable and you would have to power cycle the unit using the on/off switch to recover it.
Setting the SNMP Parameters (optional)
You can address the AG 2100 using an SNMP client manager (for example, HP OpenView).
SNMP is the standard protocol that regulates network management over the Internet. To do
this, you must set up the SNMP communities and identifiers. For more information about
SNMP, see “Using an SNMP Manager” on page 65.
If you want to use SNMP, you must manually turn on SNMP.
1. Enter c (configuration) at the AG Menu. The Configuration menu appears.
2. Enter sn (snmp).
3. Enable the SNMP Daemon, as required. The system displays any existing SNMP contact information and prompts you to enter new information. If this is the first time you have initialized the SNMP command since removing the AG 2100 from its box, the system will not display any information (there are no defaults).
4. Enter the SNMP parameters (communities and identifiers). The SNMP parameters include your contact information, the get/set communities, and the IP address of the trap recipient. Your SNMP manager needs this information to enable network management over the Internet.
5. If you enabled the SNMP daemon, you must reboot the system for your changes to take effect. In this case, enter y (yes) to reboot your AG 2100.
Sample Screen Response:
Configuration>sn
Enable the SNMP Daemon? [Yes]:
Enter new system contact: newname@domainname.com
Enter new system location [Nomadix, Newbury Park, CA]: Office, Newbury Park, CA
Enter read/get community[public]:
Enter write/set community[private]:
Enter name of trap community[public]:
Enter IP of trap recipient[0.0.0.0]: 10.11.12.13
SNMP Daemon             Enabled
System contact          newname@domainname.com
System location         Office, Newbury Park, CA
Get (read) community    public
Set (write) community   private
Trap community          public
Trap recipient          10.11.12.13
Reboot to enable new changes? [yes/no] y
Rebooting ...
You can now address the AG 2100 using an SNMP client manager.
Enabling the Logging Options (recommended)
System logging creates log files and error messages generated at the system level.
Authentication, Authorization and Accounting (AAA) logging creates activity log files for
those functions. You can enable either of these options.
Although the AAA and billing logs can go to the same server, we recommend that
they have their own unique server ID number assigned (between 0 and 7). When
managing multiple properties, the properties are identified in the log files by their
IP addresses.
When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all
message logs generated by the AG 2100 to the specified server.
1. Enter log (logging) at the Configuration menu. The system displays the current logging status (enabled or disabled).
2. Enable or disable the system and/or AAA logging options, as required. If you enable either option, go to Step 3, otherwise logging is disabled and you can terminate this procedure.
3. Assign a valid ID number (0-7) to each server.
4. Enter the IP addresses to identify the location of the system and AAA SYSLOG servers on the network (the default for both is 0.0.0.0).
When logging is enabled, log files and error messages are sent to these servers for future retrieval. To see sample reports, go to “Sample SYSLOG Report” on page 268 and “Product Specifications” on page 264.
Sample Screen Response:
Configuration>log
Enable/disable system log [disabled]: enable
Enter system log number (0-7)[0]: 1
Enter System log filter
0: Emergency
1: Alert
2: Critical
3: Error
4: Warning
5: Notice
6: Info
7: Debug
Select an option from above [6]: 6
Enter system server IP [0.0.0.0]: 8.9.10.11
Enable/disable system log savefile [disabled]: enable
Enable/disable AAA logging [disabled]: enable
Enter AAA number (0-7) [0]: 2
Enter AAA log filter [6]:
Enter AAA server IP [0.0.0.0]: 9.10.11.12
Enable/disable log save to file [disabled]: enable
Enable/disable RADIUS History log [disabled]: enable
Enter RADIUS history log number (0-7) [0]: 2
Enter RADIUS history log filter [6]:
Enter RADIUS history log server IP [0.0.0.0]: 9.10.11.12
Enable/disable RADIUS history log Save to file [disabled]: enable
Enable/disable System Report log [disabled]: enable
Enter System Report log number (0-7) [0]: 2
Enter System Report log server IP [0.0.0.0]: 9.10.11.12
Enter System Report log Interval (minutes) [10]:
Enable/disable Tracking log [disabled]: enable
Enter Tracking number (0-7) [0]: 2
Enter Tracking server IP [0.0.0.0]: 9.10.11.12
Enable/disable Tracking log save to file [disabled]: enable
System log                        Enabled
System log number                 1
System log filter                 6
System log server IP              8.9.10.11
System log Save to file           Disabled
AAA log                           Enabled
AAA log number                    1
AAA log filter                    6
AAA log server IP                 8.9.10.11
AAA log Save to file              Disabled
RADIUS History log                Enabled
RADIUS History log number         1
RADIUS History log filter         6
RADIUS History log server IP      8.9.10.11
RADIUS History log Save to file   Disabled
System Report log                 Enabled
System Report log number          1
System Report log server IP       8.9.10.11
System Report log Save to file    Disabled
Tracking logging                  Enabled
Tracking log number               1
Tracking log server IP            8.9.10.11
Tracking log Save to file         Disabled
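The collector side of the logging procedure above, as an added example that is not part of the guide: it decodes BSD syslog <PRI> framing (assumed, since the guide only says the standard SYSLOG protocol over UDP is used), applies the same 0-7 filter levels the log filter prompt lists, tells properties apart by source IP as the note describes, and raises an alert for the reset-switch messages from the Error Reporting table that change credentials or configuration. The addresses and datagrams are constructed sample data.

```python
"""Collector-side handling of AG 2100 syslog messages: decode PRI, apply the
0-7 filter level, group by property (source IP) and flag reset-switch events."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Filter levels exactly as the "log filter" prompt lists them (0 = Emergency ... 7 = Debug)
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Info", "Debug"]


class SyslogEvent(NamedTuple):
    source_ip: str   # properties are told apart by the IP address they log from
    facility: int
    severity: int
    text: str


# BSD syslog framing "<PRI>message" with PRI = facility * 8 + severity, assumed here
# because the guide only says "standard SYSLOG protocol (UDP)".
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(source_ip: str, datagram: str) -> Optional[SyslogEvent]:
    m = _PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:              # facilities run 0..23, so PRI is at most 23*8+7
        return None
    return SyslogEvent(source_ip, pri // 8, pri % 8, m.group(2).strip())


def passes_filter(event: SyslogEvent, filter_level: int) -> bool:
    """A filter of 6 (Info) keeps Info and anything more severe; Debug is dropped."""
    return event.severity <= filter_level


RESET_SWITCH_PREFIX = "Reset switch:"
# The two reset-switch messages from the Error Reporting table that change
# credentials or configuration; a 4-click or N-click warning is only noise.
RESET_ALERT_TEXTS = (
    "administrative login/password reset requested",
    "factory reset requested",
)


def reset_switch_alerts(events: List[SyslogEvent]) -> List[SyslogEvent]:
    return [e for e in events
            if e.text.startswith(RESET_SWITCH_PREFIX)
            and any(t in e.text for t in RESET_ALERT_TEXTS)]


def group_by_property(events: List[SyslogEvent]) -> Dict[str, List[SyslogEvent]]:
    grouped: Dict[str, List[SyslogEvent]] = defaultdict(list)
    for e in events:
        grouped[e.source_ip].append(e)
    return dict(grouped)


def ingest(datagrams: Iterable[Tuple[str, str]], filter_level: int = 6) -> List[SyslogEvent]:
    """datagrams: (source_ip, raw text) pairs. Returns the events that pass the filter."""
    kept: List[SyslogEvent] = []
    for source_ip, raw in datagrams:
        event = parse_syslog(source_ip, raw)
        if event is not None and passes_filter(event, filter_level):
            kept.append(event)
    return kept


# Constructed sample traffic from two properties (addresses are placeholders).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "<14>Reset switch: reboot requested 1 click(s)"),
    ("192.0.2.10", "<15>dhcp: lease renewed for subscriber"),      # Debug, dropped at filter 6
    ("192.0.2.20", "<12>Reset switch: incorrect input, 4 clicks"),  # Warning, kept but not alerted
    ("192.0.2.20", "<14>Reset switch: administrative login/password reset requested"),
    ("192.0.2.10", "<14>Reset switch: factory reset requested"),
    ("192.0.2.10", "not a syslog datagram"),                        # malformed, ignored
]

if __name__ == "__main__":
    events = ingest(SAMPLE_DATAGRAMS)
    for ip, evs in group_by_property(events).items():
        print(ip, [SEVERITY_NAMES[e.severity] for e in evs])
    for e in reset_switch_alerts(events):
        print("ALERT", e.source_ip, e.text)
```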
Assigning the Location Information and IP Addresses
The “location” command in the Configuration menu establishes the AG 2100’s location
settings, the network interface IP address, the subnet mask, and the default gateway IP address.
All of these “location” parameters must be set up as part of the system’s start up configuration
(otherwise the AG 2100 will not be visible on the network).
1. Enter c (configuration) at the AG Menu. The Configuration menu appears.
2. Enter loc (set Location options). The system displays the Company Name. If the name displayed is not correct (or no name is entered), enter it now.
3. When prompted, enter the company’s address (line by line, 6 lines).
4. When prompted, enter a valid email address for this company.
The system now displays the current network interface IP address and prompts you for a valid address. The network interface IP address is the public IP address that allows administrators to see the AG 2100 on the network. Use this address when you need to make a network connection with the AG 2100.
If the DHCP Client is enabled, you can skip the remaining steps in this procedure. Continue only if the DHCP Client is disabled.
5. When prompted, enter a valid network interface IP address.
After assigning the network interface IP address, the system displays the current subnet mask (the default mask is 255.255.255.0). The subnet mask defines the number of IP addresses that are available on the routed subnet where the AG 2100 is located.
The network interface acts as a multifunctional translator. For example, if a subscriber’s computer is set up statically for a network with a gateway address of 10.1.1.1, the AG 2100 emulates the gateway to accommodate this subscriber while emulating other gateways to accommodate other subscribers.
6. Enter a valid subnet mask.
After assigning the subnet mask, the system displays the current default gateway IP address (the factory default is 10.0.0.1). This is the IP address of the router that the AG 2100 uses to transmit data to the Internet.
7. Enter a valid default gateway IP address.
8. After establishing all Location settings, you must reboot the AG 2100 for your changes to take effect.
Sample Screen Response:
Configuration>loc
Please enter your company name
[companyname]: newname
Please enter your site name
[sitename]: Coffee House
Please enter your address
<Line 1>
[line1address]: newline1
<Line 2>
[line2address]: newline2
<City>
[city]: newcity
<State>
[state]: newstate
<Zip/Postal Code>[zip]: newzip
<Country>
[country]: newcountry
Please enter your email address[em@em.com]:newmail@email.com
Please select the venu type that most reflects your location
1. Apartment
2. Bar/Coffeeshot/Restaurant
3. Convention Center
4. Corporate Guest Access
5. Education
6. Hospitality
7. Marina/Camp Ground
8. Public Space
9. Public Transport
10. Airport
11. Truckstop / Rest Area
12. Car Rental Facility
13. Club
14. Health Club
15. Bar
16. Retail Business
17. Marina
18. Arena
19. Theatre
20. Metro Area / HotZone
21. Indoor Public Space / Hospital / Museum / Library
22. Gas Station
23. Resort
24. Lab / Test
25. Other
Please enter a number from the above list [ 1]:
Select Network Interface Configuration Mode:
0 - Static
1 - DHCP Client
2 - PPPoE Client
Select the Network Interface Configuration Mode: [0]:
Enter network interface IP [ ]:
Enter subnet mask [ ]:
Enter default gateway IP [ ]:
Please enter your ISO country code [US]: US
Please enter your phone country code [1]: 1
Please enter your calling area code [818]: 818
Please enter your network SSID/Zone [ ]: samplezonename
The system must be reset to function properly. Reboot? [yes/no]: y
Your new settings are displayed and the AG 2100 reboots. When the system restarts, the Telnet
interface is enabled (based on your new configuration settings which are saved to the AG
2100’s on-board flash memory).
Go to “Establishing the Basic Configuration for Subscribers” on page 57.
Establishing the Basic Configuration for Subscribers
When you have successfully established the start up configuration and installed the unit onto
the customer’s network, connect to the AG 2100 via Telnet. You must now set up the basic
configuration parameters for subscribers, including:
• Setting the DHCP Options - Dynamic Host Configuration Protocol (DHCP) lets you assign IP addresses automatically to subscribers who are DHCP enabled. The AG 2100 can relay the service through an external DHCP server, or it can be configured to act as its own DHCP server.
• Setting the DNS Options - Domain Name System (DNS) allows subscribers to enter meaningful URLs into their browsers (instead of complicated numeric IP addresses). DNS converts the URLs into the correct IP addresses automatically.
Setting the DHCP Options
When a device connects to the network, the DHCP server assigns it a dynamic IP address for
the duration of the session. Most users have DHCP capability on their computer. To enable this
service on the AG 2100, you can either enable the DHCP relay (routed to an external DHCP
server IP address), or you can enable the AG 2100 to act as its own DHCP server. In both
cases, DHCP functionality is necessary if you want to automatically assign IP addresses to
subscribers.
The AG 2100’s adaptive configuration technology provides Dynamic Address
Translation (DAT) functionality. DAT is automatically configured to facilitate
plug-and-play access to subscribers who are misconfigured with static
(permanent) IP addresses, or subscribers that do not have DHCP capability on
their computers. DAT allows all users to obtain network access, regardless of
their computer’s network settings.
1. Enter c (configuration) at the AG Menu. The Configuration menu appears.
2. Enter dh (dhcp).
By default, the AG 2100 is configured to act as its own DHCP server and the
relay feature is disabled. Please verify that your DHCP Server supports DHCP
packets before enabling the relay. Not all devices containing DHCP servers (for
example, routers) support DHCP Relay functionality.
When assigning a DHCP Relay Agent IP address for the DHCP Relay, ensure
that the IP address you use does not conflict with devices on the network side
of the AG 2100.
Although you cannot enable the DHCP relay and the DHCP service at the
same time, you can disable both functions from the Command Line Interface.
In this case, a warning message informs you that no DHCP services are
available to subscribers.
3. Follow the on-screen instructions to set up your DHCP options. For example:
Sample Screen Response:
Configuration>dh
Enable/Disable IP Upsell [disabled]:
Enable/Disable DHCP Relay [disabled]:
Enable/Disable DHCP Server [enabled]:
Enter external Subnet-based DHCP Service [disabled]:
IP Upsell                   Disabled
DHCP Relay                  Disabled
External DHCP Server IP     0.0.0.0
DHCP Relay Agent IP         0.0.0.0
DHCP Server                 Enabled
DHCP Server Subnet-based    Disabled
Server-IP     Server-Netmask   Start-IP     End-IP       Lease  Type  IPUp
208.11.0.4    255.255.0.0      208.11.0.5   208.11.0.7   20     PRIV  NO
10.0.0.4      255.255.255.0    10.0.0.5     10.0.0.250   30     PRIV  NO   *
* Default IP Pool
DHCP IP Pools Configuration:
0 - Show IP Pools
1 - Add a new IP Pool
2 - Modify an IP Pool
3 - Remove an IP Pool
4 - Exit this menu
Select the DHCP Pool configuration mode[0]:
After setting up your DHCP options, the system must be rebooted for your
changes to take effect.
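Added example (not from the guide or Nomadix): a consistency check over a DHCP configuration like the sample above, run on the two pools shown there. It enforces the relay/server exclusivity the note describes, requires the relay agent and external server addresses to be set when the relay is on, and checks each pool's range against its server subnet and the other pools; the default-pool and overlap rules are my assumptions about a sane configuration, not statements from the guide.

```python
"""Sanity checks for an AG 2100 DHCP configuration like the one in the sample above."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DhcpPool:
    server_ip: str
    netmask: str
    start_ip: str
    end_ip: str
    lease: int
    default: bool = False   # the pool shown with "*" in the sample


def validate_dhcp(pools: List[DhcpPool], relay_enabled: bool, server_enabled: bool,
                  external_server_ip: str = "0.0.0.0",
                  relay_agent_ip: str = "0.0.0.0") -> List[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems: List[str] = []

    # Relay and server are mutually exclusive; both off leaves subscribers without DHCP.
    if relay_enabled and server_enabled:
        problems.append("DHCP Relay and DHCP Server cannot both be enabled")
    if not relay_enabled and not server_enabled:
        problems.append("no DHCP service available to subscribers (relay and server both disabled)")
    if relay_enabled:
        if external_server_ip == "0.0.0.0":
            problems.append("DHCP Relay enabled but no external DHCP server IP set")
        if relay_agent_ip == "0.0.0.0":
            problems.append("DHCP Relay enabled but no DHCP Relay Agent IP set")

    if server_enabled:
        # Assumption: one pool should carry the "*" default marker.
        if not any(p.default for p in pools):
            problems.append("no pool is marked as the default IP pool")
        ranges = []
        for p in pools:
            label = f"pool {p.start_ip}-{p.end_ip}"
            net = ipaddress.ip_network(f"{p.server_ip}/{p.netmask}", strict=False)
            server = ipaddress.ip_address(p.server_ip)
            start, end = ipaddress.ip_address(p.start_ip), ipaddress.ip_address(p.end_ip)
            if start > end:
                problems.append(f"{label}: Start-IP is after End-IP")
            if start not in net or end not in net:
                problems.append(f"{label}: range is outside server subnet {net}")
            if start <= server <= end:
                problems.append(f"{label}: Server-IP {p.server_ip} lies inside its own lease range")
            if p.lease <= 0:
                problems.append(f"{label}: lease must be positive")
            ranges.append((start, end, label))
        # Overlapping ranges would hand the same address to two subscribers (assumption).
        for i, (a_start, a_end, a_label) in enumerate(ranges):
            for b_start, b_end, b_label in ranges[i + 1:]:
                if a_start <= b_end and b_start <= a_end:
                    problems.append(f"{a_label} overlaps {b_label}")
    return problems


# The two pools from the sample screen response above.
SAMPLE_POOLS = [
    DhcpPool("208.11.0.4", "255.255.0.0", "208.11.0.5", "208.11.0.7", 20),
    DhcpPool("10.0.0.4", "255.255.255.0", "10.0.0.5", "10.0.0.250", 30, default=True),
]

if __name__ == "__main__":
    print(validate_dhcp(SAMPLE_POOLS, relay_enabled=False, server_enabled=True))
    # Constructed bad pool: its range leaves the /24 and overlaps the default pool.
    bad = SAMPLE_POOLS + [DhcpPool("10.0.0.4", "255.255.255.0", "10.0.0.200", "10.0.1.20", 30)]
    for problem in validate_dhcp(bad, relay_enabled=False, server_enabled=True):
        print("problem:", problem)
```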
Setting the DNS Options
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated
numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You
can assign a primary, secondary, or tertiary (third) DNS server. The AG 2100 utilizes
whichever server is currently available.
If the DHCP Client is enabled, you must configure DNS.
You must configure DNS if you want to enter meaningful URLs instead of numeric
IP addresses into any of the AG 2100’s configuration screens.
Use the following procedure to set the DNS configuration options.
1. Enter c (configuration) at the AG Menu. The Configuration menu appears.
2. Enter dn (dns) at the Configuration menu. The system displays the current domain (the default is “nomadix”).
3. Enter a valid domain name (the Internet domain that DNS requests will utilize).
4. Enter the host name (the DNS name of the AG 2100). The host name must not contain any spaces.
After assigning the host name, the system requests IP addresses for the primary, secondary, and tertiary DNS servers (the default for the DNS primary address is 0.0.0.2).
The secondary and tertiary DNS servers are only utilized if the primary DNS server is unavailable.
5. Enter the IP addresses for the DNS servers (located at the customer’s network operating center where DNS requests are sent).
6. You must now reboot the system for your settings to take effect. Enter y (yes) to reboot the AG 2100.
Sample Screen Response:
Configuration>dn
Enter domain [domainname]: newdomainname
Enter host name <no spaces>[dnshostname]: newhostname
Enter primary DNS[0.0.0.2]: 20.21.22.23
Enter secondary DNS[0.0.0.0]: 21.22.23.24
Enter tertiary DNS[0.0.0.0]: 22.23.24.25
The system must be reset to function properly. Reboot? [yes/no]: y
Domain          newdomainname
Host Name       newhostname
Primary DNS     20.21.22.23
Secondary DNS   21.22.23.24
Tertiary DNS    22.23.24.25
Rebooting ...
The DNS options have been established. DNS will now convert subscriber browser URLs
into the correct IP addresses automatically.
Archiving Your Configuration Settings
Once you install your AG 2100 and establish the configuration settings, you should write the
settings to an archive file. If you ever experience problems with the system, you can restore
your archived settings at any time.
Refer to the following procedures:
• “Exporting Configuration Settings to the Archive File {Export}” on page 210.
• “Importing Configuration Settings from the Archive File {Import}” on page 216.
Installing the Nomadix Private MIB
The Nomadix Private MIB is supplied on the “Accessories” CD-ROM, delivered with your
AG 2100. After importing the nomadix.mib file from the CD-ROM, you can view and manage
SNMP objects on your AG 2100.
Procedure
1. Import the nomadix.mib file into your SNMP client manager.
2. Connect to the AG 2100 from a node on the network that is accessible via the AG 2100’s network port. Be sure to enable the SNMP Daemon on the AG 2100 (available on the CLI or Web Management Interface, under the Configuration menu – snmp).
3. All variables defined by Nomadix start with the following prefix:
iso.org.dod.internet.private.enterprises.nomadix
4. You should now be able to define queries and set SNMP values on your AG 2100. If necessary, consult this User’s Guide or your SNMP client manager’s documentation for further details.
We recommend that you change the predefined community strings in order to
maintain a secure environment for your AG 2100.
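As an added example, not code from the guide or from Nomadix, the following builds an SNMPv1 GetRequest by hand and reads the community string back out of the datagram; this is the reason behind the recommendation above and behind the get/set communities set in the sn procedure: the community is the only credential in SNMPv1 and it crosses the network in the clear. The queried object (sysDescr.0, a standard MIB-II object) and the 1.3.6.1.4.1.200 OID used in the test are my choices; the Nomadix enterprise number under iso.org.dod.internet.private.enterprises is not given on this page.

```python
"""Minimal SNMPv1 GetRequest encoder (BER) showing what an SNMP manager sends and
why the community string is worth changing: it travels in the clear in every datagram."""
from typing import Tuple


def ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    # Shortest two's-complement encoding for the non-negative values SNMP uses here;
    # the +8 keeps room for a sign bit, so 128 encodes as 00 80.
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def snmpv1_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }"""
    varbind_list = tlv(0x30, tlv(0x30, ber_oid(oid) + b"\x05\x00"))   # one OID with NULL value
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0)          # error-status
              + ber_integer(0) + varbind_list)                        # error-index, VarBindList
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes) -> str:
    """What anyone on the path between manager and AG 2100 can read off the wire."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(message, 0)          # skip version
    tag, community, _ = _read_tlv(message, pos)
    if tag != 0x04:
        raise ValueError("community string missing")
    return community.decode()


FACTORY_COMMUNITIES = {"public", "private"}   # the defaults the sn command shows


def uses_factory_community(*communities: str) -> bool:
    """True if any configured get/set/trap community is still a predefined one."""
    return any(c in FACTORY_COMMUNITIES for c in communities)


if __name__ == "__main__":
    packet = snmpv1_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(packet.hex())
    print("community on the wire:", extract_community(packet))
    print("factory default in use:", uses_factory_community("public", "private"))
```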
3 System Administration
This chapter provides all the instructions and procedures necessary for system administrators to
manage the AG 2100 on the customer’s network (after a successful installation).
The system administration procedures in this chapter are organized as they are listed under their
respective Web Management Interface (WMI) menus:
• Configuration Menu
• Network Info Menu
• Port-Location Menu
• Subscriber Administration Menu
• Subscriber Interface Menu
• System Menu
Now that the AG 2100 has been installed and configured successfully, this
User’s Guide moves away from the Command Line Interface (CLI) and
documents the AG 2100 from the Web Management Interface (WMI) viewpoint.
Enabling Wireless Connectivity
The AG 2100 operates seamlessly and simultaneously in the 2.4 GHz frequency spectrum
supporting the 802.11b and the faster (up to 54 Mbps) 802.11g wireless standards—effectively
eliminating interference by other devices that may be operating in the 2.4 GHz frequency
range.
Before you can use your AG 2100 in a wireless environment, you must configure the unit for
wireless connectivity. To configure the AG 2100 using the product’s embedded Web
Management Interface, go to “Defining Wireless Configuration {Wireless Configuration}” on
page 229.
See also:
• “Why Choose Wireless?” on page 2
• “Offering Speed and Efficiency” on page 4
• “Optimizing Performance” on page 4
• “802.11x” on page 323
Choosing a Remote Connection
Once installed and configured for the customer’s network, you can manage and administer the
AG 2100 remotely with any of the following interface options:
• Using an SNMP Manager - Allows remote “Windows” management using an SNMP client manager (for example, HP OpenView). However, before you can use SNMP to access the AG 2100, you must set up the appropriate SNMP communities. For more information, refer to “Managing the SNMP Communities {SNMP}” on page 129.
• Using a Telnet Client - For “character-based” administration and management, using the Command Line Interface (CLI).
• Using the Web Management Interface (WMI) - Provides a powerful and flexible web interface for network administrators.
To use any of the remote connections (Web, SNMP, or Telnet), the network interface IP address for the AG 2100 must be established (you did this during the installation process).
Choose an interface connection, based on your preference.
Using an SNMP Manager
Once the SNMP communities are established, you can connect to the AG 2100 via the Internet
using an SNMP client manager (for example, HP OpenView). SNMP is the standard protocol
used in the Network Management (NM) system. This system contains two primary elements:
• Manager - The console (client) through which system administrators perform network management functions.
• Agent - An SNMP-compliant device which stores data about itself in a Management Information Base (MIB). The AG 2100 is an example of such a device.
The AG 2100 contains managed objects that directly relate to its current operational state.
These objects include hardware configuration parameters and performance statistics.
Managed objects are arranged into a virtual information database, called a Management
Information Base (MIB). SNMP enables managers and agents to communicate with each other
for the purpose of accessing these MIBs and retrieving data. See also, “Installing the Nomadix
Private MIB” on page 61.
The following example shows a (partial) SNMP screen response.
Using a Telnet Client
You can use many Telnet clients to connect with the AG 2100. Using Telnet provides a simple
terminal emulation that lets you see and interact with the AG 2100’s Command Line Interface.
As with any remote connection, the network interface IP address for the AG 2100 must be
established (you did this during the installation process).
Using the Web Management Interface (WMI)
The Web Management Interface (WMI) is a graphical version of the Command Line Interface,
comprised of HTML files. The HTML files are embedded in the AG 2100 and are dynamically
linked to the system’s functional command sets. You can access the WMI from any Web
browser.
Your browser preferences or Internet options should be set to compare loaded
pages with cached pages.
To connect to the Web Management Interface, do the following:
1. Establish a connection to the Internet.
2. Open your Web browser.
3. Enter the network interface IP address of the AG 2100 (set up during the installation process).
4. Log in as usual (supply your user name and password).
To access any menu item from the WMI, simply click on the item you want. The corresponding
work screen then appears in the right side frame. From here you can control the features and
settings related to your selection. Although the appearance is very different from the Command
Line Interface, the information displayed to you is basically the same. The only difference
between the two interfaces is in the method used for making selections and applying your
changes (selections are checkable boxes, and applying your changes is achieved by pressing
Submit). Pressing Reset resets the screen to its previous state (clearing all your changes
without applying them).
The remaining sections in this chapter describe the NSA features using the Web
Management Interface.
Logging In
To access the AG 2100’s Web Management Interface, use the Manager or Operator login user
name and password you defined during the installation process (refer to “Assigning Login
User Names and Passwords” on page 46).
User names and passwords are case-sensitive.
About Your Product License
Some features included in this chapter will not be available to you unless you have purchased
the appropriate product license from Nomadix. In this case, the following statement will
appear either immediately below the section heading or when the feature is mentioned in the
body text:
Your product license may not support this feature.
You can upgrade your product license at any time.
Configuration Menu
Defining the AAA Services {AAA}
This procedure shows you how to set up the Authentication, Authorization, and Accounting
(AAA) service options. The AG 2100 uses AAA Services to authenticate, authorize, and
subsequently bill subscribers for their use of the customer’s network. The AG 2100 currently
supports several AAA models which are discussed in “Subscriber Management” on page 248.
1. From the Web Management Interface, click on Configuration, then AAA. The Authentication, Authorization, and Accounting Settings screen appears:
2. Enable or disable AAA Services. If you enable AAA Services, go to Step 3, otherwise this feature is disabled and you can exit the procedure.
3. Enable or disable the XML Interface, as required.
XML (eXtensible Markup Language) is used by the AG 2100’s subscriber management module for port location and user administration. Enabling the XML interface allows the AG 2100 to accept and process XML commands from an external source. XML commands are sent over the network to the AG 2100. The AG 2100 parses the query string, executes the commands specified by the string, and returns data to the system that initiated the command request.
4. If you enabled the XML Interface feature, enter the XML IP (server) address.
5. Enable or disable the AAA Passthrough Port feature, as required.
System administrators can set the AG 2100 to passthrough HTTPS traffic, in addition to standard port 80 traffic, without being redirected. When access to a non-HTTPS address (for example, a search engine or news site) has been requested, the subscriber is then redirected as usual.
If AAA passthrough is enabled, enter the corresponding port number.
The port number must be different than 80, 2111, 1111, or 1112.
6. Enable or disable the 802.1x Authentication Support feature, as required.
Both AAA and RADIUS Authentication must be enabled for 802.1x Authentication support.
7. Enable or disable the Origin Server (OS) parameter encoding for Portal Page and EWS feature, as required.
8. You can choose to Enable failover to Internal Web Server Authentication if Portal Page/External Web Server is not reachable by placing a check in that box.
9. Enable or disable Port Based Billing Policies.
The Port Location capabilities on the NSE have been enhanced. It is now possible to define a policy on a port. The billing methods (RADIUS, Credit Card, L2TP Tunneling) and the billing plans available on each port can now be individually configured. This ability allows for having different billing methods and billing plans on different ports of the NSE.
In order for the port-based policies to work, you must enable Port Based Billing Policies.
See also “Adding and Updating Port-Location Assignments {Add}” on page 150.
10. Select the authorization mode you want to use for enabling AAA services:
• Enabling AAA Services with the Internal Web Server - The IWS is “flashed” into the system’s memory and the subscriber’s login page is served directly from the AG 2100. In this mode, the login page consists of a simple request for the subscriber’s ID (user name) and password.
• Enabling AAA Services with an External Web Server - In the EWS mode, the AG 2100 redirects the subscriber’s login request to an external server (transparent to the subscriber). The login page served by the EWS reflects the look and feel of the solution provider’s network, and presents more login options.
Enabling AAA Services with the Internal Web Server
The AG 2100 maintains an internal database of authorized subscribers, based on their MAC
(hardware address) and user name (if enabled). By referring to its database record, also known
as an authorization table, the AG 2100 instantly recognizes new subscribers on the network.
You can configure the AG 2100 to handle new subscribers in various ways (see the table on
this page). With the IWS, you also have the option of enabling SSL support (if your license
includes the SSL support feature and you have the certificate files server.pem, cakey.pem,
and cacert.pem on the flash).
1. Select the Internal Web Server.
2. Enable or disable the SSL Support feature, as required. If you enable SSL Support, you must provide a valid Certificate DNS Name.
You must click the check box for Reboot after changes are saved? at the bottom of this window if you enable SSL Support (the AG 2100 must be rebooted every time the SSL Support feature is enabled or disabled).
SSL support allows for the creation of an end-to-end encrypted link between the AG 2100
and its clients by enabling the IWS to display pages under a secure link—important when
transmitting AAA information in a network. Adding SSL support to the AG 2100 requires
service providers to obtain digital certificates from VeriSign™ to create HTTPS pages.
Instructions for obtaining certificates are provided by Nomadix.
For more information about setting up SSL, go to “Setting Up the SSL Feature” on
page 279.
To enable SSL Support, your AG 2100’s flash must include the server.pem,
cakey.pem, and cacert.pem certificate files (the “cacert.pem” file is provided
with your AG 2100). For assistance, contact “Appendix A: Technical Support”
on page 303.
You must reboot the AG 2100 every time you enable or disable SSL Support.
3. If you want to designate a portal page, you must enable the Portal Page; otherwise leave
this feature disabled.
The Portal Page IP or DNS address is added to the IP passthrough list
automatically.
If you enabled the Portal Page feature, provide the following supporting information:
• Portal Page URL
• Parameter Passing (enabled or disabled)
• Portal XML POST URL
• Portal XML Post Port
• Support GIS Clients (enabled or disabled—see following note)
• Block IWS Login Page (enabled or disabled)
GIS stands for Generic Interface Specification, a document written by iPass.
Enabling the Smart Client option in the AG 2100 automatically supports all GIS-compliant
clients using the Internal Web Server. Enabling Support for GIS Clients
under Portal Page means that the AG 2100 will defer the management of GIS
clients to the Portal Page server.
4. Enable or disable Usernames and New Subscribers, as required (refer to table on
“Enabling AAA Services with the Internal Web Server” on page 71).
New Subscribers must be enabled before enabling the Credit Card Service.
Usernames and New Subscribers work in conjunction with each other to determine how
new subscribers are handled. Refer to the following table:

Usernames            New Subscribers   System Response
-------------------  ----------------  ---------------------------------------------------
Disabled             Enabled           Allows new subscribers to enter the system without
                                       giving a user name and password.
Enabled (optional)   Enabled           Allows new subscribers or authentication by their
                                       user name and password.
Enabled              Disabled          New subscribers are not allowed. Only existing
                                       subscribers are allowed after authenticating their
                                       user name and password.
Disabled             Disabled          You will not use this combination unless you want to
                                       lock out all subscribers.
Some subscribers may want additional account flexibility and security for their services
(for example, if they use more than one computer and their MAC address changes). In this
case, a subscriber can define a unique username and password which can be used from any
machine or location (without being re-charged). Subscribers who choose this option are
prompted for their username and password whenever they try to access the Internet.
Solution providers can charge a fee for this service.
5. If you enabled New Subscribers, enable or disable the Relogin After Timeout option.
6. You can now enable or disable the Credit Card Service. When enabled, subscribers are
prompted for their credit card information for billing purposes. The AG 2100 is
configured to use either Authorize.net or Chainfusion (selected from a pull-down menu).
You will need to open a merchant account with Authorize.net, Chainfusion or Datacenter
(Luxembourg) before this feature can be used.
Please contact Nomadix “Appendix A: Technical Support” on page 303 for assistance.
All data communications between the AG 2100 and the credit card server are
encrypted by the SSL protocol. The AG 2100 never “sees” subscriber credit card
numbers. Your product license key must support this feature.
If you enabled the Credit Card Service, define which service you require
(Authorize.net or Chainfusion) from the pull-down menu.
DNS must be configured if you want to enter meaningful URLs instead of numeric
IP addresses into any of the AG 2100’s configuration screens (for example, the
Credit Card Server URL in the following step).
Enter the information for the following fields:
• Credit Card Server URL
• Credit Card Server IP
• Merchant ID (a valid ID issued by the credit card reconciliation service provider –
Authorize.net or Chainfusion).
Enable or disable the SIM Compliant feature, as required. With this feature enabled, you
can change the transaction key at your discretion. To change the transaction key, simply
enter the key in the Change Transaction Key box, then re-enter the key in the Verify
Transaction Key box.
The SIM Compliant option refers to Authorize.net's Simple Integration Method.
7. Enable or disable Smart Client Support, as required (if enabled, your license key must
support this feature).
8. You can assign a session idle timeout parameter for subscribers (see following note). To
assign an idle timeout, simply enter a numeric value (in seconds) in the Subscriber Idle
Timeout box (the default is 1200).
Subscriber Idle Timeout does not apply to RADIUS subscribers.
9. Click Submit to save your changes, or click Reset to reset all the values to their previous
state.
Enabling AAA Services with an External Web Server
In the EWS mode, the AG 2100 redirects the subscriber’s login request to an external server.
1. Select the External Web Server.
After enabling the External Web Server you must enter a Secret Key. The Secret Key
ensures that the response the AG 2100 gets from the EWS is valid. (The AG 2100 and the
external authorization server must use the same Secret Key.)
DNS must be configured if you want to enter meaningful URLs instead of numeric
IP addresses into any of the product’s configuration screens (for example, the
External login page URL in the following step).
2. Enter the IP Address for the External Web Server.
3. Enter a valid External login page URL.
4. You can assign a session idle timeout parameter for subscribers (see following note). To
assign an idle timeout, simply enter a numeric value (in seconds) in the Subscriber Idle
Timeout box (the default is 1200).
Subscriber Idle Timeout does not apply to RADIUS subscribers.
5. Click Submit to save your changes, or click Reset to reset all the values to their previous
state (making changes to the EWS settings does not require a system reboot).
Establishing Secure Administration {Access Control}
The AG 2100 allows you to block administrator access to interfaces (Telnet, WMI and FTP),
and incorporates a master access control list that checks the source (IP address) of
administrator logins. Logins are permitted only to interfaces that have not been blocked, and
only if a match is made with the master Source IP list on the AG 2100. If a match is not made
with the Source IP list, the login is denied, even if a correct login name and password are
supplied. The access control list for source IPs supports up to 50 (fifty) entries in the form of a
specific IP address or range of IP addresses.
This procedure allows you to enable the Access Control feature, block administrator access to
specific interfaces, and add or remove administrator Source IP addresses.
1. From the Web Management Interface, click on Configuration, then Access Control. The
Access Control screen appears:
2. Enable or disable administrator access to any of the following interfaces:
• Telnet
• Web Management
• FTP
• SFTP
• SSH Shell
Blocking or unblocking interface access will terminate the current session.
Do not enable the blocking of all interfaces without setting up and enabling
SNMP. Enabling the blocking of all interfaces and disabling SNMP will
completely block access to the AG 2100 administration interface. For
assistance, contact “Appendix A: Technical Support” on page 303.
Without SNMP settings you had better not block all interfaces. Blocking all
interfaces and disabling SNMP will leave no access to the AG 2100
administration. For support, please contact Nomadix “Appendix A: Technical
Support” on page 303.
3. Click the check box for Access Control to enable this feature, then click Submit to save
your change.
4. If you enabled Access Control, administrator access is restricted only to the IP addresses
shown under Currently Access is Permitted for IPs. If you want to add to or remove
IP addresses from the list, go to Step 5.
5. To add or remove an IP address (or range of IP addresses) to or from the list, enter the
starting IP address in the Access Control Start IP field. If you are adding/removing a
range of IP addresses to the access control list, you must now enter the ending IP address
in the Access Control End IP field. If you are adding/removing a single IP address, enter
None in the Access Control End IP field.
The Access Control list can contain up to 50 (fifty) valid administrator IP
addresses, or up to 50 (fifty) ranges of IP addresses.
Click Add to add this IP address range to the list or Remove to remove this IP address
range from the list.
If you enabled Access Control and locked yourself out of the system (for
example, because you’ve forgotten your password), you must disable the Access
Control feature from the Command Line Interface, or change the range of
allowed IP addresses to access the management interfaces. If necessary,
contact Nomadix “Appendix A: Technical Support” on page 303.
If you use Access Control and have locked yourself out of the system, the
Access Control option must be disabled from the Command Line Interface (CLI),
or you can change the IP addresses permitted to access the management
interface. If necessary, contact Nomadix “Appendix A: Technical Support” on
page 303 for information.
Defining Automatic Configuration Settings {Auto Configuration}
The AG 2100 lets you define parameters to enable automatic configuration of the system. See
also: “RADIUS-Driven Auto Configuration” on page 19.
1. From the Web Management Interface, click Configuration, then Auto Configuration.
The Autoconfiguration Settings screen appears:
2. Enable or disable Autoconfiguration, as required.
3. If you enabled Autoconfiguration, you must enter the following information into the
corresponding fields:
• RADIUS Authentication Name
• Radius Password
• Confirm Password
4. Click the check box for Reboot after changes are saved? to reboot the system when you
submit your changes.
5. Click Submit to save your changes, or click Reset to reset all data to its previous state.
Enabling Auto Configuration
As shown in the diagram below, two subsequent events drive the automatic configuration of
Nomadix devices:
• A flow of RADIUS Authentication Request and Reply messages between the
Nomadix gateway and the centralized RADIUS server. The reply specifies the location of
the meta configuration file (containing a listing of the individual configuration files
and their download frequency status), which is downloaded from an FTP server into the
flash of the Nomadix device.
• An automated login into the centralized FTP server and the actual download
process of the configuration files into the flash.
[Diagram] Step 1: RADIUS Authentication Request/Response message to determine the location
of the meta configuration file. Step 2: FTP download of configuration files (secure).
Auto Configuration setup requires a few basic steps to be completed by both the field engineer
and the NOC administrator.
Administrative Steps to Enable Auto-Config
Typically, these tasks are performed either at a device pre-staging center or by the field
engineer.
1. Establish a WAN connection and electronically accept the EULA.
2. Set up the RADIUS Server parameters (go to “Defining the RADIUS Client Settings
{RADIUS Client}” on page 116).
3. Set up the Username and Password for RADIUS Authentication.
Administrative Steps to Enable Auto-Config for the NOC Administrator
1. Add the NAS IP address.
2. Add the Nomadix Auto-Config VSA to the Nomadix dictionary file on the RADIUS server.
3. Create a RADIUS profile with the configuration VSA.
4. Create an FTP server with the configuration files.
The following diagram shows a sample RADIUS configuration file, meta file and illustration
of the FTP server setup.
The Nomadix device will automatically initiate one reboot to enable the new settings.
Configuration updates for network maintenance can be accomplished by simply enabling the
Auto Configuration option and rebooting the device (for example, using SNMP). See also,
“Defining Automatic Configuration Settings {Auto Configuration}” on page 79.
Setting Up Bandwidth Management {Bandwidth Management}
The AG 2100 allows system administrators to manage bandwidth for subscribers, defined in
Kbps (kilobits per second) for both upstream and downstream data transmissions. With the
“Information and Control Console (ICC)” on page 250 feature enabled, subscribers can
increase or decrease their own bandwidth dynamically (by the minute, or on an hourly, daily,
weekly, or monthly basis), and also adjust the pricing plan for their service.
1. From the Web Management Interface, click Configuration, then Bandwidth
Management.
The Bandwidth Management screen appears:
2. If required, click the check box for Bandwidth Management Enabled.
3. If you enabled Bandwidth Management, enter the uplink and downlink speeds (in Kbps)
in the appropriate fields.
Setting the uplink or downlink speeds to anything greater than 100,000 Kbps is
meaningless, because communication with the AG 2100 is established at 100
Mbps (100,000 Kbps).
4. If you made any changes to the settings on this screen, you must click the check box for
Reboot after changes are saved? (the AG 2100 must be rebooted).
5. Click Submit to save your changes and reboot the system, or click Reset to reset all the
values to their previous state.
Establishing Billing Records “Mirroring” {Bill Record Mirroring}
The Bill Record Mirroring feature contained in the Credit Card and Hospitality
optional modules is optional. Your product license may not support this feature.
The AG 2100 can send copies of credit card transaction billing records to external servers that
have been previously defined by system administrators. The AG 2100 assumes control of
billing transmissions and saving billing records. By mirroring the billing data, the AG 2100 can
also send copies of billing records to predefined carbon-copy servers. Additionally, if the
primary and secondary servers are down, the AG 2100 can store up to 2,000 credit card
transaction records. When a connection is re-established (with either server), the AG 2100
sends the stored information to the server—no records are lost!
For more information about the bill record mirroring feature, go to “Mirroring Billing
Records” on page 295.
1. From the Web Management Interface, click on Configuration, then Bill Record
Mirroring.
The Credit Card Mirroring Settings screen appears:
2. If you want to enable the billing records “mirroring” functionality for credit card
transactions (and you have purchased the appropriate product license), click the check box
for Enable CC Mirroring.
3. Enter the property identification code in the Property ID field.
4. Enter the communication parameters for the primary server that will be used for mirroring,
including:
• Primary IP
• URL
• Secret Key
• Port
The AG 2100 and the “mirror” servers must use the same secret key.
The AG 2100 and the “mirror” servers must use the same secret key (password).
5. Repeat Step 4 for the secondary server (if any) and all carbon copy servers.
6. Define the Failsafe provisions, including:
• Retransmit Method – Alternate, or Do not alternate.
• Number of Retransmit Attempts – This tells the system how many times it should
attempt to retransmit billing records before suspending the task.
• Retransmit Delay – This specifies the time delay between each retransmission.
7. Click Submit to save your changes, or click Reset to reset all the values to their previous
state.
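The failsafe behaviour described in Steps 4 through 6 (retransmit method, number of attempts, retransmit delay, carbon-copy servers, and the store of up to 2,000 records while both servers are down) can be modelled in a few lines. The following Python script is an added illustration written for this guide, not Nomadix code; the `transport` hook and the server names are constructed, the reading of “Do not alternate” as “always retry the primary” is an assumption, and no real network connection is made or delay waited.

```python
from collections import deque

MAX_STORED = 2000  # records the guide says the gateway can hold while servers are down


class BillRecordMirror:
    """Failsafe behaviour of the mirroring feature, simulated without sockets.

    transport(server, record) is a constructed hook that returns True on success.
    """

    def __init__(self, primary, secondary, carbon_copies, transport,
                 retransmit_method="Alternate", attempts=3, retransmit_delay=10):
        self.servers = [s for s in (primary, secondary) if s is not None]
        self.carbon_copies = list(carbon_copies)
        self.transport = transport
        self.alternate = retransmit_method == "Alternate"
        self.attempts = attempts              # Number of Retransmit Attempts
        self.retransmit_delay = retransmit_delay  # Retransmit Delay (seconds)
        self.stored = deque()                 # records kept while all servers are down
        self.lost = 0                         # records beyond the 2,000 limit
        self.delay_schedule = []              # seconds we would have waited (no sleeping)

    def _try_deliver(self, record):
        for attempt in range(self.attempts):
            # Alternate: primary, secondary, primary, ...; otherwise always the
            # primary (assumption about the meaning of "Do not alternate").
            if self.alternate:
                server = self.servers[attempt % len(self.servers)]
            else:
                server = self.servers[0]
            if self.transport(server, record):
                return server
            if attempt + 1 < self.attempts:
                self.delay_schedule.append(self.retransmit_delay)
        return None

    def send(self, record):
        """Return the server that accepted the record, or None if it was stored."""
        delivered_to = self._try_deliver(record)
        if delivered_to is None:
            if len(self.stored) < MAX_STORED:
                self.stored.append(record)
            else:
                self.lost += 1
            return None
        # Copies to the carbon-copy servers are best effort.
        for cc in self.carbon_copies:
            self.transport(cc, record)
        return delivered_to

    def flush(self):
        """When a connection is re-established, replay stored records in order."""
        replayed = 0
        while self.stored:
            if self._try_deliver(self.stored[0]) is None:
                break
            self.stored.popleft()
            replayed += 1
        return replayed


def make_transport(up):
    """Constructed fake transport: up maps server name -> reachable; logs deliveries."""
    log = []

    def transport(server, record):
        if up.get(server, False):
            log.append((server, record))
            return True
        return False

    return transport, log
```

Because `transport` is injected, the same class can be exercised against a recorded outage sequence to confirm that records queue up rather than disappear, and that `flush()` drains the queue once either server answers again.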
Managing the DHCP Service Options {DHCP}
When a device connects to the network, the DHCP server assigns it a dynamic IP address for
the duration of the session. Most users have DHCP capability on their computer. To enable this
service on the AG 2100, you can either enable the DHCP relay (routed to an external DHCP
server IP address), or you can enable the AG 2100 to act as its own DHCP server. In both cases,
DHCP functionality is necessary if you want to automatically assign IP addresses to
subscribers.
1. From the Web Management Interface, click Configuration, then DHCP.
The DHCP Settings screen appears:
Nomadix’ patented Dynamic Address Translation (DAT) functionality is
automatically configured to facilitate plug-and-play access to subscribers who
are misconfigured with static (permanent) IP addresses, or subscribers that do
not have DHCP capability on their computers. DAT allows all users to obtain
network access, regardless of their computer’s network settings.
2. DHCP Services is enabled by default. Do not disable it unless you want to lose all DHCP
services.
By default, the AG 2100 is configured to act as its own DHCP server and the
relay feature is disabled. If you want the AG 2100 to act as its own DHCP server,
do not enable the relay. Go directly to Step 8.
3. To route DHCP through an external server, enable the DHCP Relay.
You must now assign a valid DHCP Server IP address (the default is 0.0.0.0) and a valid
DHCP Relay Agent IP address.
The DHCP Relay Agent lets the AG 2100 request a specific range of IP addresses from
different IP pools on the DHCP Server. Leaving these fields blank forces the system to
use the IP pool that contains IP addresses that are on the same subnet as the AG 2100.
You must disable the DHCP server before enabling the DHCP relay. Both
features cannot be enabled concurrently.
If the DHCP Relay Agent IP address is set for an address that is already used or
is the IP address of the server, the other system will get an IP conflict and will
not have Internet access.
If the DHCP Relay Agent IP address is set to an address that is already in use, or to
the IP address of the server, the other system will get an IP conflict and will
therefore have no Internet access.
4. If you want the AG 2100 to act as its own DHCP Server (and you did not enable the
DHCP Relay), enable it now.
5. If required, enable the IP Upsell feature.
System administrators can set two different DHCP pools for the same physical LAN.
When DHCP subscribers select a service plan with a public pool address, the AG 2100
associates their MAC address with their public IP address for the duration of the
service-level agreement. The opposite is true if they select a plan with a private pool
address. This feature enables a competitive solution and is an instant revenue generator
for ISPs. IP Upsell solves a number of connectivity problems, especially with regard to
L2TP and certain video conferencing and online gaming applications.
6. If you want to add a new DHCP Pool, click Add.
The Add DHCP Pools screen appears:
7. Enter a valid DHCP Server IP address for the DHCP server.
8. Enter the DHCP Server Netmask.
9. Enter the starting and ending IP addresses for the DHCP address pool you want to use:
• DHCP Pool Start IP
• DHCP Pool Stop IP
10. Enter the DHCP Lease Minutes.
11. Select Public Pool or Private Pool, as required.
A “public” IP address will not be translated by DAT.
If required, make this an IP Upsell Pool and/or the Default Pool by checking the
appropriate boxes.
Do not allow pools to overlap.
12. When finished establishing your DHCP Pools, click on the Back to Main DHCP
Configuration Page to return to the previous page.
13. You must now reboot the system for the new settings to take effect. Click the check box
for Reboot after changes are saved? then click Submit to save your changes and reboot
the system, or click Reset to reset all the values to their previous state.
When the system restarts, DHCP is enabled and configured. The existing lease pool and
lease table are deleted and the AG 2100 reboots. The AG 2100 can issue IP addresses to
any DHCP enabled subscriber who enters the network.
See “Managing the DNS Options {DNS}” on page 90.
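The pool rules from Steps 7 through 11 (start and stop addresses inside the server’s netmask, a positive lease, no overlapping pools, and public pools left untranslated by DAT) can be checked before you click Submit and reboot. The Python script below is an added example, not part of the AG 2100 firmware or of this guide; the pool values are constructed, and the rule that only one pool may be the Default Pool is an assumption the guide does not state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpPool:
    """One entry of the Add DHCP Pools screen (field names follow the guide)."""
    server_ip: str
    netmask: str
    start_ip: str
    stop_ip: str
    lease_minutes: int
    public: bool = False      # Public Pool: addresses are not translated by DAT
    ip_upsell: bool = False   # IP Upsell Pool
    default: bool = False     # Default Pool

    @property
    def network(self):
        return ipaddress.IPv4Network(f"{self.server_ip}/{self.netmask}", strict=False)

    @property
    def start(self):
        return ipaddress.IPv4Address(self.start_ip)

    @property
    def stop(self):
        return ipaddress.IPv4Address(self.stop_ip)

    def overlaps(self, other):
        """Inclusive range intersection test."""
        return self.start <= other.stop and other.start <= self.stop


def validate_pools(pools):
    """Return a list of problems; an empty list means the pools can be submitted."""
    errors = []
    for i, p in enumerate(pools):
        label = f"pool {i}"
        if p.stop < p.start:
            errors.append(f"{label}: Stop IP precedes Start IP")
        if p.start not in p.network or p.stop not in p.network:
            errors.append(f"{label}: range is outside {p.network}")
        if p.lease_minutes <= 0:
            errors.append(f"{label}: DHCP Lease Minutes must be positive")
    # The guide's rule: do not allow pools to overlap.
    for i in range(len(pools)):
        for j in range(i + 1, len(pools)):
            if pools[i].overlaps(pools[j]):
                errors.append(f"pool {i} overlaps pool {j}")
    # Assumption (not stated in the guide): at most one pool is the Default Pool.
    if sum(p.default for p in pools) > 1:
        errors.append("more than one Default Pool")
    return errors


def pool_for(pools, ip):
    """Which pool an issued address belongs to, and whether DAT leaves it alone."""
    addr = ipaddress.IPv4Address(ip)
    for p in pools:
        if p.start <= addr <= p.stop:
            return p, p.public
    return None, None
```

Run `validate_pools` on the full set of pools each time one is added; the overlap check is pairwise, so a new pool is tested against every existing one, including pools on a different subnet of the same LAN.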
Managing the DNS Options {DNS}
DNS allows subscribers to enter meaningful URLs into their browsers (instead of complicated
numeric IP addresses) by automatically converting the URLs into the correct IP addresses. You
can assign a primary, secondary, or tertiary (third) DNS server. The AG 2100 utilizes
whichever server is currently available.
Use the following procedure to set the DNS configuration options.
1. From the Web Management Interface, click Configuration, then DNS.
The Domain Name System (DNS) Settings screen appears:
2. Enter the Host Name (the DNS name of the AG 2100).
The host name must not contain any spaces.
3. Enter a valid Domain name (the Internet domain that DNS requests will utilize).
4. Enter the IP addresses for the DNS servers (located at the customer’s network operating
center where DNS requests are sent). Servers include:
• Primary DNS Server
• Secondary DNS Server
• Tertiary DNS Server
The secondary and tertiary DNS servers are only utilized if the primary DNS
server is unavailable.
If DHCP Client or PPPoE Client is enabled, the Primary and Secondary DNS
Server may not be configured, since the DHCP/PPPoE server may provide those
items. Furthermore, if DHCP Client is configured, the Domain may not be
configured.
5. When finished, you must reboot the system for the new settings to take effect. Click the
check box for Reboot after changes are saved? to reboot the system after saving your
changes.
6. Click Submit to save your changes and reboot the system, or click Reset to reset all the
values to their previous state.
Configuring Dynamic DNS {Dynamic DNS}
These settings can be accessed under the following menus:
WMI Configuration
• Go to Configuration->Dynamic DNS
CLI Configuration
• Go to Configuration->dyndns
• Go to Configuration->dyndns->configure for configurations
SNMP Configuration
• Go to ag->dyndns (enterprises.3309.1.3.50) for the DDNS configuration branch
Enable Checkbox
This is the checkbox to enable or disable the Dynamic DNS functionality
Provider Information
This is to specify provider details. Currently only dyndns.org is supported.
Protocol: the update protocol the vendor supports.
Server and Port: the server and port to which the client sends updates for the DDNS server.
Account Information
The Host Name is the DDNS name mapped to the client IP address; DDNS mapping is
configured on the DynDNS.org account. Username and Password for the DDNS server
account.
Force Update
This forces an immediate update to the DDNS server. Please note that too many updates could
be considered as abuse by the DDNS vendor.
GRE Tunneling {Gre Tunneling}
Use the following procedure to set the GRE Tunneling options.
1. From the Web Management Interface, click Configuration, then GRE Tunneling.
The GRE Tunneling screen appears:
2. Click the checkbox for GRE Tunneling to enable this feature.
3. Enter the VPN Concentrator IP Address. This is the IP address of the remote server.
4. Enter the GRE Interface IP Address. This is the IP of the local GRE interface on the
AG 2100.
5. Enter the GRE Interface Subnet Mask. This is the subnet mask for the GRE
connection.
6. Enter the GRE Interface Default Gateway. This is the IP address of the GRE interface
of the remote host.
7. When finished, you must reboot the system for the new settings to take effect. Click the
check box for Reboot after changes are saved? to reboot the system after saving your
changes.
8. Click Submit to save your changes and reboot the system, or click Reset to reset all the
values to their previous state.
Setting Home Page Redirection Options {Home Page Redirect}
This procedure shows you how to redirect the subscriber’s browser to a specified home page.
Subscribers may also be redirected to a page specified by the solution provider, without any
interaction with the credit card authentication process.
You must configure DNS if you want to enter meaningful URLs instead of numeric
IP addresses into any of the AG 2100’s configuration screens.
1. From the Web Management Interface, click Configuration, then Home Page Redirect.
The Home Page Redirection Settings screen appears:
2. Click the check box for Home Page Redirection to enable this feature. If you enable
home page redirection, you must provide a URL for the redirected home page.
3. Enter the URL of the redirected home page in the Home Page URL field.
4. If required, click the Enable box for Parameter Passing. Parameter passing allows the
AG 2100 to track a subscriber’s initial web request (usually the subscriber’s home page)
and pass the information on to the solution provider. The solution provider uses this
information to ensure that the subscriber can return to their home page easily.
5. In the Redirection Frequency field, specify the frequency (in minutes) for home page
redirection. This is the interval at which the subscriber is redirected to the solution
provider’s home page automatically.
6. Click Submit to save your changes, or click Reset to reset all the values to their
previous state.
Enabling Intelligent Address Translation (iNAT™)
Our patent-pending iNAT™ feature contains an advanced, real-time translation engine that
analyzes all data packets being communicated between the private and public address domains.
The Nomadix iNAT™ engine performs a defined mode of network address translation based
on packet type and protocol (for example, GRE, IKE etc…).
1. From the Web Management Interface, click Configuration, then iNAT. The iNAT screen
appears:
2. Enable or disable the iNAT feature, as required. If you enabled iNAT, you have the option
of enabling or disabling the following VPN protocols:
• PPTP - Enable with the checkbox.
• PPTP Call ID - Enable this if the PPTP Server uses PPTP Call IDs to differentiate user
connections.
• IPSEC - Enable with the checkbox.
You must reboot the system if you make changes to any of the following
IP settings.
Click Submit to save your options.
3. Configure the iNAT Address Pool. To add or remove an IP address (or range of IP
addresses) to or from the list, enter the starting IP address in the iNAT Start IP field. If you
are adding or removing a range of IP addresses to the iNAT list, you must now enter the
ending IP address in the iNAT End IP field. If you are adding or removing a single IP
address, enter None in the iNAT End IP field.
The iNAT list can contain up to 50 (fifty) valid IP addresses, or up to 50 (fifty)
ranges of IP addresses.
Click Add to add this IP address range to the list or Remove to remove this IP address
range from the database.
The iNAT IP addresses display under Currently configured iNAT IP addresses/
ranges.
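Both the administrator Access Control list (“Establishing Secure Administration {Access Control}”) and the iNAT Address Pool above share the same list semantics: up to 50 entries, each a single address (End IP set to None) or an inclusive start/end range, added and removed by start/end pair. The Python script below is an added example, not Nomadix code, that implements that list once and applies it to the access-control decision the guide describes: the interface must not be blocked, and when Access Control is enabled a login from a source IP not on the list is denied even with a correct name and password. Interface names, IP addresses and the helper `fill_to_capacity` are constructed for illustration.

```python
import ipaddress

# Both the administrator Access Control list and the iNAT address pool hold up to
# 50 entries, each either a single IP address or an inclusive start/end range.
MAX_ENTRIES = 50


class IpRangeList:
    """A capped list of IPv4 addresses/ranges with the guide's add/remove semantics."""

    def __init__(self):
        self._entries = []  # (start, end) as integers, inclusive

    @staticmethod
    def _parse(start_ip, end_ip):
        start = int(ipaddress.IPv4Address(start_ip))
        # Entering "None" in the End IP field means a single address.
        if end_ip in (None, "", "None"):
            end = start
        else:
            end = int(ipaddress.IPv4Address(end_ip))
        if end < start:
            raise ValueError("End IP must not precede Start IP")
        return start, end

    def add(self, start_ip, end_ip="None"):
        """Add an entry; False if already present; ValueError if the list is full."""
        entry = self._parse(start_ip, end_ip)
        if entry in self._entries:
            return False
        if len(self._entries) >= MAX_ENTRIES:
            raise ValueError(f"list already holds {MAX_ENTRIES} entries")
        self._entries.append(entry)
        return True

    def remove(self, start_ip, end_ip="None"):
        """Remove an entry; False if it was not in the list."""
        entry = self._parse(start_ip, end_ip)
        if entry not in self._entries:
            return False
        self._entries.remove(entry)
        return True

    def contains(self, ip):
        n = int(ipaddress.IPv4Address(ip))
        return any(start <= n <= end for start, end in self._entries)

    def __len__(self):
        return len(self._entries)


def admin_login_allowed(access_control_enabled, blocked_interfaces, permitted,
                        interface, source_ip, credentials_ok):
    """The decision the guide describes: the interface must not be blocked, and
    when Access Control is enabled the source IP must match the list; otherwise
    the login is denied even with a correct name and password."""
    if interface in blocked_interfaces:
        return False
    if access_control_enabled and not permitted.contains(source_ip):
        return False
    return credentials_ok


def fill_to_capacity(lst, prefix="10.99"):
    """Constructed helper: add distinct single addresses until the cap is hit and
    return how many were accepted."""
    accepted = 0
    for i in range(256):
        try:
            if lst.add(f"{prefix}.0.{i}"):
                accepted += 1
        except ValueError:
            break
    return accepted
```

Note that `admin_login_allowed` checks the source address before the credentials, which mirrors the guide’s statement that an unlisted source is rejected regardless of the password supplied; a monitoring rule on the gateway’s logs can count such rejections per source to spot password guessing from addresses that were never meant to reach the management interfaces.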
Defining IPSec Tunnel Settings {IPSec}
From the Web Management Interface, click on Configuration, then IPSec. (You can also
access IPSec from the CLI by going to Configuration->IPSec to configure settings, and
Network Info->IPSec to view IPSec Tunnel status.)
The IPSEC Tunnel Settings screen appears:
To enable this feature, click on the Enable IPSEC check box.
Enabling or disabling IPSEC with the check box requires a reboot.
Click on Add button in the Peers and Security Policy (SP) tables to add an entry.
Peer IP addresses in Peers and SP tables are links to the configured policies.
IPSec Tunnel Peers
Tunnel Peer
• IP address of peer
Peer Authentication Method
• Choice of Pre-shared key or X.509 certificates
• Enter the Pre-shared Key in the Shared Key text field if Pre-shared Key is selected
• Enter the filename of the private and public certificates if X.509 is selected. Note:
files must exist on flash first.
IKE Channel Security Parameters
• Encryption Algorithm – at least one must be selected
• Hash Algorithm – at least one must be selected
• Key Strength (a.k.a. Diffie-Hellman) – either Group 1 (768 bit) or Group 2 (1024 bit)
• Lifetime – in seconds; Data life size is NOT supported
IPSec Tunnel Security Policies
Tunnel Peer Address
• Select a Peer IP Address from the pull-down menu with which this security
association is to be established.
• Must select a Peer if the policy is using ESP or AH.
• Able to select ‘none’ only if policy is a discard or bypass policy
Traffic Selector
Protocol
• To select a specific protocol via pull-down menu or protocol number
• Protocol numbers available at www.iana.org/assignments/protocol-numbers
The following settings define selectors of the Security Policy. All selectors must match in order
for the policy to be applied.
Remote End
• Remote End/ Peer IP setting - The IP address of the remote VPN server.
• Remote IP/Subnet - This is the IP address of the remote network secured by the IPSec
tunnel. The address could specify a host.
• Subnet Mask - This is the subnet mask of the remote network secured by the IPSec
tunnel.
• Remote Port – 0 is for all ports (only if protocol is UDP or TCP)
Local End
• Choice of using current Network Interface IP address or specifying a subnet - Security
Policy can derive the settings for the Local End from the current Network IP settings
of the unit.
• Local IP subnet - This is the IP address of the local network secured by the IPSec
tunnel. The address could specify a host.
• Subnet Mask - This is the subnet mask of the local network secured by the IPSec
tunnel. The address could specify a host.
• Local Port – 0 is for all ports (only if protocol is UDP or TCP)
Security Parameters
• Choice of Discard, Bypass, ESP, or AH.
• Discard/Bypass => select a direction type
• ESP only => select all acceptable encryption algorithms
• ESP/AH => select all acceptable authentication algorithms
• Perfect Forward Secrecy Strength
• Maximum Lifetime
• Maximum Life size
• Automatic renewal
Perfect Forward Secrecy checkbox
When selected, it enables PFS. PFS makes the keying material used in protecting the data
independent of the keying material used for protecting the IKE exchanges.
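The selector rules above (protocol, remote IP/subnet, remote port, local IP/subnet, local port, port fields meaningful only for TCP or UDP, 0 meaning all ports, and a Tunnel Peer required for ESP/AH but optional for discard/bypass) can be expressed as a small matching routine. The Python script below is an added example, not code from the AG 2100 or this guide; the policy names, addresses and packets are constructed, and both the first-match ordering of policies and `None` standing for “any protocol” are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17   # IANA protocol numbers
ANY_PORT = 0       # the guide: port 0 means all ports


@dataclass
class SecurityPolicy:
    name: str
    action: str              # "discard", "bypass", "esp" or "ah"
    peer: Optional[str]      # Tunnel Peer Address; None only for discard/bypass
    protocol: Optional[int]  # IANA protocol number; None = any (assumption)
    remote_net: str          # Remote IP/Subnet + Subnet Mask, e.g. "10.20.0.0/16"
    remote_port: int
    local_net: str           # Local IP subnet + Subnet Mask
    local_port: int


@dataclass
class Packet:
    """Constructed outbound packet: local side is the source, remote side the destination."""
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0


def validate_policy(policy):
    """ESP and AH need a peer; 'none' is allowed only for discard or bypass."""
    if policy.action not in ("discard", "bypass", "esp", "ah"):
        raise ValueError(f"{policy.name}: unknown action {policy.action!r}")
    if policy.action in ("esp", "ah") and policy.peer is None:
        raise ValueError(f"{policy.name}: ESP/AH policy requires a Tunnel Peer")
    return True


def _port_ok(policy_protocol, selector_port, pkt_port):
    # Port selectors only apply when the policy's protocol is TCP or UDP.
    if policy_protocol not in (TCP, UDP):
        return True
    return selector_port == ANY_PORT or selector_port == pkt_port


def matches(policy, pkt):
    """All selectors must match for the policy to apply."""
    if policy.protocol is not None and policy.protocol != pkt.protocol:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ipaddress.IPv4Network(policy.local_net):
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ipaddress.IPv4Network(policy.remote_net):
        return False
    if not _port_ok(policy.protocol, policy.local_port, pkt.sport):
        return False
    if not _port_ok(policy.protocol, policy.remote_port, pkt.dport):
        return False
    return True


def select_action(policies, pkt):
    """First matching policy wins (ordering is an assumption); (None, None) if none match."""
    for policy in policies:
        validate_policy(policy)
        if matches(policy, pkt):
            return policy.action, policy.name
    return None, None
```

A useful habit when reviewing a policy table is to run a handful of representative packets (tunnel traffic, a host outside the remote subnet, a port that should bypass) through `select_action` and confirm each lands on the intended action before committing the configuration and rebooting.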
Establishing Your Location {Location}
This command sets up your location and the corresponding IP addresses for the network
interface, subnet, and default gateway. You must provide your full location information.
1. From the Web Management Interface, click Configuration, then Location. The Location
Settings screen appears:
2. Enter your location information in the following fields:
• Company Name
• Address (Line 1 and Line 2)
• City, State, Zip, and Country
• E-mail Address
• SO Country Code
• Phone Country Code
• Calling Area Code
3. Select the area type that most resembles your location from the drop down list.
4. Enter a Network SSID/Zone.
You must reboot the system if you make changes to any of the following IP
settings.
You may lose your connection if you change the IP settings incorrectly (using
invalid IP addresses). If you misconfigure the AG 2100 and network
connectivity is lost, you can still access the AG 2100 from the Admin IP address
(172.30.30.172).
If you change the IP settings incorrectly, using invalid IP addresses, you can
lose your Internet connection. If you do not configure the AG 2100 correctly
and the network connection is lost, you can still reach the AG 2100 from the
Admin IP address (172.30.30.172).
5. Choose a Network Interface Configuration Method:
• DHCP Client. Enable or disable the DHCP Client, as required. If you are using a
DHCP Client, you can skip Step 5 through Step 6.
• PPPoE Client. See “PPPoE Client” on page 306 in Appendix B for information
about configuring a PPPoE Client.
• Static. Enables a static IP address. Enter the Static Configuration Parameters:
  – Enter a valid IP address in the Network IP Address field. The Network IP Address is
  the public IP address that allows administrators to see the AG 2100 on the network.
  Use this address when you need to make a network connection with the AG 2100.
  All IP addresses must be established, otherwise the AG 2100 will not be visible on
  the network.
  The network interface and subscriber interface addresses must be on the same
  subnet.
  – Enter a valid IP address in the Subnet Mask field. The subnet mask defines the
  number of IP addresses that are available on the routed subnet where the AG 2100 is
  located.
  – Enter a valid default gateway IP address in the Default Gateway field. The default
  gateway is the IP address of the router that the AG 2100 uses to transmit data to the
  Internet.
6.
When finished, you must reboot the system for the new settings to take effect. Click the
check box for Reboot after changes are saved? to reboot the system after saving your
changes.
7.
Click Submit to save your changes and reboot the system, or click Reset to reset all the
values to their previous state.
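Because a mistyped static address costs you the management connection until you fall back to the Admin IP address, it is worth checking the three values against each other before clicking Submit. The following is an added example of such a pre-check (my code, not Nomadix's; the AG 2100 itself performs no such validation that this page documents). It uses only the Python standard library, and the addresses in the docstring and tests are constructed sample values. The optional subscriber interface address is my addition so that the same-subnet rule stated above can be checked too.

```python
import ipaddress


def validate_static_config(network_ip, subnet_mask, default_gateway, subscriber_ip=None):
    """Return a list of problems found with the Static Configuration Parameters.

    An empty list means the values are consistent with each other. Checks mirror
    the requirements stated in the procedure: valid addresses, a default gateway
    reachable on the routed subnet, and (optionally) the network and subscriber
    interface addresses on the same subnet.
    Example: validate_static_config("203.0.113.10", "255.255.255.0", "203.0.113.1")
    """
    problems = []
    try:
        ip = ipaddress.IPv4Address(network_ip)
    except ValueError:
        return [f"Network IP Address {network_ip!r} is not a valid IPv4 address"]
    try:
        gw = ipaddress.IPv4Address(default_gateway)
    except ValueError:
        return [f"Default Gateway {default_gateway!r} is not a valid IPv4 address"]
    try:
        # strict=False accepts a host address together with its mask; a
        # non-contiguous mask such as 255.255.0.255 raises ValueError here.
        net = ipaddress.IPv4Network((network_ip, subnet_mask), strict=False)
    except ValueError:
        return [f"Subnet Mask {subnet_mask!r} is not a valid contiguous netmask"]

    # The device needs a usable host address, not the network or broadcast address.
    if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
        problems.append(
            f"Network IP Address {network_ip} is the network or broadcast address of {net}")

    # The gateway router must sit on the same routed subnet, and must not be the device itself.
    if gw not in net:
        problems.append(f"Default Gateway {default_gateway} is not on subnet {net}")
    elif gw == ip:
        problems.append("Default Gateway must not equal the Network IP Address")

    # Same-subnet rule for the subscriber interface (only checked when an address is given).
    if subscriber_ip is not None:
        try:
            sub = ipaddress.IPv4Address(subscriber_ip)
        except ValueError:
            problems.append(
                f"Subscriber interface address {subscriber_ip!r} is not a valid IPv4 address")
        else:
            if sub not in net:
                problems.append(
                    f"Subscriber interface address {subscriber_ip} is not on subnet {net}")
    return problems
```

Run the function on the values you intend to enter; only submit when it returns an empty list. It cannot tell you whether the gateway router actually exists, so a ping from the subnet after the reboot is still the final check.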
Managing Log Options {Logging}
System logging creates log files and error messages generated at the system level. AAA
logging creates activity log files for the Authorization, Authentication, and Accounting (AAA)
functions.
Although the AAA and billing logs can go to the same server, we recommend that
they have their own unique server ID number assigned (between 0 and 7). When
managing multiple properties, the properties are identified in the log files by their
IP addresses.
1. From the Web Management Interface, click Configuration, then Logging. The Log Settings screen appears:
2. If required, click the check box for System Log to enable system logging. When system logging is enabled, the standard SYSLOG protocol (UDP) is used to send all message logs generated by the AG 2100 to the specified SYSLOG server.
3. Enter a unique number (between 0 and 7) in the System Log Number field. This ID number is assigned to the System Log Server.
4. Enter a valid IP address in the System Log Server IP field.
5. If required, repeat Steps 2 through 4 for the AAA Log feature.
6. Click Submit to save your changes, or click Reset to reset all the values to their previous state.
When logging is enabled, log files and error messages are sent to these servers for future
retrieval. To see sample reports, go to “Sample SYSLOG Report” on page 268 and “Product
Specifications” on page 264.
Additional configurations have been added to the Log Settings window. Please refer to “Local
Syslog and Syslog Filters” on page 317 and “Periodic Syslogs: System Report Syslogs” on
page 320 in Appendix B: Addendum.
Assigning Passthrough Addresses (Passthrough Addresses)
The AG 2100 allows up to 52 IP passthrough addresses and DNS names. This feature allows
users to “pass through” the AG 2100 and access predetermined services (for example, the
redirected home page) at the solution provider’s discretion, even though users may not have
subscribed to the broadband Internet service. This is useful if solution providers want to openly
promote selected services to all users, even if users are not currently subscribing (paying) for
access.
The AG 2100 is supplied with “Hotmail®” as a default passthrough setting.
1. From the Web Management Interface, click Configuration, then Passthrough Addresses. The Passthrough Address Settings screen appears:
2. If required, enable Passthrough Addresses, then click Submit.
3. In the IP/DNS Name field, enter the IP address or DNS name of the passthrough you want to add or remove from the system.
The system only accepts route DNS names (for example, www.nomadix.com). Do not include protocol, port, or path information.
4. If adding this passthrough, click Add, otherwise click Remove to delete this passthrough from the list.
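The IP/DNS Name field takes a bare address only, and the list holds at most 52 entries. The following added example (my code, not the AG 2100's input handling) applies those rules to a batch of candidate entries before you type them in: it rejects anything carrying a protocol prefix, port or path, normalises case, drops duplicates, and stops at the 52-entry limit. All host names and addresses in it are constructed samples; requiring at least two labels in a DNS name is my assumption.

```python
import ipaddress
import re

MAX_PASSTHROUGH = 52  # limit stated in the guide

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen (RFC 1123 style).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_passthrough_entry(entry):
    """Return the cleaned IP/DNS entry, or raise ValueError saying why it is rejected.

    Accepts an IPv4 address or a bare DNS name such as www.nomadix.com; anything
    with protocol, port or path information is refused, as the guide requires.
    """
    value = entry.strip()
    if not value:
        raise ValueError("entry is empty")
    if "://" in value:
        raise ValueError("protocol prefix is not allowed (enter www.example.com, not http://www.example.com)")
    if "/" in value:
        raise ValueError("path information is not allowed")
    if ":" in value:
        raise ValueError("port information is not allowed")
    try:
        return str(ipaddress.IPv4Address(value))  # plain IP address entry
    except ValueError:
        pass
    name = value.rstrip(".").lower()
    labels = name.split(".")
    # Assumption: a passthrough name must be fully qualified (at least two labels).
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"{entry!r} is not a valid DNS name")
    return name


def build_passthrough_list(entries):
    """Validate entries in order; return (accepted, rejected).

    accepted is the de-duplicated list to enter on the Passthrough Addresses screen,
    rejected maps each refused entry to the reason.
    """
    accepted, rejected = [], {}
    for entry in entries:
        try:
            name = normalize_passthrough_entry(entry)
        except ValueError as err:
            rejected[entry] = str(err)
            continue
        if name in accepted:
            continue  # same host written differently (case, trailing dot)
        if len(accepted) >= MAX_PASSTHROUGH:
            rejected[entry] = f"list is full ({MAX_PASSTHROUGH} entries)"
            continue
        accepted.append(name)
    return accepted, rejected
```

Keep in mind what a passthrough opens: every accepted name or address becomes reachable by unauthenticated subscribers, so review the accepted list with the same care as a firewall rule, and prefer exact host names over addresses shared by many services.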
Setting Up Port Locations {Port-Location}
Port-Location allows you to establish the mode of operation for devices.
1. From the Web Management Interface, click on Configuration, then Port-Location. The Port-Location Settings screen appears:
2. System administrators can set the properties for each room from the subscriber side of the AG 2100. The system automatically detects which port number the administrator is using and allows them to enter the fields for the room corresponding to the port they are using. If required, click on the check box for In Room Port Mapping to enable this feature.
3. If you enabled In Room Port Mapping, you must assign a Username and Password. You will need these when you perform port mapping from the subscriber side of the AG 2100. Go to “In Room Port Mapping” on page 114 to map rooms from the subscriber side of the AG 2100.
For security reasons, this feature should be disabled when in room port mapping (from the subscriber side of the AG 2100) is completed.
4. Select No Port Location Mapping if you are not using Port-based access, or go to Step 5.
5. Select 802.1Q one-way or 802.1Q two-way (VLAN IDs) if you are using a device that understands VLAN IDs. These options tell the AG 2100 that the device can process VLAN IDs to identify which port-location the information is coming from, and how to bill it.
When assigning port-locations, the “port” is the VLAN ID (when using 802.1Q one-way or 802.1Q two-way).
Otherwise, go to Step 6.
6. If you are using an access concentration device that cannot handle VLAN IDs, select one of the available Access Concentrator Query options:
The devices in the following list must be assigned an IP address on the same subnet as the AG 2100. You must remove “old” concentrator types before entering new ones.
• Tut Systems Expresso
• Lucent DSL Terminator
• Tut MDU Lite Systems
• RFC1493 Compliant Systems
• RiverDelta 1000B
• Elastic Networks
These options enable an SNMP query to “ask” the access concentration device which
card, slot, or port the information is coming from. You must enter the IP address (not
name), SNMP community, and SNMP query duration (maximum time it takes to detect
subscriber migration) of all access concentrators connected to the site. You can also opt to
Relogin after migration by checking the “Relogin after migration” Enable box.
For “cascading” Tut and RFC1493 compliant systems, click on the associated Cascading
button. The Cascading Support screen appears, allowing you to enter the IP address and
SNMP community for the primary and all “cascading” devices connected to the site. For
RFC1493 compliant systems, you have the additional option of defining the “Uplink
port.”
(Cascading Support screens shown for Tut Systems and for RFC1493 Systems.)
From the Cascading Support screen, you can return to the main Port-Location Settings
screen at any time by pressing the Back button.
7. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
In Room Port Mapping
This section shows In Room Port Mapping from the subscriber side, when the In Room
Port Mapping feature is enabled.
AG 2100 multiple VLAN tagged systems can use the same tags and be placed on
different Subscriber ports. Although it is technically possible to place two
different VLAN tagged switches (one on each Subscriber side) that have the
same VLAN tags designated, this configuration can cause problems. To avoid
conflicts, you must ensure that the VLAN tags are different on the different
devices.
1. Enable In Room Port Mapping and assign a user name and password (see previous section, Steps 2 and 3).
2. Enter the following URL target format:
http://(AG 2100 IP address):1111/usg/roommapping
For example:
http://219.57.108.103:1111/usg/roommapping
The Enter Network Password prompt appears, asking for your user name and password (with an option to save them).
3. Enter your user name and password, then click on the OK button. The In Room Port Mapping screen appears:
4. Enter the room number and a description for this room.
5. Select the access mode you want to assign to this room:
• Room Free Access
• Room For Charge
• Room Blocked
6. Click on the Submit button to save your changes.
7. Repeat Steps 4 through 6 for each room (see note).
If you leave your browser open, the “cookie” that is placed on your system will allow you to go from room to room during the mapping process. However, if you close your browser, the cookie is deleted and you will need to log in again.
Defining the RADIUS Client Settings {RADIUS Client}
The AG 2100 supports Remote Authentication Dial-In User Service (RADIUS). RADIUS is an
authentication and accounting system used by many Internet Service Providers.
The “Usernames” function must be enabled for a RADIUS login. See also,
“Defining the AAA Services {AAA}” on page 67.
Nomadix offers an integrated RADIUS client, allowing service providers to track or bill users
based on the number of connections, location of the connection, bytes sent and received,
connect time, etc. The customer database can exist in a central RADIUS server, along with
associated attributes for each user. When a customer connects into the network, the RADIUS
client authenticates the customer with the RADIUS server, applies associated attributes stored
in that customer's profile, and logs their activity (including bytes transferred, connect time,
etc.).
The AG 2100's RADIUS implementation also handles vendor specific attributes (VSAs),
required by WISPs that want to enable more advanced services and billing schemes, such as a
per device/per month connectivity fee.
All subscribers attempting to gain access to the network are validated by RADIUS.
For additional RADIUS information, see also:
• “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on page 122.
• “RADIUS Attributes” on page 271.
1. From the Web Management Interface, click on Configuration, then RADIUS Client. The RADIUS Client Settings screen appears:
2. Under the Server Selection options, choose the Routing Mode:
• Disabled (to disable RADIUS authentication)
• Realm-Based (for Realm routing)
• Fixed (for routing to predefined RADIUS servers)
3. Select the Default RADIUS Service Profile from the pull-down menu.
Miscellaneous Options
1. In the “Miscellaneous Options” category, enter a value for the time (in seconds) in the Default User Idle Timeout field. This value determines how much “idle” time elapses before the subscriber’s session times out and they must log in again.
2. The AG 2100 can reauthenticate “repeat” subscribers who return to the system within 720 hours. To enable this feature, click on the check box for Enable Automatic Subscriber Reauthentication.
3. If you want to enable the URL redirection feature, click on the check box for Enable URL Redirection.
4. For a Network Access Server (NAS), if you want to send a NAS identifier with your account access request, click on the check box for Send NAS identifier, then define the NAS identifier in the NAS identifier field.
5. To send the NAS IP address with your account request, click on the check box for Send NAS IP.
6. To send a NAS port type with your account request, click on the check box for Send NAS Port type, then define the NAS port in the NAS Port Type field.
7. To send the Framed IP address with your account request, click on the check box for Send Framed IP.
8. If required, check the box for Enable Session-Terminate-End-Of-Day When Authorized (to allow business policies that want to terminate the session at midnight of every day).
9. If required, check the box for Enable Byte Count Reset On Account Start (to reset the transmitted and received byte count for a subscriber once an “accounting start” is sent). This function prevents counting Walled Garden traffic if the billing plan is using bytes sent/received as a charge criterion.
10. If required, check the box for Enable Goodbye URL (if you want the system to display a post-session “goodbye” page). The “goodbye” page can be defined as a RADIUS VSA or be driven by the AG 2100’s Internal Web Server (IWS).
11. If required, check the box for Enable WAN 802.1q Attribute. To enable the default 802.1q tag, click on the check box for Enable Default 802.1q Tag for System Traffic and, if necessary, enter the tag number (see caution).
Changing the default tag number may result in a loss of connectivity.
12. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Defining the RADIUS Proxy Settings {RADIUS Proxy}
A RADIUS Proxy allows the NSE to relay authentication and accounting packets between the
parties performing the authentication process. Different realms can be set up to directly
channel RADIUS messages to the various RADIUS servers.
For additional RADIUS information, see also:
• “Defining the RADIUS Client Settings {RADIUS Client}” on page 116.
• “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on page 122.
• “RADIUS Attributes” on page 271.
1. From the Web Management Interface, click on Configuration, then RADIUS Proxy. The RADIUS Proxy Settings screen appears:
2. Enable or disable RADIUS Proxy Services, as required, by clicking on the appropriate check box.
3. If you enabled RADIUS Proxy Services, you must provide the Authentication Server Port and the Accounting Server Port references.
4. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Adding an Upstream RADIUS NAS
5. If you want to add a new Upstream RADIUS NAS (for example, an 802.11 Access Point on the subscriber side of the AG 2100), click on the Add button. The Add Upstream RADIUS NAS screen appears:
6. To make this entry the “active” NAS entry, click on the Entry Active check box.
7. Enter an IP Address for the Upstream NAS.
8. Enter a secret key in the Authentication Secret Key field. During the authentication process, the server and client exchange secret keys. The secret keys must match for communication between the server and the client to continue. The secret key is a valuable and necessary security measure.
9. Enter a secret key in the Accounting Secret Key field.
10. Select the Default RADIUS Service Profile from the pull-down menu (see note).
RADIUS requests originating from this Upstream NAS will be routed via the specified profile if they cannot be routed based on realm. Leave this field blank if default routing is not desired.
11. Click on the Add button to add this Upstream RADIUS NAS definition, then click on the
Back to Main RADIUS Proxy Settings page link to return to the RADIUS Proxy Settings
screen.
The Upstream RADIUS NAS definition you just added appears in the list. You can add up
to 10 definitions.
12. Repeat Steps 5 through 11 to add more Upstream RADIUS NAS definitions, as required.
13. To view your configured RADIUS Service Profiles and Realm Routing Policies, click on
the link: Click here to see configured RADIUS service profiles and Realm Routing
Policies (this will take you to the Realm-Based Routing Settings screen).
See also, “Defining the Realm-Based Routing Settings {Realm-Based Routing}” on
page 122.
Defining the Realm-Based Routing Settings {Realm-Based Routing}
Use this procedure when setting up RADIUS Service Profiles (up to 10) and Realm-based
Routing Policies (up to 50).
For additional RADIUS information, see also:
• “Defining the RADIUS Client Settings {RADIUS Client}” on page 116
• “Defining the RADIUS Proxy Settings {RADIUS Proxy}” on page 119
• “RADIUS Attributes” on page 271
• “L2TP Tunneling” on page 310
From the Web Management Interface, click on Configuration, then Realm-Based Routing. The Realm-Based Routing Settings screen appears:
Adding a RADIUS Service Profile
1. To add a RADIUS Service Profile, click on the appropriate Add button. The Add RADIUS Service Profile screen appears:
2. Enter a name of your choice for this service profile in the Unique Name field.
Authentication
This category requires input for enabling RADIUS authentication and requires you to define IP
addresses, ports, and secret keys for the primary and secondary RADIUS servers (the
secondary server is optional).
1. Enable or disable the RADIUS Authentication Service, as required, by clicking on the Enable RADIUS Authentication Service check box.
2. If you enabled the RADIUS Authentication Service, enter the primary RADIUS authentication server IP address in the Primary IP field.
3. Enter the authorization port in the Port field for the primary RADIUS authentication server. This is the port the system uses when authorizing subscribers.
4. Enter a secret key in the Secret Key field for the primary RADIUS authentication server. During the authentication process, the server and client exchange secret keys. The secret keys must match for communication between the server and the client to continue. The secret key is a valuable and necessary security measure.
The AG 2100 and the RADIUS servers must use the same secret key.
5. Repeat Steps 2 through 4 for the secondary RADIUS authentication server (if used).
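What "must use the same secret key" means on the wire is that the secret is never transmitted; each side mixes it into an MD5 authenticator that the other side recomputes, so a reply produced with a different secret, or altered in transit, fails verification and is discarded. The following added example (my code, written from RFC 2865 section 3, not the AG 2100's or any RADIUS server's implementation) builds a constructed Access-Request and Access-Accept exchange and shows the client-side check. All identifiers, user names and the secret are constructed sample values; attribute numbers 1, 27 and 32 are the standard User-Name, Session-Timeout and NAS-Identifier types.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, SESSION_TIMEOUT, NAS_IDENTIFIER = 1, 27, 32


def encode_attributes(attrs):
    """Encode a list of (type, value bytes) as RADIUS Type/Length/Value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_request(identifier, attrs):
    """Client side: an Access-Request carries a fresh 16-byte random Request Authenticator."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + os.urandom(16) + body


def build_response(code, request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_response(response, request, secret):
    """Client side: recompute the Response Authenticator with our copy of the secret.

    The identifier must match the outstanding request and the length must match
    the datagram; any reply computed with another secret, or with its code or
    attributes changed in transit, yields a different digest and is rejected.
    """
    if len(response) < 20 or len(request) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange. Returns (verified with the right secret, verified with a wrong one)."""
    request = build_request(7, [(USER_NAME, b"guest@isp.example"), (NAS_IDENTIFIER, b"ag2100-lobby")])
    reply = build_response(ACCESS_ACCEPT, request, secret, [(SESSION_TIMEOUT, struct.pack("!I", 3600))])
    return verify_response(reply, request, secret), verify_response(reply, request, b"another-secret")
```

The same computation protects Accounting-Response packets, which is why the accounting secret in the next section matters just as much. Because the construction is MD5-based and the request authenticator is only 16 random bytes, the secret should be long and unique per client; reusing one secret across every upstream NAS means a single leaked device compromises them all.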
Accounting
This category requires input for enabling the RADIUS accounting service, and also requires
the necessary IP addresses, ports and secret keys for the primary and secondary RADIUS
accounting servers. The RADIUS accounting server is responsible for receiving accounting
requests and returning a response to the client indicating that it has received the request.
1. To enable the accounting service for your RADIUS functionality, click on the check box for Enable RADIUS Accounting Service.
2. Enter the primary RADIUS accounting server IP address in the Primary IP field.
3. Enter the accounting port in the Port field for the primary RADIUS accounting server. This is the port the system uses when communicating accounting records.
4. Enter a secret key in the Secret Key field for the primary RADIUS accounting server.
5. Repeat Steps 1 through 4 for the secondary RADIUS accounting server (if used).
Retransmission Options
This category requires you to define the data retransmission method (failover or round-robin),
the retransmission frequency, and how many retransmissions the system should attempt.
1. Select the Retransmission Method (Failover or Round Robin).
2. Enter a value for the time (in seconds) in the Retransmission Frequency field. This value determines how much time elapses between transmission attempts.
3. Enter a numeric value in the Retransmission Attempts (per server) field to define how many times the system attempts to transmit the data.
4. Click on the Add button to add this RADIUS Service Profile.
5. When you have completed the definition of your RADIUS Service Profile, you can return to the previous screen (Realm-Based Routing Settings) by clicking on the Back to Main Realm-Based Routing Settings page link.
The RADIUS Service Profile you just created is added to the list.
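The three retransmission settings together decide how long a subscriber login stalls when one RADIUS server is unreachable. The following added example (my model, not the AG 2100's implementation, whose exact scheduling this page does not document) treats Failover as "exhaust all attempts on the primary before trying the secondary" and Round Robin as "alternate servers on every attempt", and reports how many attempts and how many seconds pass before a request is answered or abandoned. Server addresses are constructed samples.

```python
def plan_transmissions(servers, method, attempts_per_server):
    """Return the ordered list of servers to try for one RADIUS request.

    Failover sends every attempt to the first server before moving on;
    Round Robin rotates through the servers on each attempt. Assumed
    semantics for this example; the AG 2100's own scheduling may differ.
    """
    method = method.strip().lower().replace("-", " ")
    if method == "failover":
        return [server for server in servers for _ in range(attempts_per_server)]
    if method == "round robin":
        return [server for _ in range(attempts_per_server) for server in servers]
    raise ValueError(f"unknown retransmission method {method!r}")


def deliver(servers, method, frequency_seconds, attempts_per_server, responding):
    """Simulate one request. `responding` is the set of servers that currently answer.

    Returns (server that answered or None, attempts made, seconds elapsed).
    Each failed attempt waits Retransmission Frequency seconds before the next
    one, so the elapsed value is the delay the subscriber experiences; when no
    server answers it is the total time before the login is given up.
    """
    attempts = 0
    elapsed = 0
    for server in plan_transmissions(servers, method, attempts_per_server):
        attempts += 1
        if server in responding:
            return server, attempts, elapsed
        elapsed += frequency_seconds
    return None, attempts, elapsed


def worst_case_delay(servers, frequency_seconds, attempts_per_server):
    """Seconds until the request is abandoned when no server answers (same for both methods)."""
    return len(servers) * attempts_per_server * frequency_seconds
```

With two servers, three seconds and three attempts per server the worst case is 18 seconds of silence per login; keep the product of the three fields small enough that a captive-portal user does not give up first, and pair it with a secondary server that is really on a separate path.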
Adding a Realm Routing Policy
Your product license may not support this feature.
1. To add a RADIUS Service Profile, click on the appropriate Add button on the Realm-Based Routing Settings screen. The Add Realm Routing Policy screen appears:
2. To make this entry the “active” entry, click on the Entry Active check box.
3. To define a specific realm, choose the Specific Realm option and enter the destination in the Realm Name field. Alternatively, you can choose the Wildcard match option, then define your search options:
• Prefix match only
• Suffix match only
• Match either
4. Select the required RADIUS Service Profile from the pull-down menu.
5. Click on the Strip off routing information check box if you want to remove the routing information.
6. Click on the Add button to add this Realm Routing Policy.
7. When you have completed the definition of your Realm Routing Policy, you can return to the previous screen (Realm-Based Routing Settings) by clicking on the Back to Main Realm-Based Routing Settings page link.
8. The Realm Routing Policy you just created is added to the list.
(The Realm-Based Routing Settings screen lists your new RADIUS Service Profiles and your new Realm Routing Policies.)
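How a policy table like the one above selects a service profile is easiest to see in code. The following added example is my model of steps 2 to 5, not the AG 2100's routing engine, and it rests on two assumptions this page does not spell out: a prefix realm is written realm/user and a suffix realm user@realm (so "Prefix match only" and "Suffix match only" restrict which form a wildcard policy applies to), and a wildcard realm name uses shell-style * and ? patterns. "Strip off routing information" is modelled as forwarding only the user part. Realms, profile names and user names are constructed samples.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class RealmPolicy:
    realm: str            # Realm Name: exact realm, or a wildcard pattern such as *.roaming.example
    match: str            # "specific", "prefix", "suffix" or "either"
    profile: str          # RADIUS Service Profile to route to
    strip: bool = False   # Strip off routing information
    active: bool = True   # Entry Active


def split_realm(username):
    """Return (user, realm, position). Assumed forms: user@realm (suffix) and realm/user (prefix)."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm, "suffix"
    if "/" in username:
        realm, user = username.split("/", 1)
        return user, realm, "prefix"
    return username, None, None


def route(username, policies, default_profile=None):
    """Return (profile, forwarded_username) for a login name.

    Policies are evaluated in list order and the first active hit wins; a name
    without a realm, or one no policy matches, goes to default_profile (the
    Default RADIUS Service Profile) with the name unchanged.
    """
    user, realm, position = split_realm(username)
    if realm is None:
        return default_profile, username
    allowed = {"prefix": {"prefix"}, "suffix": {"suffix"}, "either": {"prefix", "suffix"}}
    for policy in policies:
        if not policy.active:
            continue
        if policy.match == "specific":
            hit = realm.lower() == policy.realm.lower()
        else:
            hit = position in allowed[policy.match] and fnmatch.fnmatchcase(realm.lower(), policy.realm.lower())
        if hit:
            return policy.profile, (user if policy.strip else username)
    return default_profile, username
```

Two things the model makes visible: order matters when a wildcard and a specific entry overlap, so put specific realms first; and an inactive entry is skipped entirely, which is the safe way to park a policy for a provider whose servers are down rather than deleting it.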
Managing SMTP Redirection {SMTP}
When SMTP redirection is enabled (for misconfigured or properly configured subscribers), the
AG 2100 redirects the subscriber’s E-mail through a dedicated SMTP server, including SMTP
servers which support login authentication. To the subscriber, sending and receiving E-mail is
as easy as it’s always been. This function is transparent to subscribers.
1. From the Web Management Interface, click on Configuration, then SMTP. The SMTP Redirection Settings screen appears:
2. Click on the check box for SMTP Redirection (Misconfigured) to enable this feature for “misconfigured” subscribers.
3. Click on the check box for SMTP Redirection (Properly Configured) to enable this feature for “properly configured” subscribers.
If you enable SMTP redirection, you must provide the IP address of the SMTP server.
4. In the SMTP Server IP/DNS field, enter the address of the SMTP server you want to use.
5. For SMTP servers which support login authentication, enter a valid username in the SMTP Server Account Username field.
6. For SMTP servers which support login authentication, enter a valid password in the SMTP Server Account Password field.
7. Click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Managing the SNMP Communities {SNMP}
You can address the AG 2100 using an SNMP client manager (for example, HP OpenView).
SNMP is the standard protocol that regulates network management over the Internet. To do
this, you must set up the SNMP communities and identifiers. For more information about
SNMP, see “Using an SNMP Manager” on page 65.
If you want to use SNMP, you must manually turn on SNMP.
1. From the Web Management Interface, click on Configuration, then SNMP. The SNMP Settings screen appears:
2. Click on the check box for SNMP Daemon to enable this functionality.
3. Enter the SNMP parameters (communities and identifiers), including:
• System Contact
• System Location
• Get (Read) Community
• Set (Write) Community
• Trap Community
• Trap Recipient IP
Your SNMP manager needs this information to enable network management over the Internet.
4. When finished, you must reboot the system for the new settings to take effect. Click on the check box for Reboot after changes are saved? to reboot the system after saving your changes.
5. Click on the Submit button to save your changes and reboot the system, or click on the Reset button if you want to reset all the values to their previous state.
You can now use your SNMP client to manage the AG 2100 via the Internet.
Enabling Dynamic Multiple Subnet Support (Subnets)
Nomadix’ dynamic multiple subnet support allows you to create flexible and cost-effective IP
pool solutions to meet the demands of complex networks in large residential and public access
networks. For example:
• Establish a maximum of 15 different DHCP pools for routable IP addresses at the same time.
• Establish a maximum of 10 different public IP subnets that will not be address-translated by Nomadix' market-leading Dynamic Address Translation (DAT) feature.
• Define the user's subnet via the management interfaces.
1. From the Web Management Interface, click on Configuration, then Subnets. The Public Subnets Settings screen appears:
2. Click on the Add button to add a new public subnet. The Add Public Subnets screen appears:
3. Enter a valid IP address for this subnet in the Subnet field.
4. Enter the subnet mask for this subnet in the Subnet Mask field.
5. Click on the Back to Main Subnet Configuration Page link to return to the previous screen (Public Subnets Settings).
To edit the Current Public DHCP Subnets table, go to “Managing the DHCP Service Options {DHCP}” on page 86.
For additional information about the multiple subnet feature, go to “Contact Information” on page 303 for Nomadix Technical Support.
Displaying Your Configuration Settings {Summary}
You can display a summary listing of all your current Configuration settings.
To view the summary listing, go to the Web Management Interface, click on Configuration,
then click on Summary.
The Summary of Configuration Settings screen appears (partial screen shown here).
Setting the System Date and Time {Time}
This procedure shows you how to set the system date and time.
1. From the Web Management Interface, click on Configuration, then Time. The Set Date and Time screen appears:
The AG 2100 establishes its time relative to UTC (Universal Coordinated Time, based on the ISO 8601 standard). UTC is used in conjunction with RADIUS servers (for example, if the RADIUS server is set up for a time zone that is different from the AG 2100).
2. Enter UTC offset values for Hours and Minutes in the appropriate fields and define whether this time is plus or minus from the +/- (from UTC) pull-down menu.
3. When finished, click on the Submit button to save your changes, or click on the Reset button if you want to reset all the values to their previous state.
Setting Up URL Filtering {URL Filtering}
The AG 2100 can restrict access to specified Web sites based on URLs defined by the system
administrator. URL filtering will block access to a list of sites and/or domains entered by the
administrator using the following three methods:
• Host IP address (for example, 1.2.3.4)
• Host DNS name (for example, www.yahoo.com)
• DNS domain name (for example, *.yahoo.com, meaning all sites under the yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.).
The system administrator can dynamically add or remove specific IP addresses and domain
names to be filtered for each property.
1. From the Web Management Interface, click on Configuration, then URL Filtering. The URL Filtering Address Settings screen appears:
2. If you want to enable this feature, click on the check box for URL Filtering.
3. Click on the Submit button to save your setting.
4. If URL Filtering is enabled, you can add (or remove) up to 300 addresses in the IP/DNS Name field. After entering the address you want to add, simply click on the Add button (the address will be added to the displayed list). Add or remove addresses, as required.
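The three entry forms behave differently, and the wildcard form in particular is easy to get wrong. The following added example (my code, not the AG 2100's filter) keeps a list of up to 300 entries of the three kinds described above and answers whether a destination is blocked, so you can test a candidate list against the host names and addresses your subscribers actually reach. The sample entries reuse the guide's 1.2.3.4 and www.yahoo.com; the other names are constructed. One assumption is mine: *.yahoo.com matches every name below yahoo.com but not the bare yahoo.com, which needs its own host entry.

```python
import ipaddress


class UrlFilter:
    """Block list with host IP, host DNS name and *.domain entries."""
    MAX_ENTRIES = 300  # limit stated in the procedure above

    def __init__(self):
        self.ips = set()      # host IP address entries, e.g. 1.2.3.4
        self.hosts = set()    # host DNS name entries, e.g. www.yahoo.com
        self.domains = set()  # DNS domain entries, stored without the leading "*."

    @staticmethod
    def _clean(entry):
        # Names are case-insensitive and a trailing dot is the same name.
        return entry.strip().lower().rstrip(".")

    def count(self):
        return len(self.ips) + len(self.hosts) + len(self.domains)

    def add(self, entry):
        entry = self._clean(entry)
        if not entry:
            raise ValueError("empty entry")
        if self.count() >= self.MAX_ENTRIES:
            raise ValueError(f"filter list is full ({self.MAX_ENTRIES} entries)")
        if entry.startswith("*."):
            self.domains.add(entry[2:])
            return
        try:
            self.ips.add(ipaddress.IPv4Address(entry))
        except ValueError:
            self.hosts.add(entry)

    def remove(self, entry):
        entry = self._clean(entry)
        if entry.startswith("*."):
            self.domains.discard(entry[2:])
            return
        try:
            self.ips.discard(ipaddress.IPv4Address(entry))
        except ValueError:
            self.hosts.discard(entry)

    def is_blocked(self, host=None, ip=None):
        """True if the destination host name or IP address matches any entry."""
        if ip is not None and ipaddress.IPv4Address(ip) in self.ips:
            return True
        if host is None:
            return False
        host = self._clean(host)
        if host in self.hosts:
            return True
        # *.yahoo.com covers finance.yahoo.com and deeper names such as a.b.yahoo.com.
        # Assumption: the bare apex (yahoo.com) needs its own host entry.
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(1, len(labels)))
```

Note what each form does not cover: an IP entry only matches that one address, so a site served from several addresses needs each listed; a host entry does not catch other names in the same domain; and a look-alike such as www.yahoo.com.example.test is not matched by either www.yahoo.com or *.yahoo.com, which is the correct behaviour but worth knowing when you review the list.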
Enabling Secure Management {VPN Tunnel}
There are many different ways to configure, manage and monitor the performance and up-time
of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish
network management objectives. And within those objectives is the requirement to provide the
highest level of security possible.
While several network protocols have evolved that offer some level of security and data
encryption, the preferred method for attaining maximum security across all network devices is
to establish an IPSec tunnel between the NOC (Network Operations Center) and the edge
device (early VPN protocols such as PPTP have been widely discredited as a secure tunneling
method).
As part of Nomadix’ commitment to provide outstanding carrier-class network management
capabilities to its family of public access gateways, we offer secure management through the
NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption. Establishing
the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any
preferred management protocol, but also the secure management of third party devices (for
example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side
of the Nomadix gateway.
The advantage of using IPSec is that all types of management traffic are supported, including the following typical examples:
• ICMP - PING from NOC to edge devices
• Telnet - Telnet from NOC to edge devices
• Web Management - HTTP access from NOC to edge devices
• SNMP
  • SNMP GET from NOC to subscriber-side device (for example, AP)
  • SNMP SET from NOC to subscriber-side device (for example, AP)
  • SNMP Trap from subscriber-side device (for example, AP) to NOC
Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it:
1. Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).
2. The exchange of management traffic, either originating at the NOC or from the edge device through the IPSec tunnel. Alternatively, AAA data such as RADIUS Authentication and Accounting traffic can be sent through the IPSec tunnel. See also, “Defining Automatic Configuration Settings {Auto Configuration}” on page 79.
This procedure allows system administrators to establish the peer-to-peer IPSec connection. Basic IPSec parameters must be entered by the system administrator to successfully establish the VPN session.
We recommend that you create different private subnets behind the VPN termination device and the AG 2100.
Network Info Menu
Displaying ARP Table Entries {ARP}
You can display a table that shows the current status of the ARP (Address Resolution Protocol)
assignments. ARP is used to dynamically bind a high level IP address to a low level physical
hardware (MAC) address. ARP is limited to a single physical network that supports hardware
broadcasting.
To view the ARP Table, go to the Web Management Interface, click on Network Info, then
click on ARP.
The ARP Table screen appears:
Displaying DAT Sessions {DAT}
The AG 2100 provides “plug-and-play” access to subscribers who are misconfigured with
static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their
computers. Dynamic Address Translation (DAT) allows all users to obtain network access,
regardless of their computer’s network settings.
To view the DAT Session Table, go to the Web Management Interface, click on Network Info,
then click on DAT.
The DAT Session Table screen appears:
Click on the Delete all sessions button to clear all current subscriber sessions.
Deleting DAT sessions will cause all misconfigured subscribers to lose their Internet connection for a short period of time.
Displaying the Host Table {Hosts}
You can display a table which lists the hosts that are currently configured. This table includes the assigned host names, their corresponding IP addresses, and any aliases that may be assigned to each host. Hosts provide services to other computers that are linked to them by a network.
To view the Host Table, go to the Web Management Interface, click on Network Info, then click on Hosts.
The Host Table screen appears:
Displaying ICMP Statistics {ICMP}
You can display the current ICMP (Internet Control Message Protocol) statistics. ICMP is the
standard Internet protocol that carries error and control messages (for example, destination
unreachable, time exceeded, and echo request/reply) between hosts and routers. The statistics
are presented as a listing of the counts of ICMP messages handled by the system, broken down by
message type.
To view the ICMP Statistics, go to the Web Management Interface, click on Network Info, then
click on ICMP.
The ICMP Statistics screen appears:
Displaying the Network Interfaces {Interfaces}
You can display the network interfaces which are presented as a detailed listing of all interface
communication elements and their current status.
To view the Network Interfaces, go to the Web Management Interface, click on Network Info,
then click on Interfaces.
The Network Interfaces screen appears:
Displaying the IP Statistics {IP}
You can display the IP (Internet Protocol) statistics, presented as a detailed listing of all IP
elements and their current status. With IP transmissions, data is broken up into packets which
are then sent over the network. Each packet carries its destination IP address and is routed
independently, so different packets may "pass through" different networks to reach the same
location. IP itself is best-effort: it does not guarantee delivery, ordering, or freedom from
duplicates. Those guarantees, where needed, come from the transport protocol (TCP) or the
application.
To view the IP Statistics, go to the Web Management Interface, click on Network Info, then
click on IP.
The IP Statistics screen appears:
Viewing IPSec Tunnel Status {IPSec}
To view the current IPSec Tunnel Status, go to the Web Management Interface, click on
Network Info, then click on IPSec.
Displaying the Routing Tables {Routing}
You can display the current Routing Tables, including any dynamically generated routes,
unreachable routes, or wildcard routes.
To view the Routing Tables, go to the Web Management Interface, click on Network Info, then
click on Routing.
The Routing Tables screen appears:
Displaying the Active IP Connections {Sockets}
You can display a table which provides a detailed listing of all currently active IP (Internet
Protocol) connections.
To view the Socket Table, go to the Web Management Interface, click on Network Info, then
click on Sockets.
The Socket Table screen appears:
Displaying the Static Port Mapping Table {Static Port-Mapping}
You can display a table which provides a detailed listing of the currently active static port
mapping scheme.
To view the Static Port-Mapping Table, go to the Web Management Interface, click on
Network Info, then click on Static Port-Mapping.
The Static Port-Mapping Table screen appears:
Displaying TCP Statistics {TCP}
You can display the TCP (Transmission Control Protocol) statistics, presented as a detailed
listing of all TCP elements and their current status. TCP is the standard connection-oriented
transport protocol: it establishes a connection between two endpoints, delivers the byte stream
reliably and in order, and retransmits segments that are lost on the way.
To view the TCP Statistics, go to the Web Management Interface, click on Network Info, then
click on TCP.
The TCP Statistics screen appears:
Displaying UDP Statistics {UDP}
You can display the UDP (User Datagram Protocol) statistics, presented as a detailed listing of
all UDP elements and their current status. UDP is an Internet standard transport layer protocol.
It is connectionless and offers no delivery guarantee: what it adds to the Internet Protocol (IP)
is port-based multiplexing, so that datagrams can be delivered to individual applications on a
host, and an optional checksum. Reliability, where an application needs it, is the application's
own responsibility.
To view the UDP Statistics, go to the Web Management Interface, click on Network Info, then
click on UDP.
The UDP Statistics screen appears:
Port-Location Menu
The Port Location capabilities on the NSE have been enhanced: it is now possible to define a
policy on a port. The billing methods (RADIUS, Credit Card, L2TP Tunneling) and the billing
plans available on each port can be individually configured, which allows different billing
methods and billing plans on different ports of the NSE.
This feature is called Port-based Policies. Port-based policies must be enabled on the
Configuration->AAA page before any per-port settings take effect.
Adding and Updating Port-Location Assignments {Add}
Port-locations can be assigned at any level (for example, a specific room in a hotel or
apartment building, a floor number, wing, or building). There may even be multiple ports
assigned to a single room or location. The AG 2100 uses a port-location authorization table to
manage the assigned ports and ensure accurate billing for the services used by a particular port.
Adding a Port-Location Assignment
This procedure shows you how to add a port-location assignment. If you want to update an
existing assignment, see "Updating a Port-Location Assignment" on page 153.
1. From the Web Management Interface, click on Port-Location, then Add. The Add Port-Location
Assignments screen appears:
2. Enter a location identifier in the Location field. Locations can be assigned as an alpha,
numeric, or alpha-numeric value.
All alpha characters (used for locations and descriptions) are case-sensitive.
3. In the Port field, enter the port (the VLAN ID when using 802.1Q 2-way).
4. In the Description field, enter a meaningful description for this port-location assignment.
5. Enter a Subnet for the port assignment you are adding.
6. You must now assign a State for this port-location. Possible states are No Charge for using
this port-location, Charge for Use, and Blocked. If you do not assign a conditional state, the
state is registered as "No Charge" by default.
Select the conditional state you want to assign to this port-location.
If you choose Charge for Use, additional configurations are available. Port-based Policies must
be enabled from the Configuration->AAA page for these settings to take effect.
• Choose Enable RADIUS Billing if you want RADIUS billing to be enabled on this port.
• Choose Enable Tunneling if you want L2TP Tunneling based billing to be enabled on this port.
• Choose Enable PMS Billing if you want PMS based room billing to be enabled on this port. (The
AG 2100 series does not support PMS billing and this option will not show.)
• Choose Enable Credit Card Billing if you want Credit Card based billing to be enabled on this
port.
You can select any number of billing methods per port.
A specific billing plan can be assigned to a port, or all the billing plans defined on the NSE
can be enabled on the port. Select the appropriate option from the Billing Plan(s) available on
port dropdown list.
Note that while a per-port configuration parameter can be set independently of the
corresponding global parameter, the feature itself is disabled for a port unless both the
per-port and the global parameters are enabled. Thus:
• RADIUS authentication for a port is enabled only if the RADIUS Client is globally enabled AND
the per-port Enable RADIUS Billing parameter is set.
• Credit card billing for a port is enabled only if Credit Card Services is globally enabled
AND the per-port Enable Credit Card Billing parameter is set.
• Tunneling for a port is enabled only if Tunneling is globally enabled AND the per-port Enable
Tunneling parameter is set.
In other words, a per-port setting can only restrict, never extend, what the global
configuration allows; a port that shows a billing method enabled is not by itself proof that the
method is offered on that port.
7. Click on the Add button to save your changes (the message Entry added or updated in the
location file appears), or click on the Reset button if you want to reset all the values to
their previous state.
Updating a Port-Location Assignment
The procedure for updating a port-location assignment is similar to adding a port-location
assignment. The difference between the two procedures is how they are presented to you. For
example, if you already have port-locations assigned and you enter an existing “port” value,
each data field that you go through (port, location, state, and description) displays the value
currently assigned to the field.
To update a Port-Location assignment, simply update the fields with new values.
If you have updated a port-location assignment, you may want to change its
description to distinguish from the old assignment. Although the old assignment
will no longer exist in the system, a meaningful description can often be a
valuable quick reference guide.
Deleting All Port-Location Assignments {Delete All}
This procedure shows you how to delete all port-location assignments. The AG 2100 displays a
warning and prompts you to confirm this action before deleting all the port-locations currently
assigned in the system.
1. From the Web Management Interface, click on Port-Location, then Delete All. The Delete All
Port-Location Assignments screen appears:
2. Click on the Delete All button to delete all Port-Location assignments.
Deleting Port-Location Assignments by Location {Delete by Location}
This procedure shows you how to delete a port-location assignment, based on its location. The
AG 2100 prompts you to confirm this action before deleting the requested port-location.
If you are unsure which port-locations are currently mapped to the system, you
can view a list at "Displaying the Port-Location Mappings {List}" on page 163.
1. From the Web Management Interface, click on Port-Location, then Delete by Location. The
Delete Port-Location Assignments by Location screen appears:
2. In the Location field, enter the location of the port-location assignment you want to
delete. Locations are case-sensitive.
3. Click on the Delete button to delete the specified port-location assignment, or click on the
Reset button if you want to reset the "location" value to its blank state.
Deleting Port-Location Assignments by Port {Delete by Port}
This procedure shows you how to delete a port-location assignment, based on its port. The AG
2100 prompts you to confirm this action before deleting the requested port-location.
If you are unsure which port-locations are currently mapped to the system, you
can view a list at “Displaying the Port-Location Mappings {List}” on page 163.
1. From the Web Management Interface, click on Port-Location, then Delete by Port. The Delete
Port-Location Assignments by Port screen appears:
2. In the Port field, enter the port of the assignment you want to delete. The "port" is the
VLAN ID (when using 802.1Q 2-way).
3. Click on the Delete button to delete the specified port-location assignment, or click on the
Reset button if you want to reset the "port" value to its blank state.
Exporting Port-Location Assignments {Export}
This procedure shows you how to export your current port-location assignments to the
"location.txt" file. The location.txt file is stored at /flash/location.txt (resident in the AG
2100's flash memory).
Exporting your current port-location assignments to the AG 2100's flash memory will overwrite
the existing location.txt file.
1. From the Web Management Interface, click on Port-Location, then Export. The Export
Port-Location Assignments screen appears:
2. Click on the Export button to export the port-location assignments to the
/flash/location.txt file.
Finding Port-Location Assignments by Description {Find by Description}
This procedure shows you how to find a port-location assignment, based on its description.
This procedure is useful if you want to review the details of a specific port-location. You can
also find port-locations based on their location or port.
1. From the Web Management Interface, click on Port-Location, then Find by Description. The
Find a Port-Location Assignment by Description screen appears:
2. In the Enter Description field, enter the description of the assignment you want to find.
The system ignores the case (upper or lower) of the characters you enter.
3. Click on the Show button to view the specified port-location assignment, or click on the
Reset button if you want to reset the "description" value to its blank state. The requested
port-location is displayed; its "Port" value is an active link to the port processing screen.
Finding Port-Location Assignments by Location {Find by Location}
This procedure shows you how to find a port-location assignment, based on its location. This
procedure is useful if you want to review the details of a specific port-location. You can also
find port-locations based on their description or port.
1. From the Web Management Interface, click on Port-Location, then Find by Location. The Find
a Port-Location Assignment by Location screen appears:
2. In the Enter Location field, enter the location of the assignment you want to find. The
system ignores the case (upper or lower) of the characters you enter.
3. Click on the Show button to view the specified port-location assignment, or click on the
Reset button if you want to reset the "location" value to its blank state. The requested
port-location is displayed; its "Port" value is an active link to the port processing screen.
Finding Port-Location Assignments by Port {Find by Port}
This procedure shows you how to find a port-location assignment, based on its port. This
procedure is useful if you want to review the details of a specific port-location. You can also
find port-locations based on their description or location.
1. From the Web Management Interface, click on Port-Location, then Find by Port. The Find a
Port-Location Assignment by Port screen appears:
2. In the Enter Port field, enter the port you want to find. The "port" is the VLAN ID (when
using 802.1Q 2-way).
3. Click on the Show button to view the Process Port-Location Assignments screen, or click on
the Reset button if you want to reset the "port" value to its blank state. From this screen you
can add, update or delete port-location assignments.
Importing Port-Location Assignments {Import}
This procedure shows you how to import port-location assignments from the "location.txt" file.
The location.txt file is stored at /flash/location.txt (resident in the AG 2100's flash
memory).
If you have never exported port-location assignments (since installing the AG 2100 at this
site), the location.txt file is empty. See also "Exporting Port-Location Assignments {Export}"
on page 157. You can create your own location.txt file, FTP it to the AG 2100's flash directory
(for example, [IP address]/flash/location.txt), and upload the file. See also "Creating a
"location.txt" File" on page 162. Note that FTP carries both the login credentials and the file
in the clear, so perform the upload only from a trusted management network. Because the import
applies every line in the file, including any port marked Blocked or Charge for Use, review the
file's contents with the "View location.txt" link before importing it.
1. From the Web Management Interface, click on Port-Location, then Import. The Import
Port-Location Assignments screen appears, with a link for viewing the current "location.txt"
file:
2. Click on the Import button to import port-location assignments from the /flash/location.txt
file.
Viewing the "location.txt" File
You can click on the "View location.txt" link if you want to view the current contents of the
file.
Creating a "location.txt" File
You can create your own "location.txt" file and upload the file to the AG 2100's flash memory
at [IP address]/flash/location.txt.
Use the following format when creating the file, one assignment per line:
"1",1,00:00:00:00:00:00,0.0.0.0,0,"Room 101"
The six comma-separated fields are the standard format for port-location assignments: location,
port, modem MAC address (for RiverDelta), subnet, state, and description. Characters (used for
locations and descriptions) are case-sensitive.
• Location – Locations are assigned as an alpha, numeric, or alpha-numeric value, enclosed in
double quotes.
• Port – Any number between 1 and 65535.
• Modem MAC Address – MAC address of the modem being used.
• Subnet – Subscriber's subnet address.
• State – Possible states are: (0) no charge for using this port-location, (1) charge for use,
and (2) blocked. If you do not assign a conditional state, the state is registered as "No
Charge" by default.
• Description – Use a meaningful description for the assignment, enclosed in double quotes.
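The following parser and writer for the location.txt format is an added example, not Nomadix code. The six-field layout and the value ranges are taken from the description above; the exact checks it enforces (MAC syntax, dotted-quad subnet, rejection of duplicate ports) and the sample lines after the manual's first one are this example's own assumptions about what a sane import file looks like, not documented behaviour of the device's importer.

```python
"""Parse, validate and write AG 2100 "location.txt" port-location records.

Added example, not Nomadix code. The six-field line format (location,
port, modem MAC, subnet, state, description) and the value ranges come
from the manual; the validation rules below are this example's
assumptions about a well-formed import file.
"""
import csv
import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# State codes of the fifth field, as documented.
STATE_NO_CHARGE, STATE_CHARGE_FOR_USE, STATE_BLOCKED = 0, 1, 2
STATE_NAMES = {0: "No Charge", 1: "Charge for Use", 2: "Blocked"}


@dataclass(frozen=True)
class PortLocation:
    location: str      # case-sensitive identifier, e.g. a room number
    port: int          # 1..65535; the VLAN ID when using 802.1Q 2-way
    modem_mac: str     # normalised to lower case
    subnet: str        # subscriber's subnet address (dotted quad)
    state: int         # 0 = No Charge, 1 = Charge for Use, 2 = Blocked
    description: str


def _valid_ipv4(text: str) -> bool:
    m = _IPV4_RE.match(text)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def parse_line(line: str, lineno: int = 0) -> PortLocation:
    """Parse one record; raise ValueError naming the line on any bad field."""
    # csv handles the quoted location/description fields (which may contain
    # commas); skipinitialspace tolerates the blank before the last field in
    # the manual's sample line.
    fields = next(csv.reader([line], skipinitialspace=True), [])
    if len(fields) != 6:
        raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
    location, port_s, mac, subnet, state_s, desc = (f.strip() for f in fields)
    if not location:
        raise ValueError(f"line {lineno}: empty location")
    if not (port_s.isdigit() and 1 <= int(port_s) <= 65535):
        raise ValueError(f"line {lineno}: port must be 1..65535, got {port_s!r}")
    if not _MAC_RE.match(mac):
        raise ValueError(f"line {lineno}: bad modem MAC address {mac!r}")
    if not _valid_ipv4(subnet):
        raise ValueError(f"line {lineno}: bad subnet {subnet!r}")
    if state_s not in ("0", "1", "2"):
        raise ValueError(f"line {lineno}: state must be 0, 1 or 2, got {state_s!r}")
    return PortLocation(location, int(port_s), mac.lower(), subnet, int(state_s), desc)


def parse_file(text: str) -> list[PortLocation]:
    """Parse a whole file. Blank lines are skipped. A repeated port is an
    error (assumption): assignments are keyed by port, so a second line for
    the same port would silently replace the first on import."""
    records, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = parse_line(raw, lineno)
        if rec.port in seen:
            raise ValueError(f"line {lineno}: duplicate port {rec.port}")
        seen.add(rec.port)
        records.append(rec)
    return records


def format_record(rec: PortLocation) -> str:
    """Render a record in the manual's layout: quoted text fields, bare numbers.
    An embedded double quote is doubled, the CSV convention csv.reader undoes."""
    def q(s: str) -> str:
        return '"' + s.replace('"', '""') + '"'
    return f"{q(rec.location)},{rec.port},{rec.modem_mac},{rec.subnet},{rec.state},{q(rec.description)}"


def blocked_ports(records: list[PortLocation]) -> list[int]:
    """Ports whose state is Blocked: the lines to review before an import."""
    return [r.port for r in records if r.state == STATE_BLOCKED]


# Constructed sample file: the first line is the manual's, the rest are made up.
SAMPLE_FILE = """\
"1",1,00:00:00:00:00:00,0.0.0.0,0, "Room 101"
"2W-102",102,00:11:22:33:44:55,10.0.2.0,1,"Room 102, Tower B"

"2W-103",103,00:11:22:33:44:66,10.0.2.0,2,"Room 103 (disconnected)"
"""

if __name__ == "__main__":
    records = parse_file(SAMPLE_FILE)
    for rec in records:
        print(f"port {rec.port:5d} {STATE_NAMES[rec.state]:15s} {rec.location}: {rec.description}")
    print("blocked ports:", blocked_ports(records))
```

Running the script parses the constructed sample, lists each assignment with its state name, and reports the blocked ports. A line with a port outside 1..65535, a malformed MAC, or a port that already appeared earlier in the file is rejected with the offending line number, which is cheaper to find here than after the device has applied it.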
Displaying the Port-Location Mappings {List}
You can display a listing of all port-locations assigned to this system.
To view the listing of port-location assignments, go to the Web Management Interface, click on
Port-Location, then click on List. The List Port-Location Assignments screen appears; each
entry is a link that opens the associated port's assignment:
Subscriber Administration Menu
Adding Subscriber Profiles {Add}
AAA Services must be enabled before you can add a subscriber profile into the
AG 2100’s internal authorization database. Refer to, “Defining the AAA
Services {AAA}” on page 67.
This procedure shows you how to add subscriber profiles into a table of authorized users. Use
this procedure when the credit card service option is disabled and the solution provider wants
to limit access to pre-qualified users only. For more information about subscriber access and
billing options, see the following sections:
• "Authorization and Billing" on page 244.
• "Subscriber Management" on page 248.
• "Subscriber Management Models" on page 248.
• "Configuring the Subscriber Management Models" on page 249.
1. From the Web Management Interface, click on Subscriber Administration, then Add. The Add a
Subscriber Profile to the Database screen appears:
2. Choose Subscriber or Device for this profile.
3. Define the DHCP Address Type: Public or Private (only used when the IP Upsell feature is
enabled, otherwise leave this set to "private").
4. Leave the Proxy Arp For Device check box unchecked (not required with the AG 2100).
5. Leave the 802.1Q Device Port field blank.
6. Enter a valid MAC Address for the subscriber. If you have chosen to manage this subscriber
by user name only, you do not need to enter a MAC address (but you must enter a user name).
7. Enter the IP Address of the subscriber.
8. Leave the Subnet field blank (not required with the AG 2100).
9. In the Username field, enter a user name for this subscriber. If you entered a MAC address
and you do not want to assign a user name, skip this step and Step 10 (password).
User names and passwords are case-sensitive. Having a user name and password is an optional
service that subscribers may request (for example, if they are using more than one machine, or
moving between locations and they want an additional level of security). If they request this
service, they are prompted at the login screen for the user name and password you assign here.
Solution providers can charge a fee for this service, at their discretion. Keep in mind that a
profile identified by MAC address alone is authenticated by nothing more than that address,
which any client can set for itself; where the access is worth protecting, assign a user name
and password as well.
10. If you assigned a user name, you must now assign a Password.
11. In the Expiration Time field, define the duration (in hours and minutes) for the
subscriber’s authorized access time. When the assigned time expires, the subscriber must
“re-subscribe” to the service.
12. Enter an amount in the Paid field.
13. The next two fields (User Definable 1 and User Definable 2) are optional. Use these
fields for simple notations about the subscriber.
14. Define the Upstream Bandwidth and Downstream Bandwidth range for this subscriber
(in Kbps).
15. Click on the Add button to add this subscriber to the database, or click on the Reset button
if you want to reset all the values to their previous state.
Displaying Current Subscriber Connections {Current}
You can display a listing of all the subscribers currently connected to the system. The list
includes the MAC addresses of the subscribers, their active state, the individual expiration
times, port numbers (if assigned), and the number of bytes that have been passed from the
subscriber to the Internet. This data can be used if a dispute arises between the subscriber and
the solution provider (for example, if a subscriber claims that their connection to the Internet
was not completed): a non-zero byte count shows that traffic from the subscriber was actually
passed to the Internet.
To view the list of Current Subscriber Connections, go to the Web Management Interface,
click on Subscriber Administration, then click on Current.
The Subscriber Statistics screen appears (split here for clarity), showing the usage statistics
for all subscribers currently connected to the system. Each MAC address in the list is a link to
the associated subscriber.
In the State field, "Valid" denotes that the subscriber has been authenticated. "Pending"
indicates that the subscriber is still waiting for authentication.
To view an individual subscriber, simply click on the linked MAC address.
Deleting Subscriber Profiles by MAC Address {Delete by MAC}
This procedure shows you how to delete a subscriber profile from the AG 2100’s database of
authorized subscribers, based on the profile’s MAC address.
To see a current listing of the subscriber database, sorted by MAC addresses, go to "Listing
Subscriber Profiles by MAC Address {List by MAC}" on page 174.
1. From the Web Management Interface, click on Subscriber Administration, then Delete by MAC.
The Delete a Subscriber Profile (by MAC) screen appears:
2. In the Enter MAC Address field, enter the MAC address of the profile you want to delete.
3. Click on the Delete button to delete this subscriber profile, or click on the Reset button if
you want to reset the "MAC Address" value to the all-zeros (00) state.
Deleting Subscriber Profiles by User Name {Delete by User}
This procedure shows you how to delete a subscriber profile from the AG 2100’s database of
authorized subscribers, based on the profile’s user name.
To see a current listing of the subscriber database, sorted by user name, go to
“Listing Subscriber Profiles by User Name {List by User}” on page 175.
1. From the Web Management Interface, click on Subscriber Administration, then Delete by User.
The Delete a Subscriber Profile (by User) screen appears:
2. In the Username field, enter the user name of the profile you want to delete.
3. Click on the Delete button to delete this subscriber profile, or click on the Reset button if
you want to reset the "Username" value to its blank state.
Displaying the Currently Allocated DHCP Leases {DHCP Leases}
You can display a listing of the DHCP (Dynamic Host Configuration Protocol) leases that are
currently active on the system's DHCP server. DHCP is a standard method for assigning IP
addresses automatically to network devices. A DHCP lease is the period for which an assigned
address remains valid; when it expires, the subscriber's device must renew the lease or obtain a
new address.
To view the list of Currently Allocated DHCP Leases, go to the Web Management Interface,
click on Subscriber Administration, then click on DHCP Leases.
To utilize this feature, your AG 2100 must be set to act as its own DHCP Server.
The DHCP function cannot be set to DHCP Relay. Refer to “Managing the DHCP
Service Options {DHCP}” on page 86.
The Currently Allocated DHCP Leases screen appears:
Deleting All Expired Subscriber Profiles {Expired}
This procedure shows you how to delete all expired subscriber profiles from the AG 2100’s
database of authorized subscribers. Use this procedure when you want to “clean up” the
subscriber database.
1. From the Web Management Interface, click on Subscriber Administration, then Expired. The
Remove Expired Profiles screen appears:
2. Click on the OK button to remove all expired profiles.
Finding Subscriber Profiles by MAC Address {Find by MAC}
This procedure shows you how to find a subscriber profile in the AG 2100's database of
authorized subscribers, based on the profile's MAC address. Use this procedure when you want
to see the statistics corresponding to the MAC address. Statistics include the user name and
password (if any) and the access time remaining for this subscriber. Because the password is
shown on this screen, access to the Web Management Interface should be limited to the
administrators who need it.
1. From the Web Management Interface, click on Subscriber Administration, then Find by MAC.
The Find a Subscriber Profile screen appears:
2. In the Enter MAC Address field, enter the MAC address of the subscriber you want to find.
3. Click on the Show button to view this subscriber profile, or click on the Reset button if
you want to reset the "MAC Address" value to the all-zeros (00) state.
Finding Subscriber Profiles by User Name {Find by User}
This procedure shows you how to find a subscriber profile from the AG 2100’s database of
authorized subscribers, based on the profile’s user name. Use this procedure when you want to
see the statistics corresponding to the user name. Statistics include the subscriber’s MAC
address and the access time remaining for this subscriber.
1. From the Web Management Interface, click on Subscriber Administration, then Find by User.
The Find a Subscriber Profile screen appears:
2. In the Enter Username field, enter the user name of the subscriber you want to find.
3. Click on the Show button to view this subscriber profile, or click on the Reset button if
you want to reset the "Username" value to its blank state.
Listing Subscriber Profiles by MAC Address {List by MAC}
You can display the currently active database of authorized subscribers, based on MAC
addresses.
To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click
on Subscriber Administration, then click on List by MAC.
The Authorized Subscriber Profiles screen appears; each entry is a link to the associated
subscriber:
Listing Subscriber Profiles by User Name {List by User}
You can display the currently active database of authorized subscribers, based on their user
names.
To view the list of Authorized Subscriber Profiles, go to the Web Management Interface, click
on Subscriber Administration, then click on List by User.
The Authorized Subscriber Profiles screen appears; each entry is a link to the associated
subscriber:
Viewing RADIUS Proxy Accounting History {RADIUS Session History}
These settings are available under the Subscriber Administration/RADIUS Session History menu.
Enable Logfile checkbox
When this setting is enabled, every RADIUS proxy accounting message sent or received by the
RADIUS proxy application is logged to a file named "RADHIST.RAD" in the /flash directory. The
log contains the accounting messages exchanged with downstream servers and with upstream NASs.
The size of the log file is limited to 2000 records (accounting messages) or 320000 bytes;
whichever limit is reached first, the oldest records are purged to make room for new ones.
If the logfile is disabled, the current logfile is purged from flash. If logging is later
re-enabled, only RADIUS accounting messages sent or received from that point in time forward are
stored in the log; disabling the logfile therefore destroys the existing history rather than
pausing it, so copy the file off the device first if it may be needed for a billing dispute or
an investigation.
Enable Syslogs checkbox
If enabled, the same information described above is sent to the configured Syslog server, in
human-readable format. The syslog server to which these RADIUS proxy accounting messages are
sent is configured under the Configuration/Logging menu, as described earlier; the third set of
Syslog parameters on that page pertains to the RADIUS History Log.
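The retention rule above (2000 records or 320000 bytes, oldest first) is easy to misjudge: with short records the count limit binds, with long ones the byte limit does, and either way the purge is silent. The model below is an added example, not Nomadix code; it keeps the two documented limits but holds records in memory, measures each as its UTF-8 length, and uses a constructed one-line record text, since the real layout of RADHIST.RAD is not described here. All of those are this example's assumptions.

```python
"""Model of the RADIUS proxy accounting history log's retention rule.

Added example, not Nomadix code. The two limits (2000 records or 320000
bytes, oldest purged first) are from the manual; the in-memory deque, the
UTF-8 size measure and the record text are this example's assumptions.
"""
from collections import deque

MAX_RECORDS = 2000
MAX_BYTES = 320_000


class HistoryLog:
    """Append-only log bounded by record count and by total size; whichever
    limit is exceeded first causes the oldest records to be purged."""

    def __init__(self, max_records: int = MAX_RECORDS, max_bytes: int = MAX_BYTES):
        self.max_records = max_records
        self.max_bytes = max_bytes
        self._records: deque[bytes] = deque()
        self._size = 0

    def append(self, record: str) -> int:
        """Store one accounting message; return how many old records were purged."""
        data = record.encode("utf-8")
        if len(data) > self.max_bytes:
            # A single message larger than the whole budget can never be kept.
            raise ValueError("record exceeds the log's byte limit")
        self._records.append(data)
        self._size += len(data)
        purged = 0
        while len(self._records) > self.max_records or self._size > self.max_bytes:
            self._size -= len(self._records.popleft())
            purged += 1
        return purged

    def disable(self) -> None:
        """Mirror unchecking 'Enable Logfile': the stored history is discarded."""
        self._records.clear()
        self._size = 0

    def __len__(self) -> int:
        return len(self._records)

    @property
    def size_bytes(self) -> int:
        return self._size

    def records(self) -> list[str]:
        return [r.decode("utf-8") for r in self._records]


def accounting_line(direction: str, peer: str, status: str, session_id: str) -> str:
    """Constructed human-readable record (assumed format, not the device's)."""
    return f"{direction} {peer} Acct-Status-Type={status} Acct-Session-Id={session_id}"


def fill_and_measure(n_sessions: int, max_records: int = MAX_RECORDS,
                     max_bytes: int = MAX_BYTES) -> dict:
    """Log a Start and a Stop for n sessions and report what survived."""
    log = HistoryLog(max_records, max_bytes)
    purged = 0
    for i in range(n_sessions):
        sid = f"{i:08x}"
        purged += log.append(accounting_line("rx", "nas-10.0.0.1", "Start", sid))
        purged += log.append(accounting_line("tx", "radius-192.0.2.10", "Stop", sid))
    return {"kept": len(log), "bytes": log.size_bytes, "purged": purged,
            "oldest": log.records()[0] if len(log) else None}


if __name__ == "__main__":
    # 1500 sessions produce 3000 records; with ~65-byte records the count
    # limit binds first and the oldest 1000 records are gone.
    print(fill_and_measure(1500))
```

With records this short the count limit is what evicts history: 1500 sessions leave exactly 2000 records, and the first surviving one belongs to session 500. The second test case uses tiny limits to show the byte limit taking over, where a single 40-byte record evicts two predecessors at once.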
Displaying Current Profiles and Connections {Statistics}
You can view the total number of profiles and connections currently stored in the AG 2100’s
database of authorized subscribers. The displayed list includes the number of subscribers
currently in the database (Current Table) and a numerical breakdown of how the subscribers
can utilize the system (for example, free access, credit card, etc.). The total number of user
profiles stored in the AG 2100’s internal database is also shown.
To view the Subscriber Statistics, go to the Web Management Interface, click on Subscriber
Administration, then click on Statistics.
The Subscriber Statistics screen appears:
Subscriber Interface Menu
Defining the Billing Options {Billing Options}
You can define various billing options for use with the Internal Web Server (IWS), based on:
• Billing plans, including pricing and bandwidth.
• Messages displayed to subscribers, including an Introduction Message, Offer Message and
Policy Message.
• Billing schemes (units of access).
• Free billing options (free access).
• Promotional code options (for example, when offering a percentage discount).
1. From the Web Management Interface, click on Subscriber Interface, then Billing Options. The
Internal Billing Options Setup screen appears:
2. Review the billing plans that are currently active. To view or edit a billing plan, simply
click on the Show/Change button opposite the corresponding plan. The Internal Billing Options
Plan Setup screen appears for the billing plan you selected (Plan 0 shown here):
3. If required, click on the Enable check box to enable (make active) this billing plan.
4. Define a "label" for this billing plan in the Label field. Each plan must have a unique
label, different from other plans.
5. Enter a description for this billing plan in the Description of Service field.
6. Define the Pricing schemes for this billing plan (rate per minute, per hour, per day, per
week, and per month).
7. Define the Up (to network) and Down (to subscribers) bandwidth range for this billing plan.
8. Define the DHCP Pool (public or private). The "public" option requires IP Upsell to be
turned on, otherwise subscribers will receive private IP addresses.
9. Define the Time Unit of the billable event (either Minute, Hour, Day, Week, or Month). One
time unit is assigned to each billing plan.
The AG 2100 allows you to define multiple billing plans with different time units at the same
time. For example, you can define one billing plan that charges by the hour (e.g. $2.95 per
hour) and a second plan that charges per day (e.g. $12.95 per day). The ICC, however, is limited
to one simultaneous time unit.
10. Click on the Submit button to save your changes and establish this billing plan, or click on
the Reset button if you want to reset all the values to their previous state.
11. Click on the Back button at any time to return to the Internal Billing Options Setup
(previous) screen.
12. Repeat Steps 2 through 11 for each billing plan. You can enable (make active) any or all of
the available billing plans.
13. Define the messages you want to present to subscribers, including:
• Introduction Message
• Offer Message
• Policy Message
14. Define the Units of Access (Minute, Hour, Day, Week, or Month) you want to make available
to subscribers.
15. If you want to allow free access to subscribers, you can define the following free billing
options:
• Default Free Access Time (in days)
• Maximum Subscriber Lifetime (in days)
16. Define any Promotional Code Options in the Code Definition and Percentage Discount fields,
as required. You can define up to 5 Promotional Code Options. The "Percentage Discount"
parameter must be between 1 and 99.
17. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
Setting Up the Information and Control Console {ICC Setup}
The Nomadix Information and Control Console (ICC) is an HTML pop-up window that is
presented to subscribers, allowing them to select their bandwidth and billing plan options
quickly and efficiently. It displays a dynamic “time” field to inform them of the time
remaining on their account. The ICC also offers service providers an opportunity to display
advertising banners and provide a choice of redirection options.
This procedure allows you to set up how the ICC is displayed to subscribers. For more
information about the ICC, go to “Information and Control Console (ICC)” on page 250.
1. From the Web Management Interface, click on Subscriber Interface, then ICC Setup.
The ICC Setup screen appears:
2. If you want subscribers to see the ICC (pop-up window), click on the check box for
Display ICC (Information and Control Console) to enable this feature.
3. If you enabled the ICC, you can choose a unique name for the console. Simply type a
meaningful name in the Title field.
4. Define how you want to display the subscriber session time:
• Elapsed Time (how much time has elapsed since the start of the session)
• Time Remaining (how much time is remaining for the session)
5. You must now decide what you want the ICC to do if the subscriber closes it.
Choose one of the following options:
• Redisplay itself
• Logout (return the subscriber to a “pending” state) – valid only with RADIUS.
You must now assign the buttons that you want to display to subscribers.
Assigning Buttons
1. When assigning the redirect buttons that will appear in the ICC, you can define one ISP
Logo Button (large button) and up to 8 smaller buttons (Button 2 through Button 9), with
the following parameters:
• Name/Text – The name of the button and the mouse-over text. The mouse-over text
is the text that appears in the ICC’s Message Bar when your mouse pointer “rolls”
over a button image.
• Target URL – Where subscribers are sent when they click on the button.
• Image Name – The representative image file you want to use for the button.
When assigning images for buttons, refer to: “Pixel Sizes” on page 188.
If you assign (or change) button images or banner images, the AG 2100 must be
rebooted for your changes to take effect.
2. When you have completed assigning all your redirect buttons, click on the check box for
Reboot after changes are saved?
3. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
4. You can now assign the banners that you want to display to subscribers.
Assigning Banners
1. From the Subscriber Console (Information and Control Console - ICC) Setup screen, click
on the Configure Banners link.
The Subscriber Console (Information and Control Console - ICC) Banners Setup screen
appears:
You can display up to 5 banners, but they must be defined here. Banners require all the
same parameters that “buttons” use (see “Assigning Buttons” on page 185), with the
addition of 3 (three) more. These are:
• Duration – Defines how long the banner is displayed in the ICC.
• Start Time – This is an optional parameter that you set if you want to assign a “start”
time (for when the banner is displayed).
• Stop Time – This is an optional parameter that you set if you want to assign a “stop”
time (for when the displayed banner closes).
When assigning images and times for banners, refer to: “Pixel Sizes” on page 188 and
“Time Formats” on page 188.
2. Define the parameters for your banner(s):
• Name/Text
• Target URL
• Image Name (see following note)
• Duration (secs)
• Start Time (Optional)
• Stop Time (Optional)
If you assign (or change) button images or banner images, the AG 2100
must be rebooted for your changes to take effect.
3. If you changed any of the Image Name definitions, click on the check box for Reboot
after changes are saved? (to reboot the AG 2100).
4. When finished, click on the Submit button to save your changes, or click on the Reset
button if you want to reset all the values to their previous state.
5. To return to the previous screen, click on the Configure ICC link.
Pixel Sizes
Use the following parameters when defining images for buttons and banners:
• Banners – 373 pixels (width) x 32 pixels (height)
• ISP Button – 98 pixels (width) x 26 pixels (height)
• Small buttons – 45 pixels (width) x 26 pixels (height)
Time Formats
Use the following formats when defining times:
• Duration for Banners – 1 through 9999, or more
• Start or Stop times for Banners – hh:mm PM/AM (for example, 2:35 PM)
Defining Languages {Language Support}
The AG 2100 allows you to define the text displayed to your users by the Internal Web Server
(IWS) without any HTML or ASP knowledge. The language you select here will determine the
language encoding that the AG 2100’s Internal Web Server instructs the browser to use.
The available language options are:
• English
• Chinese (Big 5)
• French
• German
• Japanese (Shift_JIS)
• Spanish
• Other, with drop-down menu (see note)
1. From the Web Management Interface, click on Subscriber Interface, then Language
Support.
The Language Support screen appears:
2. Select the language you want to use (see notes).
There are currently 6 (six) “pre-translated” language options. If you want to
have the ICC pre-translated into Japanese and enter and display Japanese
characters on the Web Management Interface and the subscriber’s portal page,
choose the Japanese (Shift_JIS) option. If you want to have the ICC displayed in
English but enter and display Japanese characters on the Web Management
Interface and the subscriber’s portal page, choose the Other option, then choose
one of the available Japanese character sets from the drop-down menu.
If sufficient space is available, the AG 2100’s Internal Web Server also supports
multiple languages at the same time.
The following sample image shows the Web Management Interface (WMI) displayed with
Asian language characters.
Enabling Local Web Serving {Local Web Server}
Here are the quick setup instructions to enable serving of local web pages.
1. Upload the required pages and images to the /flash/web directory using FTP. Total file size
of all pages and images cannot exceed 200 KB. File names should be labeled using the 8.3
format.
2. Go to WMI->Subscriber Interface->Local Web Server and add the names of the HTML or
image files that were uploaded to the /flash/web directory.
3. Reboot the AG 2100.
4. The pages can now be served by referencing the URL http://nseip:1111/web/<filename>
or at https://nseip:1112/web/<filename> for preauthenticated end users.
5. The post-authentication pages and images are available at
http://nseip:3111/web/<filename>
These settings are available under Subscriber Interface/Local Web Server menu.
Web Page File Name
This text box lets you add or remove the names of the web pages that you intend to serve to the
end users.
The name of the web page has to be added in order for it to be served to the end
Image File Name
This text box lets you add or remove the names of the image files that you intend to serve to
the end users. Note: The name of the image file has to be added in order for it to be served to
the end users. Uploading the image file to the /web directory is not sufficient.
Defining the Subscriber’s Login UI {Login UI}
This procedure allows you to set up the presentation and content of the subscriber’s login User
Interface (UI).
1. From the Web Management Interface, click on Subscriber Interface, then Login UI. The
Subscriber Login User Interface Settings screen appears:
2. Define the messages you want subscribers to see when they log in. Keep messages brief
and to the point. Available message categories include:
• Service Selection Message
• Existing Username Message
• New Username Message
• Contact Message
3. If any of your devices do not support JavaScript™, you have the option of disabling the
AG 2100’s JavaScript™ support (JavaScript support is enabled by default). If necessary
(and if JavaScript support is already enabled), click on the check box for Enable
Javascript to clear it and disable this feature.
4. Click on the check box for Enable “Remember Me” option if you want to enable (or
disable) this feature. This option enables the AG 2100 to “remember” logins for a
predetermined duration (see next step).
The “Remember Me” option requires JavaScript to be enabled.
5. If you enabled the “Remember Me” option, define the duration (in days) in the Remember
for how many days field.
6. If required, define a Help Hyperlink Message and a corresponding Help Hyperlink URL.
7. Define the location in the Locale field.
8. Define the currency labeling (for example, $) in the Currency field.
The currency must be defined using an ISO 4217 currency code (for example,
USD for US Dollars, GBP for Great British Pounds).
9. Enter a numeric value for the Number of decimals for amount. This field defines the
number of decimal places that are shown for the displayed amounts.
10. Define the appearance of the internal login screen. Appearance settings include:
• Image File Name (if you want to include a unique image)
• Page Background Color
• Table Background Color
• Page Title Font
• Line Item Font
Take care when mixing font and background colors. You may want to experiment before
establishing these settings to ensure that your chosen color scheme is both presentable and
readable to subscribers (see notes).
You must reboot the AG 2100 for the “Image File Name” or “Partner Image File
Name” settings to take effect.
You can view a grid of acceptable screen colors. To view the grid, simply click on
the “View Color Grid” link.
If you click on the “View Color Grid” link, the Browser Safe Background Colors by RGB
screen appears (partial view only shown here):
11. Click on the check box for Partner Image to enable this feature, then enter the name of the
image file in the Partner Image File Name field.
12. If you made changes to the Image File Name or Partner Image File Name fields, you
must reboot the AG 2100 for your changes to take effect. In this case, click on the check
box for Reboot after changes are saved?.
The partner image (splash screen) is not the same screen that is defined by the
Image File Name (IWS screen) field.
13. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
Subscriber Login Screen (Sample)
The following sample shows a subscriber login screen:
Defining the Post Session User Interface (Post Session UI)
The Post Session UI (Goodbye Page) can be defined either as a RADIUS VSA or be driven by
the AG 2100’s Internal Web Server (IWS). Using the IWS option means that this functionality
is available for other post-paid billing mechanisms. The IWS page displays the details of the
user's connection, such as:
• IP address of the user
• Type of AAA
• Start/Stop time
• Bytes sent/received
• Freely configurable hypertext link (in case the ISP wants to link the user back to a
sign-up/help page).
Sample of Post Session UI (Goodbye Page)
1. From the Web Management Interface, click on Subscriber Interface, then Post Session
UI. The Subscriber Post Session User Interface Settings screen appears:
2. Click on the Enable IWS Goodbye Page check box to enable (or disable) the IWS
Goodbye Page, as required.
3. If you enabled the IWS Goodbye Page, select your preferred display options by checking
the corresponding boxes:
• Display IP Address
• Display Authen Type
• Display Start Time
• Display Stop Time
• Display Byte Sent
• Display Byte Received
• Display Hypertext Link URL
4. If you enabled the Hypertext Link URL feature, enter the URL for the link in the Hyper
Text Link URL field.
5. Define the following Field Label Definitions for your Goodbye Page:
• Session Summary
• IP Address
• Authen Type
• Start Time
• Stop Time
• Byte Sent
• Byte Received
• Go To
If you enabled the Partner image for the Login UI, you will also see the same
image in the IWS Post Session page.
6. Click on the Submit button to save your changes. Alternatively, you can click on the
Reset button to reset all values to their previous state, or click on the Revert button to
revert all values to their default state.
Defining Subscriber UI Buttons {Subscriber Buttons}
This procedure allows you to define how each of the control buttons is displayed to
subscribers.
1. From the Web Management Interface, click on Subscriber Interface, then Subscriber
Buttons.
The Subscriber Page -- Control Button Definitions screen appears:
Only the Login button should be named “Login.” Do not assign this name to
any other button.
2. Enter the definitions you want for each control button in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
If you want to reset all field values to their default state, click on the Revert button.
Defining Subscriber UI Labels {Subscriber Labels}
This procedure allows you to define how the user interface (UI) field labels are displayed to
subscribers.
1. From the Web Management Interface, click on Subscriber Interface, then Subscriber
Labels. The Subscriber Page -- Field Label Definitions screen appears:
2. Enter the definitions you want for each label in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
If you want to reset all field values to their default state, click on the Revert button.
Defining Subscriber Error Messages {Subscriber Errors}
This procedure allows you to define how error messages are displayed to subscribers.
There are 2 (two) pages of error messages available.
1. From the Web Management Interface, click on Subscriber Interface, then Subscriber
Errors, 1 of 2. The Subscriber Page -- Error Message Definitions, 1 of 2 screen appears:
2. Enter the definitions you want for each error message in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
If you want to reset all field values to their default state, click on the Revert button.
4. Repeat Steps 1 – 3 for page 2 of 2 (see following screen):
Defining Subscriber Messages {Subscriber Messages}
This procedure allows you to define how “other” subscriber messages are displayed.
There are 3 (three) pages of subscriber messages available.
1. From the Web Management Interface, click on Subscriber Interface, then Subscriber
Messages, 1 of 3. The Subscriber Page -- Other Message Definitions, 1 of 3 screen
appears:
2. Enter the definitions you want for each subscriber message in the corresponding fields.
3. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset all the values to their previous state.
If you want to reset all field values to their default state, click on the Revert button.
4. Repeat Steps 1 – 3 for page 2 of 3 (see following screen):
5. Repeat Steps 1 – 3 for page 3 of 3 (see following screen):
System Menu
Adding an ARP Table Entry {ARP Add}
ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a
low level physical hardware (MAC) address. ARP is limited to a single physical network that
supports hardware broadcasting. This procedure shows you how to add an ARP table entry.
1. From the Web Management Interface, click on System, then ARP Add. The Add ARP
Table Entries screen appears:
2. Enter the IP Address of the entry you want to add.
3. Enter the MAC Address.
4. Define whether this entry is Regular or Static.
5. Click on the Add button to add your entry, or click on the Reset button if you want to reset
all the values to their previous state.
Deleting an ARP Table Entry {ARP Delete}
ARP (Address Resolution Protocol) is used to dynamically bind a high level IP address to a
low level physical hardware (MAC) address. ARP is limited to a single physical network that
supports hardware broadcasting. This procedure shows you how to delete an ARP table entry.
1. From the Web Management Interface, click on System, then ARP Delete. The Delete ARP
Table Entries screen appears:
2. Enter the IP address of the entry you want to delete.
3. Click on the Delete button to delete this entry, or click on the Reset button if you want to
reset the “IP Address” value to its blank state.
Enabling the Bridge Mode Option {Bridge Mode}
Bridge Mode allows complete and unconditional access to devices on the subscriber side of the
AG 2100. When the Bridge Mode option is enabled, the AG 2100 is effectively transparent to
the network in which it is located, allowing clusters of switches (especially Cisco Systems
switch clusters) to be managed using the STP (Spanning Tree Protocol), or any other
algorithm/protocol. The AG 2100 forwards any and all packets (except those addressed to the
AG 2100 network interface). The packets are unmodified and can be forwarded in both
directions. This is a very useful feature when troubleshooting your entire network as it allows
administrators to effectively “remove” the AG 2100 from the network without physically
disconnecting the unit.
You can still manage the AG 2100 when Bridge Mode is enabled, but you have no other
functionality. If you enable the Bridge Mode option and then plug the AG 2100 into a network,
all you need to do is assign it routable IP addresses. You can then set up all other features and
disable the Bridge Mode option whenever you want to start using the AG 2100 in that network.
This procedure shows you how to enable the Bridge Mode option.
1. From the Web Management Interface, click on System, then Bridge Mode. The Bridge
Mode (Passthrough) Settings screen appears:
2. Click on the check box for Bridge Mode to enable this feature.
The AG 2100 will be rebooted if this setting is changed.
3. Click on the Submit button to save your changes, or click on the Reset button if you want
to reset the “Enable” option to its previous state.
Exporting Configuration Settings to the Archive File {Export}
This procedure shows you how to export the current system configuration settings to an archive
file for future retrieval. This function is useful if you want to change the configuration settings
and you are unsure of the effect that the changes will have. You can restore the archived system
configuration settings at any time with the import function.
1. From the Web Management Interface, click on System, then Export. The Export
Configuration screen appears (the screen includes links to view the “archive.txt” and
“current.txt” files):
2. Click on the OK button to export the current configuration settings to the archive.txt file.
Importing the Factory Defaults {Factory}
This procedure shows you how to replace the current configuration settings with the settings
that were established at the factory.
If you restore the factory default configuration settings, you will no longer be
able to access the AG 2100 remotely. However, you always have the option of
using the “import” function to restore system configuration settings from the
archive file.
The factory default configuration does not include the network settings. The
network connection will be lost if this “import” function is performed. To avoid
a prolonged service interruption, perform this procedure from the Admin IP
(172.30.30.172).
You will need to reboot the system for some of the imported default settings to
take effect (especially DHCP).
1. From the Web Management Interface, click on System, then Factory.
The Factory Configuration screen appears (the screen includes links to view the “factory.txt”
and “current.txt” files):
2. Click on the Submit and Reboot button to replace the current system configuration
settings with the factory default settings and reboot the AG 2100.
Viewing the History Log {History}
You can view a history log of the system’s Access, Reboot, and Uptime activities. The history
log contains up to 500 entries. Once the log holds 500 entries, each new log item removes the
oldest entry in the list. The latest entry is always at the top of the list.
To view the history log, go to the Web Management Interface and click on System, then
History. The Uptime and Access/Reboot History screen appears:
The “Uptime” field displays the time (in days, hours, minutes, and seconds) that the system has
been up and running.
The “Access and reboot History” log fields include:
• Message – Administrator / Operator action.
• Login – User name of the Administrator / Operator.
• IP – Source IP address (see note).
The source IP displayed may be the source IP of a NAT router instead of the
client of the person accessing the AG 2100.
Establishing ICMP Blocking Parameters {ICMP}
The AG 2100 includes the option to block all ICMP traffic from “pending” or “non
authenticated” users that are destined to addresses other than those defined in the pass-through
(walled garden) list. The default setting for this option is “disabled” since ICMP pass-through
is a useful end-user troubleshooting feature and also required by certain smart clients (for
example, GRIC).
1. From the Web Management Interface, click on System, then ICMP.
The ICMP screen appears:
2. Click on the check box for Block ICMP from pending users to enable (or disable) this
feature, as required.
3. You can ping a host via the network port by simply entering the IP address of the host
you want to ping and then clicking on the Submit button.
4. Click on the Submit button to save your changes, or click on the Reset button to reset all
values to their previous state.
Importing Configuration Settings from the Archive File {Import}
This procedure shows you how to restore the system configuration settings from an archive file
(previously created with the export function).
The archived configuration settings you want to restore may not contain valid
IP addresses. Perform this procedure from the Admin IP (172.30.30.172).
You will need to reboot the system for some of the imported default settings to
take effect (especially DHCP).
1. From the Web Management Interface, click on System, then Import. The Import
Configuration screen appears (the screen includes links to view the “archive.txt” and
“current.txt” files):
2. Click on the OK button to replace the current system configuration settings with the
settings contained in the archive.txt file (see notes above).
Establishing Login Access Levels {Login}
This procedure shows you how to assign differentiated access levels for operators and
managers at login.
The AG 2100 allows you to define 2 concurrent access levels to differentiate between
managers and operators, where managers are permitted read/write access and operators are
restricted to read access only. Once the logins have been assigned, managers have the ability to
perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot
change any system settings. When this feature is enabled, one manager and three operators can
access the AG 2100 at any one time (the default is “disabled”). This feature supports the
following interfaces:
• Telnet
• Command Line Interface (CLI) – serial
• Web Management Interface (WMI)
• FTP (no operator access allowed)
Only managers can assign a username and password for the remote RADIUS testing login
option.
1. From the Web Management Interface, click on System, then Login.
The Login Name and Password screen appears:
2. Click on the check box for Administration Concurrency if you want to assign concurrent
Manager and Operator logins.
3. In the Manager Login field, enter a login name for this manager.
Login names and passwords are case-sensitive. Use login names and passwords
that are easy to remember (up to 11 characters, any character type).
4. In the Manager Password field, enter a password for this manager.
5. In the Confirm Password field, enter the password again to confirm it.
If you forget your password, you will need to contact technical support. See
also, “Appendix A: Technical Support” on page 303.
6. If you enabled Administration Concurrency, repeat steps 3 to 5 for an operator login.
As part of its Smart Client feature, the AG 2100 offers a remote RADIUS testing feature
(enabled by default). With this feature, the AG 2100 provides a password-protected Web
page. From this Web page, technical support can type a username and password and
instruct the AG 2100 to send a RADIUS access request to the RADIUS server—following
the same basic rules as if the request was from a user. The URL for the test page is
http://AG 2100_IP/radtest/testradius.htm and can be accessed from the network side of the
AG 2100. You must open a separate browser to utilize this feature. The “Framed IP” field
is configurable by the user and can be set to any IP address.
7. Managers Only: If RADIUS is enabled, you can enter a login name in the Radius Remote
Test Login field.
For RADIUS logins, the maximum number of characters for usernames is 96.
The maximum number of characters for passwords is 128.
8. Managers Only: If you entered a login name in Step 7, enter a password in the Radius
Remote Test Password field.
9. Managers Only: Click on the Submit button to save the login and password parameters, or
click on the Reset button if you want to reset all the values to their previous state.
Defining the MAC Filtering Options {Mac Filtering}
MAC Address filtering enhances Nomadix' access control technology by allowing System
Administrators to block malicious users based on their MAC address. Up to 50 MAC addresses
can be blocked at any one time (see caution).
MAC addresses that you enter here will cause the subscribers at these
addresses to be blocked from service. Please make sure that you enter the
correct addresses before submitting the data.
1. From the Web Management Interface, click on System, then MAC Filtering. The MAC
Filtering screen appears:
2. Click on the check box for MAC Filtering to enable (or disable) this feature, as required.
3. Enter a MAC address in the MAC field, then click on the Add button to add this address to
the “blocked” list, or click on the Remove button to remove this address from the list.
For advanced security, see also, “Establishing Session Rate Limiting {Session Limit}” on
page 224.
Rebooting the System {Reboot}
This procedure shows you how to reboot the AG 2100.
The “reboot” procedure outlined on this page allows you to decide when to
reboot (if you are making multiple changes to different menu functions and you
want to reboot just one time after completing all your changes).
1. From the Web Management Interface, click on System, then Reboot. The Reboot Device
screen appears:
2. Click on OK to reboot the operating system.
Adding a Route {Route Add}
This procedure shows you how to add a route into the AG 2100’s routing table. This is
accomplished by establishing the route’s destination IP address, and by setting the gateway or
router IP address by which the route’s destination can be reached.
1. From the Web Management Interface, click on System, then Route Add. The Add Static
Routes screen appears:
2. Enter the Destination IP address of the route you want to add to the routing table.
3. Enter the Gateway IP address.
4. Click on the Add button to add this route to the routing table, or click on the Reset button
if you want to reset all the values to their previous state.
Deleting a Route {Route Delete}
This procedure shows you how to delete a route to a specific IP destination.
1. From the Web Management Interface, click on System, then Route Delete. The Delete
Static Routes screen appears:
2. Enter the Destination IP address of the route you want to delete from the routing table.
3. Click on the Delete button to delete this route from the routing table, or click on the Reset
button if you want to reset the “Destination IP” value to its blank state.
Establishing Session Rate Limiting {Session Limit}
Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by
allowing administrators to limit the number of DAT sessions any one user can open over a given
time period and, if necessary, then block malicious users.
1. From the Web Management Interface, click on System, then Session Limit. The Session
Rate Limiting screen appears:
2. Click on the check box for Session Rate Limiting to enable (or disable) this feature, as
required.
3. Enter values for the following session “limiting” parameters:
• Mean Rate
• Burst Size
• Time Interval (in seconds)
4. Click on the Submit button to save your changes.
5. For advanced security, see also “Defining the MAC Filtering Options {Mac Filtering}” on
page 220.
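The guide pairs Session Rate Limiting with MAC Filtering but does not say how Mean Rate, Burst Size and Time Interval combine. The following added Python example (not Nomadix code) applies one plausible token-bucket reading of those three parameters to a constructed session log and produces the list of subscriber MACs an administrator would then review for the MAC Filtering “blocked” list; the token-bucket interpretation, the log format and the MAC addresses are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample of new-DAT-session events: "<seconds since start> <subscriber MAC>".
# Subscriber ...:aa opens six sessions in half a second; ...:bb opens one every 2 s.
SAMPLE_SESSION_LOG = """\
0.0 00:11:22:33:44:aa
0.1 00:11:22:33:44:aa
0.2 00:11:22:33:44:aa
0.3 00:11:22:33:44:aa
0.4 00:11:22:33:44:aa
0.5 00:11:22:33:44:aa
0.0 00:11:22:33:44:bb
2.0 00:11:22:33:44:bb
4.0 00:11:22:33:44:bb
6.0 00:11:22:33:44:bb
"""


@dataclass
class SessionRateLimiter:
    """Token bucket per subscriber MAC (assumed reading of the SRL screen's parameters).

    mean_rate:     sustained number of new sessions allowed per time_interval
    burst_size:    maximum number of sessions allowed back-to-back (bucket depth)
    time_interval: length of the averaging window in seconds
    """
    mean_rate: float
    burst_size: float
    time_interval: float
    # mac -> (tokens left, timestamp of last decision)
    buckets: Dict[str, Tuple[float, float]] = field(default_factory=dict)
    flagged: Set[str] = field(default_factory=set)

    def allow(self, mac: str, now: float) -> bool:
        """Spend one token for a new session; False (and flag the MAC) when the bucket is empty."""
        refill_per_sec = self.mean_rate / self.time_interval
        tokens, last = self.buckets.get(mac, (self.burst_size, now))
        tokens = min(self.burst_size, tokens + max(0.0, now - last) * refill_per_sec)
        if tokens >= 1.0:
            self.buckets[mac] = (tokens - 1.0, now)
            return True
        self.buckets[mac] = (tokens, now)
        self.flagged.add(mac)  # candidate for the MAC Filtering "blocked" list
        return False


def audit_session_log(log_text: str, limiter: SessionRateLimiter) -> Tuple[int, int, List[str]]:
    """Replay a session log through the limiter.

    Returns (allowed_count, denied_count, sorted list of flagged MACs).
    """
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac = line.split()
        events.append((float(ts), mac.lower()))
    events.sort(key=lambda e: e[0])  # bucket maths assumes non-decreasing time per MAC

    allowed = denied = 0
    for ts, mac in events:
        if limiter.allow(mac, ts):
            allowed += 1
        else:
            denied += 1
    return allowed, denied, sorted(limiter.flagged)


def mac_filter_entries(limiter: SessionRateLimiter, limit: int = 50) -> List[str]:
    """Flagged MACs in the form you would enter on the MAC Filtering screen.

    The guide states that up to 50 MAC addresses can be blocked at one time, so the
    list is capped at that many; anything beyond the cap needs a different control.
    """
    return sorted(limiter.flagged)[:limit]


if __name__ == "__main__":
    srl = SessionRateLimiter(mean_rate=10, burst_size=5, time_interval=10)
    print(audit_session_log(SAMPLE_SESSION_LOG, srl))
    print(mac_filter_entries(srl))
```

With Mean Rate 10 per 10-second interval and Burst Size 5, the example lets a subscriber open five sessions at once and then one per second on average; the subscriber that opens six in half a second is the only one flagged.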
Adding Static Ports {Static Port-mapping Add}
Static Port-Mapping allows the network administrator to set up a port mapping scheme that
forwards packets received on a specific port to a particular static IP (typically private and
misconfigured) and port number on the subscriber side of the AG 2100. The advantage for the
network administrator is that free private IP addresses can be used to manage devices (such as
Access Points) on the subscriber side of the AG 2100 without setting them up with public IP
addresses.
This procedure shows you how to add static ports.
1. From the Web Management Interface, click on System, then Static Port-mapping Add.
The Add Static Port-Mapping Entries screen appears:
2. Enter the Internal IP Address.
Ensure that the device with the Internal IP Address has been added to the
subscriber’s table.
3. Enter the Internal Port reference.
4. Enter a valid MAC Address.
5. Enter the External IP Address.
The External IP address field will default to the IP address of the AG 2100.
6. Enter the External Port reference.
7. Optional: Enter the Remote IP Address. Leave this field set to zero if you want to connect
to the internal device from any network-side workstation.
8. Optional: Enter the Remote Port reference. Leave this field set to zero if you want to
connect to the device from any TCP/UDP port of a network-side workstation.
9. Select the protocol (TCP or UDP) from the pull-down menu.
10. Click on the Add button to add this static port, or click on the Reset button to reset all
values to their previous state.
For more information about Static Port-Mapping, see also:
• “Displaying the Static Port Mapping Table {Static Port-Mapping}” on page 146.
• “Deleting Static Ports {Static Port-mapping Delete}” on page 227.
Deleting Static Ports {Static Port-mapping Delete}
Static Port-Mapping allows the network administrator to set up a port mapping scheme that
forwards packets received on a specific port to a particular static IP (typically private and
misconfigured) and port number on the subscriber side of the AG 2100. The advantage for the
network administrator is that free private IP addresses can be used to manage devices (such as
Access Points) on the subscriber side of the AG 2100 without setting them up with public IP
addresses.
This procedure shows you how to delete static ports.
1. From the Web Management Interface, click on System, then Static Port-Mapping Delete.
The Delete Static Port-Mapping Entries screen appears:
2. Enter the External IP Address and/or the External Port of the item you want to delete.
3. Click on the Delete button to delete the static port, or click on the Reset button to reset
your changes to their previous state.
For more information about Static Port-Mapping, see also:
• “Displaying the Static Port Mapping Table {Static Port-Mapping}” on page 146.
• “Adding Static Ports {Static Port-mapping Add}” on page 225.
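The add and delete procedures above define a small table: each entry is keyed by external IP, external port and protocol, forwards to an internal device, and can optionally be restricted to one remote workstation and source port. The following is an added model of that table, not the AG 2100's own implementation; its matching rules are assumptions for the example, and the addresses are constructed. It shows why leaving Remote IP at zero exposes the mapped device to every network-side host, while filling it in limits the mapping to a single management workstation.

```python
"""Static port-mapping table: add, look up and delete entries.

Added model of the Static Port-Mapping entries that the two procedures above
create and delete; it is not the AG 2100's own implementation and its matching
rules are assumptions for this example. As the add procedure states, a Remote
IP or Remote Port of zero means "any network-side workstation" / "any source
port". Addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortMap:
    internal_ip: str            # subscriber-side device (must already be in the subscriber table)
    internal_port: int
    internal_mac: str
    external_ip: str            # defaults to the AG 2100's own address
    external_port: int
    protocol: str               # "TCP" or "UDP"
    remote_ip: str = "0.0.0.0"  # 0 = any network-side source address
    remote_port: int = 0        # 0 = any network-side source port

    def key(self) -> tuple:
        """What must be unique: one external ip/port/protocol maps to one device."""
        return (self.external_ip, self.external_port, self.protocol)


class StaticPortMapTable:
    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.entries = []

    def add(self, **fields) -> PortMap:
        fields.setdefault("external_ip", self.gateway_ip)   # External IP defaults to the gateway
        entry = PortMap(**fields)
        if entry.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        if any(e.key() == entry.key() for e in self.entries):
            raise ValueError(f"{entry.protocol} {entry.external_ip}:{entry.external_port} is already mapped")
        self.entries.append(entry)
        return entry

    def lookup(self, dst_ip: str, dst_port: int, protocol: str,
               src_ip: str, src_port: int) -> Optional[tuple]:
        """Forwarding target (internal_ip, internal_port) for a network-side packet, or None."""
        for e in self.entries:
            if e.key() != (dst_ip, dst_port, protocol):
                continue
            if e.remote_ip != "0.0.0.0" and e.remote_ip != src_ip:
                continue   # mapping restricted to one remote workstation
            if e.remote_port != 0 and e.remote_port != src_port:
                continue   # mapping restricted to one remote source port
            return (e.internal_ip, e.internal_port)
        return None

    def delete(self, external_ip: Optional[str] = None,
               external_port: Optional[int] = None) -> int:
        """Delete entries matching the External IP and/or External Port; returns how many were removed."""
        if external_ip is None and external_port is None:
            raise ValueError("specify external_ip and/or external_port")
        keep = [e for e in self.entries
                if not ((external_ip is None or e.external_ip == external_ip)
                        and (external_port is None or e.external_port == external_port))]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed


def demo() -> dict:
    """Two constructed mappings: an AP's web UI open to any source, SSH to an AP only from one NOC host."""
    table = StaticPortMapTable(gateway_ip="203.0.113.10")
    table.add(internal_ip="10.0.0.5", internal_port=80, internal_mac="00:11:22:33:44:55",
              external_port=8080, protocol="TCP")
    table.add(internal_ip="10.0.0.6", internal_port=22, internal_mac="00:11:22:33:44:66",
              external_port=2222, protocol="TCP", remote_ip="198.51.100.7")
    results = {
        "web_any": table.lookup("203.0.113.10", 8080, "TCP", "192.0.2.1", 40000),
        "ssh_noc": table.lookup("203.0.113.10", 2222, "TCP", "198.51.100.7", 50000),
        "ssh_other": table.lookup("203.0.113.10", 2222, "TCP", "192.0.2.1", 50000),
        "udp_miss": table.lookup("203.0.113.10", 8080, "UDP", "192.0.2.1", 40000),
    }
    results["deleted"] = table.delete(external_port=8080)
    results["after_delete"] = table.lookup("203.0.113.10", 8080, "TCP", "192.0.2.1", 40000)
    return results
```

Deleting by External Port alone, as the delete screen allows, removes every protocol's mapping on that port at once; pass both the External IP and the External Port when you want to be sure of removing a single entry.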
Blocking a Subscriber Interface {Subscriber Interfaces}
The AG 2100 allows System Administrators to block subscriber interfaces.
1. From the Web Management Interface, click on System, then Subscriber Interfaces. The
Subscriber Interfaces screen appears:
2. Enable or disable the following items by clicking on the corresponding check box:
   • Block Subscriber Interface 1
   • Block Subscriber Interface 2
3. Click on the Submit button to save your changes, or click on the Reset button to reset all
values to their previous state.
Updating the AG 2100 Firmware {Upgrade}
Upgrading the AG 2100 firmware is performed from the AG 2100’s Command Line Interface
(CLI) only. Refer to the Firmware Upgrade Procedure (separate document available from
Nomadix Technical Support).
Defining Wireless Configuration {Wireless Configuration}
This procedure allows you to configure the AG 2100’s wireless settings and optimize
transmissions and wireless security.
See also:
• “Why Choose Wireless?” on page 2
• “Offering Speed and Efficiency” on page 4
• “Optimizing Performance” on page 4
• “Installation Considerations” on page 37
• “Enabling Wireless Connectivity” on page 63
1. From the Web Management Interface, click on System, then Wireless Configuration.
The Wireless Configuration screen appears:
2. To add, edit, or remove Virtual APs (VAPs), click the Virtual AP Setup link at the top of
this window. See “Virtual AP Setup” on page 231.
3. Select a Regulatory Domain from the drop-down list:
   • USA/Canada
   • ETSI
   • World
   • France
   • China
   • Japan
4. Select a Frequency Spectrum:
   • 11b
   • 11g
   • 11gb
5. Select the desired Channel from the pull-down menu.
6. Select the transmission Rate from the pull-down menu. This is the transmission rate for
the wireless network (in Mbits/s).
7. Select the transmission Power from the pull-down menu. This is the transmit power,
assignable between minimum power and full power in increments of one eighth, one
quarter, and one half. For security purposes, you may want to limit the distance that the
signal travels.
8. Define the Fragment Length (between 256 and 2346). This value should remain at its
default setting unless you experience a high packet error rate. Setting the fragment length
too low may result in poor performance.
9. Define the RTS Length (between 256 and 2346). This value should remain at its default
setting unless you encounter inconsistent data flow. Only minor modifications to this value
are recommended.
10. Define the Beacon Interval (between 20 and 1000). The beacon interval is the amount of
time between beacon transmissions. The default setting (100) is recommended.
11. Define the DTIM value (between 1 and 255). A DTIM (Delivery Traffic Indication
Message) is a countdown informing clients of the next window for listening to broadcast
and multicast messages.
12. If required, check the box for Enable Short Preamble.
13. When finished, you must reboot the system for the new settings to take effect. Click the
check box for Reboot after changes are saved? to reboot the system after saving your
changes.
Virtual AP Setup
Your product license may not support this feature.
The NSE can create virtual access points (VAPs) from one physical access point by assigning
unique BSSIDs to each SSID. Single providers can use VAPs to offer multiple services (for
example, offering access to different VLANs, using different authentication/association
methods). Multiple providers can also use VAPs to share the same wireless infrastructure.
VAPs are primarily used with enterprise hotspots.
You can create a maximum of 16 VAPs (including the original base AP). It is recommended
that you configure each VAP with a different SSID and Authentication/Association method.
All wireless settings (i.e., channel, rate, frequency, etc.) apply to all VAPs and not
per VAP, except for SSID and broadcasting of SSID.
Pre-existing Multiple SSIDs may be lost during an upgrade unless you follow
the exact upgrade procedures provided by Technical Support and/or the
Firmware Upgrade document.
From the CLI:
• Go to system->wireless->virtual.
• Typing the command for VAP will present a menu to Display, Add, Modify or Delete
VAPs.
Using SNMP:
• Go to NSE->wireless->wirelessVirtualAps (enterprises.3309.1.x.43.13) for the VAP
configuration branch.
• To Add an entry to the VAP table, SET all VAP variables for the required functionality.
• To Modify, SET the variable with the index of the VAP to be changed.
• To Delete/Destroy a VAP, SET the vapStatus variable for the VAP index to destroy
(6).
Using the WMI:
• From the System menu, click Wireless Configuration, then Virtual AP Setup.
The Virtual AP Setup window appears:
• Enable or disable Default 802.1q Tag for System Traffic, and add/edit the
associated VLAN tag if necessary.
Changing the default tag number may result in a loss of connectivity.
Changing the default tag number may cause the Internet connection to drop.
• The Virtual AP Settings box displays all current VAPs. To Add a Virtual AP, click the
Add button. To Edit or Remove a Virtual AP, click the VAP link in the list. The
Edit/Add Virtual AP screen appears:
1. Enter an SSID. The SSID (Service Set Identifier) is a unique name that identifies a
wireless network. All devices on a wireless network must share the same SSID name in
order to communicate on the wireless network. The SSID can be up to 32 ASCII
characters. The SSID can be the same as another VAP or AP, but this is not recommended
unless the Authentication method is different. Wireless MAC addresses/BSSIDs range
from 0 to F (i.e., 00:50:E8:02:01:00 to :0F).
Each VAP should be configured with a different SSID and Association/
Authentication method.
2. Enable or disable SSID Broadcast, as required. This feature “broadcasts” the Virtual
AP’s SSID over the wireless network, making connection easier.
3. Enable or disable Bridge Mode. Global Bridge Mode supersedes VAP Bridge Mode (see
“Enabling the Bridge Mode Option {Bridge Mode}” on page 209).
With VAP Bridge Mode enabled:
   • Multicast packets are not bridged.
   • Broadcast packets are bridged to a VAP only if there is a client associated.
   • Incorrect packets and packets with no VLAN tag are bridged to all VAPs with
associated clients.
   • Packets with correct VLAN tags are bridged only to VAPs configured with the same
VLAN tag.
   • IEEE 802.11i and 802.1x still function.
   • All other NSE functions are disabled, the same as regular bridge mode.
   • If GRE is used with VAP Bridge Mode enabled and VLAN either on or off, subscriber
traffic is bridged outside of the GRE tunnel. See “GRE Tunneling {Gre Tunneling}”
on page 94.
   • If PPPoE is used with VAP Bridge Mode enabled and VLAN either on or off, subscriber
traffic is bridged without a PPP header. See “PPPoE Client” on page 306.
   • Subscribers will appear in the Current Table in bridged state (see “Displaying Current
Subscriber Connections {Current}” on page 167).
4. Enable or disable WAN VLAN tagging of traffic to the wireless network interface. Default
VLAN traffic is separate from VAP. RADIUS and 802.1x authentication is performed
through the Default VLAN; subscriber traffic uses the VAP VLAN.
VLAN tagging is disabled when you use GRE or PPPoE.
RADIUS-based WAN VLAN takes priority over Virtual AP-based WAN VLAN.
If you enable WAN VLAN, enter a VLAN tag number using one to 10 numeric characters.
Multiple VAPs can be mapped to the same VLAN.
5. Select an Authentication Method:
   • Open (no security)
   • WEP
   • WPA Personal
   • WPA Enterprise
   • WPA 2 Personal
   • WPA 2 Enterprise
Personal associates using a pre-shared key (PSK) and requires separate
authentication; Enterprise associates using 802.1x full login with RADIUS
authentication.
Each VAP should be configured with a different SSID and Association/
Authentication method.
If you selected WEP, see “WEP Settings” on page 237.
If you selected a WPA or WPA 2 association method, see “802.11i Settings” on page 236.
802.11i Settings
802.11i settings are available only for WPA and WPA 2 association methods. If
you chose Open or WEP, please see “WEP Settings” on page 237.
IEEE 802.11 and 802.11i can be configured differently per VAP, and this is
recommended.
1. Select a Passphrase. The Passphrase is a word or phrase used for WPA Personal or WPA 2
Personal to derive the PSK. It can be from eight to 63 ASCII characters in length.
2. Enable or disable WPA/WPA2 Mixed Mode (available only if WPA 2 is chosen as the
association method). Mixed Mode simultaneously supports WPA-TKIP and WPA 2-AES
to assist the transition from WPA to WPA 2. When Mixed Mode is enabled, Cipher is not
configurable.
The following table shows which features are configurable with each Authentication
method.
Association Method   Passphrase     WPA/WPA 2 Mixed Mode
WPA 2 Enterprise     disabled       configurable
WPA 2 Personal       configurable   configurable
WPA Enterprise       disabled       disabled
WPA Personal         configurable   disabled
3. Select a Cipher (not available when WPA/WPA2 Mixed Mode is selected):
   • Auto supports both TKIP and AES/CCMP simultaneously for the selected WPA
association mode.
   • TKIP
   • AES/CCMP
4. Select a Group Key Update Interval. Select zero (0) to disable, or enter a time (in
seconds).
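Step 1 says the Passphrase is used "to derive the PSK". The following added example, which is not Nomadix code, shows that derivation as IEEE 802.11i defines it for WPA and WPA 2 Personal: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. The length checks (8 to 63 ASCII characters for the passphrase, up to 32 for the SSID) are the limits stated in this guide; the function names are the example's own.

```python
"""WPA/WPA 2 Personal: derive the 256-bit PSK from the Passphrase and SSID.

Added example, not Nomadix code. The derivation is the one IEEE 802.11i
specifies for WPA Personal (PBKDF2-HMAC-SHA1, the SSID as salt, 4096
iterations, 32-byte output), so it matches what an AP computes from the
Passphrase entered in step 1. The length limits are the ones the guide states.
"""
import hashlib

PSK_LEN = 32           # 256-bit pairwise master key
PBKDF2_ROUNDS = 4096   # fixed by 802.11i


def validate_ssid(ssid: str) -> bytes:
    """SSID: 1 to 32 ASCII characters (the guide's limit for a VAP SSID)."""
    data = ssid.encode("ascii")
    if not 1 <= len(data) <= 32:
        raise ValueError("SSID must be 1 to 32 ASCII characters")
    return data


def validate_passphrase(passphrase: str) -> bytes:
    """Passphrase: 8 to 63 printable ASCII characters."""
    data = passphrase.encode("ascii")
    if not 8 <= len(data) <= 63:
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    if any(b < 0x20 or b > 0x7E for b in data):
        raise ValueError("passphrase must contain printable ASCII only")
    return data


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", validate_passphrase(passphrase),
                               validate_ssid(ssid), PBKDF2_ROUNDS, PSK_LEN)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    return wpa_psk(passphrase, ssid).hex()


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the AP would accept this Passphrase for WPA/WPA 2 Personal."""
    try:
        validate_passphrase(passphrase)
        return True
    except (ValueError, UnicodeEncodeError):
        return False


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk_hex("password", "IEEE"))
```

Because the SSID is the salt, the same passphrase yields a different PSK on each VAP with a distinct SSID, and every client on a VAP shares that one PSK. That is the practical reason behind the guide's advice to give each VAP its own SSID and its own association method, and why the Enterprise methods, which authenticate each user through 802.1x and RADIUS instead of a shared secret, are the better fit for a multi-tenant hotspot.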
WEP Settings
WEP features are available only if WEP is selected for Authentication Method. If
you chose a WPA or WPA 2 Authentication method, proceed to “Other Options”
on page 238.
5. Select an 802.11 Authentication Type: Open or Shared.
6. Put a check mark next to Non-802.1x Allowed to allow anyone with or without an
802.1x supplicant to log in.
7. Select a Key Length from the drop-down window: 64, 128 or 152. The larger the key
length, the greater the security. The following table shows key lengths and the number of
characters required for the key:
Key Length   ASCII characters   Hex characters
64           5                  10
128          13                 26
152          16                 32
8. Select a Key Type: Hex Digit (limited to hexadecimal numbers 0-9 and characters A-F)
or ASCII.
9. Select a Default WEP key from the drop-down list.
10. You can define up to four discrete WEP Keys by entering a key identifier in the fields
corresponding to the four keys.
   • WEP Key 1
   • WEP Key 2
   • WEP Key 3
   • WEP Key 4
In order to use Dynamic WEP, the default key must be set to 2, 3, or 4.
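The key-length table and the rules in steps 8 to 10 are exactly the checks a configuration front end has to make before a key is installed. The following is an added validator written for this guide, not Nomadix code: it converts a key entered as Hex or ASCII into the bytes the AP would use, enforces the 5/13/16 and 10/26/32 character counts from the table, and applies the Dynamic WEP rule on the default key slot. The advertised 64/128/152 bits include WEP's 24-bit initialization vector, which is why the secret material is only 40, 104 or 128 bits. Function names are the example's own.

```python
"""Validate a static WEP key against the key-length table above.

Added example, not Nomadix code. The table values (64/128/152-bit keys need
5/13/16 ASCII or 10/26/32 hex characters) are the guide's. The advertised
bit lengths include the 24-bit IV that WEP transmits in the clear, so the
secret portion is 40, 104 or 128 bits; that is why a "64-bit" key is only
five bytes.
"""
import re

WEP_KEY_BYTES = {64: 5, 128: 13, 152: 16}   # guide's table, in bytes
HEX_KEY = re.compile(r"[0-9A-Fa-f]+")


def wep_key_bytes(key: str, key_length: int, key_type: str) -> bytes:
    """Return the raw key bytes the AP would install, or raise ValueError."""
    if key_length not in WEP_KEY_BYTES:
        raise ValueError("key length must be 64, 128 or 152")
    nbytes = WEP_KEY_BYTES[key_length]
    if key_type == "Hex":
        if not HEX_KEY.fullmatch(key):
            raise ValueError("hex key may contain only 0-9 and A-F")
        if len(key) != 2 * nbytes:
            raise ValueError(f"{key_length}-bit hex key needs {2 * nbytes} characters, got {len(key)}")
        return bytes.fromhex(key)
    if key_type == "ASCII":
        data = key.encode("ascii")
        if len(data) != nbytes:
            raise ValueError(f"{key_length}-bit ASCII key needs {nbytes} characters, got {len(data)}")
        return data
    raise ValueError("key type must be Hex or ASCII")


def validate_wep_settings(keys: dict, default_key: int, key_length: int,
                          key_type: str, dynamic_wep: bool = False) -> dict:
    """Check the four key slots and the Default WEP key selection.

    `keys` maps slot number (1-4) to the key string entered for that slot.
    Returns {slot: key bytes} for the slots that are filled.
    """
    if default_key not in (1, 2, 3, 4):
        raise ValueError("default key must be slot 1, 2, 3 or 4")
    if default_key not in keys:
        raise ValueError(f"default key slot {default_key} is empty")
    if dynamic_wep and default_key == 1:
        raise ValueError("Dynamic WEP requires the default key to be 2, 3 or 4")
    installed = {}
    for slot, key in keys.items():
        if slot not in (1, 2, 3, 4):
            raise ValueError(f"invalid key slot {slot}")
        installed[slot] = wep_key_bytes(key, key_length, key_type)
    return installed


def wep_error(*args, **kwargs) -> str:
    """Return the validation error message for the given settings, or '' if valid."""
    try:
        validate_wep_settings(*args, **kwargs)
        return ""
    except (ValueError, UnicodeEncodeError) as exc:
        return str(exc)
```

WEP itself is cryptographically broken regardless of key length, so where the VAP's clients support it, prefer the WPA 2 methods from the previous section; the validator above is still useful for catching the common entry mistakes (wrong character count, non-hex characters, an empty default slot) before a VAP is saved with a key that clients cannot match.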
Other Options
1. Enable or disable UAM (Universal Access Method). UAM controls [web-browser based]
Authentication, Authorization and Accounting for the VAP. UAM must be enabled for the
VAP to use the Global AAA settings (see “Defining the AAA Services {AAA}” on
page 67). UAM can be disabled for each VAP without disabling Global AAA.
This is not configurable when using WPA-Enterprise and WPA 2-Enterprise.
2. Enable or disable 802.1x authentication. 802.1x must be enabled when using:
   • dynamic WEP (which uses 802.1x to dynamically obtain WEP keys based on the
response from the RADIUS server)
   • 802.1x with static WEP
The following table shows how each Authentication method affects 802.1x
configurability:
Authentication Method   802.1x
WPA 2 Enterprise        automatically enabled
WPA 2 Personal          disabled
WPA Enterprise          automatically enabled
WPA Personal            disabled
WEP                     configurable
Open                    configurable
Enabling 802.1x first requires:
   • Global 802.1x and Global and VAP RADIUS client to be enabled. See “Defining the
AAA Services {AAA}” on page 67. (802.1x can be disabled for each VAP without
disabling Global 802.1x.)
   • RADIUS to be enabled. See “Defining the RADIUS Client Settings {RADIUS
Client}” on page 116 below.
3. Select a RADIUS Mode:
   • Disabled to disable RADIUS authentication
   • Realm-Based for Realm routing
   • Fixed for routing to predefined RADIUS servers
   • System Defaults to defer to the Global RADIUS Client configuration
Global RADIUS Client settings must first be configured before you select a RADIUS
Mode. See “Defining the RADIUS Client Settings {RADIUS Client}” on page 116.
The RADIUS Client can be configured separately for each VAP and wired subscriber
connection.
4. Select a RADIUS Service Profile from the drop-down list of available profiles. You
must first configure RADIUS Service Profiles. See “Defining the Realm-Based Routing
Settings {Realm-Based Routing}” on page 122 for setting up RADIUS Service Profiles.
5. If you made any changes to this screen, click the check box for Reboot after changes are
saved?
6. Click Modify to accept your changes (if editing an existing VAP), or click Add (if adding
a new VAP). You can also click Remove to delete that VAP.
Chapter 4: The Subscriber Interface
This chapter provides an overview and a sample scenario for the AG 2100’s Subscriber
Interface and a section outlining the authorization and billing processes utilized by the system.
Overview
The Subscriber Interface is the window to the solution provider’s Web site, and much more
than that. When a subscriber accesses the solution provider’s high speed network, the AG 2100
points their browser to a sign-in page. The AG 2100 then creates a database entry that
automatically records the subscriber’s Media Access Control (MAC) address. Like a router, the AG
2100 continuously tracks subscriber IP and MAC settings, eliminating the need for further
sign-ins and ensuring that subscriber usage and billing is recorded accurately. The AG 2100
also eliminates configuration issues between the subscriber’s computer and the network.
The Subscriber Interface is the portal Web site of the solution provider’s broadband network,
and as such, its appearance and functionality reflect the needs of the solution provider. The AG
2100 is a gateway to this network, providing connection services that enable and automate an
effective Enterprise relationship between a supplier (the solution provider) and its customer
(the subscriber). The AG 2100’s role in this customer/supplier relationship is effectively
“invisible” to subscribers.
Figure: the AG 2100 as subscriber gateway between the subscriber and the broadband network (portal, AAA module and billing), with the Internet beyond.
Authorization and Billing
As a gateway device, the AG 2100 enables plug-and-play access to broadband networks.
Broadband network solution providers can now offer their subscribers a wide range of high
speed services, including access to the Internet. Of course, a high speed Internet connection is
not free – subscribers pay an access fee, based on the duration of their connection.
Additionally, subscribers may want to take advantage of the solution provider’s local network
services (for example, purchasing goods and local services). In either case, the subscriber is
required to pay. And naturally, subscribers expect to pay only for the services rendered to them.
In any environment, billing is a complex process. It requires accurate data collection and
reconciliation, a means to validate and protect the data, and an efficient method for collecting
payments.
The AG 2100 offers powerful billing support functionality called “Authentication,
Authorization, and Accounting.” This feature (also known as AAA) employs a combination of
command routines designed to create a flexible, efficient, and secure billing environment. For
example, when a subscriber logs into the system, their unique MAC address is placed into an
authorization table. The system then authenticates the subscriber’s MAC address and billing
information before allowing them to access the Internet and make online purchases.
Figure: AAA and billing flow. Subscriber side: launch browser, enter credit card details, network access. AG 2100: AAA, billing mirror server, “Authorize this subscriber” (Yes/No). Solution provider side: external Web server, bank account.
The AAA Structure
The AG 2100’s Authentication, Authorization, and Accounting (AAA) module enables the
solution provider to provision, track, and bill new or returning subscribers. This includes:
• Allowing the solution provider to bill for the high speed network services it provides,
track usage on the network, and deny service to those guests who have not paid.
• Allowing the solution provider to bill subscribers for services rendered, either directly
to the subscriber, via a mailed invoice, or directly to the subscriber’s credit card
account.
The Authentication module is responsible for ensuring that when subscribers log in to the
system they are correctly identified. It can identify subscribers in many different ways. For
example:
• Based on their hardware (MAC) address.
• By validating their user name and password.
• By looking up subscribers on a local (flash) database.
• By looking up subscribers on a remote database.
The Authentication module can support user name and MAC address
authentication simultaneously.
The initial login page can be presented in various ways, depending on the system’s
configuration. The AG 2100 supports any of the following methods and tools:
• Internal and external Web pages.
• External “portal” page for redirection.
• User name and MAC-based logins (simultaneous or stand-alone).
• User-selectable options and parameters (for example, defining the time purchased).
Only subscribers that are correctly identified and authenticated are authorized to access the
system. Once authorized, the subscriber’s activity is logged and billed through the AG 2100’s
Accounting module.
The Accounting module fully supports the following functions:
• Credit card billing (for example, interaction with AuthorizeNet).
• User name and password verification.
• Billing verification.
Process Flow (AAA)
The following flowchart outlines the AAA and billing process. All actions depicted in the chart
are administered and tracked by the AG 2100.
Figure: AAA process flow. The AG 2100 detects the connection and verifies the user against the authorization table. A new user is shown the login page, specifies the lease time required, chooses a user ID and password, and provides credit card details to the provider’s billing system, which rejects or accepts the request; on acceptance the bill for goods and services is raised, the provider’s bank account credited and the billing mirror server updated. An existing subscriber whose lease time has expired is asked whether to purchase more time. Authorized subscribers are passed to the solution provider’s portal page (internal or external Web server) and on to the Internet and local online services: browsing and online purchases.
Internal and External Web Servers
The AG 2100 supports both internal and external Web servers which act as a login interface
between subscribers and the solution provider’s network, including the Internet. The internal
Web server is “flashed” into the system’s memory and the login page is served directly from
the AG 2100. In the external Web server model, the AG 2100 redirects the subscriber’s login
request to an external server. Either method is transparent to the subscriber; however, the
advantage of using the internal Web server is obvious – no login redirection tasks and a faster
response time for the subscriber.
Language Support
The AG 2100’s subscriber interface supports many Asian and European languages, including:
English, Chinese, French, German, Japanese, and Spanish.
Home Page Redirection
The AG 2100 can be configured to redirect all valid subscribers to a Web portal or home page
determined by the solution provider. After a specified time, from the first home page
redirection (determined by the system administrator), subscribers are redirected again to the
portal at the next Web page request.
Subscriber Management
The AG 2100 provides several subscriber management models, including:
• Free access (for example, no AAA functionality)
• MAC address
• User name and password
• Credit card
Combinations of two or more subscriber management models can be used. When a subscriber
connects to the network and attempts to access the Internet, the AG 2100 looks for each model
in the given order above.
Subscriber Management Models
The system administrator establishes the subscriber management model via the Command Line
Interface (CLI) or the Web Management Interface. These models can be changed while the AG
2100 is running (without rebooting or interrupting the service).
• Free Access – If the AG 2100 is configured to disable AAA services, all subscribers
will have free access to the Internet.
• MAC Address – Each computer with an Ethernet interface card has a unique MAC
(hardware) address. The AG 2100 can be configured to allow access for specified
MAC addresses. In this model, when a subscriber attempts to access the Internet, the
AG 2100 validates the subscriber’s MAC address against a MAC authorization table.
If the MAC address is verified, the AG 2100 authorizes access to the Internet. A
possible scenario for using this model is to allow Internet access to administrative
personnel in all locations.
• User Name and Password – Each subscriber can choose a unique user name and
password (and be charged for it). In this model, when a subscriber attempts to access
the Internet, they are prompted for the user name and password before access is
authorized. Possible scenarios in which this model is appropriate include allowing
subscribers to use more than one computer or when subscribers want to move between
locations.
• Credit Card – In this model, when subscribers connect to the network and attempt to
access the Internet, they are prompted for their credit card information. The AG 2100
is pre-configured to use the Authorize.Net service and you will need to open a
merchant trading account with them before using this subscriber management model.
Configuring the Subscriber Management Models
Model: What You Need To Do
Free access
    Disable the AAA services.
MAC address
    Enable the AAA services and add a subscriber profile to the
    database for each MAC address you want to enable.
User Name and Password
    Enable the AAA services and Usernames. Add a subscriber
    profile to the database for each user name and password you
    want to enable. You will need to request a unique user name
    and password when they pay for the service.
    The user name and password are optional (the MAC address
    will be substituted), but in this event the service is not
    transferable between computers.
Credit card
    Enable the AAA services. You have the choice of enabling the
    AG 2100’s internal authorization module or using an external
    credit card authorization server.
    Internal Authorization Enabled: Enter the credit card server’s URL and IP address,
    then enter the merchant ID you obtain from Authorize.Net.
    If you have NOT enabled Internal Authorization: Set up your own external
    authorization server with your merchant ID. Enter the secret key (the default is
    bigbrowndog). Enter the external authorization server’s URL, then enter its IP
    address as a pass-through IP address.
Information and Control Console (ICC)
The Information and Control Console (ICC) is an HTML-based pop-up window that is
presented to subscribers, allowing them to select their bandwidth and billing options quickly
and efficiently, and displays a dynamic “time” field to inform them of the time remaining on
their account. The ICC also offers service providers an opportunity to display advertising
banners and provide a choice of redirection options.
For information about configuring the ICC, refer to “Setting Up the Information and Control
Console {ICC Setup}” on page 183.
ICC Pop-Up Window
The ICC displays a pop-up window from which subscribers can dynamically control their
billing options and bandwidth, and which allows service providers to display advertising
banners and redirect their subscribers to predetermined Web sites.
Figure: ICC pop-up window, showing the banner, the bandwidth selection (pull down), the redirect buttons, the message bar, and the time remaining or, for RADIUS only, a “Logout” control.
The pop-up window automatically displays at Home Page Redirection (HPR) or whenever the
subscriber brings up a new browser window.
Chapter 5: Quick Reference Guide
This chapter contains product reference information, organized by topic. Use this chapter to
locate the information you need quickly and efficiently.
Web Management Interface (WMI) Menus
The following tables contain a listing and brief explanation of all menus and menu items
contained in the AG 2100’s Web Management Interface (WMI), listed as they appear on screen.
Main Page
Configuration Menu
    Displays the Configuration menu. The items in this menu allow you to establish
    the IP parameters, set the DHCP options, set the DNS and home page
    redirection options, display the configuration settings, and set the system
    date and time, SNMP and SYSLOG parameters.
Network Info Menu
    Displays the Network Info menu. The items in this menu are used to monitor
    and review network connections, routings, protocols, and network session
    statistics.
Port-Location Menu
    Displays the Port-Location menu. The items in this menu allow you to find,
    add, remove, and update the Port-Location Assignments (for example, VLAN
    tags).
Subscriber Administration Menu
    Displays the Subscriber Administration menu. The items in this menu allow
    you to add, remove, and monitor subscriber profiles, display the current DHCP
    leases, and monitor the subscribers currently connected to the network.
Subscriber Interface Menu
    Displays the Subscriber Interface menu. The items in this menu allow you to
    define how the subscriber interface is displayed to users and what information
    it contains.
System Menu
    Displays the System menu. The items in this menu allow you to manage login
    names and passwords, configuration settings, and routings.
Configuration Menu Items
AAA
    Establishes the AAA service options.
Access Control
    To enable secure administration of the product, the AG 2100
    incorporates a master access control list that checks the source (IP
    address) of administrator logins. A login is permitted only if a match
    is made with the master list contained on the AG 2100. If a match is
    not made, the login is denied, even if a correct login name and
    password are supplied. The access control list supports up to 50
    (fifty) entries in the form of a specific IP address or range of IP
    addresses.
    Additionally, the AG 2100 offers access control based on the type of
    Interface being used. This feature allows administrators to block
    access from Telnet, Web Management, and FTP sources.
Auto Configuration
    Provides an effortless and rapid method for configuring devices for
    fast network roll-outs.
Bandwidth Management
    Allows system administrators to manage the bandwidth for
    subscribers, defined in Kbps (Kilobits per second) for both
    upstream and downstream data transmissions.
Bill Record Mirroring
    Configures the AG 2100 to send copies of billing records to external
    servers.
DHCP
    Allows you to assign the AG 2100 as its own DHCP server, or
    enable the DHCP relay for an external server.
DNS
    Sets up the DNS parameters, including the host name, domain, and
    the primary and secondary DNS servers.
Dynamic DNS
    Sets Dynamic DNS parameters.
GRE Tunneling
    Sets GRE Tunneling parameters.
Home Page Redirect
    Allows you to redirect the subscriber’s browser to a specified home
    page.
iNAT
    Enables Intelligent Address Translation for Transparent VPN
    Access.
IPSec
    See “Defining IPSec Tunnel Settings {IPSec}” on page 98.
Location
    Sets up your location and IP addresses for the network, subscriber,
    subnet mask, and default gateway.
Logging
    Enables logging options for the system and AAA functions.
Passthrough Addresses
    Allows you to establish up to 300 IP pass-through addresses.
RADIUS Client
    With the appropriate product license, the AG 2100 supports Remote
    Authentication Dial-In User Service (RADIUS). This procedure sets
    up the RADIUS client.
Realm-Based Routing
    Establishes RADIUS proxies, where different realms can be set up
    to directly channel RADIUS messages to the various RADIUS
    servers.
Roaming Service
    Displays Roaming Service settings.
SMTP
    Allows you to enable or disable the SMTP (E-mail) redirection
    functions.
SNMP
    Establishes the SNMP parameters.
Subnets
    Enables dynamic multiple subnet support.
Subscriber Settings
    Blocks subscriber-to-subscriber communication.
Summary
    Displays a summary listing of all configuration settings.
Time
    Allows you to set the system date and time.
URL Filtering
    Allows the system administrator to dynamically add or remove up to 300
    specific IP addresses and domain names to be filtered for each
    property.
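The Access Control item above describes a source-address check that runs before the administrator's credentials are even considered: a login from an address outside the master list is denied even with a correct name and password. The following is an added example of that check, not Nomadix code. It assumes entries are written either as a single IP address, a CIDR block, or a "first-last" range (the guide does not specify the entry syntax), enforces the 50-entry limit, and returns the decision a login screen would log; the addresses and log lines are constructed.

```python
"""Source-address check for administrator logins.

Added example of the master access control list the Access Control item
describes: up to 50 entries, each a single IP address or a range, matched
against the source of every administrator login before the credentials are
considered. Not Nomadix code; the entry syntax (CIDR or "first-last") and
the log lines are constructed for the example.
"""
import ipaddress

MAX_ENTRIES = 50   # limit stated in the guide


class AdminAccessList:
    def __init__(self, entries: list) -> None:
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"access control list supports at most {MAX_ENTRIES} entries")
        self.rules = [self._parse(e) for e in entries]

    @staticmethod
    def _parse(entry: str):
        """A range "a.b.c.d-a.b.c.e", a CIDR block, or a single address (treated as a /32)."""
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if first.version != last.version or last < first:
                raise ValueError(f"bad range: {entry}")
            return ("range", first, last)
        return ("net", ipaddress.ip_network(entry, strict=False))

    def permits(self, source: str) -> bool:
        """True if the source address matches any entry on the list."""
        addr = ipaddress.ip_address(source)
        for rule in self.rules:
            if rule[0] == "net" and addr in rule[1]:
                return True
            if (rule[0] == "range" and addr.version == rule[1].version
                    and rule[1] <= addr <= rule[2]):
                return True
        return False


def evaluate_login(acl: AdminAccessList, source_ip: str, credentials_ok: bool) -> str:
    """Decide a login the way the guide describes: source check first, credentials second."""
    if not acl.permits(source_ip):
        # Denied even when the name and password are correct.
        return "denied: source not in access control list"
    return "permitted" if credentials_ok else "denied: bad credentials"


def audit(acl: AdminAccessList, attempts: list) -> list:
    """Run constructed login attempts (source, credentials_ok) and return log lines."""
    return [f"admin login from {src}: {evaluate_login(acl, src, ok)}" for src, ok in attempts]


if __name__ == "__main__":
    acl = AdminAccessList(["10.0.0.5", "192.168.1.0/24", "172.16.0.10-172.16.0.20"])
    for line in audit(acl, [("10.0.0.5", True), ("192.168.1.77", False), ("203.0.113.9", True)]):
        print(line)
```

Keep the list as narrow as the management network allows (the NOC subnet or a handful of jump hosts), and combine it with the interface-based control the same item mentions, so that management protocols you do not use are blocked outright rather than merely filtered by source.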
Network Info Menu Items
ARP
    Displays the ARP table, including the destination IP address and the
    gateway MAC address.
DAT
    Displays the DAT session table.
Hosts
    Displays the host table, including host names, associated IP
    addresses and any assigned aliases.
ICMP
    Displays the ICMP (Internet Control Message Protocol) performance
    statistics.
Interfaces
    Displays statistics for the interfaces.
IP
    Displays the IP performance statistics.
IPSec
    Displays IPSec Tunnel Status.
Login Page Failover
    Login Page Failover settings.
Routing
    Displays the routing tables and performance statistics.
Sockets
    Displays the active Internet connections.
Static Port-Mapping
    Displays the currently active static port-mapping scheme.
Subscriber Tunnels
    Displays subscriber tunnels.
TCP
    Displays the TCP performance statistics.
UDP
    Displays the UDP performance statistics.
Port-Location Menu Items
Add
    Adds or updates port-location assignments.
Delete All
    Deletes all port-location assignments. Use this command with
    caution.
Delete by Location
    Deletes port-location assignments, based on a specified location.
Delete by Port
    Deletes port-location assignments, based on a specified port (VLAN
    tag).
Export
    Exports specified port-location assignments to the location.txt file.
Find by Description
    Finds a port-location assignment, based on a unique description.
Find by Location
    Finds a port-location assignment, based on a specified location.
Find by Port
    Finds a port-location assignment, based on a specified port.
Import
    Imports specified port-location assignments from the location.txt file.
List
    Displays the port-location file, listing all port-location assignments.
Subscriber Administration Menu Items
Add: Allows you to add subscriber profiles to the database.
Current: Displays a list of all currently connected subscribers.
Delete by MAC: Allows you to delete a subscriber, based on a specific MAC address.
Delete by User: Allows you to delete a subscriber, based on a specific user name.
DHCP Leases: Sets up the current subscriber DHCP leases.
Expired: Allows you to remove expired profiles.
Find by MAC: Enables you to find a subscriber profile, based on a specified MAC address.
Find by User: Enables you to find a subscriber profile, based on a specified user name.
List by MAC: Displays a list of authorized subscriber profiles, sorted by MAC address.
List by User: Displays a list of authorized subscriber profiles, sorted by user name.
RADIUS Session History: Displays RADIUS Proxy Accounting Session history.
Statistics: Displays the current subscriber profile statistics (for example, how many profiles are in the database).
Subscriber Interface Menu Items
Billing Options: Establishes the various billing plans and rates (schemes), including messages and appearance.
ICC Setup: Allows you to set up the Information and Control Console (ICC) for subscribers.
Language Support: Allows you to define the language to be displayed on the Web Management Interface and the subscriber's portal page.
Local Web Server: Defines Local Web Server setup.
Login UI: Defines the appearance of the internal subscriber login user interface, including all the login messages and fonts, etc., and establishes the currency.
Post Session UI: Defines the post-session "Goodbye" page.
Subscriber Buttons: Allows you to define how each of the subscriber's user interface control buttons is displayed.
Subscriber Labels: Allows you to define how the subscriber's user interface field labels are displayed.
Subscriber Errors, 1 of 2: Allows you to define how error messages are displayed to subscribers (page 1 of 2).
Subscriber Errors, 2 of 2: Allows you to define how error messages are displayed to subscribers (page 2 of 2).
Subscriber Messages, 1 of 3: Allows you to define how "other" general messages are displayed to subscribers (page 1 of 3).
Subscriber Messages, 2 of 3: Allows you to define how "other" general messages are displayed to subscribers (page 2 of 3).
Subscriber Messages, 3 of 3: Allows you to define how "other" general messages are displayed to subscribers (page 3 of 3).
Subscriber Messages TOA: Displays the subscriber terms of agreement.
System Menu Items
ARP Add: Adds an Address Resolution Protocol (ARP) table entry.
ARP Delete: Deletes an ARP table entry.
Bridge Mode: Allows you to enable the Bridge Mode option.
Dynamic Proxy: Enables Dynamic Proxy.
Export: Exports configuration settings to an archive file.
Factory: Imports the factory default settings.
History: Displays a history log of the system's activity, including Access, Reboot and Uptime.
ICMP: Defines ICMP settings.
Import: Imports previously exported system configuration settings from an archive file.
Login: Sets up the login name and password.
MAC Filtering: Enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address.
Memory Utilization: Displays system memory usage information.
Reboot: Reboots the AG 2100.
Route Add: Adds a route into the AG 2100's routing table.
Route Delete: Deletes a route to a specific IP destination.
Session Limit: Limits the number of sessions any one user can open over a given time period and, if necessary, then blocks malicious users.
Static Port-mapping Add: Sets up static port-mapping schemes.
Static Port-mapping Delete: Deletes static port-mapping schemes.
Subscriber Interfaces: Blocks subscriber interfaces.
Syslog: Displays syslog history.
System Utilization: Enables or disables system utilization.
Upgrade: Obtain the latest Firmware Upgrade Procedure from Nomadix Technical Support.
User Settings: Enables or disables blocking of all IPPROTO traffic from misconfigured subscribers.
Wireless Configuration: Configures the AG 2100's wireless settings.
Alphabetical Listing of Menu Items (WMI)
Item: Description (Menu)
AAA: Set AAA options (Configuration)
Access Control: Enables secure administration of the AG 2100 (Configuration)
Add: Add subscriber profiles to the database (Subscriber Admin)
ARP: Display the ARP table (Network Info)
ARP Add: Add an ARP table entry (System)
ARP Delete: Delete an ARP table entry (System)
Auto Configuration: Defines auto configuration parameters (Configuration)
Bandwidth Management: Define upstream and downstream bandwidth (Configuration)
Billing Options: Establish the billing options (Subscriber I'face)
Bill Record Mirroring: Enable bill record copying to external servers (Configuration)
Bridge Mode: Enable the Bridge Mode option (System)
Current: Display currently connected subscribers (Subscriber Admin)
DAT: Display the DAT session table (Network Info)
Delete by MAC: Delete subscriber profiles by MAC address (Subscriber Admin)
Delete by User: Delete subscriber profiles by user (Subscriber Admin)
DHCP: Set the DHCP service options (Configuration)
DHCP Leases: Set the current subscriber DHCP leases (Subscriber Admin)
DNS: Set the DNS parameters (Configuration)
Expired: Remove all expired subscriber profiles from database (Subscriber Admin)
Export: Export configuration settings to the archive file (System)
Factory: Import the factory default configuration settings (System)
Find by MAC: Find a subscriber profile by MAC address (Subscriber Admin)
Find by User: Find a subscriber profile by user name (Subscriber Admin)
History: Display the system's history log (System)
Home Page Redirect: Redirect the subscriber's browser (Configuration)
Hosts: Display the host table (Network Info)
ICC Setup: Sets up the Information and Control Console (Subscriber I'face)
ICMP: Display ICMP performance statistics (Network Info)
Import: Import configuration settings from the archive file (System)
iNAT: Enable translation for transparent VPN access (Configuration)
Interfaces: Display performance statistics for interfaces (Network Info)
IP: Display IP performance statistics (Network Info)
Language Support: Define different languages (Subscriber I'face)
List by MAC: List the subscriber database, sorted by MAC address (Subscriber Admin)
List by User: List the subscriber database, sorted by user name (Subscriber Admin)
Location: Establish your location and network IP parameters (Configuration)
Logging: Enable system and AAA logging options (Configuration)
Login: Establish access for managers and operators (System)
Login UI: Establish the internal login screen settings (Subscriber I'face)
MAC Filtering: Blocks users based on MAC address (System)
Passthrough Addresses: Establish up to 100 IP pass-through addresses (Configuration)
Ping: Test a remote host via the network port (System)
RADIUS Client: Sets up RADIUS client options (Configuration)
Realm-Based Routing: Sets service profiles, realm-based routing policies (Configuration)
Reboot: Reboot the operating system (System)
Route Add: Add a route to the routing table (System)
Route Delete: Delete a route from the routing table (System)
Routing: Display routing performance statistics and tables (Network Info)
Session Limit: Limits subscriber sessions (System)
SMTP: Set the SMTP redirection options (Configuration)
SNMP: Establish the SNMP parameters (Configuration)
Sockets: Display the active IP connections (Network Info)
Static Port-Mapping: Displays currently active static port-mapping schemes (Network Info)
Static Port-Mapping Add: Adds a static port-mapping scheme (System)
Static Port-Mapping Delete: Deletes a static port-mapping scheme (System)
Statistics: Display the subscriber profile statistics (Subscriber Admin)
Subscriber Buttons: Define how control buttons are displayed to subscribers (Subscriber I'face)
Subscriber Labels: Define how field labels are displayed (Subscriber I'face)
Subscriber Errors: Define how error messages are displayed (Subscriber I'face)
Subscriber Messages: Define how "other" general messages are displayed (Subscriber I'face)
Summary: Display a summary of the configuration settings (Configuration)
TCP: Display the TCP performance statistics (Network Info)
Time: Set the system date and time (Configuration)
UDP: Display the UDP performance statistics (Network Info)
Upgrade: Upgrade the AG 2100 system firmware (System)
URL Filtering: Define URLs for filtering (Configuration)
Wireless Configuration: Sets up the wireless configuration parameters (System)
Default (Factory) Configuration Settings
The following table shows a partial listing of the AG 2100's primary default configuration settings (the settings established at manufacturing). For a complete listing of the factory default settings, refer to the factory.txt file. For more information, go to "Importing the Factory Defaults {Factory}" on page 211.
Several of these defaults are unsafe to leave in place on a production network: the administration login and password are both "admin", the SNMP Get and Set community strings are the well-known "public" and "private" (the Set community grants write access to the configuration), and the wireless interface broadcasts the SSID "Nomadix" with WEP disabled. Change them before the unit is reachable by subscribers, and remember that importing the factory defaults restores them.
Function: Default Setting
Version: AG v1.3.xxx (depends on firmware version)
AG 2100 ID: ag
Network Interface MAC: MAC address is unique for each product
Subscriber Interface MAC: MAC address is unique for each product
Network Interface IP: 10.0.0.10
Subnet Mask: 255.255.255.0
Default Gateway IP: 10.0.0.1
DHCP Client: Enabled
Admin IP: 172.30.30.172
Wireless Settings:
  SSID: Nomadix
  SSID Broadcast: Enabled
  Channel: Auto
  Rate: Auto
  Power: Full
  Fragment Length: 2346
  RTS Length: 2346
  Beacon Interval: 100
  DTIM: 1
  Enable Short Preamble: Disabled
  WEP: Disabled
  WEP Key Length: 64
Domain: nomadix.
Host Name: ag
Primary DNS: 0.0.0.2
Secondary DNS: 0.0.0.0
Tertiary DNS: 0.0.0.0
DHCP Relay: Disabled
  External DHCP Server IP: 0.0.0.0
  DHCP Relay Agent IP: 0.0.0.0
DHCP Server: Enabled
  DHCP Server IP: 10.0.0.4
  DHCP Subnet Mask: 255.255.255.0
  DHCP Pool Start IP: 10.0.0.12
  DHCP Pool End IP: 10.0.0.250
  Lease Duration Minutes: 1440
Home Page Redirection: Disabled
  Parameter Passing: Disabled
  Redirection Frequency Minutes: 3600
Dynamic Address Translation (DAT): Enabled (cannot be changed)
AAA Logging: Disabled
  AAA Log Server Number: 3
  AAA Log Server IP: 0.0.0.0
SYSLOG (System Logging): Disabled
  SYSLOG Server Number: 2
  SYSLOG Server IP: 0.0.0.0
AAA Services: Disabled
  Internal Authorization: Enabled
  New Subscribers: Enabled
  Credit Card Service: Enabled
  Parameter Passing: Disabled
  Usernames: Enabled
  XML: Disabled
DNS Redirection: Enabled
SMTP Redirection: Disabled
  SMTP Server IP: 0.0.0.0
SNMP: Disabled
  SNMP Get Community: public
  SNMP Set Community: private
  SNMP Trap IP: 0.0.0.0
System Administration Login User Name: admin
System Administration Password: admin
Product Specifications
Specifications
PUBLIC ACCESS
User Support:
AG 2100 supports a total of 100 wired and wireless users. Nomadix recommends a maximum of 50 concurrent wireless users.
Dynamic Address Translation (DAT)
Home Page Redirection (Pre and Post Authentication)
iNAT (for seamless VPN connectivity)
SMTP Redirection
Full Authorization, Authentication and Accounting Support
RADIUS Client
Bandwidth Management
Information and Control Console (ICC)
Global Roaming Support
MEDIA ACCESS CONTROL
CSMA/CA
PORTS
10/100Base-T Ethernet, RJ-45 (UTP)
WIRELESS
802.11b Specifications:
Frequency band: 2.4 GHz - 2.4835 GHz
Data Rates: 11, 5.5, 2, 1 Mbps
Modulation: Direct Sequence Spread Spectrum (CCK, DQPSK, DBPSK)
802.11g Specifications:
Frequency band: 2.4 GHz - 2.482 GHz
Data Rates: 54, 48, 36, 24, 18, 12, 6 Mbps
Modulation: Orthogonal Frequency Division Multiplexing, OFDM (64 QAM, 16 QAM, QPSK, BPSK)
NETWORKING
IEEE 802.3 / 3u
IEEE 802.1d
PoE per IEEE 802.3af
DHCP Server
DHCP Relay
DHCP Client
RADIUS Client (MD-5, PAP, CHAP, MS-CHAPv1, v2)
PPPoE Client
SECURITY
64-bit/128-bit WEP with dynamic keying (WEP is cryptographically broken; prefer WPA2 wherever subscriber clients support it)
iNAT
MAC Address Filtering and Session Limiting
WPA / WPA2
ANTENNA TYPE
802.11b/g: 2dBi
AUTHENTICATION
Internal database
Universal Access Method (UAM) using SSL
Smart Client Support: Adjungo Networks, Boingo Wireless, iPass, GoRemote
IEEE 802.1x (SIM / MD-5 / TLS / TTLS / PEAP)
MANAGEMENT
Multi-Level Administration Controls
Access Control Lists
Web Administration UI
SNMP v2c
Secure XML API
Auto Configuration and Upgrades
Syslog/AAA Log
POWER
100 to 240 VAC w/ ±10% margin
50/60 Hz w/ +2%, -4% margin
EN61000-3-2 compliant
ENVIRONMENT
Operating temperature: 0 - 40°C
Operating humidity: 10 - 90% RH non-condensing
Storage temperature: -25 - 60°C
Storage humidity: 5 - 95% RH non-condensing
REGULATORY
FCC Part 15
CE Mark
CE/R&TTE: EN301328 / EN301893 / EN301489-1, EN301489-17
VCCI Class B, Telec
UL 1950, CSA22.2 No 950, TÜV/GS(EN60950)
For further information on the certifications for the AG 2100 product, visit
www.nomadix.com/downloads.
COMPATIBILITY
Communicates with all Wi-Fi certified wireless adapters
PHYSICAL
9.25(L) x 6.25(W) x 1.5(H) inches
91.2(L) x 54(W) x 36.4(H) mm
Weight: 500 grams
Wall Mountable
LEDS
Power Indicator
10/100, ACT/Link
TRANSMITTER OUTPUT POWER
11g TX Power Specification:
Typical RF Output Power at each Data Rate and at room temperature: 25°C
+13 dBm at 54 Mbps
+15 dBm at 48 Mbps
+17 dBm at 36 Mbps
+18 dBm at 24, 18, 12, 9, & 6 Mbps
ALC loop to control transmit power within 0.9 dB tolerance in room temperature
11b TX Power Specification:
Typical 18 dBm at 11, 5.5, 2, & 1 Mbps at room temperature 25°C
ALC loop to control transmit power within 0.9 dB tolerance in room temperature
Sample AAA Log
The following table shows a sample AAA log. This log is generated by the AG 2100 and sent
to the SYSLOG server that is assigned to AAA logging.
Date   | Time     | AG 2100 Name         | Type of Data | Log Code | Log Message                              | Subscriber MAC Address | Expiration Time
Mar 31 | 18:23:10 | nomad237.nomadix.com | INFO AG_AAA: | 4207     | AAA_Authentication Successful            | 00:00:0E:32:2C:BC      | 2 hrs 1 min
Mar 31 | 18:23:26 | nomad237.nomadix.com | INFO AG_AAA: | 4207     | AAA_Authentication Successful            | 00:10:5A:61:40:FF      | 12 hrs 0 min
Mar 31 | 18:21:53 | nomad237.nomadix.com | INFO AG_AAA: | 4106     | AAA_lookup Added_in_memory_table_pending | 00:00:0E:32:2C:BC      |
Mar 31 | 18:43:54 | nomad237.nomadix.com | INFO AG_AAA: | 4208     | AAA_Authentication Unsuccessful_Error    | 00:60:08:B4:20:6A      |
Mar 31 | 21:34:21 | nomad237.nomadix.com | INFO AG_AAA: | 4007     | AAA_Interface Added_by_administrator     | 00:00:0:12:34:56       | 20 hrs 34 min
Mar 31 | 21:35:15 | nomad237.nomadix.com | INFO AG_AAA: | 4009     | AAA Interface Updated_by_administrator   | 00:00:0:12:34:56       | 2 hrs 34 min
Mar 31 |          | nomad237.nomadix.com | INFO AG_AAA: | 4006     | AAA Interface Removed_by_administrator   | 00:00:0:12:34:56       |
Message Definitions (AAA Log)
The six basic messages are defined as follows:
AAA_Authentication Successful: Subscriber profile was successfully added to the AG 2100 authorization table after being authenticated by the credit card server.
AAA_Authentication Unsuccessful_Error: Subscriber profile was not added to the AG 2100 authorization table because the credit card server did not recognize the transaction.
AAA_lookup Added_in_memory_table_pending: Subscriber profile has been recognized and the AG 2100 is waiting to authenticate the user.
AAA_Interface Added_by_administrator: Subscriber profile was manually added to the authorization table.
AAA_Interface Updated_by_administrator: Subscriber profile was updated.
AAA_Interface Removed_by_administrator: Subscriber profile was manually removed from the authorization table.
Sample SYSLOG Report
Syslog reports are generated by the AG 2100 and sent to the syslog server that is assigned to general error detection and reporting.
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] DHCP: ndxDHCPInit: 0021 DHCP initialized
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] CLISRD: 0206 Setting COM1 to 9600 baud
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] CLISRD: Starting CLI on the serial port
2003-02-10 11:25:53 Local2.Info 1.2.3.4 INFO [AG v1.3.028] AG 2100_INIT: AG 2100 v1.3.028 with ID 010384 Initialized
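The AAA messages above are the device's audit trail of who was admitted to the authorization table and by which path (the credit card server, or an administrator by hand). The parser and the two checks that follow are an added example written for this guide, not Nomadix code. The sample lines are constructed from the AAA-log table above, laid out one message per line in that table's column order; the exact syslog wire format is an assumption, so compare AAA_RE against a line captured from your own syslog server before relying on it. The table's truncated "00:00:0:12:34:56" address is written as a full six-octet MAC, the year (absent from the log) is assumed, and the failing MAC is repeated so the burst check has something to find.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the AAA-log table rows, one message per line in the
# table's column order. Assumption: the real device lays the fields out this way.
SAMPLE_LINES = [
    "Mar 31 18:21:53 nomad237.nomadix.com INFO AG_AAA: 4106 AAA_lookup Added_in_memory_table_pending 00:00:0E:32:2C:BC",
    "Mar 31 18:23:10 nomad237.nomadix.com INFO AG_AAA: 4207 AAA_Authentication Successful 00:00:0E:32:2C:BC 2 hrs 1 min",
    "Mar 31 18:23:26 nomad237.nomadix.com INFO AG_AAA: 4207 AAA_Authentication Successful 00:10:5A:61:40:FF 12 hrs 0 min",
    "Mar 31 18:43:54 nomad237.nomadix.com INFO AG_AAA: 4208 AAA_Authentication Unsuccessful_Error 00:60:08:B4:20:6A",
    "Mar 31 18:44:12 nomad237.nomadix.com INFO AG_AAA: 4208 AAA_Authentication Unsuccessful_Error 00:60:08:B4:20:6A",
    "Mar 31 18:44:40 nomad237.nomadix.com INFO AG_AAA: 4208 AAA_Authentication Unsuccessful_Error 00:60:08:B4:20:6A",
    "Mar 31 21:34:21 nomad237.nomadix.com INFO AG_AAA: 4007 AAA_Interface Added_by_administrator 00:00:00:12:34:56 20 hrs 34 min",
    "Mar 31 21:35:15 nomad237.nomadix.com INFO AG_AAA: 4009 AAA_Interface Updated_by_administrator 00:00:00:12:34:56 2 hrs 34 min",
    "Mar 31 21:40:02 nomad237.nomadix.com INFO AG_AAA: 4006 AAA_Interface Removed_by_administrator 00:00:00:12:34:56",
]

AAA_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<level>[A-Z]+) AG_AAA: (?P<code>\d{4}) (?P<message>.+?) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: (?P<hours>\d+) hrs (?P<minutes>\d+) min)?$"
)
LOG_YEAR = 2005   # assumption: the log carries no year, but time arithmetic needs one
ADMIN_CODES = {"4007": "added", "4009": "updated", "4006": "removed"}


def parse_line(line):
    """Return a dict for one AG_AAA message, or None for any other syslog line."""
    m = AAA_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(
        f"{LOG_YEAR} {rec['date']} {rec['time']}", "%Y %b %d %H:%M:%S")
    # Expiration Time is only present on messages that grant or extend access.
    rec["expiry_minutes"] = (int(rec["hours"]) * 60 + int(rec["minutes"])
                             if rec["hours"] is not None else None)
    return rec


def parse_log(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def code_counts(records):
    return Counter(r["code"] for r in records)


def failed_auth_bursts(records, threshold=3, window_seconds=120):
    """MACs with at least `threshold` 4208 (authentication failed) messages inside
    some window of `window_seconds`. One 4208 is usually a declined card; a tight
    burst from a single MAC is worth an alert."""
    failures = {}
    for r in records:
        if r["code"] == "4208":
            failures.setdefault(r["mac"], []).append(r["timestamp"])
    window = timedelta(seconds=window_seconds)
    flagged = []
    for mac, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(mac)
                break
    return flagged


def admin_profile_changes(records):
    """Audit trail of profiles changed by hand (codes 4006/4007/4009). Each one is
    an access decision made outside RADIUS and the credit-card flow, so it should
    be reconciled against a change record."""
    return [(r["timestamp"], ADMIN_CODES[r["code"]], r["mac"])
            for r in records if r["code"] in ADMIN_CODES]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LINES)
    print(dict(code_counts(recs)))
    print("burst of failed authentications from:", failed_auth_bursts(recs))
    for when, action, mac in admin_profile_changes(recs):
        print(f"{when:%b %d %H:%M:%S}  profile {action} by administrator: {mac}")
```

The burst check uses a sliding window rather than a fixed per-minute bucket so that three failures straddling a minute boundary are still caught; the administrator audit is deliberately unfiltered, because on a gateway where a hand-added profile bypasses every other control, every such event deserves a matching change record.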
Sample History Log
A history log is generated by the AG 2100 which includes the system’s activity (Access,
Reboot and Uptime).
More listings ...
Keyboard Shortcuts
The following table shows the most common keyboard shortcuts.
Action
Keyboard Shortcut
Cut selected data and place it on the clipboard.
Ctrl + X
Copy selected data to the clipboard.
Ctrl + C
Paste data from the clipboard into a document (at the insertion point).
Ctrl + V
Copy the active window to the clipboard.
Alt + Print Screen
Copy the entire desktop image to the clipboard.
Print Screen
Abort an action at any time.
Esc
Go back to the previous screen.
b
Access the Help screen.
?
RADIUS Attributes
RADIUS (Remote Authentication Dial-In User Service) was originally created to allow remote
authentication to the dial-in networks of corporations and dial-up ISPs. It is defined and
standardized by the IETF (Internet Engineering Task Force) and several RADIUS server
packages exist in both the public domain and for commercial sale.
RADIUS software stores a database of attributes describing its valid subscriber base. For example, usernames, passwords, access privileges, account limits and subscriber attributes can all be stored in a RADIUS database. RADIUS works in conjunction with NAS (Network Access Server) devices to determine whether access to the service network should be granted and, if so, with what privileges.
All subscribers attempting to gain access to the network are validated by RADIUS.
When a subscriber attempts to access the service provider's network, the AG 2100 delivers a Web page to the subscriber asking for a login name and password. The AG 2100 places these in a RADIUS Access-Request and sends it across the network to the ISP's RADIUS server. For PAP logins the password is hidden with the RADIUS shared secret (the RFC 2865 User-Password obfuscation), so it is protected only as well as that secret is, and the login page itself travels in the clear unless the SSL feature described later in this chapter is enabled. The RADIUS server recovers the password and compares it against its list of valid users. If the subscriber can be authenticated, the RADIUS server replies to the AG 2100 with an Access-Accept instructing it to grant access to the subscriber.
Optionally, the RADIUS server can instruct the NAS to perform other functions; for example, the RADIUS server can tell the AG 2100 what upstream and downstream bandwidth the subscriber should receive. If RADIUS cannot authenticate the subscriber, it will instruct the NAS to deny access to the network.
The Nomadix AG 2100 RADIUS functionality can be broken down into the following categories:
- Authentication-Request
- Authentication-Reply (Accept)
- Accounting-Request
- Selected Detailed Descriptions
- Nomadix Vendor Specific Attributes
Authentication-Request
- Username
- Password
- Service-Type
- NAS-Port (port number)
- NAS-Identifier
- Framed-IP Address
- NAS-IP Address
- NAS-Port-Type
- Acct-Session-ID
- Log-Off-URL
- EAP-Packet (used for 802.1x)
- Message-Authenticator (used for 802.1x)
- State (used/tested for 802.1x)
- Called-Station-ID
- Calling-Station-ID
Authentication-Reply (Accept)
- Reply-Message
- Reject-Message
- State (used/tested for 802.1x)
- Class
- Session-Timeout
- Idle-Timeout
- EAP-Packet (used for 802.1x)
- Message-Authenticator (used for 802.1x)
- Acct-Interim-Interval
- Nomadix VSAs:
  - Nomadix-Bw-Up
  - Nomadix-Bw-Down
  - Nomadix-URL-Redirection
  - Nomadix-IP-Upsell
  - Nomadix-MaxBytesUp
  - Nomadix-MaxBytesDown
  - Nomadix-Net-VLAN
  - Nomadix-Session-Terminate-End-Of-Day
  - Nomadix-Expiration
Accounting-Request
- Username
- Acct-Status-Type (Start/Stop/Update)
- Acct-Session-ID
- Acct-Output-Octets
- Acct-Input-Octets
- Acct-Output-Packets
- Acct-Input-Packets
- Class
- Acct-Session-Time (Stop)
- Terminate-Cause (Stop)
- NAS ID
- NAS-IP Address
- NAS-Port-Type
- NAS-Port
- Framed-IP Address
- Acct-Delay-Time
- Called-Station-ID
- Calling-Station-ID
- Nomadix VSAs:
  - Nomadix-URL-Redirection
  - Nomadix-IP-Upsell
Selected Detailed Descriptions
Acct-Session-ID
The Acct-Session-ID is created when the RADIUS authentication request is built. It is transmitted in both the Access-Request and the Accounting-Request, which is what lets the RADIUS server tie a subscriber's accounting records back to the authentication that admitted them.
Session Timeout
There is currently no default session timeout settable in the AG 2100's Web Management Interface (WMI). If the RADIUS server does not send a Session-Timeout, the AG 2100 will set the subscriber expiration time to 0, which means access forever. If sessions are meant to expire, the RADIUS server must therefore return Session-Timeout in every Access-Accept; there is no local safety net.
Log-Off-URL
Allows for the placement of a log off URL (for example, 1.1.1.1) on an external portal page.
Idle Timeout
The WMI allows the setting of a default idle timeout. If the RADIUS server does not send an Idle-Timeout in the RADIUS Access-Accept, the AG 2100 will use the default one to disconnect subscribers. "0" means forever.
Timeout Detection
If a subscriber is sending traffic through the AG 2100, the AG 2100 will immediately detect a Session-Timeout. However, in the case of an Idle-Timeout, or a Session-Timeout on a subscriber who is not sending traffic, the AG 2100 detects it via a clean-up function that is currently called every 2 minutes. Thus the current precision for sending the Acct-Stop is about 2 minutes.
Subscriber Session Duration
Acct-Session-Time is calculated the following way (for each transmitted/retransmitted Acct-Stop):
Acct-Session-Time = time of last sent packet - subscriber login time.
Another attribute, Acct-Delay-Time, will take into consideration the time spent in retransmissions.
Interim Accounting Updates
The AG 2100 parses the attribute Acct-Interim-Interval in an Access-Accept. If this attribute is present, the AG 2100 tries every [Acct-Interim-Interval] seconds to send a RADIUS Accounting Interim message for the specific subscriber. If this attribute is not present or equal to 0, no Interim message is sent.
The precision is 2 minutes. The AG 2100 will not send Interim messages more frequently than every 2 minutes.
Called-Station-ID
This is the Media Access Control (MAC) address of the AG 2100.
Calling-Station-ID
This is the Media Access Control (MAC) address of the client's computer. Because subscribers are keyed by MAC address throughout the AG 2100, treat this value as a session identifier rather than proof of identity: a client presenting the MAC of an authorized subscriber is accounted for under that subscriber's identity.
New Attributes in Acct-Request
The AG 2100 has to send the following attributes in an Accounting-Stop:
- Acct-Output-Packets: number of packets sent by the subscriber.
- Acct-Input-Packets: number of packets received by the subscriber.
Note that RFC 2866 defines Acct-Input-* as traffic received from the port (sent by the subscriber) and Acct-Output-* as traffic sent to the port (received by the subscriber), the reverse of the wording above. Before a billing system relies on either counter, confirm against a live Accounting-Stop which convention the AG 2100 actually follows.
Upon a reboot, these 2 attributes are saved in currfile.dat the same way as Acct-Input-Octets and Acct-Output-Octets.
If you plan to implement RADIUS, go to “Contact Information” on page 303 for
Nomadix Technical Support.
Nomadix Vendor Specific Attributes
Nomadix-Bw-Up
This attribute value (in Kbps) restricts the speed at which uploads are performed.
Nomadix-Bw-Down
This attribute value (in Kbps) restricts the speed at which downloads are performed.
Nomadix-URL-Redirection
This attribute allows the administrator to redirect the user to a page of the administrator's choice each time the user logs in.
Nomadix-IP-Upsell
This attribute allows the user to receive a public address from a DHCP pool when the AG 2100 has the IP-Upsell feature enabled.
Nomadix-Volume-Based-Session-Timeout
This attribute allows you to terminate a session once a specified data volume has been reached.
Nomadix-Session-Terminate-End-Of-Day
This attribute allows business policies to terminate the session at midnight of every day.
Nomadix-Expiration
This attribute defines a fixed time and date at which a session will be terminated. This feature can be used to cut off access to a certain profile for a defined user group at a specified time.
Setting Up the SSL Feature
This section describes how to set up the AG 2100's SSL feature.
Prerequisites
- The AG 2100 must be licensed for the SSL feature. Go to "Displaying Your Configuration Settings {Summary}" on page 133 and verify that the Licensed Features include "AAA SSL Support".
- You should be a business that is qualified to obtain an SSL secure server ID from a Certificate Authority (CA), such as VeriSign. The Certificate Authority sets this qualification criterion.
- You will need to generate your own Private Key and Certificate Signing Request (these instructions are provided below).
- You must obtain your own signed server certificate from the Certificate Authority. The selected Certificate Authority should be commonly trusted by the subscribers' browsers; otherwise subscribers will see a certificate warning on the login page, which defeats the purpose of the feature. We recommend that you use VeriSign (all instructions in this document are based on obtaining a certificate from VeriSign). Please contact Nomadix Technical Support if you want to use a different Certificate Authority.
For Nomadix technical support, go to "Contact Information" on page 303.
Obtain a Private Key File (cakey.pem)
To create a Private Key File, you must install OpenSSL on your Windows 9x or NT operating system on a PC with Internet access. The tools named below are the ones available when this guide was written; any current OpenSSL build will do. Generate the key on a machine you control rather than a shared workstation, and keep the resulting cakey.pem off any system that does not need it: whoever holds the private key can impersonate the login page.
Requirements for Certificate Signing Request (CSR) and Key Generation
- Cygwin and OpenSSL application installed on Windows 9x or NT.
- 5 large random files residing on the workstation (large compressed log files recommended by VeriSign). These files are put in as file1:file2:file3:file4:file5 in the key generation command.
Downloading Cygwin
There are several sources for obtaining "Cygwin" to install OpenSSL. One popular source is: http://sources.redhat.com/cygwin/.
Nomadix used Cygwin version 1.3.2 for generating this section of the User's Guide.
Installing Cygwin and OpenSSL on a PC
The example in this document is based on downloading the software with
Netscape 4.75.
The procedure starts from the Cygwin Net Release Setup Program screen:
Click on the Next button.
The following screen appears:
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Click on the Next button to display the next setup screen.
Select a location and click on the Next button.
For the purposes of this document, Nomadix used:
ftp://planetmirror.com
In the following screens, please skip all packages except "cygwin" and "openssl," then click on
the Next button when you are done.
At the time of this writing, there are more than 70 packages to install. Please
ensure that you "skip" all of them except the two packages mentioned above.
Click on the Next button to start the “download” process. Wait for the download process to
complete.
Click on the Next button to start the “install” process. Wait for the install process to complete.
There will be a pop-up dialog to inform you that the installation process is completed. At the
pop-up dialog, click on the OK button.
Private Key Generation
Create a directory from Root and put 5 random files, a.dat, b.dat, c.dat, d.dat, and e.dat (see
note) into the C:\cygwin\bin\ directory (or the directory where you installed openssl.exe).
These random files can be any file type, such as Word, Excel, etc. Rename the
files to .dat files (shown above). All files must follow the DOS naming format
(maximum 8 characters).
Run the "command" prompt from Windows, then click on the OK button.
Go to the c:\cygwin\bin\ directory and run the following command:
>openssl genrsa -rand file1:file2:file3:file4:file5 1024 > cakey.pem
The following table provides an explanation of the command elements:
openssl               The "openssl" command.
genrsa                A parameter for "openssl" to generate an RSA key.
-rand                 A parameter for "openssl" that takes its randomness from the
                      listed files.
file1:file2…:file5    These five large random files reside on the workstation (large
                      compressed log files recommended by VeriSign). They are entered in
                      the key generation command as file1:file2:file3:file4:file5.
>                     Output to.
cakey.pem             The file that contains the private key. The file name must be
                      "cakey.pem" to be used in the AG 2100.
Because there is a parameter buffer size limitation of the "openssl" command, the argument
length should not have more than 80 characters.
If you are creating multiple keys, please output them into different directories and save them
under different names. However, if you save them under a different name, you must change the
name back to "cakey.pem" before FTPing the file to the AG 2100.
Do not include the "-des3" option, so that the private key is kept in unencrypted form.
Here is the output of cakey.pem:
Create a Certificate Signing Request (CSR) File
Run the following command to generate the certificate signing request:
>openssl req -new -key cakey.pem > server.csr
The following table provides an explanation of the command elements:
openssl       The "openssl" command.
req           A parameter for creating a request.
-new          Defining a "new" request …
-key          … from the private key.
>             Output to …
server.csr    … the output file.
Fill in your company information. If "States" or "Province" names do not exist in your country,
please repeat the "Locality Name."
The "Common Name" is the name used in the AG->AAA->SSL Certificate Domain Name.
The Common Name in the Public Key must match the SSL Certificate Domain Name in the
Web Management Interface of the AG 2100 (refer to the AG 2100 setup information).
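As an added example (not from the Nomadix guide), the following Python script wraps the two OpenSSL steps above and enforces the constraints this section states: five DOS-named random files, the 80-character argument limit, no -des3, and a Common Name equal to the SSL Certificate Domain Name. It assumes an openssl binary on the PATH only for generate(); the company details and file names are placeholders.

```python
"""Added example, not Nomadix code: build and check the OpenSSL key/CSR
commands from this guide. Only generate() actually invokes openssl."""
import os
import re
import shutil
import subprocess

# Constraints stated in the guide.
MAX_ARG_LEN = 80          # "openssl" parameter buffer limitation
MAX_DOS_NAME = 8          # DOS naming format for the random files
KEY_FILE = "cakey.pem"    # name the AG 2100 expects for the private key
CSR_FILE = "server.csr"


def check_random_files(files):
    """Validate the five random seed files: count and DOS base-name length."""
    if len(files) != 5:
        raise ValueError("exactly five random files are required")
    for f in files:
        base, _ext = os.path.splitext(os.path.basename(f))
        if len(base) > MAX_DOS_NAME or not re.fullmatch(r"[A-Za-z0-9_]+", base):
            raise ValueError(f"{f}: base name must be DOS format (max 8 chars)")
    return True


def genrsa_args(files, bits=1024):
    """Argument list for 'openssl genrsa -rand f1:f2:f3:f4:f5 1024'.
    No -des3 is added: the AG 2100 needs the private key unencrypted."""
    check_random_files(files)
    rand = ":".join(files)
    if len(rand) > MAX_ARG_LEN:
        raise ValueError(f"-rand argument is {len(rand)} chars; limit is {MAX_ARG_LEN}")
    return ["openssl", "genrsa", "-rand", rand, str(bits)]


def req_args(common_name, org, locality, country, state=None, key=KEY_FILE):
    """Argument list for 'openssl req -new -key cakey.pem', with the subject
    given via -subj instead of the interactive prompts. Where the country has
    no State/Province, the guide says to repeat the Locality Name."""
    state = state or locality
    subj = f"/C={country}/ST={state}/L={locality}/O={org}/CN={common_name}"
    return ["openssl", "req", "-new", "-key", key, "-subj", subj]


def common_name_matches(subject_line, ssl_domain_name):
    """The CSR's CN must equal the AG 2100's SSL Certificate Domain Name.
    subject_line is the 'subject=...' text from 'openssl req -noout -subject'
    (both the old '/CN=' and the newer 'CN = ' layouts are accepted)."""
    m = re.search(r"CN\s*=\s*([^,/]+)", subject_line)
    return m is not None and m.group(1).strip() == ssl_domain_name


def generate(files, common_name, org, locality, country, workdir="."):
    """Run both OpenSSL steps and verify the CN. Requires openssl on PATH."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    key_path = os.path.join(workdir, KEY_FILE)
    csr_path = os.path.join(workdir, CSR_FILE)
    with open(key_path, "wb") as out:
        subprocess.run(genrsa_args(files), check=True, stdout=out)
    with open(csr_path, "wb") as out:
        subprocess.run(req_args(common_name, org, locality, country, key=key_path),
                       check=True, stdout=out)
    subj = subprocess.run(["openssl", "req", "-noout", "-subject", "-in", csr_path],
                          check=True, capture_output=True, text=True).stdout
    if not common_name_matches(subj, common_name):
        raise RuntimeError(f"CSR subject {subj.strip()!r} lacks CN={common_name}")
    return key_path, csr_path
```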
Here is the output of server.csr:
Create a Public Key File (server.pem)
VeriSign Purchasing Process
The signing process varies by Certificate Authority. Generally, you will need to send a
Certificate Signing Request to the Certificate Authority (CA) and the CA will create a public
key based on the certificate request.
This is the procedure to get a 40-bit or 128-bit encryption Public Key from VeriSign.
With IE or Netscape, go to www.verisign.com/products/site/index.html.
Select Buy for Secure Site Service.
Select Buy Now for 40-bit SSL (Secure Server) ID or 128-bit SSL (Global Server) ID.
Some older versions of popular browsers only support 40-bit or 56-bit
encryption. Since it is impossible to forecast the browsers that may be used in a
visitor-based network, Nomadix recommends implementing a 40-bit Public Key.
During the process, VeriSign will ask for your business information and verification. There are
several ways to prove the existence of your business. Please follow the instructions from
VeriSign carefully. In addition, there is one section about generating a CSR; however, since
you have already created the CSR in step 2 with OpenSSL, you can skip those instructions.
CSR Submission to VeriSign
Please select "Apache Freeware" to submit the CSR to VeriSign. The Certificate Signing
Request is in the server.csr (created in the previous step). Open server.csr and copy and paste
all data into the edit box.
Select the purchase method and submit the required contact information.
For Expedited Service, you will typically be able to get the Public Key by email
within two days. For Regular Service, you will typically be able to obtain the key
within seven days.
When you receive an email from VeriSign with "Secure Server ID" (Global Server ID if you
created a 128-bit key) that contains the Public Key information, copy and paste the key
into a new file named server.pem.
The file, "server.pem" will look like this:
You have now finished the process of obtaining a public key.
Setting Up AG 2100 for SSL Secure Login
1. FTP the "cakey.pem" and "server.pem" files into the AG 2100 platform's flash directory:
FTP to the AG 2100 by Netscape: ftp://username:password@AG_Network_IP/flash/.
2. Drag and drop the "cakey.pem" and "server.pem" files into the directory.
3. Changing Settings in the WMI
4. To change settings in the Web Management Interface (WMI), go to “Defining the AAA
Services {AAA}” on page 67.
Setting Up the Portal Page
System administrators can create login button(s) on the Portal Page, and can setup "http" links
for regular logins, secure logins, or both. When subscribers enter the Portal Page, they can then
choose either a regular login or a secure login. To setup the Portal Page, add the following:
For Regular Logins:
http://ag2100w_ip:1111/usg/login?OS=http://after_login_finished_page.html
For Secure Logins:
https://Certificate_DNS_Name:1112/usg/login?OS=http://after_login_finished_page.html
Mirroring Billing Records
Multiple AG 2100 units can send copies of credit card billing records to a number of external
servers that have been previously defined by system administrators. The AG 2100 assumes
control of billing transmissions and saving billing records. By effectively "mirroring" the
billing data, the AG 2100 can send copies of billing records to predefined "carbon copy"
servers.
Additionally, if the primary and secondary servers are down, the AG 2100 can store up to
2,000 credit card transaction records. The AG 2100 regularly attempts to connect with the
primary and secondary servers. When a connection is re-established (with either server), the
AG 2100 sends the cached information to the server. Customers can be confident that their
billing information is secure and that no transaction records are lost.
This document describes the process used by the Nomadix Hospitality Service Gateway for
mirroring billing records, and is organized into the following sections:
• “Sending Billing Records” on page 295
• “XML Interface” on page 296
• “Using the Web Management Interface (WMI)” on page 66
Sending Billing Records
When there is a message (billing record) in the message queue, the system "wakes up" and
performs the following tasks:
1. Store the billing record in the flash.
2. Create an XML packet, based on the new billing record.
3. Send the billing record to the carbon copy server(s).
4. Transmit the data currently stored in the flash, based on the specified retransmission
method (round-robin: A-B-A-B, or fail-over: A-A-B-B).
The system stores the billing record in the flash so that the record will not be lost (for example,
if the AG 2100 is powered down during transmission attempts).
Billing records are sent to the carbon copy server(s) only after the records are
placed in the message queue. Carbon copy servers will not receive the records
again if a task for retransmitting to the primary or secondary server needs to be
performed.
XML Interface
XML for the External Server
The AG 2100 sends a string of XML commands according to specifications. HTTP headers are
added to the XML packets that are built, as the billing “mirroring” information is sent to the
external server in HTTP compliant XML format. The XML string built from the billing mirror
record is in the following format:
AG 2100 to External Server:
<USG RMTLOG_COMMAND="ADD_REC">
<REC_NUM> max 4 characters </REC_NUM>
<USG_ID> max 6 characters </USG_ID>
<PROPERTY_ID> max 64 characters </PROPERTY_ID>
<DATE> max 10 characters </DATE>
<TIME> max 8 characters </TIME>
<ROOM_NUM> max 20 characters </ROOM_NUM>
<AMOUNT> max 10 characters </AMOUNT>
<TRANS_TYPE> max 5 characters </TRANS_TYPE>
</USG>
Format for each field:
REC_NUM:       00923 (numbers only, no alpha characters)
AG_ID:         00020b
PROPERTY_ID:   Any regular string
DATE:          03/30/2001 (mm/dd/yyyy)
TIME:          23:41:38 (24 hour format)
ROOM_NUM:      Any regular string
AMOUNT:        234.34
TRANS_TYPE:    CC
RESULT_VALUE:  OK or ERROR
IP:            Standard IP address format (123.123.123.123)
The packet, after the HTTP headers are added, looks like this:
XML to AG 2100
The AG 2100 uses USG commands for XML strings.
The AG 2100 accepts a single line of XML text in the specified format. The XML string is a
command sent by the External Server to the AG 2100 product. In this case, the
acknowledgement received from the External Server forms the command. The AG 2100
expects the acknowledgement in the following format:
External Server to AG 2100:
<AG COMMAND="RMTLOG_ACK">
<ACK_VALUE>RESULT_VALUE</ACK_VALUE>
<IP_ADDR>Server IP</IP_ADDR>
<ERROR_CODE>ERROR_CODE</ERROR_CODE>
</AG>
Example of a Positive Acknowledgement:
<AG COMMAND="RMTLOG_ACK">
<ACK_VALUE>OK</ACK_VALUE>
<IP_ADDR>11.22.33.44</IP_ADDR>
<ERROR_CODE>1</ERROR_CODE>
</AG>
Example of a Negative Acknowledgement:
<AG COMMAND="RMTLOG_ACK">
<ACK_VALUE>ERROR</ACK_VALUE>
<IP_ADDR>11.22.33.44</IP_ADDR>
<ERROR_CODE>5</ERROR_CODE>
</AG>
Format for each Field:
RESULT_VALUE:  OK or ERROR
IP:            Standard IP format (123.123.123.123)
ERROR_CODE:    1 for OK, or any other number
Please contact Nomadix Technical Support for the complete XML DTD. Refer to
“Contact Information” on page 303.
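The exchange described above, as an added example that is not part of the Nomadix guide: Python that builds the ADD_REC packet with the field limits from the table, wraps it in an HTTP envelope (the guide shows no header values, so that envelope is an assumption), and parses the server's RMTLOG_ACK. The sample record and acknowledgements are constructed.

```python
"""Added example, not Nomadix code: the billing-mirror XML exchange between
the AG 2100 and an external (carbon copy) server, per the formats above."""
import re
import xml.etree.ElementTree as ET

# Field -> (max length, validation regex) from the "Format for each field" table.
FIELDS = {
    "REC_NUM":     (4,  r"\d+"),                    # numbers only
    "USG_ID":      (6,  r"[0-9A-Fa-f]+"),           # e.g. 00020b
    "PROPERTY_ID": (64, r".+"),
    "DATE":        (10, r"\d{2}/\d{2}/\d{4}"),      # mm/dd/yyyy
    "TIME":        (8,  r"\d{2}:\d{2}:\d{2}"),      # 24 hour format
    "ROOM_NUM":    (20, r".+"),
    "AMOUNT":      (10, r"\d+(\.\d{1,2})?"),
    "TRANS_TYPE":  (5,  r"[A-Z]+"),                 # e.g. CC
}


def build_add_rec(record):
    """Return the <USG RMTLOG_COMMAND="ADD_REC"> packet for one billing record.
    Raises ValueError (or KeyError for a missing field) so a malformed record
    is rejected before it reaches the carbon copy server."""
    root = ET.Element("USG", RMTLOG_COMMAND="ADD_REC")
    for name, (max_len, pattern) in FIELDS.items():
        value = str(record[name])
        if len(value) > max_len or not re.fullmatch(pattern, value):
            raise ValueError(f"{name}={value!r} violates max {max_len} / {pattern}")
        ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode")


def wrap_http(xml_body, host, path="/"):
    """The packet 'after the HTTP headers are added'. The guide shows no header
    values, so this POST envelope is an assumption of the example."""
    body = xml_body.encode()
    headers = (f"POST {path} HTTP/1.0\r\nHost: {host}\r\n"
               f"Content-Type: text/xml\r\nContent-Length: {len(body)}\r\n\r\n")
    return headers.encode() + body


def parse_ack(xml_text):
    """Parse <AG COMMAND="RMTLOG_ACK">. Returns (ok, ip_addr, error_code).
    ok is True only for ACK_VALUE=OK and ERROR_CODE=1 ('1 for OK, or any other
    number'); anything else counts as a failure, so the record stays in flash
    for retransmission."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError:
        return False, None, None
    if root.tag != "AG" or root.get("COMMAND") != "RMTLOG_ACK":
        return False, None, None
    ack = (root.findtext("ACK_VALUE") or "").strip()
    ip = (root.findtext("IP_ADDR") or "").strip()
    try:
        code = int((root.findtext("ERROR_CODE") or "").strip())
    except ValueError:
        return False, ip, None
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        return False, None, code
    return (ack == "OK" and code == 1), ip, code


# Constructed sample record (illustrative values, not from a real property).
# Note: the guide's own sample REC_NUM "00923" is five characters, one more than
# the 4-character limit it states; this example uses a 4-digit value.
SAMPLE_RECORD = {
    "REC_NUM": "0923", "USG_ID": "00020b", "PROPERTY_ID": "Example Hotel",
    "DATE": "03/30/2001", "TIME": "23:41:38", "ROOM_NUM": "1204",
    "AMOUNT": "234.34", "TRANS_TYPE": "CC",
}

# Constructed acknowledgements in the two formats the guide shows.
POSITIVE_ACK = ('<AG COMMAND="RMTLOG_ACK"><ACK_VALUE>OK</ACK_VALUE>'
                '<IP_ADDR>11.22.33.44</IP_ADDR><ERROR_CODE>1</ERROR_CODE></AG>')
NEGATIVE_ACK = ('<AG COMMAND="RMTLOG_ACK"><ACK_VALUE>ERROR</ACK_VALUE>'
                '<IP_ADDR>11.22.33.44</IP_ADDR><ERROR_CODE>5</ERROR_CODE></AG>')

if __name__ == "__main__":
    packet = build_add_rec(SAMPLE_RECORD)
    print(wrap_http(packet, "cc.example.com").decode())
    print(parse_ack(POSITIVE_ACK), parse_ack(NEGATIVE_ACK))
```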
Troubleshooting
This chapter provides information to help you resolve common hardware and software
problems. It also contains a list of known error messages associated with the Management
Interface.
General Hints and Tips
The AG 2100 is both a hardware device and a powerful software utility. As a hardware
computing device, the AG 2100 requires careful handling. It should be positioned in a dust-free
and temperature-controlled environment.
Management Interface Error Messages
The following table contains the error messages associated with the Management Interface
(CLI and Web). All messages are listed alphabetically.
Error Message: AAA must be enabled before adding a subscriber to the profile database.
Cause: You are attempting to add a subscriber profile while AAA is disabled.

Error Message: Command not available “xx”
Cause: The system does not recognize your command (“xx” denotes your input).

Error Message: Current settings were not archived.
Cause: This message is displayed if you answer “no” when prompted to overwrite the
configuration archive file with new settings.

Error Message: Current settings were not changed.
Cause: This is either a response to your decision not to change settings, or the message is
generated by the system when it fails to locate the data it needs.

Error Message: Error loading factory settings.
Cause: The system cannot find the default configuration file when attempting to restore
the factory settings.

Error Message: Error occurred, ARP entry not added.
Cause: The IP or MAC address is invalid. Ensure that you input the correct format for
these fields.

Error Message: NFS client support not included.
Cause: This message is displayed when the system reboots and NFS clients are not supported.

Error Message: No matching MAC address found in profile database.
Cause: The system could not match the MAC address you defined while attempting to
remove a subscriber profile.

Error Message: [not defined]
Cause: This is the factory default for some system parameters.

Error Message: The system must be reset to function properly. /
The system must be rebooted to function properly!
Cause: You have made changes to the system’s configuration that require you to reboot
before your changes become effective.

Error Message: Warning: before using this command you must FTP a valid boot image to
the flash.
Cause: When upgrading the software, the system needs the new boot image file. You must
FTP the file from NOMADIX™ to your local hard drive.

Error Message: Warning: no DHCP services are available to subscribers.
Cause: This message is displayed because you have disabled both the external DHCP relay
and the system’s DHCP service. To make DHCP available to subscribers, at least one of
these functions must be enabled.

Error Message: “x” is ambiguous.
Cause: The system has more than one option it can display. You must provide additional
characters to narrow the system’s choices down to just one.

Error Message: “xxx” is invalid, enter ...
Cause: Your input is not recognized by the system.
Common Problems
If you are having problems, you may find the answers here. An updated version of this list can
be found at: www.nomadix.com/techsup.

Problem: When using the internal AAA login Web server, you cannot communicate with
Authorize.Net.
Possible Cause: The internal AAA login server communicates with Authorize.Net on a
specified port which is not enabled within the company’s firewall.
Solution: Enable communications with Authorize.Net on port 1111.

Problem: When a subscriber who is enabled with DHCP logs onto the system, they are not
assigned an IP address.
Possible Cause: The DHCP relay is enabled with an incorrect IP address for the external
DHCP server.
Solution: Check the IP address for the external DHCP server. If necessary, test the
communication with the “ping” command.
Possible Cause: The DHCP relay is enabled with the correct IP address for the external
DHCP server, but the DHCP server is misconfigured.
Solution: Check the external DHCP server settings (for example, is it configured to a
routable class of IP addresses? Are there enough IP addresses specified? If you specified a
subnet, is it correct?). If you suspect the subnet, try using 255.255.255.0.
Possible Cause: The DHCP relay is disabled and the DHCP service settings in the AG 2100
are misconfigured.
Solution: Check the internal DHCP service settings.

Problem: Subscribers are unable to route to a domain name, but they can route to an IP
address.
Possible Cause: The DNS server settings are misconfigured.
Solution: Check the DNS settings (host, domain, and the primary, secondary, and tertiary
DNS).
Possible Cause: The DNS server is down.
Solution: Check with the service provider. Is the DNS server down?

Problem: When a subscriber logs in for the first time, their browser is not redirected to the
specified home page.
Possible Cause: Home page redirection is not enabled in the AG 2100.
Solution: Enable home page redirection.
Possible Cause: The home page URL was entered into the AG 2100 incorrectly.
Solution: Re-enter the correct URL.
Possible Cause: The server that hosts the home page is down, or the service provider (if
different from the host) is not able to route to your page.
Solution: Check that the server is operational and that the home page can be accessed
through your service provider (if different).
Possible Cause: DNS is misconfigured in the AG 2100.
Solution: Check the DNS settings (host, domain, and the primary, secondary, and tertiary
DNS).
Appendix A: Technical Support
We have tried to ensure that you get the most up-to-date information available about the
Nomadix AG 2100, and we hope this User’s Guide has met all your operational and
performance needs. However, we understand that occasionally you may run into problems that
require additional technical support.
“Troubleshooting” on page 299 provides some basic troubleshooting information and
procedures that will help you to diagnose and solve your problem (if the problem is related to
the AG 2100). Additionally, you should check with your network documentation to verify that
the network components are functioning correctly.
If you cannot resolve the problem with your documentation resources, try connecting to our
corporate Web site. We may have new information posted here that addresses your issues.
www.nomadix.com/techsup
If you are still having problems, our friendly and experienced technical support team is always
ready to assist you.
When contacting technical support, please have your AG 2100’s serial number
available. The serial number is located on the bottom of your AG 2100.
Contact Information
You can contact us by Email, fax, telephone, or regular mail.
Telephone: +1.818.575.2590
E-mail: support@nomadix.com
Fax: +1.818.597.1502
Address:
Nomadix, Inc.
1100 Business Center Circle, Suite 100
Newbury Park, California 91320
Attn: Technical Support
Appendix B: Addendum
This Addendum provides information and procedures that will enable system administrators to
configure and use the specific features introduced in the 1.3 Maintenance, 1.3 M+ and 1.4
releases for the Nomadix Wireless Access Gateway (AG 2100). The features covered are:
1.3M and 1.3M+ Features:
• PPPoE Client
• L2TP Tunneling
• Local Syslog and Syslog Filters
• Periodic Syslogs: System Report Syslogs
PPPoE Client
These settings can be accessed under the following menus:
WMI Configuration
• Go to Configuration->Location to enable PPPoE Client
• On the Location page, click on the ‘Configure PPPoE Client’ link to get to the PPPoE
configuration page.
CLI Configuration
• Go to Configuration->Location to enable PPPoE Client
• Go to Configuration->PPPoeclient to configure PPPoE Client
SNMP Configuration
• Go to AG->pppoeClient (enterprises.3309.1.3.43) for the PPPoE Client configuration
branch
• Go to AG->location (enterprises.3309.1.3.19) and SET the locationNetIntfCfgMode
variable (enterprises.3309.1.3.19.15) to 2 to enable PPPoE Client.
PPPoE Service Name
This is the Service-Name TAG. The maximum allowed length is 31 characters.
PPP Keep Alive
• Echo Request Interval in seconds - Setting this to 0 will disable echo requests from
the NSE. The default value for this parameter is 30 seconds.
• Maximum Missed Responses allowed - This is the number of echo requests that can
be allowed to go without a response before the NSE determines that the PPP link is
down. This parameter can only be set to a whole number above 0.
PPP Authentication
• Username - This is the username for PPP based authentication required by your
service provider.
• Password - This is the password for PPP based authentication required by your
service provider. The maximum length for both username and password is 128 characters.
IP Configuration Mode
This defines the IP address configuration mode for the NSE. Setting this to Dynamic will
obtain a dynamic IP address from the PPPoE server, similar to a DHCP client. Setting this to
Static requires manually configuring the IP address in the text box.
Maximum TCP MSS
Please note that this is the MSS, not the MTU. The maximum value suggested by the RFC is 1452.
L2TP Tunneling
Define RADIUS Service Profiles
RADIUS service profiles are used to direct username access requests for both
plain RADIUS users and users who supply realm/domain in their username.
Certain RADIUS servers can only be set to interpret tunnel profiles in either
prefix or suffix-mode so a minimum of two RADIUS servers are required if both
prefix and suffix-based usernames are to be handled. What these RADIUS servers
will return in response to a RADIUS access request is the L2TP tunnel
parameters that the AG 2100 will use to establish an L2TP tunnel. See next figure
for an example of a RADIUS service profile.
• Create a RADIUS service profile for a RADIUS server that will handle Prefix-based
users. This is to handle users that will log in with a username in the format
“ISP/username”. In this case the delimiter is “/” and what appears before it, “ISP”, is
the realm name.
• Create a RADIUS service profile for a RADIUS server that will handle Suffix-based
users. This is to handle users that will log in with a username in the format
“username@ISP.com”. In this case the delimiter is “@” and what appears after it,
“ISP.com”, is the realm name.
Define Tunnel Profiles
Tunnel profiles can be defined when L2TP tunnel parameters are known and it is not necessary
to send an access request to a RADIUS server to obtain those parameters or for accounting
purposes.
Create a tunnel profile for each L2TP tunnel whose parameters are known. The tunnel
parameters that the profile contains are the IP address of the LNS and the tunnel password. See
next figure for an example of a tunnel profile.
Define Realm Routing Policies
Realm routing policies are used to determine how supplied username/password input is used to
authenticate users.
• Create a realm routing policy for each realm that will be handled. The realm routing
policy will reference either a RADIUS service profile or a tunnel profile. Many
different realm routing policies can reference the same RADIUS service or tunnel
profile.
See next figure for a realm routing policy that handles prefix-based usernames using a
RADIUS service profile. Notice that “Specific Realm” is clicked and the “Realm name” is
“cisp”. Also notice that “Prefix match only” is clicked and that the delimiter is “/”. This means
that this realm routing policy will match usernames that are of the format “cisp/username”.
This policy references a RADIUS service profile so a realm match will result in an access
request being sent to the RADIUS server(s) specified in the RADIUS service profile. In this
case, the RADIUS service profile “RadiusPrefix” is referenced and so the RADIUS server(s)
defined therein will receive RADIUS access requests.
Notice that the checkbox is unchecked for “Strip off routing information when sending to
RADIUS server”. This box must always be unchecked in order to pass realm information to
the RADIUS server(s) for matching of realm information to its defined tunnel profiles, which
contain the needed tunnel parameters.
The checkbox “Strip off routing information when sending to tunnel server” may or may not
be checked depending on the configuration of the tunnel server and how it will be
authenticating subscribers. In this example, it is checked and so realm information will be
stripped leaving only the simple username and password to be passed to the tunnel server.
The tunnel server in this case is configured to authenticate users via another RADIUS server
that handles a single realm. Since it handles a single realm, no realm information is needed for
users, and so it must be stripped. In this case, it is stripped by the AG 2100, but it could just as
easily have been stripped by the tunnel server, or by the tunnel server’s RADIUS server. This
was designed for maximum flexibility.
Also note that the “Local hostname” field is blank, which means that the AG 2100 will use its
default local hostname of “usg_lac”. This field allows the local hostname to be set to any
desired value other than the default. The L2TP peers exchange their local hostnames during
tunnel negotiation.
See next figure for a realm routing policy that handles suffix-based usernames using a tunnel
profile. The differences in this example are the realm name is “tcisp.com”, “Suffix match only”
is enabled (the delimiter in this case is “@”), and a tunnel profile, “LNS-One”, is selected
instead of a RADIUS service profile.
This means that this realm routing policy will match usernames that are of the format
“username@tcisp.com”. Since this policy references a tunnel profile, no RADIUS access
requests will be sent to any RADIUS server. In this case, the AG 2100 will use the L2TP tunnel
parameters specified in the tunnel profile to establish a tunnel and pass the username/password
input to the tunnel server.
As before, the username passed to the tunnel server will have realm information stripped since
the checkbox for “Strip off routing information when sending to tunnel server” is checked.
This checkbox may be unchecked if it is necessary for usernames to contain realm information
for user authentication.
The “Local hostname” field is also blank in this example which means that the AG 2100 will
use the default value of “usg_lac” during tunnel negotiation.
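The realm routing behaviour described in the two examples above, as an added example that is not Nomadix code: a small Python model of a realm routing policy (specific realm, prefix or suffix match with its delimiter, the referenced RADIUS service or tunnel profile, and the two "Strip off routing information" checkboxes), applied to sample usernames. The policy names "RadiusPrefix" and "LNS-One" are the guide's; the data structure and checks are assumptions of the example.

```python
"""Added example, not Nomadix code: apply realm routing policies to a
username the way the guide describes, and lint the configuration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RealmPolicy:
    realm: str               # the "Specific Realm" name
    match: str               # "prefix" or "suffix" ("... match only" setting)
    delimiter: str           # "/" for prefix, "@" for suffix in the guide
    target_kind: str         # "radius" (RADIUS service profile) or "tunnel"
    target_name: str         # profile referenced by the policy
    strip_for_radius: bool   # "Strip off routing information when sending to RADIUS server"
    strip_for_tunnel: bool   # "Strip off routing information when sending to tunnel server"
    local_hostname: str = "" # blank means the AG 2100 default "usg_lac"

    def split(self, username):
        """Return (realm, bare_user) if this policy matches the username, else None."""
        if self.match == "prefix":
            realm, sep, user = username.partition(self.delimiter)
        else:
            user, sep, realm = username.rpartition(self.delimiter)
        if not sep or realm != self.realm or not user:
            return None
        return realm, user


def route(username, policies):
    """Return what the AG 2100 does with a username under the first matching
    policy: which profile it uses and the username it forwards (stripped or
    not). None means no realm policy matched (handled as a plain RADIUS user)."""
    for p in policies:
        parts = p.split(username)
        if parts is None:
            continue
        realm, bare = parts
        if p.target_kind == "radius":
            # The RADIUS server matches the realm to its tunnel profile, so the
            # guide says the RADIUS strip box must stay unchecked.
            forwarded = bare if p.strip_for_radius else username
        else:
            forwarded = bare if p.strip_for_tunnel else username
        return {"realm": realm, "target_kind": p.target_kind,
                "target_name": p.target_name, "forwarded_user": forwarded,
                "local_hostname": p.local_hostname or "usg_lac"}
    return None


def lint(policy):
    """Configuration check drawn from the guide: a RADIUS-backed policy that
    strips realm information before the access request cannot work, because the
    RADIUS server needs the realm to select the L2TP tunnel parameters."""
    problems = []
    if policy.target_kind == "radius" and policy.strip_for_radius:
        problems.append(f"{policy.realm}: uncheck 'Strip off routing information "
                        "when sending to RADIUS server'")
    return problems


# Constructed policies modelled on the two examples in this section.
POLICIES = [
    RealmPolicy("cisp", "prefix", "/", "radius", "RadiusPrefix",
                strip_for_radius=False, strip_for_tunnel=True),
    RealmPolicy("tcisp.com", "suffix", "@", "tunnel", "LNS-One",
                strip_for_radius=False, strip_for_tunnel=True),
]

if __name__ == "__main__":
    for name in ("cisp/alice", "bob@tcisp.com", "carol@other.com"):
        print(name, "->", route(name, POLICIES))
```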
Configure RADIUS Client
The AG 2100 RADIUS client must be set up for realm-based routing mode since realm
information will be used by the AG 2100’s L2TP tunnel feature to determine how to handle
usernames that contain realm information. See next figure for an example of setting the routing
mode to handle realm-based usernames.
That should cover the main points regarding configuring an AG 2100 to support L2TP
tunneling.
Local Syslog and Syslog Filters
These settings can be accessed under the Configuration/Logging menu.
Log Filter Setting:
The syslogs can be filtered at 7 levels as shown above. Setting the level to a number disables
any syslogs above that filter setting. For example, setting the filter to 2:Critical only generates
0:Emergency, 1:Alert and 2:Critical level syslogs. All other syslogs are not generated.
Log save to file Setting:
This setting enables/disables saving of syslogs generated by the system to a file named
“syslog.txt” in the /flash directory of the NSE. This setting follows the other syslog settings,
such as the filter level, the number of syslogs, and enable/disable.
It is not required to input a server IP address if you intend to only store the syslogs locally.
Please leave the IP address field blank for such cases.
Warning: Do not configure the Server IP as the IP address of the gateway.
Stored syslogs are viewable under System/Syslog menu. A total of 500 syslogs are stored
locally.
Page faults are stored in the file named “lograw.txt” in the /flash directory and are
not viewable on the web management interface.
Periodic Syslogs: System Report Syslogs
These settings can be accessed under the Configuration/Logging menu.
The following Logs are available for configuration on the NSE:
AAA Log
These logs record events related to Authentication, Authorization, and Accounting on the
NSE.
RADIUS History Log
These logs record RADIUS proxy accounting messages sent or received by the RADIUS
proxy. Please refer to “Viewing RADIUS Proxy Accounting History {RADIUS Session
History}” on page 176 for additional configuration information.
System Report Log
These are Periodic Syslogs that report the status of the NSE and carry information about
the NSE ID, NSE IP Address and the current number of Subscribers on the NSE.
Example:
INFO [nse_product_name version] SYSRPT: ID: 012345 IP: 11.222.333.444 (unresolved)
Subscribers: 010
Additional Configuration:
System Report Log Interval
This is the time interval in minutes between the system report syslogs.
Subscriber Tracking Log
Enabling this checkbox enables the Subscriber Tracking log. Use this to track the network
usage of specific Subscribers on the network by receiving a syslog of every Session that is
opened by each subscriber. Each new DAT session that is created for subscribers is logged
in these syslogs. Proxy state, type of access, and Username are included besides the source
and destination information of each session. There are IN and OUT messages for the
beginning and ending of each session.
Examples:
INFO [AG 2100 v2.4.113] LI : IN-->: THU JUN 23 11:43:58 2005 | testlab |
S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy ,
00:90:27:78:81:00, RADIUS, IPASS/0U0000
INFO [AG 2100 v2.4.113] LI : OUT-->: THU JUN 23 11:44:01 2005 | testlab |
S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy ,
00:90:27:78:81:00, RADIUS, IPASS/0U0000
Field formats explained:
LI : IN-->: Day Month Date Time Year | NSE_Site_Name | S(Source_IP/Port),
D(Destination_IP/Port), X(NSE_Translated_IP/Port), proxy_type , Subscriber_MAC,
Billing_Type, UserName(first 12 char).
Example: LI : IN-->: THU JUN 23 11:43:58 2005 | testlab |
S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy ,
00:90:27:78:81:00, RADIUS, IPASS/0U0000
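As an added example (not from the Nomadix guide), a Python parser for the Subscriber Tracking lines above that pairs each OUT message with its IN to compute session durations. The sample log is constructed from the format in this section, and the field names follow the "Field formats explained" line.

```python
"""Added example, not Nomadix code: parse 'LI : IN-->' / 'LI : OUT-->'
Subscriber Tracking syslogs and pair them into sessions."""
import re
from datetime import datetime

# One regex for both IN and OUT messages; group names follow the guide's
# "Field formats explained" line.
LI_RE = re.compile(
    r"INFO \[(?P<product>[^\]]+)\] LI : (?P<dir>IN|OUT)-->: "
    r"(?P<when>[A-Z]{3} [A-Z]{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \| "
    r"(?P<site>[^|]+?) \| "
    r"S\((?P<src_ip>[\d.]+)/(?P<src_port>\d+)\), "
    r"D\((?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)\), "
    r"X\((?P<xlat_ip>[\d.]+)/(?P<xlat_port>\d+)\), "
    r"(?P<proxy>[^,]+?) ?, "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), "
    r"(?P<billing>[^,]+), (?P<user>.+)$"
)


def parse_li(line):
    """Return a dict of fields for one tracking-log line, or None if it is not
    one (other syslog types share the feed, so a non-match is not an error)."""
    m = LI_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # strptime matches the upper-case day/month abbreviations case-insensitively.
    rec["when"] = datetime.strptime(rec["when"], "%a %b %d %H:%M:%S %Y")
    for k in ("src_port", "dst_port", "xlat_port"):
        rec[k] = int(rec[k])
    return rec


def session_key(rec):
    """What identifies one DAT session: the subscriber MAC plus the source,
    destination and NSE-translated sockets."""
    return (rec["mac"], rec["src_ip"], rec["src_port"],
            rec["dst_ip"], rec["dst_port"], rec["xlat_ip"], rec["xlat_port"])


def pair_sessions(lines):
    """Match OUT messages to their IN. Returns (sessions, unmatched): each
    session is the IN record plus start/end/duration_s; unmatched lists IN
    records that never saw an OUT (still open, or the OUT syslog was lost)."""
    open_sessions, sessions = {}, []
    for line in lines:
        rec = parse_li(line)
        if rec is None:
            continue
        key = session_key(rec)
        if rec["dir"] == "IN":
            open_sessions[key] = rec
        elif key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({**start, "start": start["when"], "end": rec["when"],
                             "duration_s": (rec["when"] - start["when"]).total_seconds()})
    return sessions, list(open_sessions.values())


# Constructed sample log, modelled on the examples in this section. The second
# line is a System Report syslog, included to show that it is skipped.
SAMPLE_LOG = """\
INFO [AG 2100 v2.4.113] LI : IN-->: THU JUN 23 11:43:58 2005 | testlab | S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000
INFO [AG 2100 v2.4.113] SYSRPT: ID: 012345 IP: 11.222.333.444 (unresolved) Subscribers: 010
INFO [AG 2100 v2.4.113] LI : IN-->: THU JUN 23 11:44:00 2005 | testlab | S(192.168.2.9/1025), D(10.0.0.5/443), X(67.130.149.4/5005), non-proxy , 00:90:27:aa:bb:cc, RADIUS, guest
INFO [AG 2100 v2.4.113] LI : OUT-->: THU JUN 23 11:44:01 2005 | testlab | S(192.168.2.4/3444), D(66.163.175.128/80), X(67.130.149.4/5004), non-proxy , 00:90:27:78:81:00, RADIUS, IPASS/0U0000
""".splitlines()

if __name__ == "__main__":
    done, still_open = pair_sessions(SAMPLE_LOG)
    for s in done:
        print(s["user"], s["src_ip"], "->", s["dst_ip"], s["dst_port"], s["duration_s"], "s")
    print("open sessions:", [s["mac"] for s in still_open])
```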
Glossary of Terms
802.11x
Refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station, or between two wireless clients. The IEEE accepted the
specification in 1997. There are several specifications in the 802.11 family:
802.11
Applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either Frequency Hopping
Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS).
802.11a
An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5GHz band. 802.11a uses an
Orthogonal Frequency Division Multiplexing (OFDM) encoding scheme rather than FHSS or DSSS.
802.11b
(also referred to as 802.11 High Rate or Wi-Fi™) An extension to 802.11 that applies to wireless LANs and provides
11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b
was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet.
802.11g
Applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.
802.1Q
An IEEE standard for providing a virtual LAN capability within a campus network. 802.1Q establishes a standard
format for frame tagging (Layer 2 VLAN markings), enabling the creation of VLANs that use equipment from
multiple vendors.
10/100 Ethernet
See Ethernet.
AAA
(Authentication, Authorization, and Accounting) A combination of commands used by Nomadix Gateways to
authenticate, authorize, and subsequently bill subscribers for their use of the customer’s network. When a subscriber
logs into the system, their unique MAC address is placed into an authorization table. The system then authenticates the
subscriber’s MAC address and billing information before allowing them to access the Internet and make online
purchases. See also, MAC Address.
Access Concentrator
A type of multiplexor that combines multiple channels onto a single transmission medium in such a way that all the
individual channels can be simultaneously active. For example, ISPs use concentrators to combine their dial-up
modem connections onto faster T-1 lines that connect to the Internet. Concentrators are also used in Local Area
Networks (LANs) to combine transmissions from a cluster of nodes. In this case, the concentrator is often called a hub.
Access Router
A router at a customer site, which connects to the network service provider. Also known as a Customer Premises
Equipment (CPE) router. See also, Router.
ACK
(ACKnowledgment) If all the transmitted data is present and correct, the receiving device sends an ACK signal, which
acts as a request for the next data packet.
Adaptive Configuration Technology
A Nomadix, Inc. patented technology that enables Dynamic Address Translation. See also, DAT.
ad-hoc mode
An 802.11x networking framework in which devices or stations communicate directly with each other, without the use
of an Access Point (AP). Ad-hoc mode is also referred to as peer-to-peer mode, or an Independent Basic Service Set
(IBSS). Ad-hoc mode is useful for establishing a network where wireless infrastructure does not exist or where
services are not required.
ADSL
(Asynchronous Digital Subscriber Line) A method for moving data at high speed over regular phone lines.
AES
Advanced Encryption Security; symmetric cipher defined in FIPS-197; based upon the Rijndael algorithm.
AP
(Access Point) A hardware device or a computer's software that acts as a communication hub for users of a wireless
device to connect to a wired LAN. APs are important for providing heightened wireless security and for extending the
physical range of service a wireless user has access to.
ARP
(Address Resolution Protocol) Used to dynamically bind a high level IP address to a low level physical hardware
address. ARP is limited to a single physical network that supports hardware broadcasting.
ATM
(Asynchronous Transfer Mode) A network technology based on transferring data in “cells” or packets of a fixed size
(53 bytes each). The cell used with ATM is relatively small compared to units used with older technologies. The small,
constant cell size allows ATM equipment to transmit video, audio, and computer data over the same network, and
assures that no single type of data monopolizes the line. ATM can offer multi-gigabit bandwidth. See also, Bandwidth
and Packet.
Bandwidth
The maximum speed at which data can be transmitted between computers across a network, usually measured in bits
per second (bps). If you think of the communication path as a water pipe, the bandwidth represents the width of the
pipe which consequently determines how many gallons of water can flow through it at any given time. See also,
Broadband.
Beacon
A management frame sent by an access point (or in the case of an ad-hoc network, sent by a peer station) that allows
wireless stations to establish and maintain communication across a wireless network. The body of the beacon frame
contains data such as SSID, timestamps, supported rates, etc.
Beacon Interval
The amount of time between beacon transmissions.
Broadband
A high speed data transmission medium capable of supporting a wide range of varying frequencies. Broadband can
carry multiple signals at fast rates of speed by dividing the total capacity of the medium into multiple, independent
bandwidth channels, where each channel operates only on a specific range of frequencies. See also, Bandwidth.
BSS
(Basic Service Set) See infrastructure mode.
carrier frequency
A frequency in a communications channel modulated to carry analog or digital signal information. For example, an
FM radio transmitter modulates the frequency of a carrier signal and the receiver processes the carrier signal to extract
the analog information. An AM radio transmitter modulates the amplitude of a carrier signal.
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol; an encryption protocol based upon the
CCM mode of the AES encryption algorithm.
CoS
(Class of Service) A category based on the type of user, type of application, or some other criteria that QoS systems
can use to provide differentiated classes of service. The characteristics of the CoS may be appropriate for high
throughput traffic, for traffic with a requirement for low latency, or simply for best effort. The QoS experienced by a
particular flow of traffic will be dependent on the number and type of other traffic flows admitted to its class. See also,
QoS.
Daemon
A program that runs continuously in the background, or is activated by a particular event (for example, an error may
trigger Syslog). The word daemon is Greek for “spirit” or “soul.” See also, SYSLOG.
DAT
(Dynamic Address Translation) Nomadix Gateways provide “plug-and-play” access to subscribers who are
misconfigured with static (permanent) IP addresses, or subscribers that do not have DHCP functionality on their
computers. DAT is a Nomadix, Inc. patented technology that allows all users to obtain network access, regardless of
their computer’s network settings. See also, DHCP.
DHCP
(Dynamic Host Configuration Protocol) A standard method for assigning IP addresses automatically to devices
connected on a TCP/IP network. When a new device connects to the network, the DHCP server assigns an IP address
from a list of its available addresses. The device retains this IP address for the duration of the session. When the device
disconnects from the network, the IP address becomes available for reassignment to another device. See also,
Dynamic IP Address, IP Address, Static IP Address, and TCP/IP.
DNS
(Domain Name System) A system that maps meaningful domain names with complex numeric IP addresses. See also,
Domain Name and IP Address.
Domain Name
A unique and meaningful name representing each addressable computing device on a dynamic network (for example,
the Internet). Some devices have more than one domain name. When a user types a domain name, requesting a
connection to the device, DNS converts the domain name into a numeric IP address. The location of the device on the
network is known by its IP address. WWW.YAHOO.COM is an example of a commercial domain name on the World
Wide Web. See also, DNS, Internet, and IP Address.
DSSS
(Direct Sequence Spread Spectrum) One of two types of spread spectrum radio—the other being Frequency Hopping
Spread Spectrum (FHSS). DSSS is a transmission technology used in WLAN transmissions where a data signal at the
sending station is combined with a higher data rate bit sequence, or “chipping” code, that divides the user data
according to a spreading ratio. The chipping code is a redundant bit pattern for each bit that is transmitted, which
increases the signal's resistance to interference. If one or more bits in the pattern are damaged during transmission, the
original data can be recovered due to the redundancy of the transmission.
DTIM
(Delivery Traffic Indication Message) A message included in data packets that can increase wireless efficiency.
Dynamic IP Address
A temporary IP address that is assigned by the DHCP server to a device. Devices retain dynamic IP addresses only for
the duration of their networking session. When a device disconnects from the network, the IP address is recaptured by
the DHCP server and becomes available for reassignment to another device. See also, DHCP, IP Address, IP
Address Translation, Static IP Address, and Translation.
EAP
(Extensible Authentication Protocol) An extension to PPP. EAP is a general protocol for authentication that also
supports multiple authentication methods (for example, public key authentication and smart cards). IEEE 802.1x
specifies how EAP should be encapsulated in LAN frames. In wireless communications using EAP, a user requests
connection to a WLAN through an AP, which then requests the identity of the user and transmits that identity to an
authentication server such as RADIUS. The server asks the AP for proof of identity, which the AP gets from the user
and then sends back to the server to complete the authentication.
ECommerce
A business venture between a supplier and its customers using online services (for example, the Internet). Both parties
use online services to conduct business transactions. Transactions may include generating orders, invoices, and
payments, and submitting inquiries. Also known as Enterprise.
Enterprise
WPA-Enterprise or WPA 2-Enterprise; requires IEEE 802.1x to obtain keys from a RADIUS server; similar to dynamic
WEP.
ESS
(Extended Service Set) See infrastructure mode.
Ethernet
A Local Area Network (LAN) protocol developed by Xerox Corporation in cooperation with DEC and Intel in 1976.
Ethernet uses a bus or star topology and supports data transfer rates of 10 Mbps. The Ethernet specification served as
the basis for the IEEE 802.3 standard, which specifies the physical and lower software layers. Ethernet is one of the
most widely implemented LAN standards. A newer version of Ethernet, called 100Base-T (or Fast Ethernet), supports
data transfer rates of 100 Mbps. The latest version, Gigabit Ethernet, supports data rates of 1 Gigabit (1,000 Mbps) per
second. See also, Mbps.
Fast Ethernet
See Ethernet.
FCC
(Federal Communications Commission) US wireless regulatory authority. The FCC was established by the
Communications Act of 1934 and is charged with regulating Interstate and International communications by radio,
television, wire, satellite and cable.
FDM
(Frequency Division Multiplexing) A multiplexing technique that uses different frequencies to combine multiple
streams of data for transmission over a communications medium. FDM assigns a discrete carrier frequency to each
data stream and then combines many modulated carrier frequencies for transmission. For example, television
transmitters use FDM to broadcast several channels at once.
FHSS
(Frequency Hopping Spread Spectrum) One of two types of spread spectrum radio—the other being Direct-Sequence
Spread Spectrum (DSSS). FHSS is a transmission technology used in WLAN transmissions where the data signal is
modulated with a narrowband carrier signal that "hops" in a random but predictable sequence from frequency to
frequency as a function of time over a wide band of frequencies. The signal energy is spread in time domain rather
than chopping each bit into small pieces in the frequency domain. This technique reduces interference because a signal
from a narrowband system will only affect the spread spectrum signal if both are transmitting at the same frequency at
the same time. If synchronized properly, a single logical channel is maintained. The transmission frequencies are
determined by a “spreading” or “hopping” code. The receiver must be set to the same hopping code and must listen to
the incoming signal at the right time and correct frequency in order to properly receive the signal. Current FCC
regulations require manufacturers to use 75 or more frequencies per transmission channel with a maximum dwell time
(the time spent at a particular frequency during any single hop) of 400 ms.
Flash Memory
A special type of EEPROM (Electrically Erasable Programmable Read Only Memory) that can be erased and
reprogrammed in blocks instead of one byte at a time. Many modern PCs have their BIOS stored on a flash memory
chip so that it can easily be updated. Such a BIOS is sometimes called a flash BIOS. Flash memory is also popular in
modems because it enables the modem manufacturer to support new protocols as they become standardized.
Forwarding Rate
The maximum rate at which 64K packets can be delivered to their destination. See also, Packet, Packet Switching
Network, pps, and Throughput.
Fragment Length (Fragmentation)
Breaking a packet into smaller units when transmitting over a network medium that cannot support the original size of
the packet. The fragment length value should remain at its default setting unless you experience a high packet error
rate. Setting the fragment length too low may result in poor performance.
FTP
(File Transfer Protocol) A standard protocol used for copying and moving files quickly, efficiently, and securely across
public and private networks. An FTP site is one where files are available for downloading and uploading. FTP sites
usually require a secure login (name and password) to gain access.
Gateway
Any device that provides a seamless connection between otherwise incompatible systems.
Gopher
A computer program, and an accompanying data transfer protocol, for reading information that has been made
available to the public on the Internet. Gopher is gradually being superseded by HTML.
Home Page
Usually the first page users see when they visit a Web site (if they address the home page’s URL). A well constructed
Web site will normally consist of a home page that provides a clear and concise overview of the entire Web site,
together with the tools for accessing other pages and topics quickly and efficiently. In this case, the home page is the
“portal” to the Web site. See also, Portal and URL.
Host
Any computer that provides services to other computers that are linked to it by a network. Generally, the host is the
more remote of the computers. For example, if a user in California accesses a computer in New York, the computer in
New York is considered the host.
HPR
(Home Page Redirection) Nomadix Gateways enable solution providers to redirect subscribers to a “portal” home page
of their choice. This allows the solution provider to generate online advertising revenues and increase business
exposure. See also, Home Page.
HTML
(HyperText Markup Language) The programming language used to create hypertext documents for use on the Internet.
See also, HTTP, Hypertext, and Internet.
HTTP
(HyperText Transfer Protocol) The standard method used for publishing hypertext documents in HTML format on the
Internet. See also, HTML, Hypertext and Internet.
Hypertext
Electronic documents that are structured to enable readers to go directly to the source of the information they need by
following directional links (unlike books which are generally read sequentially). Help files and CD-ROM
encyclopedias are examples of hypertext documents.
ICMP
(Internet Control Message Protocol) A standard Internet protocol that delivers error and control messages from hosts to
message requestors. An ICMP echo test can determine whether a target destination is reachable. An ICMP echo test is
also called a ping. See also, Ping.
IEEE
(Institute of Electrical and Electronics Engineers) Founded in 1884, the IEEE is an organization composed of
engineers, scientists, and students. The IEEE is best known for developing standards for the computer and electronics
industry. In particular, the IEEE 802 standards for Local Area Networks are widely followed.
iNAT™
(Intelligent Network Address Translation) Nomadix’ iNAT™ feature creates an intelligent mapping of IP addresses
and their associated VPN tunnels allowing multiple tunnels to be established to the same VPN server—creating a
seamless connection for all the users at the public access location.
infrastructure mode
An 802.11x networking framework in which devices communicate with each other by first going through an Access
Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a
wired network. When one AP is connected to a wired network and a set of wireless stations it is referred to as a Basic
Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnetwork. Most
corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use
services such as file servers or printers. See also, ad-hoc mode.
Internet
Originally developed by the U.S. Defense Department, the Internet is now a global collection of networks that transfer
information between each other using the Internet Protocol (IP). Additionally, the Internet carries the hypertext system
commonly known as the World Wide Web. See also, Hypertext and Internet Protocol.
Internet Protocol
The global standard used to regulate data transmissions between computers and the Internet. Data is broken up into
packets which are then sent over the network. By using IP addressing, Internet Protocol ensures that the data reaches
its destination, even though different packets may pass through different networks to get to the same location. See also,
Internet and IP Address.
Internet Service Provider
The agency that provides you with access to the Internet. Your Internet Service Provider (ISP) may be a large
commercial organization (for example, America Online) or, if you access the Internet via your employer, then your
employer is your Internet Service Provider. See also, Internet.
Intranet
A network confined to a single organization (but not necessarily a single site). Usually thought of as a corporate mini
Internet.
IP
See Internet Protocol.
IP Address
The numeric address of a device, in the format used on the Internet. The actual numeric value takes the form of a
32-bit binary number broken up into four 8-bit groups, with each group separated by a period (for example, 198.43.7.85).
To make it easier for the user, the IP address is mapped to a meaningful domain name. IP addresses can be static
(permanent) or dynamic (assigned each time you connect). See also, Domain Name, Dynamic IP Address, Internet
Protocol, and Static IP Address.
IP Address Translation
Nomadix Gateways use adaptive configuration technology which can accommodate all network configurations,
including dynamic and static IP address assignments. This enables it to solve IP addressing problems in environments
where the service provider does not have control over the subscriber’s network settings. Whenever a subscriber logs
on, your Nomadix Gateway automatically translates their computer’s network settings to provide them with seamless
access to the broadband network. Subscribers no longer need to alter their computer’s settings. See also, Dynamic IP
Address, IP Address, and Static IP Address.
ISDN
(Integrated Services Digital Network) An international communications standard for sending voice, video, and data
over digital telephone lines or normal telephone wires. ISDN supports data transfer rates of 64 Kbps (64,000 bits per
second).
ISP
See Internet Service Provider.
LAWN
(Local Area Wireless Network) A type of Local Area Network that uses high-frequency radio waves rather than wires
to communicate between nodes. Also referred to as WLAN. See also, Node.
LDAP
(Lightweight Directory Access Protocol) Directories containing information such as names, phone numbers, and
addresses are often stored on a variety of incompatible systems. LDAP provides a simple protocol that allows you to
access and search these disparate directories over the Internet. LDAP is commonly used for online billing applications.
MAC Address
(Media Access Control) The hardware address that uniquely identifies each node of a network. In IEEE 802 networks,
the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub layers – the Logical Link
Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network
media. Consequently, each type of network media requires a different MAC layer. On networks that do not conform to
the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control
(DLC) address.
Mbps
(Megabits per second) A standard measure for data transmission speeds (for example, the rate at which information
travels over the Internet). 1 Mbps denotes one million bits per second. Several factors can influence how quickly data
travels, including modem speed, bandwidth capacity, and Internet traffic levels at the time of transmission. Not to be
confused with MegaBytes per second (MBps). See also, Throughput.
MIB
(Management Information Base) A set of parameters an SNMP management station can query or establish in the
SNMP agent of a network device (for example, a router). Standard minimal MIBs have been defined, and vendors
often have their own private enterprise MIBs. In theory, any SNMP manager can talk to any SNMP agent with a
properly defined MIB. See also, SNMP.
Misconfigured User
A Nomadix, Inc. term used to describe users who have IP address configurations that are different from the current
network. For example, if the current network is 123.45.67.89 but the user’s IP address is 10.10.10.15, then this user is
considered to be “misconfigured.”
NAT
(Network Address Translation) An Internet standard that enables a Local Area Network (LAN) to use one set of IP
addresses for internal traffic and a second set of IP addresses for external traffic. A NAT box located where the LAN
meets the Internet performs all the necessary IP address translations. NAT provides a type of firewall by hiding its
internal IP addresses. Additionally, NAT enables companies to use more internal IP addresses (because the addresses
are only used internally and there’s no possibility of conflicting with IP addresses used by other companies). NAT also
allows companies to combine multiple ISDN connections into a single Internet connection. See also, ISDN.
Node
An addressable point on a network. A node can connect a computer system, a terminal, or various peripheral devices to
the network. Each node on a network has a distinct name. On the Internet, a node is a host computer with a unique
domain name and IP address. See also, Domain Name and IP Address.
NTP
(Network Time Protocol) An Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization
(to the millisecond) of computer clock times in a network of computers. Based on UTC, NTP synchronizes client
workstation clocks to the U.S. Naval Observatory master clocks. Running as a continuous background client program
on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the
client's clock.
OFDM
(Orthogonal Frequency Division Multiplexing) An FDM modulation technique for transmitting large amounts of
digital data over a radio wave. OFDM works by splitting the radio signal into multiple smaller sub-signals that are then
transmitted simultaneously at different frequencies to the receiver. OFDM reduces the amount of crosstalk in signal
transmissions. 802.11a WLAN technology uses OFDM.
OSPF
(Open Shortest Path First) This routing protocol was developed for IP networks based on the shortest path first or
link-state algorithm. Routers use link-state algorithms to send routing information to all nodes on a network by calculating
the shortest path to each node based on a topography of the Internet constructed by each node. Routers send that
portion of the routing table (keeping track of routes to particular network destinations) that describes the state of its
own links, and it also sends the complete routing structure (topography). The advantage of shortest path first
algorithms is that they result in smaller more frequent updates everywhere. They converge quickly, thus preventing
such problems as routing loops and count-to-infinity (when routers continuously increment the hop count to a
particular network). This makes for a stable network. OSPF (version 2) is defined in RFC 1583 and is rapidly
replacing RIP on the Internet as the preferred routing protocol. See also, RFC and Router.
Packet
How data is distributed over the Internet. A packet contains the source and destination addresses, as well as the data.
An ethernet packet is normally 1,518 bytes. In IP networks, packets are often called datagrams. See also, Forwarding
Rate, Packet Switching Network, pps, and Throughput.
Packet Switching Network
Refers to protocols in which messages are divided into packets before they are sent. Each packet is then transmitted
individually and can even follow different routes to its destination. Once all the packets forming a message arrive at its
destination, they are recompiled into the original message. Most modern Wide Area Network (WAN) protocols,
including TCP/IP, X.25, and Frame Relay, are based on packet-switching technologies. By contrast, normal telephone
services use a circuit-switching technology in which a dedicated line is allocated for transmission between two parties.
Circuit-switching is ideal for fast data transmissions where the data must arrive in the same order in which it is sent.
This is the case with most real-time data, such as live audio and video. Packet switching is more efficient and robust
for data that can withstand some delays in transmission, such as e-mail messages and Web pages. See also,
Forwarding Rate, Packet, pps, and Throughput.
Passphrase
A word or phrase used for WPA-Personal or WPA 2-Personal to derive the PSK.
PDF
(Portable Document Format) A type of file format developed by Adobe Systems© that displays documents identically
on any computer system. PDF files retain their original formatted design, unlike HTML documents which adjust the
format depending on the users viewing medium (for example, monitor size).
Personal
WPA-Personal or WPA 2-Personal; does not and cannot use IEEE 802.1x; uses PSK or passphrase; similar to static
WEP.
Ping
(Packet INternet Groper) A program that transmits a signal to a host and expects a response within a predetermined
time. This is useful when troubleshooting network transmission problems. See also, ICMP.
Portal
A portal is a Web site. The portal consists of a collection of links to the most popular Web services on the Internet.
Generally speaking, a portal is a door to the Internet. See also, Internet.
PPP
(Point-to-Point Protocol) PPP has superseded SLIP as the standard protocol for serial data communications over the
Internet. See also, SLIP.
pps
(packets per second) The rate at which packets are delivered to their destination. See also, Forwarding Rate, Packet,
and Packet Switching Network.
PPTP
(Point-to-Point Tunneling Protocol) Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote
access vendor companies, known collectively as the PPTP Forum, PPTP is a new technology used for creating Virtual
Private Networks (VPNs). Because the Internet is essentially an open network, PPTP is used to ensure that messages
transmitted from one VPN node to another are secure. PPTP allows users to dial in to their corporate networks via the
Internet. See also, Internet, Tunneling, and VPN.
Preamble
In wireless networks, part of the wireless signal that synchronizes network traffic.
Profile
An electronic file that defines how subscribers normally interact with the service provider’s network.
Protocol
A standard process consisting of a set of rules and conditions that regulates data transmissions between computing
devices. Some examples of protocols include HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol),
TCP/IP (Transmission Control Protocol/Internet Protocol), and POP (Post Office Protocol). All these protocols are
responsible for regulating the transmission of their specific data file types.
PSK
Pre-Shared Key; derived from the passphrase.
QoS
(Quality of Service) A collective measure of the level of service delivered to the customer. QoS can be characterized by
several basic performance criteria, including availability (low downtime), error performance, response time and
throughput, lost calls or transmissions due to network congestion, connection set-up time, and the speed of fault
detection and correction. Service providers may guarantee a particular level of QoS (defined by a service level
agreement) to their subscribers. QoS-enabled hardware and software solutions sort and classify IP packet requests into
different traffic classes and allocate the proper resources to direct traffic based on various criteria, including application
type, user or application ID, source or destination IP address, time of day, and other user-specified variables. See also,
CoS and ToS.
RADIUS
(Remote Authentication Dial-In User Service) An authentication and accounting system used by many Internet Service
Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed
to a RADIUS server which checks that the information is correct and then authorizes access to the ISP system.
RFC
(Request for Comments) A series of notes about the Internet, started in 1969 (when the Internet was the ARPANET).
An RFC note can be submitted by anyone. Each RFC is designated by an RFC number. Once published, an RFC never
changes. Any modifications to an original RFC are assigned a new RFC number.
Roaming
In wireless networking, roaming refers to the ability to move from one AP coverage area to another without
interruption in service or loss in connectivity.
Round Robin Queuing
An algorithm that services each queue in a predefined sequence. For example, it might empty 1,500 bytes apiece from
queue 1 (high priority), queue 2 (medium priority), and queue 3 (low priority), servicing each in turn.
Router
A hardware device that connects two or more networks and routes the incoming data packets to the appropriate
network.
RSN
Robust Secure Network; protocol for establishing secure communication using AES/CCMP.
RSNA
RSN Associations.
RTS (Length)
(Request to Send) A packet sent when a computer has data to transmit. The computer will wait for a CTS (Clear To
Send) message before sending data. The RTS Length value should remain at its default setting unless you encounter
inconsistent data flow. Only minor modifications to this value are recommended.
SLIP
(Serial Line Internet Protocol) SLIP is a standard protocol for connecting to the Internet with a modem over a phone
line. It has trouble with noisy dial-up lines and other error-prone connections, so look to higher-level protocols like
PPP for error correction.
SMTP
(Simple Mail Transfer Protocol) A standard protocol that regulates how e-mail is distributed over the Internet. See
also, Protocol.
SNMP
(Simple Network Management Protocol) A standard protocol that regulates network management over the Internet.
SNMP uses TCP/IP to communicate with a management platform, and offers a standard set of commands that make
multi-vendor operability possible. SNMP uses a standard set of definitions, known as a MIB (Management
Information Base), which can be supplemented with enterprise-specific extensions. See also, TCP/IP and MIB.
Socket
A communication path between two computer programs, not necessarily running on the same machine. Sockets are
managed by a “socket device driver” that establishes network connections, as needed. Programs that communicate
through sockets need not know anything about how the network functions.
Solution Provider
Vendors are considered to be solution providers when they provide products and/or services that meet their customer’s
specific needs. Normally, a solution provider is offering a solution that isn’t readily available on the open market. For
example, NOMADIX™ is a solution provider to its customers (broadband network service providers), and those
customers are solution providers to their end users (network subscribers).
SSID
(Service Set Identifier) A 32-character unique identifier attached to the header of packets sent over a WLAN that acts
as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so
all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not
be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be “sniffed” in plain text
from a packet, it does not supply any security to the network. An SSID is also referred to as a “network name” because
essentially it is a name that identifies a wireless network.
SSL
(Secure Sockets Layer) A protocol developed by Netscape for transmitting private documents via the Internet. SSL
works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and
Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as
credit card numbers. See also, Protocol.
Static IP Address
An IP address that is assigned to a computing device permanently (or until the user changes it manually), unlike a
dynamic IP address which is assigned to a device temporarily by the DHCP server. See also, DHCP, IP Address and
Dynamic IP Address.
STP
(Spanning Tree Protocol) A link management protocol that is part of the IEEE 802.1 standard for media access control
bridges. Using the spanning tree algorithm, STP provides path redundancy while preventing undesirable loops in a
network that are created by multiple active paths between stations. Loops occur when there are alternate routes
between hosts. To establish path redundancy, STP creates a tree that spans all of the switches in an extended network,
forcing redundant paths into a standby (or blocked) state. STP allows only one active path at a time between any two
network devices (this prevents the loops) but establishes the redundant links as a backup if the initial link should fail. If
STP costs change, or if one network segment in the STP becomes unreachable, the spanning tree algorithm
reconfigures the spanning tree topology and reestablishes the link by activating the standby path. Without spanning
tree in place, it is possible that both connections may be simultaneously “live,” which could result in an endless loop of
traffic on the LAN.
Subnet
A portion of a network, which may be a physically independent network segment, that shares a network address with
other portions of the network and is distinguished by a unique subnet address. In general, a subnet is to a network what
a network is to the Internet.
Subnet Address
The portion of an IP address that identifies the subnet. In a subnetted network, the host portion of an IP
address is split into a subnet portion and a host portion using an address (subnet) mask. See also, IP Address and
Subnet.
Subnet Mask
See Subnet Address.
Subscriber
Any person or organization that pays a periodic fee for services.
SYSLOG
(SYStem LOGging) Syslog is the standard event logging subsystem for Unix and consists of a server daemon, a client
function library, and a client command line utility. You can log to files, terminal devices, logged on users, or even
forward to other syslog systems. See also, Daemon.
TCP
(Transmission Control Protocol) Breaks data into small packets and ensures that the data is transmitted correctly over
a network. If an error is detected, the data is transmitted again in its original form. See also, TCP/IP.
TCP/IP
(Transmission Control Protocol/Internet Protocol). A suite of protocols that regulates data communications for the
Internet. See also, Internet Protocol, Protocol, and TCP.
Telnet
A software program and command utility used to connect between remote locations and services. Telnet connects you
to the login prompt of another host (that you have access rights to). See also, Host.
Throughput
The net data transfer rate between an information source and its destination, using the maximum packet size without
loss. Throughput is expressed as Megabits per second (Mbps), defined by RFC1242, Section 3.17. See also,
Forwarding Rate, Mbps, Packet, Packet Switching Network, pps, and RFC.
TKIP
Temporal Key Integrity Protocol.
TLS
(Transport Layer Security) A protocol that guarantees privacy and data integrity between client/server applications
communicating over the Internet. The TLS protocol is made up of two layers:
TLS Record Protocol
Layered on top of a reliable transport protocol, such as TCP, it ensures that the connection is private by using
symmetric data encryption and ensures that the connection is reliable. The TLS Record Protocol also is used for
encapsulation of higher-level protocols, such as the TLS Handshake Protocol.
TLS Handshake Protocol
Allows authentication between the server and client and the negotiation of an encryption algorithm and cryptographic
keys before the application protocol transmits or receives any data.
TLS is application protocol-independent. Higher-level protocols can layer on top of the TLS protocol transparently.
Based on Netscape’s SSL 3.0, TLS supersedes and is an extension of SSL. TLS and SSL are not interoperable. See
also, Protocol and SSL.
Translation
See IP Address Translation.
Tunneling
A technology that enables one network to send its data via another network's connections. Tunneling works by
encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP
technology enables organizations to use the Internet to transmit data across a Virtual Private Network (VPN). It does
this by embedding its own network protocol within the TCP/IP packets carried by the Internet. See also, TCP/IP and
VPN.
ToS
(Type of Service) A field within an IP header which can be used by the device originating the packet, or by an
intermediate networking device, to signal a request for a specific QoS level. ToS uses three bits to tell a router how to
prioritize a packet and one bit apiece to signal requirements for delay, throughput, and reliability. See also, Packet,
QoS, Router, and Throughput.
URL
(Uniform Resource Locator) The standard method used for identifying the location of information available to the
Internet. This is effectively the “address” of a document or file, expressed in the form: protocol://domain.filename/
path.type (for example, http://www.myfile.com/nextpage.html).
UTC
(Coordinated Universal Time) A time scale that couples Greenwich Mean Time (GMT), which is based solely on the
Earth's inconsistent rotation rate, with highly accurate atomic time. When atomic time and Earth time approach a one
second difference, a leap second is calculated into UTC. UTC was devised on January 1, 1972 and is coordinated in
Paris by the International Bureau of Weights and Measures. UTC, like GMT, is set at 0 degrees longitude on the prime
meridian.
Virtual Access Point (VAP)
VAPs are created when one physical access point emulates multiple access points by using unique BSSIDs for each
Service Set Identifier (SSID).
VoIP
(Voice over IP) An emerging technology for transporting integrated digital voice, video, and data over IP networks. A
major advantage of VoIP and Internet telephony is that it avoids the tolls charged by ordinary telephone services. See
also, Internet and IP.
VPN
(Virtual Private Network) A network that is constructed by using public wires to connect nodes. For example, there are
a number of systems that enable you to create networks using the Internet as the medium for transporting data. These
systems use encryption and other security mechanisms to ensure that only authorized users can access the network and
that the data cannot be intercepted.
VxWorks ®
A real-time operating system, manufactured and sold by Wind River Systems of California, USA. VxWorks program
development requires a host machine running Unix or Windows.
W3C
(World Wide Web Consortium) An international consortium of companies involved with the Internet and the Web. The
organization's purpose is to develop open standards so that the Web evolves in a single direction rather than being
splintered among competing factions. The W3C is the chief standards body for HTTP and HTML. See also, HTML and
HTTP.
WAN
(Wide Area Network) Take two local area networks, hook them together, and you've got a WAN. Wide area networks
can be made up of interconnected smaller networks spread throughout a building, a state, a country, or the entire globe.
WEP
(Wired Equivalent Privacy) A security protocol for wireless local area networks (WLANs) defined in the 802.11b
standard. WEP is designed to provide the same level of security as that of a wired LAN. LANs are inherently more
secure than WLANs because LANs are somewhat protected by the physical constraints of their structure, having some or all
of the network inside a building that can be protected from unauthorized access. WLANs, which operate over radio waves,
do not have the same physical structure and therefore are more vulnerable to tampering. WEP aims to provide security
by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another.
Wi-Fi™
(Wireless Fidelity) Used generically when referring to any type of 802.11 network, whether 802.11b, 802.11a, dual-band,
etc. The term is promulgated by the Wi-Fi Alliance. Any products tested and approved as "Wi-Fi Certified" (a
registered trademark) by the Wi-Fi Alliance are certified as interoperable with each other, even if they are from
different manufacturers. A user with a "Wi-Fi Certified" product can use any brand of access point with any other
brand of client hardware that also is certified. Typically, however, any Wi-Fi product using the same radio frequency
(for example, 2.4GHz for 802.11b or 802.11g, or 5GHz for 802.11a) will work with any other product, even if that
product is not "Wi-Fi Certified."
WLAN
(Wireless Local Area Network) Also referred to as LAWN. A type of local-area network that uses high-frequency
radio waves rather than wires to communicate between nodes. See also, Node.
WMI
(Web Management Interface) The browser-based system administrator’s interface for all Nomadix Gateways.
WPA
(Wi-Fi™ Protected Access) A Wi-Fi™ standard that was designed to improve upon the security features of WEP. The
technology is designed to work with existing Wi-Fi products that have been enabled with WEP (as a software upgrade
to existing hardware), but the technology includes two improvements over WEP:
Improved data encryption through the temporal key integrity protocol (TKIP). TKIP scrambles the keys using a
hashing algorithm and, by adding an integrity-checking feature, ensures that the keys haven’t been tampered with.
User authentication, which is generally missing in WEP, through the extensible authentication protocol (EAP). WEP
regulates access to a wireless network based on a computer’s hardware-specific MAC address, which is relatively
simple to “sniff out” and steal. EAP is built on a more secure public-key encryption system to ensure that only
authorized network users can access the network.
It should be noted that WPA is an interim standard that will be replaced with the IEEE’s 802.11i standard upon its
completion.
WPA 2
Wi-Fi™ Protected Access version 2.
WPA 2 Mixed Mode
Simultaneously supports WPA-TKIP and WPA 2-AES.
XML
(eXtensible Markup Language) A specification developed by the W3C. XML is a pared down version of SGML,
designed especially for Web documents. It enables designers to create their own customized tags to provide
functionality not available with HTML. For example, XML supports links that point to multiple documents, as
opposed to HTML links, which can reference just one destination each. For all Nomadix Gateways, XML is used by
the subscriber management module for port location and user administration. Enabling the XML interface allows your
Nomadix Gateway to accept and process XML commands from an external source. XML commands are appended to
a URL in the form of an encoded query string. Nomadix Gateways parse the query string, execute the commands
specified by the string, and return data to the system that initiated the command request. See also, HTML, TCP, and
W3C.
1
AG 5000
Index
Numerics
802 236
802.11i
cipher 236
group key update interval 236
mixed mode (WPA / WPA 2) 236
passphrase 236
settings 236
802.1x
VAP association 235
A
AAA
log
message definitions 268
log sample 267
process flow 246
structure
an overview 245
AAA log 321
AAA Passthrough Port 70
AAA services 67
External Web Server 75
Internal Web Server 71
access control 7, 76
access levels 217
accounting 67
AES/CCMP 236
AG 2100
installation 33, 34
installation workflow 35
unpacking 34
welcome 3
alphabetical listing 260
archiving 60
ARP tables 138
adding entries 207
deleting entries 208
authentication 67
Authentication/Association method 235
authorization 67, 244
and billing 244
auto configuration 19, 79
B
bandwidth management 83
Basic configuration 57
Beacon interval 230
benefits and features 6
billing 8, 244
process overview 244
billing log options 106
billing options 178
billing records
mirroring 295
billing records mirroring 84
blocking subscriber interfaces 228
bridge mode 209
Bridge mode (VAPs) 234
C
Channel 230
character lengths 42
Cipher 236
CLI
logging in
logging in 38
overview 39
Command Line Interface 38
inputting data 40
logging in 38
making selections 40
overview 39
common problems 301
concurrent login 217
Configuration menu 67
configuration settings 133
archiving 60
exporting 210
importing from archive 216
contacting NOMADIX 303
Copyright ii
Credit Card Module 26
Current table 234
D
DAT 6
DAT sessions 139
data 42
inputting 42
date and time 134
default
gateway
assigning IP address 54
login name 38
password 38
deployment options 4, 5
DHCP
enabling service (CLI) 57
DHCP leases 170
DHCP service options 86
DNS 60
server
primary IP address 59
secondary IP address 59
setting (CLI) 59
DNS options 90, 91
domain name 59, 90
DTIM 230
E
error messages 202, 299
EWS 13
exporting configuration settings 210
External Web Server 13
external Web server 247
F
features 6
firmware 228
updating 228
foreign language support 16, 189, 247
Fragment length 230
frequency range 4
Frequency spectrum 230
G
glossary of terms 323, 1
Goodbye page 197
GRE Tunneling
VAPs 234
Group key update interval 236
H
High Availability Module 26
hints and tips 299
history 213
history log 213, 269
home page redirect 13
home page redirection 95, 247
host name 59, 90
hosts table 140
HPR 13, 95
I
ICC 15, 183, 250
ICMP blocking 215
ICMP statistics 141
IEEE standards 4
importing 216
importing configuration settings 216
In room port mapping 112
iNAT 14, 96
Information and Control Console 15, 183, 250
assigning banners 186
assigning buttons 185
pixel sizes 188
time formats 188
inputting data 42
in-room port mapping 114
Installation 33
installation
parts list 34
unpacking 34
workflow 35
interfaces 142
Internal Web Server 16
internal Web server 247
international language support 189
Introduction 1
IP
addresses
assigning (CLI) 54
IP addresses 54
IP connections 145
IP statistics 143
IP upsell 17
IPSec 98
IKE channel security 100
tunnel peers 99
tunnel security policies 101
tunnel settings 98
IPSec tunnel 136
IWS 16
J
JAVA
applet (ICC) 250
K
keyboard shortcuts 270
L
language support 16, 189, 247
languages 16, 247
licensing 5, 67
local content and services 7
location 56
location file
creating 162
locations 104, 106
Log settings
AAA log 321
RADIUS history log 321
Subscriber tracking log 322
System report log 321
System report log interval 321
logging
in 38, 67
options (CLI) 51
logging in 67
default
login name 38
password 38
logging options 106
login
name
assigning 46
screen
subscriber
sample 196
login access levels 217
logout console 17
M
MAC filtering 17, 220
Management Information Base
installing 61
management interface
overview 39
menus
alphabetical listing 260
organization (WMI) 40
messages 204
MIB 23
installing 61
multi-level administration 17, 217
multiple subnets 131
N
network
interface IP address 54
network architecture 27
Network Info menu 138
network interfaces 142
Nomadix private MIB 23
NSE core functionality 9
NTP support 18
O
online Help 31
optional NSE modules 26
Credit Card Module 26
High Availability Module 26
P
partitioning 4
parts list 34
passthrough addresses 109
password
assigning 46
pop up 250
pop-up window 17
port assignments 150, 153, 154
adding 150
deleting all 154
deleting by location 155
deleting by port 156
exporting 157
finding by description 158
finding by location 159
finding by port 160
importing 161
mapping 163
updating 153
port locations 111
port mapping 18, 114, 146, 225
in-room port mapping 112
portal page redirect 18
Port-based billing policies 70
Port-Location menu 149
In room port mapping 114
post session user interface 197
PPPoE
VAPs 234
private MIB 23
problem solving 299
product
configuration 5
licensing 5
specifications 264
product definitions 3
product licensing 67
product specifications 28
PSK 235
Q
Quick Reference Guide 251
Port-Location menu 255
product specifications 264
Web Management Interface 251
configuration menu 252
main page 251
subscriber administration menu 256
subscriber interface menu 257
system menu 258
network info menu 254
R
RADIUS
client 19, 116
proxy 19, 119
realms 122
routings 122
RADIUS attributes 271
RADIUS history log 321
rebooting 221
redirection
home page 247
Regulatory domain 230
remember me 20
Resetting the AG 2100 47
resetting setting to factory defaults 47
resetting the administrative login name and
password 47
routes 222, 223
adding 222
deleting 223
routing tables 144
RTS length 230
S
secure administration 76
secure management 21
secure socket layer 22
security 4, 7
segmenting users 4
session rate limiting 23, 224
session termination 23
setting
SNMP parameters 49
Short preamble 230
Smart Client support 23
SMTP redirection 128
SNMP 23
parameters 49
SNMP communities 129
SNMP manager 65
sockets 145
specifications 28, 264
SRL 23
SSID 234
SSID broadcast 234
SSL 22
setting up 279
Start Up configuration 44
static port mapping 146, 225
static ports
adding 225
deleting 227
mapping 225
subnet mask
setting up 54, 106
subnets 131
subscriber
configuring management models 249
management 248
models 248
Subscriber Administration 164
Subscriber Interface 243
subscriber interface 197
subscriber interfaces
blocking 228
subscriber messages 204
subscriber profiles
adding 164
deleting all expired 171
deleting by MAC 168
deleting by user 169
displaying 177
finding by MAC 172
finding by user 173
listing by MAC 174
listing by user 175
Subscriber tracking log 322
Subscriber UI buttons 200
Subscriber UI error messages 202
Subscriber UI labels 201
subscribers
current connections 167
summary report 133
support
administration 303
technical 303
user 303
SYSLOG 51
report
sample 268
System 207
System Administration 63
System report log 321
System report log interval 321
T
TCP statistics 147
technical support 303
contact information 303
Telnet 38
Telnet client 65
time 134
TKIP 236
transparent connectivity 6
troubleshooting 299
common problems 301
error messages 299
hints and tips 299
U
UAM 238
UDP statistics 148
UI buttons 200
UI labels 201
unpacking 34
updating firmware 228
URL filtering 24, 135
V
VAPs
adding, editing and removing 230, 232
authentication/association method 235
bridge mode 234
default tag number 232
maximum number 24, 231
replacing Multiple SSIDs 231
setup 231
SSID 234
SSID broadcast 234
UAM 238
VLAN tags 234
WAN VLAN tagging 234
VPN tunneling 136
W
walled garden 25
Web Management Interface 25, 66
menu organization 40
overview 39
Web servers 247
WEP 235
authentication 237
default key 237
dynamic WEP 237
key length 237
key type 237
settings 237
Wireless configuration 229
beacon interval 230
channel 230
DTIM 230
fragment length 230
frequency spectrum 230
power 230
rate 230
regulatory domain 230
RTS length 230
short preamble 230
wireless configuration 229
WMI
menu organization 40
overview 39
workflow
installation 35
WPA 235
WPA 2 235
X
XML API 22
XML interface 296