User Guide 8.2


ACCESS GATEWAY

Introduction

About this Guide

This User Guide provides information and procedures that will enable system administrators to install, configure, manage, and use the Access Gateway product successfully and efficiently.

Use this guide to take full advantage of the Access Gateway’s functionality and features.

Refer to “Product Specifications” on page 303 for a list of Access Gateway products that this document supports.

The Nomadix Access Gateway hardware is configured and controlled by Nomadix Service Engine (NSE) software. The NSE 7.4 Release supports the AG2300, AG3100, and AG5500.

NSE 8.0 supports the AG5600 and AG5800.

NSE 8.2 supports the AG2400, AG5600, and AG5800. The NSE 8.2 software provides several new features, including independent multi-WAN configuration and an optional Load Balancing module. Features and enhancements specific to NSE 8.2 are labeled (8.2).

Introduction 1


Organization

This User Guide is organized into the following sections:

Chapter 1 – Introduction. The current chapter; an introduction to the features and benefits of the Nomadix Access Gateway.

Chapter 2 – Installing the Access Gateway. Provides instructions for installing the Access Gateway and establishing the start-up configuration.

Chapter 3 – System Administration. Provides all the instructions and procedures necessary to manage and administer the Access Gateway on the customer’s network, following a successful installation.

Chapter 4 – The Subscriber Interface. Provides an overview and sample scenario for the Access Gateway’s subscriber interface. It also includes an outline of the authorization and billing processes utilized by the system, and the Nomadix Information and Control Console.

Chapter 5 – Quick Reference Guide. Contains product reference information, organized by topic and functionality. It also contains a full listing of all product configuration elements, sorted alphabetically and by menu.

Chapter 6 – Troubleshooting. Provides information to help you resolve common hardware and software problems. It also contains a list of error messages associated with the management interface.

Appendix A: Technical Support. Informs you how to obtain technical support. Refer to Troubleshooting before contacting Nomadix, Inc. directly.

Glossary of Terms. Provides an explanation of terms directly related to Nomadix product technology. Glossary entries are organized alphabetically.

Index. The index is a valuable information search tool. Use the index to locate specific topics and categories contained in this User Guide.


Welcome to the Access Gateway

The Access Gateway is a freestanding, fully featured network appliance that enables public access service providers to offer broadband Internet connectivity to their customers.

The Access Gateway handles transparent connectivity, advanced security, policy-based traffic shaping, and service placement supporting thousands of users simultaneously in a broadband environment. The Access Gateway also offers a unique set of security and connectivity features for deploying metro wireless 802.11 networks, including Mesh and WiMAX technologies.

Access Gateway

The Access Gateway yields a complete solution to a set of complex issues in the Enterprise, Public-LAN, and Residential segments.

Product Configuration and Licensing

All Nomadix Access Gateway products are powered by our patented and patent-pending suite of embedded software, called the Nomadix Service Engine™ (NSE). The Access Gateway employs our NSE core software package and comes pre-packaged with the option to purchase additional modules to expand the product’s functionality.

This User Guide covers all features and functionality provided with the NSE core package, as well as additional optional modules. Your product license must support the optional NSE modules if you want to take advantage of the expanded functionality. The following note will preface procedures that directly relate to optional modules.

See also:

NSE Core Functionality

Optional NSE Modules


Key Features and Benefits

The Access Gateway is a 1U high, free-standing or rack-mountable Access Gateway that employs three fast Ethernet ports to interface with the router (one for the network side) and the aggregation equipment (two for the subscriber side) within the network. It also incorporates an RS232 serial port for connecting to a Property Management System (PMS) and for system management and administration, while maintaining one billing relationship with their chosen provider.

The Access Gateway enables a wide variety of network deployment options for different venue types. For example:

Allows for flexible WAN Connectivity (T1/E1, Cable, xDSL, and ISDN).

Supports 802.11a/b/g and hybrid networks utilizing wired Ethernet.

Supports key requirements needed to be compliant with the Wi-Fi ZONE™ program.

Allows you to segment your existing network into public and private sections using VLANs, then leverage your existing network investment to create new revenue streams.

Enables you to provide Wi-Fi access as a billable service or as an amenity to augment the main line of business for your venue.

Contains an advanced XML interface for accepting and processing XML commands, allowing the implementation of a variety of service plans and offerings.

Offers three user-friendly ways of remote management—through a Web interface, SNMP MIBs, and Telnet interfaces—allowing for scalable, large public access deployments.

(8.2) Provides capabilities for load balancing and fail-over management across multiple ISPs.

Platform Reliability

The Access Gateway is designed as a network appliance, providing maximum uptime and reliability unlike competitive offerings that use a server-based platform.


Local Content and Services

The Access Gateway’s Portal Page feature intercepts the user’s browser settings and directs them to a designated Web site to securely sign up for service or log in if they have a preexisting account.

Allows the provider to present their customers with local services or have the user sign up for service at zero expense.


Offers both pre and post authentication redirects of the user’s browser, providing maximum flexibility in service branding.

Transparent Connectivity

Resolving configuration conflicts is difficult and time consuming for network users who are constantly on the move, and costly to the solution provider. In fact, most users are reluctant to make changes to their computer’s network settings and won’t even bother. This fact alone has prevented the widespread deployment of broadband network services.

Our patented Dynamic Address Translation™ (DAT) functionality offers a true “plug and play” solution by enabling a seamless and transparent experience and the tools to acquire new customers on-site.

DAT greatly reduces provisioning and technical support costs and enables providers to deliver an easy to use, customer-friendly service.


Billing Enablement

The Access Gateway supports billing plans using credit cards, scratch cards, or monthly subscriptions, or direct billing to a hotel’s Property Management System (PMS) and can base the billable event on a number of different parameters such as time, volume, IP address type, or bandwidth.

Access Control and Authentication

The Access Gateway ensures that all traffic to the Internet is blocked until authentication has been completed, creating an additional level of security in the network. Also, the Access Gateway allows service providers to create their own unique “walled garden,” enabling users to access only certain predetermined Web sites before they have been authenticated.

Nomadix simultaneously supports the secure browser-based Universal Access Method (UAM), IEEE 802.1x, and Smart Clients for companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass. MAC-based authentication is also available.

Security

The patented iNAT™ (Intelligent Network Address Translation) feature creates an intelligent mapping of IP Addresses and their associated VPN tunnels—by far the most reliable multisession VPN passthrough to be tested against diverse VPN termination servers from companies such as Cisco, Checkpoint, Nortel and Microsoft. Nomadix’ iNAT feature allows multiple tunnels to be established to the same VPN server, creating a seamless connection for all users on the network.

The Access Gateway provides fine-grain management of DoS (Denial of Service) attacks through its Session Rate Limiting (SRL) feature, and MAC filtering for improved network reliability.

5-Step Service Branding

A network enabled with the Nomadix Access Gateway offers a 5-Step service branding methodology for service providers and their partners, comprising:

1. Initial Flash Page branding.

2. Initial Portal Page Redirect (Pre-Authentication). Typically, this is used to redirect the user to a venue-specific Welcome and Login page.

3. Home Page Redirect (Post-Authentication). This redirect page can be tailored to the individual user (as part of the RADIUS Reply message, the URL is received by the NSE) or set to re-display itself at freely configurable intervals.


4. The Information and Control Console (ICC) contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session. As an alternative to the ICC, a simple pop-up window provides the opportunity to display a single logo.

5. The “Goodbye” page is a post-session page that can be defined either as a RADIUS VSA or be driven by the Internal Web Server (IWS) in the NSE. Using the IWS option means that this functionality is also available for other post-paid billing mechanisms (for example, post-paid PMS).


NSE Core Functionality

Powering Nomadix’ family of Access Gateways, the Nomadix Service Engine (NSE) delivers a full range of features needed to successfully deploy public access networks. These “core” features solve issues of connectivity, security, billing, and roaming in a Wi-Fi public access network.

The NSE’s core package of features includes:

Access Control

Bandwidth Management

Billing Records Mirroring

Bridge Mode

Command Line Interface

Credit Card

Dynamic Address Translation™

Dynamic Transparent Proxy

End User Licensee Count

External Web Server Mode

Home Page Redirect

iNAT™

Information and Control Console

Internal Web Server

International Language Support

IP Upsell

Logout Pop-Up Window

MAC Filtering

Multi-Level Administration Support

Multi-WAN Interface Management (8.2)

NTP Support

Portal Page Redirect

RADIUS Client


RADIUS-driven Auto Configuration

RADIUS Proxy

Realm-Based Routing

Remember Me and RADIUS Re-Authentication

Secure Management

Secure Socket Layer (SSL)

Secure XML API

Session Rate Limiting (SRL)

Session Termination Redirect

Smart Client Support

SNMP Nomadix Private MIB

Static Port Mapping

Tri-Mode Authentication

URL Filtering

Walled Garden

Web Management Interface

Access Control

For IP-based access control, the NSE incorporates a master access control list that checks the source (IP address) of administrator logins. A login is permitted only if a match is made with the master list contained within the NSE. If a match is not made, the login is denied, even if a correct login name and password are supplied.

The access control list supports up to 50 (fifty) entries in the form of a specific IP address or range of IP addresses.

The NSE also offers access control based on the interface being used. This feature allows administrators to block access from Telnet, Web Management, and FTP sources.

Administration can now be performed after unblocking the interfaces for the Subscriber side of the NSE. The administrative ports are configurable as well. See “Establishing Secure Administration {Access Control}” on page 87.
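The two checks described above, a master access control list of up to 50 source-IP entries (single addresses or ranges) that is consulted before credentials are even considered, and per-interface blocking of Telnet, Web Management and FTP administration, can be modelled in a few lines. The following is an added example written for this page, not Nomadix code; the class and method names, the `interface`/`credentials` parameters, the range syntax `a.b.c.d-e.f.g.h`, and every address and credential in it are constructed for illustration.

```python
"""Added example (not Nomadix code): an IP-based master access control list for
administrator logins, modelled on the NSE behaviour described in the guide.
A login is permitted only when the source IP matches a list entry; otherwise it
is denied even if the username and password are correct.  Entries are single
addresses or inclusive ranges, at most 50 of them.  Per-interface blocking
(Telnet, Web Management, FTP) is modelled as a set of blocked interface names.
All addresses, interface names and credentials below are constructed."""
import hmac
import ipaddress

MAX_ACL_ENTRIES = 50  # limit stated in the guide


class AdminAccessControl:
    def __init__(self, blocked_interfaces=()):
        self._entries = []                  # list of (lo, hi) ipaddress objects
        self._blocked = set(blocked_interfaces)

    def add_entry(self, spec):
        """Accept "192.0.2.10" (one host) or "192.0.2.100-192.0.2.120" (range)."""
        if len(self._entries) >= MAX_ACL_ENTRIES:
            raise ValueError("access control list is full (%d entries)" % MAX_ACL_ENTRIES)
        if "-" in spec:
            lo_s, hi_s = spec.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        else:
            lo = hi = ipaddress.ip_address(spec.strip())
        if lo.version != hi.version:
            raise ValueError("range mixes IPv4 and IPv6: %s" % spec)
        if hi < lo:
            raise ValueError("range end precedes start: %s" % spec)
        self._entries.append((lo, hi))

    def source_allowed(self, src):
        """True if src falls inside any entry; version mismatch never matches."""
        addr = ipaddress.ip_address(src)
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self._entries)

    def login(self, interface, src, username, password, credentials):
        """Return (allowed, reason).  Order matters: the interface block and the
        master list are evaluated before the password is ever compared, so a
        correct password from an unlisted source is still refused."""
        if interface in self._blocked:
            return False, "interface blocked"
        if not self.source_allowed(src):
            return False, "source not in master access list"
        stored = credentials.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return False, "bad credentials"
        return True, "ok"


if __name__ == "__main__":
    acl = AdminAccessControl(blocked_interfaces={"ftp"})
    acl.add_entry("192.0.2.10")
    acl.add_entry("192.0.2.100-192.0.2.120")
    creds = {"admin": "s3cret"}           # constructed; a real system stores hashes
    print(acl.login("web", "192.0.2.110", "admin", "s3cret", creds))   # (True, 'ok')
    print(acl.login("web", "192.0.2.50", "admin", "s3cret", creds))    # denied by list
    print(acl.login("ftp", "192.0.2.10", "admin", "s3cret", creds))    # denied by interface
```

The check order is the point worth keeping when implementing or auditing such a list: the source test runs first, so an attacker with stolen credentials but the wrong source address gets the same refusal as one with no credentials at all, and the password comparison is never reached.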


Bandwidth Management

The NSE optimizes bandwidth by limiting bandwidth usage symmetrically or asymmetrically on a per device (MAC address / User) basis, and manages the WAN Link traffic to provide complete bandwidth management over the entire network. You can ensure that every user has a quality experience by placing a bandwidth ceiling on each device accessing the network, so every user gets a fair share of the available bandwidth.

With the Nomadix ICC feature enabled, subscribers can increase or decrease their own bandwidth and pricing plans for their service dynamically.

(Figure: Information and Control Console (ICC), showing the bandwidth selection pull-down)
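The per-device ceiling described above (a separate upstream and downstream limit keyed by MAC address, equal for symmetric shaping or different for asymmetric) is the classic token-bucket pattern. The block below is an added example written for this page, not NSE code; the class names, the `burst_bytes` parameter, the pass-through behaviour for a device with no configured ceiling, and the MAC addresses, rates and packet sizes are all constructed assumptions.

```python
"""Added example (not Nomadix code): a per-device bandwidth ceiling in the
style the guide describes for NSE bandwidth management.  Each device, keyed by
MAC address, gets an upstream and a downstream token bucket; equal rates give
symmetric shaping, different rates asymmetric.  Timestamps are passed in
explicitly so the behaviour is deterministic.  All MACs, rates and sizes are
constructed."""


class TokenBucket:
    """Classic token bucket: tokens (bytes) refill at `rate_bps` bits per second
    up to `burst_bytes`; a packet is permitted only if enough tokens remain."""

    def __init__(self, rate_bps, burst_bytes, now):
        self.rate = rate_bps / 8.0        # bytes per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = now

    def allow(self, nbytes, now):
        elapsed = max(0.0, now - self.last)  # clock going backwards adds nothing
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class DeviceShaper:
    def __init__(self, burst_bytes=64_000):
        self._buckets = {}                # mac -> {"up": bucket, "down": bucket}
        self._burst = burst_bytes

    def set_ceiling(self, mac, up_bps, down_bps, now=0.0):
        """Symmetric when up_bps == down_bps, asymmetric otherwise."""
        self._buckets[mac.lower()] = {
            "up": TokenBucket(up_bps, self._burst, now),
            "down": TokenBucket(down_bps, self._burst, now),
        }

    def permit(self, mac, direction, nbytes, now):
        """True if a packet of nbytes in 'up' or 'down' direction may pass now."""
        entry = self._buckets.get(mac.lower())
        if entry is None:
            return True                   # assumption: no ceiling configured -> unshaped
        return entry[direction].allow(nbytes, now)


if __name__ == "__main__":
    shaper = DeviceShaper(burst_bytes=64_000)
    mac = "00:11:22:33:44:55"                     # constructed
    shaper.set_ceiling(mac, up_bps=1_000_000, down_bps=2_000_000)   # asymmetric
    print(shaper.permit(mac, "down", 64_000, now=0.0))   # True: burst allowance
    print(shaper.permit(mac, "down", 1, now=0.0))        # False: bucket empty
    print(shaper.permit(mac, "down", 62_500, now=0.25))  # True: 0.25 s refilled 62,500 B
```

Asymmetric shaping is the common hotspot default (larger downstream than upstream); the design choice to note is that the bucket refills from elapsed time rather than a timer, so a device that stays idle simply accumulates up to the burst size and no per-device timer is needed.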

Billing Records Mirroring

NSE-powered devices can send copies of credit card billing records (and optionally, PMS) to external servers that have been previously defined by system administrators. The NSE assumes control of billing transmissions and the saving of billing records. By effectively “mirroring” the billing data, the NSE can send copies of billing records to predefined “carbon copy” servers. Additionally, if the primary and secondary servers are not responding, the NSE can store up to 2,000 billing records. The NSE regularly attempts to connect with the primary and secondary servers. When a connection is re-established (with either server), the NSE sends the cached information to the server. Customers can be confident that their billing information is secure and that no transaction records are lost.


Bridge Mode

This feature allows complete and unconditional access to devices. When Bridge Mode is enabled, your NSE-powered product is effectively transparent to the network in which it is located.


The NSE forwards any and all packets (except those addressed to the NSE network interface). The packets are unmodified and can be forwarded in both directions. The Bridge Mode function is a very useful feature when troubleshooting your entire network as it allows administrators to effectively “remove” your product from the network without physically disconnecting the unit.

Command Line Interface

The Command Line Interface (CLI) is a character-based user interface that can be accessed remotely or via a direct cable connection. Until your Nomadix product is up and running on the network, the CLI is the Network Administrator’s window to the system. Software upgrades can only be performed from the CLI.

See also “The Management Interfaces (CLI and Web)” on page 49 .

Credit Card

The Credit Card module provides a secure interface over SSL to enable billing via a credit card for High Speed Internet Access (HSIA). This module also includes the Bill Mirror functionality for posting of billing records to multiple sources.

See also:

“Secure Socket Layer (SSL)” on page 20.

“Billing Records Mirroring” on page 10.

Dynamic Address Translation™

Dynamic Address Translation (DAT) enables transparent broadband network connectivity, covering all types of IP configurations (static IP, DHCP, DNS), regardless of the platform or the operating system used—ensuring that everyone gets access to the network without the need for changes to their computer’s configuration settings or client-side software. The NSE supports both PPTP and IPSec VPNs in a manner that is transparent to the user and that provides a more secure standard connection. See also, “Transparent Connectivity” on page 5.

Dynamic Transparent Proxy

The NSE directs all HTTP and HTTPS proxy requests through an internal proxy which is transparent to subscribers (no need for users to perform any reconfiguration tasks). Uniquely, the NSE also supports clients that dynamically change their browser status from non-proxy to proxy, or vice versa. In addition, the NSE supports proxy ports 80, 800-900, 911 and 990 as well as all unassigned ports (for example, ports above 1024), thus ensuring far fewer proxy related support calls than competitive products.


End User Licensee Count

The NSE supports a range of simultaneous user counts depending on the Nomadix Access Gateway you choose. In addition, depending on your platform, various user count upgrades are available for each of our NSE-powered products that allow you to increase the simultaneous user count.

External Web Server Mode

The External Web Server (EWS) interface is for customers who want to develop and use their own content. It allows you to create a “richer” environment than is possible with your product’s embedded Internal Web Server.

The advantages of using an External Web Server are:

Manage frequently changing content from one location.

Serve different pages depending on site, sub-location (for example, VLAN), and user.

Take advantage of the comprehensive Nomadix XML API to implement more complex billing plans.

Recycle existing Web page content for the centrally hosted portal page.

If you choose to use the EWS interface, Nomadix Technical Support can provide you with sample scripts. See also, “Contact Information” on page 353.

Home Page Redirect

The NSE supports a comprehensive HTTP redirect logic that allows network administrators to define multiple instances to intercept the browser’s request and replace it with freely configurable URLs.

Portal page redirect enables redirection to a portal page before the authentication process. This means that anyone will get redirected to a Web page to establish an account, select a service plan, and pay for access. Home Page redirect enables redirection to a page after the authentication process (for example, to welcome a specific user to the service after the user has been identified by the authentication process). See also, “Portal Page Redirect” on page 17.

iNAT™

Nomadix invented a new way of intelligently supporting multiple VPN connections to the same termination at the same time (iNAT™), thus solving a key problem of many public access networks.


Nomadix’ patented iNAT™ (intelligent Network Address Translation) feature contains an advanced, real-time translation engine that analyzes all data packets being communicated between the private address realm and the public address realm.

The NSE performs a defined mode of network address translation based on packet type and protocol (for example, ISAKMP). UDP packet fragmentation is supported to provide a more seamless translation engine for certificate-based VPN connections.

If address translation is needed to ensure the success of a specific application (for example, multiple users trying to access the same VPN termination server at the same time), the packet engine selects an IP address from a freely definable pool of publicly routable IP addresses. The same public IP address can be used as a source IP to support concurrent tunnels to different termination devices—offering unmatched efficiency in the utilization of costly public IP addresses. If the protocol type can be supported without the use of a public IP (for example, HTTP, FTP), our proven Dynamic Address Translation™ functionality continues to be used.

Some of the benefits of iNAT™ include:

Improves the success rate of VPN connectivity by misconfigured users, thus reducing customer support costs and boosting customer satisfaction.

Maintains the security benefits of traditional address translation technologies while enabling secure VPN connections for mobile workers accessing corporate resources from a public access location.

Dynamically adjusts the mode of address translation during the user's session, depending on the packet type.

Supports users with static private IP addresses (for example, 192.168.x.x) or public (different subnet) IP addresses without any changes to the client IP settings.

Dramatically heightens the reusability factor of costly public IP addresses.

Information and Control Console

The Nomadix ICC is an HTML-based pop-up window that is presented to subscribers in their Web browser. The ICC allows subscribers to select their bandwidth and billing options quickly and efficiently from a simple pull-down menu. For credit card accounts, the ICC displays a dynamic “time” field to inform subscribers of the time remaining on their account.


Information and Control Console (ICC)

Additionally, the ICC contains multiple opportunities for an operator to display its branding or the branding of partners during the user’s session, as well as display advertising banners and present a choice of redirection options to their subscribers.

See also:

5-Step Service Branding

Logout Pop-Up Window

Information and Control Console

Initial NSE Configuration (8.2)

See “Installing the Access Gateway” on page 37 for initial installation and configuration instructions.

Internal Web Server

The NSE offers an embedded Internal Web Server (IWS) to deliver Web pages stored in flash memory. These Web pages are configurable by the system administrator by selecting various parameters to be displayed on the internal pages. When providers or HotSpot owners do not want to develop their own content, the IWS is the answer. A banner at the top of each IWS page is configurable and contains the customer's company logo or any other image file they desire.

To support PDAs and other hand-held devices, the NSE automatically formats the IWS pages to a screen size that is optimal for the particular device being used.

See also:

5-Step Service Branding.

International Language Support.

International Language Support

The NSE allows you to define the text displayed to your users by the IWS without any HTML or ASP knowledge. The language you select determines the language encoding that the IWS instructs the browser to use. See also, “Internal Web Server” on page 14.

NSE 8.2 also allows you to change the language of the Web Management Interface text. See “Selecting the language of the Web Management Interface” on page 74.

The available language options are:

English

Chinese (Big 5)

French

German

Japanese (Shift_JIS)

Spanish

Other, with drop-down menu

IP Upsell

System administrators can set two different DHCP pools for the same physical LAN. When DHCP subscribers select a service plan with a public pool address, the NSE associates their MAC address with their public IP address for the duration of the service level agreement. The opposite is true if they select a plan with a private pool address. This feature enables a competitive solution and is an instant revenue generator for ISPs.

The IP Upsell feature solves a number of connectivity problems, especially with regard to L2TP and certain video conferencing and online gaming applications.

The 8.2 NSE provides additional flexibility for configuring upsell scenarios. Users can be assigned WANs of different bandwidth capabilities; for example, hotel guests with loyalty memberships can qualify for premium services.

Load Balancing (8.2)

The 8.2 NSE provides load balancing as an optional module. See “Load Balancing and Link Failover” on page 26 for a more complete description and typical use cases.


Logout Pop-Up Window

As an alternative to the ICC, the NSE delivers an HTML-based pop-up window with the following functions:

Provides the opportunity to display a single logo.

Displays the session’s elapsed/count-down time.

Presents an explicit Logout button.

See also, “Information and Control Console” on page 13 .

MAC Filtering

MAC Filtering enhances Nomadix' access control technology by allowing system administrators to block malicious users based on their MAC address. Up to 50 MAC addresses can be blocked at any one time. See also, “Session Rate Limiting (SRL)” on page 20.

Multi-Level Administration Support

The NSE allows you to define 2 concurrent access levels to differentiate between managers and operators, where managers are permitted read/write access and operators are restricted to read access only.

Once the logins have been assigned, managers have the ability to perform all write commands (Submit, Reset, Reboot, Add, Delete, etc.), but operators cannot change any system settings.

When Administration Concurrency is enabled, one manager and three operators can access the Access Gateway platform at any one time.

Multi-WAN Interface Management (8.2)

The 8.2 NSE supports multiple independently configurable WAN interfaces, to optimize ISP resource allocation, and provide load balancing (optional), fail-over and upsell capabilities.

NTP Support

The NSE supports Network Time Protocol (NTP), an Internet standard protocol that assures accurate synchronization (to the millisecond) of computer clock times in a network of computers. NTP synchronizes the client’s clock to the U.S. Naval Observatory master clocks.

Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock.


Portal Page Redirect

The NSE contains a comprehensive HTTP page redirection logic that allows for a page redirect before (Portal Page Redirect) and/or after the authentication process (Home Page Redirect).

As part of the Portal Page Redirect feature, the NSE can send a defined set of parameters to the portal page redirection logic that allows an External Web Server to perform a redirection based on:

Access Gateway ID and IP Address

Origin Server

Port Location

Subscriber MAC address

Externally hosted RADIUS login failure page

This means that the network administrator can now perform location-specific service branding (for example, an airport lounge) from a centralized Web server.

See also, “Home Page Redirect” on page 12.

RADIUS-driven Auto Configuration

Nomadix’ unique RADIUS-driven Auto Configuration functionality utilizes the existing infrastructure of a mobile operator to provide an effortless and rapid method for configuring devices for fast network roll-outs. Once configured, this methodology can also be effectively used to centrally manage configuration profiles for all Nomadix devices in the public access network.

Two subsequent events drive the automatic configuration of Nomadix devices:

1. A flow of RADIUS Authentication Request and Reply messages between the Nomadix gateway and the centralized RADIUS server that specifies the location of the meta configuration file (containing a listing of the individual configuration files and their download frequency status), which is downloaded from an FTP server into the flash of the Nomadix device.

2. The automated login into the centralized FTP server and the actual download process into the flash.

Optionally, the RADIUS authentication process and FTP download can be secured by sending the traffic through a peer-to-peer IPSec tunnel established by the Nomadix gateway and terminated at the NOC (Network Operations Center). See also, “Secure Management” on page 19.


(8.2) The 8.2 NSE provides a RADIUS VSA that supports assigning specific users to a specific WAN interface. See “Defining Automatic Configuration Settings {Auto Configuration}” on page 90.

RADIUS Client

Nomadix offers an integrated RADIUS (Remote Authentication Dial-In User Service) client with the NSE allowing service providers to track or bill users based on the number of connections, location of the connection, bytes sent and received, connect time, etc. The customer database can exist in a central RADIUS server, along with associated attributes for each user. When a customer connects into the network, the RADIUS client authenticates the customer with the RADIUS server, applies associated attributes stored in that customer's profile, and logs their activity (including bytes transferred, connect time, etc.). The NSE's RADIUS implementation also handles vendor specific attributes (VSAs), required by WISPs that want to enable more advanced services and billing schemes, such as a per device/per month connectivity fee. See also, “RADIUS Proxy” on page 18.

RADIUS Proxy

The RADIUS Proxy feature relays authentication and accounting packets between the parties performing the authentication process. Different realms can be set up to directly channel RADIUS messages to the various RADIUS servers. This functionality can be effectively deployed to:

Support a wholesale WISP model directly from the edge without the need for any centralized AAA proxy infrastructure.

Support EAP authenticators (for example, WLAN APs) on the subscriber-side of the NSE to transparently proxy all EAP types (TLS, SIM, etc.) and to allow for the distribution of per-session keys to EAP authenticators and supplicants.

Complementing the RADIUS Proxy functionality is the ability to route RADIUS messages depending on the Network Access Identifier (NAI). Both prefix-based (for example, ISP/[email protected]) and suffix-based ([email protected]) NAI routing mechanisms are supported. Together, the RADIUS Proxy and Realm-Based Routing further support the deployment of the Wholesale Wi-Fi™ model allowing multiple providers to service one location. See also, “RADIUS Client” on page 18.

Realm-Based Routing

Realm-Based Routing provides advanced NAI (Network Access Identifier) routing capabilities, enabling multiple service providers to share a HotSpot location, further supporting a Wi-Fi wholesale model. This functionality allows users to interact only with their chosen provider in a seamless and transparent manner.
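The routing decision behind the RADIUS Proxy and Realm-Based Routing sections above is a small NAI parser plus a realm-to-server table. The block below is an added example written for this page, not NSE code: it recognises both the prefix form (`isp/user@domain`) and the suffix form (`user@domain`) the guide names, and picks the upstream RADIUS server from the realm. The class and function names, the rule that a prefix realm takes precedence over a suffix realm, case-insensitive realm matching, the fallback to a default server, and every realm, server address, secret and sample NAI are constructed assumptions.

```python
"""Added example (not Nomadix code): realm-based routing of RADIUS requests by
Network Access Identifier (NAI).  A prefix realm is the text before the first
'/', a suffix realm the text after the last '@'.  The realm selects which
upstream RADIUS server (and shared secret) the proxy relays to, so several
providers can share one hotspot.  Precedence (prefix before suffix), case
folding and the default-server fallback are assumptions of this example; all
realm names, addresses, secrets and NAIs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusServer:
    host: str
    port: int
    secret: bytes          # shared secret for that provider's server


def split_nai(nai):
    """Return (prefix_realm, user, suffix_realm); absent parts are None.

    'ispa/alice@home.example' -> ('ispa', 'alice', 'home.example')
    'bob@ispb.example'        -> (None, 'bob', 'ispb.example')
    'carol'                   -> (None, 'carol', None)
    """
    prefix = None
    rest = nai.strip()
    if "/" in rest:
        prefix, rest = rest.split("/", 1)
    user, sep, suffix = rest.rpartition("@")
    if not sep:                       # no '@' at all: whole remainder is the user
        user, suffix = rest, None
    return (prefix or None, user, suffix or None)


class RealmRouter:
    """Maps prefix and suffix realms to RADIUS servers; unknown realms go to
    the default server (which may be None, meaning the request is dropped)."""

    def __init__(self, default=None):
        self._prefix = {}
        self._suffix = {}
        self._default = default

    def add_prefix_realm(self, realm, server):
        self._prefix[realm.lower()] = server

    def add_suffix_realm(self, realm, server):
        self._suffix[realm.lower()] = server

    def route(self, nai):
        prefix, _user, suffix = split_nai(nai)
        if prefix and prefix.lower() in self._prefix:   # explicit provider choice wins
            return self._prefix[prefix.lower()]
        if suffix and suffix.lower() in self._suffix:
            return self._suffix[suffix.lower()]
        return self._default


if __name__ == "__main__":
    local = RadiusServer("radius.venue.example", 1812, b"venue-secret")    # constructed
    isp_a = RadiusServer("198.51.100.10", 1812, b"isp-a-secret")          # constructed
    isp_b = RadiusServer("198.51.100.20", 1812, b"isp-b-secret")          # constructed
    router = RealmRouter(default=local)
    router.add_prefix_realm("ispa", isp_a)
    router.add_suffix_realm("ispb.example", isp_b)
    for nai in ("ispa/alice@home.example", "bob@ispb.example", "carol"):
        print(nai, "->", router.route(nai).host)
```

Each realm carries its own shared secret, which is the operational reason to route by realm rather than forward everything to one AAA proxy: the venue never needs a provider's secret beyond the one it uses to reach that provider's own server.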


Remember Me and RADIUS Re-Authentication

The NSE’s Internal Web Server (IWS) stores encrypted login cookies in the browser to remember logins, using usernames and passwords. This “Remember Me” functionality creates a more efficient and better user experience in wireless networks.

The RADIUS Re-Authentication buffer has been expanded to 720 hours, allowing an even more seamless and transparent connection experience for repeat users.

Secure Management

There are many different ways to configure, manage and monitor the performance and up-time of network devices. SNMP, Telnet, HTTP and ICMP are all common protocols to accomplish network management objectives. And within those objectives is the requirement to provide the highest level of security possible.

While several network protocols have evolved that offer some level of security and data encryption, the preferred method for attaining maximum security across all network devices is to establish an IPSec tunnel between the NOC (Network Operations Center) and the edge device (early VPN protocols such as PPTP have been widely discredited as a secure tunneling method).

As part of Nomadix’ commitment to provide outstanding carrier-class network management capabilities to its family of public access gateways, we offer secure management through the NSE’s standards-driven, peer-to-peer IPSec tunneling with strong data encryption.

Establishing the IPSec tunnel not only allows for the secure management of the Nomadix gateway using any preferred management protocol, but also the secure management of third party devices (for example, WLAN Access Points and 802.3 switches) on private subnets on the subscriber side of the Nomadix gateway. See also, “Defining IPSec Tunnel Settings” on page 179.

Two subsequent events drive the secure management function of the Nomadix gateway and the devices behind it:

1. Establishing an IPSec tunnel to a centralized IPSec termination server (for example, Nortel Contivity). As part of the session establishment process, key tunnel parameters are exchanged (for example, Hash Algorithm, Security Association Lifetimes, etc.).

2. The exchange of management traffic, either originating at the NOC or from the edge device, through the IPSec tunnel. Alternatively, AAA data such as RADIUS Authentication and Accounting traffic can be sent through the IPSec tunnel. See also, “RADIUS-driven Auto Configuration” on page 17.

The advantage of using IPSec is that all types of management traffic are supported, including the following typical examples:

ICMP - PING from NOC to edge devices

Telnet - Telnet from NOC to edge devices

Web Management - HTTP access from NOC to edge devices

SNMP
    SNMP GET from NOC to subscriber-side device (for example, AP)
    SNMP SET from NOC to subscriber-side device (for example, AP)
    SNMP Trap from subscriber-side device (for example, AP) to NOC

Secure Socket Layer (SSL)

This feature allows for the creation of an end-to-end encrypted link between your NSE-powered product and wireless clients by enabling the Internal Web Server (IWS) to display pages under a secure link. This is important when transmitting AAA information in a wireless network when using RADIUS.

SSL requires service providers to obtain digital certificates to create HTTPS pages.

Instructions for obtaining certificates are provided by Nomadix.

Secure XML API

XML (Extensible Markup Language) is used by the subscriber management module for user administration. The XML interface allows the NSE to accept and process XML commands from an external source. XML commands are sent over the network to your NSE-powered product which executes the commands, and returns data to the system that initiated the command request. XML enables solution providers to customize and enhance their product installations.

This feature allows the operator to use Nomadix' popular XML API using the built-in SSL certificate functionality in the NSE so that parameters passed between the Gateway and the centralized Web server are secured via SSL.

If you plan to implement XML for external billing, please contact technical support for the XML specification of your product. Refer to “Contact Information” on page 353.

Session Rate Limiting (SRL)

Session Rate Limiting (SRL) significantly reduces the risk of “Denial of Service” attacks by allowing administrators to limit the number of sessions any one user can open over a given time period and, if necessary, then block malicious users.


Session Termination Redirect

Once connected to the public access network, the NSE will automatically redirect the customer to a Web site for local or personalized services if the customer logs out or the customer’s account expires while online and the goodbye page is enabled. In addition, the NSE also provides pre- and post-authentication redirects as well as one at session termination.

Smart Client Support

The NSE supports the authentication mechanisms used by Smart Clients from companies such as Adjungo Networks, Boingo Wireless, GRIC and iPass.

SNMP Nomadix Private MIB

Nomadix’ Access Gateways can be easily managed over the Internet with an SNMP client manager (for example, HP OpenView or Castle Rock).

To take advantage of the functionality provided with Nomadix’ private MIB (Management Information Base), simply import the nomadix.mib file from the Accessories CD (supplied with the product) to view and manage SNMP objects on your product.

See also:

Using an SNMP Manager

Installing the Nomadix Private MIB

Static Port Mapping

This feature allows the network administrator to set up a port mapping scheme that forwards packets received on a specific port to a particular static IP (typically private and misconfigured) and port number on the subscriber side of the NSE. The advantage for the network administrator is that free private IP addresses can be used to manage devices (such as Access Points) on the subscriber side of the NSE without setting them up with Public IP addresses.

Tri-Mode Authentication

The NSE enables multiple authentication models providing the maximum amount of flexibility to the end user and to the operator by supporting any type of client entering their network and any type of business relationship on the back end. For example, in addition to supporting the secure browser-based Universal Access Method (UAM) via SSL, Nomadix is the only company to simultaneously support port-based authentication using IEEE 802.1x and authentication mechanisms used by Smart Clients. MAC-based authentication is also available.

See also:

Access Control and Authentication

Smart Client Support

URL Filtering

The NSE can restrict access to specified Web sites based on URLs defined by the system administrator. URL filtering will block access to a list of sites and/or domains entered by the administrator using the following three methods:

Host IP address (for example, 1.2.3.4).

Host DNS name (for example, www.yahoo.com).

DNS domain name (for example, *.yahoo.com, meaning all sites under the yahoo.com hierarchy, such as finance.yahoo.com, sports.yahoo.com, etc.).

The system administrator can dynamically add or remove up to 300 specific IP addresses and domain names to be filtered for each property.
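The following Python matcher is an added example (not Nomadix code) of the three entry forms listed above and the 300-entry limit; how the NSE itself normalises and matches entries is not documented here, so the matching rules (case folding, trailing-dot handling, the apex being covered by a wildcard) are assumptions.

```python
"""Added example (not Nomadix code): a matcher for the three URL-filter entry
forms the guide lists (host IP, host DNS name, *.domain wildcard) with the
300-entry-per-property limit. Matching rules are assumptions, not NSE behaviour."""
import ipaddress

MAX_ENTRIES = 300   # per-property limit stated in the guide


class UrlFilter:
    def __init__(self):
        self.ips = set()       # host IP addresses, e.g. 1.2.3.4
        self.hosts = set()     # exact DNS names, e.g. www.yahoo.com
        self.domains = set()   # wildcard entries stored without "*.", e.g. yahoo.com

    @staticmethod
    def _norm(value):
        # case-insensitive and trailing-dot-insensitive comparison (assumption)
        return value.strip().lower().rstrip(".")

    def count(self):
        return len(self.ips) + len(self.hosts) + len(self.domains)

    def add(self, entry):
        """Classify the entry by its form and store it. Returns False (and
        stores nothing) once the per-property limit is reached."""
        if self.count() >= MAX_ENTRIES:
            return False
        entry = self._norm(entry)
        if entry.startswith("*."):
            self.domains.add(entry[2:])
            return True
        try:
            self.ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:          # not an IP literal, so treat as a host name
            self.hosts.add(entry)
        return True

    def remove(self, entry):
        entry = self._norm(entry)
        if entry.startswith("*."):
            self.domains.discard(entry[2:])
        else:
            self.hosts.discard(entry)
            self.ips.discard(entry)

    def blocked(self, host):
        """True if the requested host (DNS name or literal IP) matches an entry.
        A name entry matches only requests made by that name; a server that is
        also reachable by its address needs an IP entry as well, so operators
        who want a site fully covered usually list both forms."""
        host = self._norm(host)
        try:
            return str(ipaddress.ip_address(host)) in self.ips
        except ValueError:
            pass
        if host in self.hosts:
            return True
        # *.yahoo.com covers finance.yahoo.com, sports.yahoo.com and deeper
        # labels; this model also treats the apex yahoo.com as covered (assumption).
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))
```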

Walled Garden

The NSE provides up to 300 IP passthrough addresses (and/or DNS entries), allowing you to create a “Walled Garden” within the Internet where unauthenticated users can be granted or denied access to sites of your choosing.

Web Management Interface

Nomadix’ Access Gateways can be managed remotely via the built-in Web Management Interface where various levels of administration can be established. See also, “Using the Web Management Interface (WMI)” on page 74.


Optional NSE Modules

Load Balancing (8.2)

Load Balancing requires an optional NSE product license

With the 8.2 NSE Load Balancing Module, Internet traffic is balanced across multiple WAN/ISP connections to ensure that traffic is distributed based on the capability of each connection.

This is of value when multiple links are used to optimize the cost of Internet service, for example by balancing traffic between one low-cost DSL WAN/ISP and one high-performance, high-capacity WAN/ISP. Hotels may also use this capability to provide tiered services reflecting the capacity of the WAN/ISP connection.

The Link Failover feature of the Load Balancing Module is designed to improve business continuity. In the event that one or more links fail, traffic is seamlessly rerouted to the remaining surviving links without lapse of service. When the failed links recover, the NSE routes new connections toward the now-working links until a normal, balanced configuration is reached.

For details of the Load Balancing capabilities and sample use cases, see “Load Balancing and Link Failover” on page 26.

Hospitality Module

The optional Hospitality Module provides the widest range of Property Management System (PMS) interfaces to enable in-room guest billing for High Speed Internet Access (HSIA) service. This module also includes 2-Way PMS interface capability for in-room billing in a Wi-Fi enabled network. In addition, the Hospitality Module includes the Bill Mirror functionality for posting of billing records to multiple sources. With this module, the NSE also supports billing over a TCP/IP connection to select PMS interfaces.


PMS Integration

Your product license may not support this feature.

Some Property Management Systems may require you to obtain a license before integrating the PMS with the Access Gateway. Check with the PMS vendor.

By integrating with a hotel’s PMS, your NSE-powered product can post charges for Internet access directly to a guest’s hotel bill. In this case, the guest is billed only once. The NSE outputs a call accounting record to the PMS system whenever a subscriber purchases Internet service and decides to post the charges to their room. Nomadix’ Access Gateways are equipped with a serial PMS interface port to facilitate connectivity with a customer’s Property Management System.

High Availability Module

Your product license may not support this feature.

The optional High Availability Module offers enhanced network uptime and service availability when delivering high-quality Wi-Fi service by providing Fail-Over functionality.

This module allows a secondary Nomadix Access Gateway to be placed in the network that can take over if the primary device fails, ensuring Wi-Fi service remains uninterrupted.


Network Architecture (Sample)

The Access Gateway can be deployed effectively in a variety of wireless and wired broadband environments where there are many users—usually mobile—who need high speed access to the Internet.

The following example shows a potential Hospitality application:

[Figure: sample Hospitality network showing Phone, Laptop, PMS, DSL Modem, DSLAM, PBX, AG (Access Gateway) and Router.]


Load Balancing and Link Failover (8.2)

This section describes the optional NSE 8.2 Load Balancing features. The 8.2 NSE supports individual configuration of multiple WANs on an Access Gateway (supported on AG2400, AG5600, and AG5800 hardware). Hotels can use this capability in a number of ways, including load balancing, failure protection, and subscriber allocation.

This section provides use cases and scenarios to help you consider the full advantage of these capabilities.

Definitions and Concepts

Load Balancing

Load balancing refers to the general process of balancing user traffic across multiple ISP connections. All load-balancing appliances, as well as the Nomadix NSE, support load balancing.

Link Aggregation

Link aggregation refers to the process of connecting multiple ISP connections to an appliance and having the sum of all of the ISP bandwidth available to be shared across all users.

However, one individual connection is limited to the speed of the ISP connection that is currently being used. For example, a hotel may aggregate 5 x 1.5Mbps DSL connections together. This means that a total of 7.5Mbps of bandwidth is available to be shared across all users, but a single user can receive a maximum of 1.5Mbps. All load-balancing appliances, as well as the Nomadix NSE, support link aggregation. In most cases, link aggregation and load balancing are effectively the same thing.

Link Failover

Link failover (sometimes referred to as ISP redundancy) is the process of providing a second (or occasionally a third or more) ISP link as a backup to the primary ISP link. In the event that the primary link fails, all traffic is re-routed to the backup link until such time as the primary link becomes available again.

Combined Load Balancing and Link Failover

This is the process where both load balancing and link failover are combined together. It represents the best of both worlds. Where multiple ISP links are used in load balancing mode, in the event that one or more links fail, all traffic is automatically rerouted to the remaining surviving links. When the failed links recover, new connections are routed toward these until the normal balanced configuration is reached.


ISP Link Selection Criteria

In a load-balancing scenario, some criteria must be used to decide which ISP is selected for outgoing traffic. There are a number of factors that influence this decision, including:

Identity of the users: is a random ISP selection used, or is it desirable to have certain users steered toward a particular ISP?

For random ISP selection: whether subscriber-based, destination-address-based or session-based link selection is used.

User-Based ISP Selection versus Random ISP Selection

User-based ISP selection is the process whereby the ISP link that is selected in a load-balanced environment is based on the identity of the user. For example, all users from guest rooms may be steered toward one ISP link, and all meeting room users steered toward another ISP link that is only used for meetings and conferences.

The alternative is to use random ISP selection, whereby the load balancer or NSE selects the ISP to be used according to the current load conditions. The Nomadix NSE uses random ISP selection by default.

Link Availability Detection Method and Time

Load balancing and failover requires some form of monitoring of each ISP link to determine its availability for executing load balancing and failover decisions. Generally, link monitoring is accomplished by two different methods:

1. Periodic probing of predefined hosts using HTTP or ICMP ping requests.

2. Periodic DNS queries to the DNS servers provided by each ISP.

The period between successive link tests is usually configurable, and is typically set to between 30 seconds and 60 seconds. This represents the maximum time for which a user will remain connected to a failed ISP connection before being re-routed to a working ISP link in an ISP failure scenario.

Traffic Balancing and Weighting

Load balancers have some form of weighting of traffic between links to achieve a desired balance scenario. With the Nomadix NSE, traffic is balanced by individual subscriber numbers, and weighted according to the speed of the ISP connected to each port. For example, if an NSE has 2 x 10M links connected and currently has 100 active subscribers, then 50 users would be connected to each link. If the ISP links were 10 Mbps and 40Mbps, then 20 users would be connected to the 10M link and 80 users to the 40M link, and so on.


Load Rebalancing upon Link Recovery

Load balancing and failover with well-configured link availability detection provides fast and effective recovery from ISP link failures. Additional consideration must be given to what actions should be taken when a failed ISP link recovers. The Nomadix approach is to rebalance as the ISP links change, thus making sure the maximum level of service is always provided. There is a small yet important waiting time to ensure that link changes are kept to a minimum.

Load Balancing and Failure Considerations

1. Is load balancing or just ISP failover required?

2. Is aggregation of multiple low-speed links required?

3. How reliable are the different local ISP services?

4. What are the relative costs of the different ISP services?

5. Do ISP links need to be shared between guest and back-office users?

6. Is there a requirement to have certain users connected to a particular ISP?

1. It may be a requirement to provide just a backup service to the primary ISP service in the case that the main HSIA ISP fails. The backup service may be on a pay-to-use basis through a 3G or 4G wireless modem, or be a low-cost, lower-tier service, such as a cable modem service, that is only used when the main ISP link is down, on the basis that providing a reduced HSIA service is better than no service at all when the main ISP link is down. Alternatively, the organization may have multiple ISP links, and wants to be able to fully utilize all of them under normal conditions. The Nomadix NSE supports both failover only and combined load balancing with failover.

2. In some instances, suitable high-speed internet services required to meet the aggregate needs of the organization may not be available or are simply too expensive. In this case it may be desirable to aggregate multiple lower-cost, lower-speed lines together. The Nomadix AG2400 and AG5600 can aggregate services from up to three ISP links, and the AG5800 can handle up to five links.

3. It is important to consider the relative quality of each ISP link. If a second link is much lower quality than the main ISP link, then it should only be used as a back-up link in failover mode, and not in a load-balanced environment. If the quality of the links is much the same, then load balancing with failover should be used.

4. It is important to consider the relative cost of links. If all links have a fixed monthly charge, then ideally they should be used in a load-balanced mode, so that costly links are not sitting unused most of the time. But if an ISP link has a relatively low monthly charge with high per-megabyte data usage charges, then it should only be used in failover mode as a backup to a main ISP link.


5. It may be a requirement to share ISP bandwidth between Guest HSIA and Hotel Admin networks, or to have each network available as a fall-back network for the other. Both scenarios can be handled with the Nomadix NSE.

6. It may be desirable to have certain users connected to a particular ISP link, and other users connected to a different ISP link. Nomadix 8.2 NSE provides a "preferred WAN" radius attribute (VSA). For example, paying users may be connected to an expensive high-quality link, with free users connected to a lower-quality link, with link failover still available if the preferred link fails.

Some typical deployment scenarios are outlined below. These are just examples; other deployment scenarios can be handled as well.

Load Balancing across Multiple Low Speed Links

In this example, an establishment has access to only low-speed, DSL-based ISP circuits and wishes to aggregate five such links together. The Nomadix NSE is configured with load balancing between all links.

Failover to Standby ISP Link

In this example, the organization has a high-quality 100M Ethernet service. But to guarantee continuous HSIA service, the organization has a back-up ISP service from a low-cost wireless provider, which charges on a data volume basis. The organization only wishes for this link to be used when the main ISP circuit is not available.

The Nomadix NSE is configured for failover only from the WAN to port Eth2 on the NSE.


Separate Guest HSIA and Admin ISP Links, with Failover Between Each ISP Link

In this scenario, the hotel has separate HSIA and Hotel Admin ISP circuits. Under normal circumstances, Guests will be connected to the Guest HSIA ISP, and Hotel Admin users will connect to the Admin ISP. If either link fails, then failover to the other link will occur. If the Guest HSIA link fails, the guests will be connected to the Admin ISP link until the Guest HSIA link is restored. If the Admin ISP link fails, the Admin users will be connected to the Guest HSIA link until the Admin ISP is restored.

The Nomadix NSE is configured with load balancing and failover. All Guests use ISP 1 as the preferred WAN, the Admin network router uses ISP2 as the preferred WAN.


Guest HSIA Failover Only, to Admin Network

In this scenario, the hotel has separate ISP circuits for the Guest HSIA network and Hotel Admin network. The hotel wants the Admin network to be available as a back-up link in case the Guest HSIA ISP link fails. There is no back-up for the Admin ISP network.

The Nomadix NSE is configured with link failover between the WAN port and port ETH2, which is connected to the hotel Admin network router.


Sharing of Guest HSIA Network and Hotel Admin Network Amongst Multiple ISP Links

In this scenario, multiple ISP links are connected to the Nomadix NSE, in a similar method to the first scenario, but both the guest HSIA network and the Hotel Admin network are connected to the NSE and share the aggregate bandwidth of the combined ISP links.

The Nomadix NSE is configured for load balancing, and the back office router's MAC address is registered as a device in the NSE with an appropriate bandwidth limit.


Load Balancing With Users Connected to a Preferred ISP Link

In this scenario the hotel has purchased 2 x ISP links for guest HSIA. One is a high-quality, high-cost "business grade" ISP circuit, and the other is a low-cost, lower-grade domestic service provided by the local cable TV operator. The hotel has a number of bill plan options including free-to-use and pay-to-use premium plans. Under normal circumstances, the hotel wants guests who have selected a free plan to use the low-cost link, and guests who have selected a premium service to use the higher-cost, business-grade ISP connection. If either link fails, guests should fail over to the other link until the preferred link is restored.


Online Help (WebHelp)

The Access Gateway incorporates an online Help system called “WebHelp” which is accessible through the Web Management Interface (when a remote Internet connection is established following a successful installation). WebHelp can be viewed on any platform (for example, Windows, Macintosh, or UNIX-based platforms) using either Internet Explorer or Netscape Navigator (see note).

WebHelp is useful when you have an Internet connection to the Access Gateway and you want to access information quickly and efficiently. It contains all the information you will find in this User Guide.

For more information about WebHelp and other online documentation resources, go to “Online Documentation and Help” on page 53.

Notes, Cautions, and Warnings

The following formats are used throughout this User Guide:

General notes and additional information that may be useful are indicated with a Note.

Cautions and warnings are indicated with a Caution. Cautions and warnings provide important information to eliminate the risk of a system malfunction or possible damage.
