BROWAN COMMUNICATIONS 1
Public Access Control Gateway
Copyright
© 2002-2007 BROWAN COMMUNICATIONS.
This DOCUMENT is copyrighted with all rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form by any means without the written permission of BROWAN.
Notice
BROWAN reserves the right to change specifications without prior notice.
While the information in this document has been compiled with great care, it may not be deemed an assurance of product characteristics. BROWAN shall be
liable only to the degree specified in the terms of sale and delivery.
The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization
from BROWAN.
Trademarks
The product described in this book is a licensed product of BROWAN.
Microsoft, Windows 95, Windows 98, Windows Millennium, Windows NT, Windows 2000, Windows XP, and MS-DOS are registered trademarks of the
Microsoft Corporation.
All other brand and product names are trademarks or registered trademarks of their respective holders.
Contents
Copyright ... 3
Notice ... 3
Trademarks ... 4
CONTENTS ... 5
Purpose ... 16
Service Differentiation ... 20
Privacy ... 20
Management Options ... 21
Features Highlight ... 21
AAA ... 21
VPN ... 22
Management ... 23
Hardware Introduction ... 26
LED ... 28
Connectors ... 28
Access the Browan Public Access Control Gateway by Web interface ... 32
UAT Principle ... 41
Login Page ... 44
Logout Page ... 46
Unauthorized Page ... 48
FAQ ... 65
Introduction ... 66
Login ... 70
Connection ... 71
Network ... 72
User ... 75
Status ... 77
System ... 79
Telnet ... 80
Reboot ... 81
Reset ... 81
Exit ... 81
Introduction ... 82
SNMP Agent ... 85
Network Interface ... 93
APPENDIX ... 217
Login.xsl ... 279
Help.html ... 285
Hardware installers should have a working knowledge of basic electronics and mechanical assembly, and should understand the related local building codes.
Network administrators should have a solid understanding of software installation procedures for network operating systems under Microsoft Windows 95,
98, Millennium, 2000, NT, and Windows XP, as well as general networking operations and troubleshooting knowledge.
bold      Menu commands, buttons and input fields are displayed in bold
code      File names, directory names, form names, and system-generated output such as error messages are displayed in constant-width type
<value>   Placeholder for certain values, e.g. user inputs
[value]   Input field format, limitations, and/or restrictions
manuals@browan.com
Chapter 1 – Introduction
Thank you for choosing the Browan Public Access Control Gateway.
The Browan Public Access Control Gateway is a stand-alone network device designed to provide user-friendly public access services for Hot-Spots. It
integrates authentication, accounting, and security mechanisms that enable operators to instantly deliver commercial internet services to customers.
Product Overview
The Browan Public Access Control Gateway provides multiple secure authentication methods, from standard web browser login to certificates or SIM cards.
Together with an AP, the Public Access Control Gateway can also serve as an 802.1x/EAP authentication server with RADIUS-proxy functionality. All
authentication and accounting information can be transferred to an operator's RADIUS server via an encrypted tunnel. The Browan Public Access Control
Gateway collects all the real-time billing and account information, such as online time and transfer volume. Multiple billing plans (pre-paid time, pre-paid
volume, flat-rate and so on) can be handled for a large number of simultaneous users.
Service Differentiation
The integrated Web server of the Browan Public Access Control Gateway allows flexible interaction with common web application servers, facilitating the
provisioning of differentiated services with bandwidth management, location based and personalized services. Inter-Provider roaming and multi-OSS support
are guaranteed by the persistent usage of standardized protocols and interfaces like RADIUS, HTTPS and XML. Browan Public Access Control Gateway is
compliant with the recommendations of the Wi-Fi Alliance WISP roaming group.
Remote Control
The Browan Public Access Control Gateway allows operators to provide cost-effective public Wi-Fi services by managing user access control, device
configuration, and radio performance centrally from the operations centre. HTTPS, telnet, SSH or SNMP over VPN provide secure remote
management.
Privacy
Browan Public Access Control Gateway supports different levels of security and data encryption. Client stations can be separated at the link layer (Layer2 User
Isolation), preventing intruders from accessing the hard discs of other users. User credentials (passwords) are protected by SSL or EAP-based authentication
methods. User traffic can be encrypted by VPNs (pass-through). Operators and service providers can make use of the integrated VPN/tunneling protocols to
protect AAA and management traffic.
Management Options
You can use the Public Access Control Gateway management systems through the following interfaces:
Web-browser interface
Command Line interface (CLI)
Simple Network Management Protocol (SNMP v1, v2, v3)
The Public Access Control Gateway management system pages are organized in the same way for the web-browser interface and the CLI. This user manual
provides a detailed description of each management option.
Features Highlight
AAA
Multiple authentication methods: UAM, 802.1x/EAP, RADIUS, MAC, Smart Client (e.g. iPass)
WISPr compliant
Internal and external accounting backups
Internal or external web server
Remote user login, logout, session status control via https/XML
AAA proxy server (for simultaneous EAP and UAM)
VPN
LAN switch
Management
Chapter 2 – Installation
This chapter provides the installation instructions for the hardware and software components of the Browan Public Access Control Gateway. The contents of
this chapter include the following procedures and tasks:
If any of these items are missing or damaged, please contact your reseller or Browan sales representative immediately.
Hardware Introduction
The front panel of the Browan Public Access Control Gateway contains:
Figure3 Back Panel Socket
The back panel of the Browan Public Access Control Gateway contains: power socket and switch, fans.
LED
There are two LEDs for SFP link status which are located on the front panel of the Browan Public Access Control Gateway.
Connectors
The Browan Public Access Control Gateway has several connectors on the front panel:
The Browan Public Access Control Gateway has several connectors on the back panel:
1. Product name
2. The Browan Public Access Control Gateway has passed the requirements of the FCC.
Hardware Installation
Step 1 Place the Public Access Control Gateway either on a flat work surface or in a 19-inch rack using the enclosed mounting kit.
Step 2 Connect one Ethernet patch cable to the port for LAN interface of the Browan Public Access Control Gateway and to a free hub port on your local
network.
Step 3 Connect one Ethernet patch cable to the port for WAN interface of the Browan Public Access Control Gateway and to an Ethernet port of a
broadband Internet modem or router.
Step 4 Connect the power cord to the Browan Public Access Control Gateway, and switch the power ON.
Step 5 Wait a few seconds until the boot process is finished.
Software Introduction
First Configuration
Make the first web browser connection to the Browan Public Access Control Gateway by entering its IP address (default network settings) into the
browser. The default network settings for a new Browan Public Access Control Gateway are:
IP address: 192.168.2.0
https://192.168.2.66/a.rg
Figure5 Local Area Connection
Step 2: Enter the Browan Public Access Control Gateway administrator login
credential to access the Web management interface.
Username: admin
Password: admin01
Step 3: After successfully logging on as administrator, you will see the Web
interface which shows the system status of the Browan Public
Access Control Gateway.
If DHCP client or PPPoE is selected as a dial-up protocol for the WAN interface, the WAN settings of this table will be overwritten by the values
retrieved from the Internet Provider.
In the network interface | DNS menu, you can specify your local domain name server or enter the DNS server provided by your ISP (Internet Service Provider).
Figure12 DNS Redirection
DNS is set automatically if provided by the ISP dynamically via DHCP or PPPoE.
For automatic IP assignments to client stations, set the DHCP settings in the network interface | DHCP menu according to your TCP/IP configuration in
step 1. Only use address ranges within the corresponding IP subnet of the LAN interface. In addition you can switch on the Universal Address
Translation function in the system | access | UAT menu. With UAT, users do not need to change their local TCP/IP settings to log on to the Browan
Public Access Control Gateway. The Browan Public Access Control Gateway will translate fixed IP numbers used in private networks transparently for the
user.
Figure13 UAT introduction
In the network interface | RADIUS settings menu, you could first define the
local settings of the integrated RADIUS client of the Browan Public Access
Control Gateway. For example you could modify timeouts and the NAS
server ID (name of the RADIUS client):
You have full flexibility to modify and adapt all these pages according to your
personal designs. For initial set up and testing, using the default configuration
which will present a simple login window with input fields for username and
password is recommended.
Enter any start page you like in the user interface | start page menu. In addition you can define a number of free web sites in the walled garden
table on the user interface menu.
Figure17 Start Page
If you have an SMTP mail server available for your subscribers, you might need to enter its IP address and SMTP port number in the connection |
e-mail redirection menu. Thus all the outgoing e-mails passing through the
Figure19 connection | e-mail redirection
Make sure you have saved your changes from each of the seven steps above, and then click the restart button in the system | reset menu. A few
seconds later you can re-load the admin pages or start to log on to the Browan Public Access Control Gateway as a user.
Figure20 system | reset
After users have connected to the LAN interface of the Browan Public Access Control Gateway, they will be redirected to the welcome and login pages you
defined (if enabled) regardless of any URL they have entered in their browser. Administrators can monitor the connected users via the connection
| users menu.
Figure21 connection | users
With UAT enabled, the Browan Public Access Control Gateway will automatically and transparently translate fixed IP settings (IP address,
gateway, DNS, proxy server) on a user's PC, enabling him/her to connect to the broadband Internet service even if the client's IP overlaps the IP subnet
of the WAN port. Without UAT, public access subscribers are forced to switch their TCP/IP settings to DHCP (automatic IP address assignment),
potentially losing any fixed IP address settings they previously entered.
UAT Principle
The Browan Public Access Control Gateway acts as an ARP proxy for each client that has a fixed IP which does not belong to the subnet of the LAN
interface. As the figure on the right shows, the Browan Public Access Control Gateway automatically responds to a client's ARP request if the requested
IP does not belong to its LAN subnet, pretending to be the client's gateway; then, inside the Browan Public Access Control Gateway, a unicast route
is added for the UAT client.
UAT Limitation
When using UAT, operators have to be aware of some principal limitations:
If UAT mode is enabled on the Browan Public Access Control Gateway, it acts as an ARP proxy on its LAN interface. If a subnet behind a router
sits under the LAN of the Browan Public Access Control Gateway, and a PC has an IP address belonging to that subnet as the figure shows, the
communication between PC2 and PC1 will fail because of the Browan Public Access Control Gateway's ARP proxy reply.
But if the router is working in NAT mode, the communication from PC2 to PC1 will work.
Figure23 Another subnet under the Browan Public Access Control Gateway
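The proxy-ARP decision and the unicast host route from the UAT Principle section, together with the second-router limitation described just above, as a small simulation. This is an added example, not Browan code; the subnets, addresses, MAC addresses and device names are constructed for the demo, and the NAT versus routed case is modelled only by which source address PC1 replies to.

```python
"""Simulation of the Universal Address Translation (UAT) proxy-ARP behaviour and
of its documented limitation. Added example; all values below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Host:
    """Ordinary device on the gateway's LAN segment: answers ARP only for itself."""
    name: str
    ip: IP
    mac: str

    def arp_reply(self, target: IP) -> Optional[str]:
        return self.mac if target == self.ip else None


@dataclass
class UatGateway(Host):
    """The gateway's LAN interface with UAT switched on."""
    lan_subnet: Net = Net("192.168.2.0/24")
    uat_enabled: bool = True
    # unicast host routes added for UAT clients: client IP -> client MAC
    host_routes: Dict[IP, str] = field(default_factory=dict)

    def arp_reply(self, target: IP) -> Optional[str]:
        if target == self.ip:
            return self.mac
        # UAT: pretend to be the gateway for any address outside the LAN subnet,
        # so a client with a fixed foreign IP sends its traffic to us.
        if self.uat_enabled and target not in self.lan_subnet:
            return self.mac
        return None

    def register_client(self, client_ip: IP, client_mac: str) -> bool:
        """Install the unicast host route back to a fixed-IP (off-subnet) client."""
        if client_ip in self.lan_subnet:
            return False  # on-subnet clients need no UAT route
        self.host_routes[client_ip] = client_mac
        return True

    def forward(self, dst: IP) -> str:
        """Where the gateway sends a packet it received for dst."""
        if dst in self.host_routes:
            return "lan:" + self.host_routes[dst]
        if dst in self.lan_subnet:
            return "lan:direct"
        return "wan"


def arp_answerers(segment: List[Host], target: IP) -> List[str]:
    """Names of every device on the segment that replies to an ARP request for target."""
    return [d.name for d in segment if d.arp_reply(target) is not None]


def deliver(segment: List[Host], dst: IP) -> str:
    """Track a frame from a LAN host to dst: who wins the ARP reply, and where it ends up."""
    for d in segment:
        if d.arp_reply(dst) is not None:
            return d.forward(dst) if isinstance(d, UatGateway) else d.name
    return "no-arp-reply"


def build_lab():
    """Constructed topology: gateway LAN 192.168.2.0/24, an extra router in front of
    its own subnet 172.16.0.0/24 (PC2 = 172.16.0.10 lives there), PC1 on the gateway LAN."""
    gw = UatGateway("gateway", IP("192.168.2.66"), "00:00:5e:00:53:01")
    router = Host("router", IP("192.168.2.200"), "00:00:5e:00:53:02")
    pc1 = Host("pc1", IP("192.168.2.50"), "00:00:5e:00:53:03")
    return [gw, router, pc1], gw


def uat_client_case(gw: UatGateway, segment: List[Host]):
    """A laptop keeps its office settings (10.0.0.5/24, gateway 10.0.0.1): the gateway
    answers the ARP for 10.0.0.1 and installs a host route for the return traffic."""
    answered = arp_answerers(segment, IP("10.0.0.1"))
    registered = gw.register_client(IP("10.0.0.5"), "00:00:5e:00:53:aa")
    return answered, registered, gw.forward(IP("10.0.0.5"))


def limitation_case(segment: List[Host]):
    """PC1 replies to PC2. Routed mode: the reply is addressed to 172.16.0.10, the UAT
    gateway proxy-answers the ARP and forwards it to the WAN, so PC2 never sees it.
    NAT mode: PC2 appears as the router's LAN address, which is in-subnet, so the
    gateway stays silent and the router itself answers."""
    return deliver(segment, IP("172.16.0.10")), deliver(segment, IP("192.168.2.200"))


if __name__ == "__main__":
    seg, gw = build_lab()
    print(uat_client_case(gw, seg))   # (['gateway'], True, 'lan:00:00:5e:00:53:aa')
    print(limitation_case(seg))       # ('wan', 'router')
```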
When the user launches his/her web browser, the initial HTTP request will be redirected to an operator-defined set of web pages, hereafter called the user pages.
User pages are:
All user pages presented below are the factory defaults. The Hotspot operator can upload new templates for all user pages.
Welcome Page
The Welcome page is the first page a Hotspot subscriber receives when he starts
his web browser and enters any URL. By default, it's a very simple page and
provides only a link to the login page.
Login Page
The subscriber gets to the login page after clicking the link on the welcome
page. The user should enter the authentication settings: login name and
password, and click the login button.
The login name and password can be obtained from your Hotspot operator. Login formats available for the Browan Public Access Control
Gateway:
username@WISPdomain
WISPdomain/username
Prefix + username (prefix length from 2 to 6; the prefix can be the abbreviated name of the hotspot owner, for example GSI)
The login page also displays the subscriber's logical and physical network
addresses (IP and MAC). Once authenticated, a start page appears. In
addition, a smaller logout window (page) pops up.
The Hotspot operator can change the login page according to its needs.
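The three login formats listed above, normalised into (realm, username) the way a hotspot operator's RADIUS proxy would need before forwarding the request. This is an added example, not Browan code; the known WISP domains, the owner prefixes and the parse_login name are assumptions constructed for the demo.

```python
"""Normalise the Browan login formats into (realm, username). Added example;
the domain and prefix tables are constructed, not taken from any real deployment."""
from typing import Optional, Tuple

# Constructed for the example: WISP domains this hotspot proxies for, and owner
# abbreviations used as prefixes (the manual allows 2 to 6 characters).
KNOWN_DOMAINS = {"wisp.example", "roam.example"}
KNOWN_PREFIXES = {"GSI", "CAFE"}


def parse_login(login: str) -> Optional[Tuple[str, str]]:
    """Return (realm, username), or None if the login matches no accepted format.

    Accepted forms:
      username@WISPdomain
      WISPdomain/username
      <prefix>username   (prefix 2..6 chars, abbreviation of the hotspot owner)
    Unknown realms are rejected rather than guessed, so a typo in the domain
    cannot silently route the credential to the wrong RADIUS server.
    """
    login = login.strip()
    if not login or any(ch.isspace() for ch in login):
        return None

    # username@WISPdomain
    if "@" in login:
        if login.count("@") != 1 or "/" in login:
            return None
        user, domain = login.split("@")
        return (domain, user) if user and domain in KNOWN_DOMAINS else None

    # WISPdomain/username
    if "/" in login:
        if login.count("/") != 1:
            return None
        domain, user = login.split("/")
        return (domain, user) if user and domain in KNOWN_DOMAINS else None

    # Prefix + username: try the longest prefix first so that "CAFE" is never
    # mistaken for a shorter prefix followed by the remaining letters.
    for prefix in sorted(KNOWN_PREFIXES, key=len, reverse=True):
        if 2 <= len(prefix) <= 6 and login.startswith(prefix) and len(login) > len(prefix):
            return prefix, login[len(prefix):]
    return None


if __name__ == "__main__":
    for sample in ("john@wisp.example", "roam.example/alice", "GSIbob", "plainuser"):
        print(sample, "->", parse_login(sample))
```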
Logout Page
Make sure the JavaScript is enabled on your Web browser; otherwise you will not receive the logout page.
The Logout page contains the detailed subscriber's session information and
provides a function for logging out of the network.
Figure26 Logout Page
Input/Output bytes – subscriber's session input and output statistics in bytes.
Input/Output bytes left – session input and output bytes left for the subscriber, limited from RADIUS (in B, KB, MB, GB and unlimited).
Total bytes left – session total (input and output) bytes left for
Logout button – click the button to logout from the network. The log-out
pop-up window closes.
The Hotspot operator can change the logout page interface according to its needs.
Help Page
Click on the get help link in the login page for help tips related to network
registration, as shown on the right figure.
Unauthorized Page
User pages can be modified in the user interface | configuration menu. There are two ways
to change and store new user page templates:
XSL (Extensible Stylesheet Language) for welcome | login | logout | one click pages.
HTML (Hypertext Markup Language) for help | unauthorized pages.
The following image formats are supported for new templates. Other formats are not accepted:
PNG
GIF
JPG
The following examples demonstrate the use of internal and external user
pages.
Step 1 Prepare your new user pages template for each user page:
welcome | login | logout | help | unauthorized | one click.
Step 4 Specify the new user page location in the location field.
Do not upload any formats other than the supported ones, or the user pages will not display properly.
Step 5 Save the changes you have entered by clicking the apply
changes button.
If at any time you wish to restore factory default user pages, click the reset button under the system | reset menu.
We will use the user page templates from the Installation CD to show how to
upload the internal pages. Follow the steps below:
Step 1 Ensure that internal option is selected for all user pages you want
to change. By default, internal option is defined for all pages.
The memory space in the Browan Public Access Control Gateway for internal user pages is limited to 1 MB.
Step 3 Specify the location (Examples directory if you use the Installation
CD) of new user page templates by clicking the browse button or
entering the location manually.
Specify the location for the additional files of new user page
templates: images and a cascading style sheet file (css) by clicking
the browse button or entering the location manually:
Step 4 Click the upload button to upload specified templates and files.
You do not need to upload all additional files at once. You can repeat the upload process several times until all necessary images are
uploaded.
Step 5 Check for the newly uploaded user pages and images to ensure
that everything is uploaded and displayed correctly. Go to the link:
https://<device-IP-address>/ to get to the new user
welcome page
If at any time you wish to restore the factory default user pages, click the reset button under the system | reset menu.
In order to configure the Browan Public Access Control Gateway to use the
customized login/logout page, the Customize Page status must be set to
Enabled (Figure40).
Figure40 Enabling customize page status
To start uploading the customized template files, click the upload button.
(We will use the coffee bar style template files on the Browan Public Access
Control Gateway CD for this demonstration.)
After clicking the upload button, Update Custom UAM Files will appear.
Enter the physical path and filename of the coffee template files, or click the
browse button to search the Browan Public Access Control Gateway CD for
coffee template files.
The first two items are for the login.html and logout.html files. Additional files are for CSS and image files, such as jpg and gif.
After entering all the template files, click the upload button to start uploading files
to the Browan Public Access Control Gateway.
Only ten Additional files can be uploaded at a time. To upload more additional files, repeat the same upload process in steps 2-4, but be
aware that the first two items are only for the login.html and logout.html files. Image files can only be uploaded to the Additional file fields.
Once all files are uploaded successfully, a list of Uploaded File will show.
The README file in each template directory contains the pixel settings for
the logout page. Enter the width and height settings of the logout page and
click the Save button. E.g. the suggested size of the logout page is
1024 x 768 for the coffee bar template.
Figure48 Setting the pixels of logout window
Now, any users that access the internet via the Browan Public Access Control
Gateway will see the new personalized login and logout pages.
Let's look at the new appearance of the login and logout page based on the
coffee bar template.
FAQ
1. Question: How can I add some links that can be accessed without authentication?
Answer: These authentication-free sites for users are called the walled garden area. Please refer to the user's guide to configure the related settings.
2. Question: How can I hide the user login session information from my customers?
Answer: You can find this set of HTML code in the logout.html we provided:
This set of code uses an embedded window to show the session data in the logout window. Commenting it out with the HTML comment markers
"<!--" and "//-->" will hide the session data in the logout window.
3. Question: If I don't want the logout window to pop up for users, what can I do?
Answer: Please log in to the Browan Public Access Control Gateway and go to user interface | configuration | Custom UAM to disable "pop logout
page."
User interface
Network interface
Wireless interface
System
Using the CLI, the system operator can check:
All available key combinations in CLI mode are listed in the table below.
Key and/or Combination      Function
?                           Get context-sensitive help
<TAB>                       Complete the current keyword or list all the options
<CTRL> <D>                  Break out of the sub-shell
<CTRL> <A>                  Jump to the beginning of the line
<CTRL> <E>                  Jump to the end of the line
<CursUP>/<CursDOWN>         Scroll through the history of commands
Figure51 Key Combinations in CLI
Telnet
SSH client
Telnet Connection
Make sure that the default access status is allowed and the telnet function is enabled on the Browan Public Access Control Gateway before trying to
connect via telnet. Otherwise, no telnet connection will be available.
Connect the Browan Public Access Control Gateway via the LAN or WAN
interface using the enclosed UTP cable and start a telnet session (using a
telnet application). For example, connect your device via the WAN interface,
and then make a telnet connection as follows:
telnet 192.168.2.66
192.168.2.66 is the default WAN interface IP.
The CLI login will be displayed automatically. Enter the administrator login
settings.
SSH Connection
Make sure that the default access status is enabled on the Browan Public Access Control Gateway before attempting to connect via SSH.
Otherwise no SSH connection will be available.
Connect the Browan Public Access Control Gateway via the LAN or WAN
interface using the enclosed UTP cable and start an SSH session (using an
application such as PuTTY). For example, connect your device via the WAN
interface and then make an SSH connection to host IP 192.168.2.66 (the default
WAN interface IP).
The CLI login will be displayed automatically. Enter the administrator login settings
(refer to the next section for details).
Login
Enter the administrator login settings at the displayed CLI command prompt.
Login: admin
Password: admin01
Figure52 CLI Login
After a successful login, the command prompt is displayed and the CLI is ready for commands. Press '?' to get a list of the main commands.
'?' will not appear on the screen. When this character is pressed, the display changes to the corresponding help page. To enter '?' as a character, type '\?'.
Connection
Connection is a category of commands related to the user's connection with the device.
A full list of all available connection commands/subcommands and their parameters is available in the Appendix section: C) CLI Commands and Parameters.
Network
Network is a category of commands that configures the Public Access Control Gateway interface settings, DNS, DHCP, UAT and RADIUS settings.
network ?
To configure the desired Public Access Control Gateway interface setting, type all required parameters with values and subcommands:
<value>
A full list of all available connection commands/subcommands and their parameters is available in the Appendix section: C) CLI Commands and Parameters.
If successful, a message confirming completion is displayed; otherwise, an error message is displayed.
list (in this case, the RADIUS accounting server which is already updated).
User
User is a category of commands that configures the Public Access Control Gateway interface settings affecting the user's interface, redirection URL, free sites (walled garden), system management access and administrator login/password.
In general, the user command usage is as follows:
user ?
A full list of all available connection commands/subcommands and their parameters is available in the Appendix section: C) CLI Commands and Parameters.
If successful, a message confirming completion is displayed; otherwise, an error message is displayed.
Status
Status is a category of commands that displays:
In general, the status command usage is as follows:
status <command>
status ?
status device :
Figure65 System Status Commands List
A full list of all available connection commands/subcommands and their parameters is available in the Appendix section: C) CLI Commands and Parameters.
Here you can find the current firmware version of your AC. This is important information for support requests and for preparing firmware uploads.
System
System is a category of commands that configures access to the Public Access Control Gateway (telnet, L2 isolation, SNMP, UAT) and configuration: clock, NTP, syslog, trace.
A full list of all available connection commands/subcommands and their parameters is available in the Appendix section: C) CLI Commands and Parameters.
Telnet
To make a telnet connection, type the telnet command in the command line.
telnet
Reboot
To stop the Browan Public Access Control Gateway and reboot the device, type the reboot command in the command line. If you reboot the device now, no configuration changes will be made. The last saved configuration is applied to the rebooted Public Access Control Gateway.
Reset
To reset the Browan Public Access Control Gateway to factory defaults, type the reset command. The device restarts and the default values are set.
Please note that even the administrator password will be set back to the factory default. Refer to Appendix section: B) Factory Defaults for the Access Controller.
Exit
To leave the CLI mode, type the exit command in the command line.
SNMP is an application layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
The SNMP agent and management information base (MIB) reside on the Browan Public Access Control Gateway. To configure SNMP on the Browan Public Access Control Gateway, you should define the relationship between the Network Management System (NMS) and the SNMP agent (the Browan Public Access Control Gateway). The SNMP agent contains MIB and Browan private MIB variables whose values the SNMP manager can request or change. An NMS can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get or set data.
In order to manage the device, you have to provide your Network Management System software with the appropriate MIB files. Please consult your management software manuals on how to do that.
SNMP Versions
The Browan Public Access Control Gateway supports the following versions of SNMP:
SNMPv1 – The Simple Network Management Protocol: a Full Internet Standard, defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on community strings.
SNMPv2c – The community-string based Administrative Framework for SNMPv2. SNMPv2c (the "c" stands for "community") is an Experimental Internet Protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic), and uses the community-based security model of SNMPv1.
SNMPv3 – SNMPv3 is based on version 2 with added security features. It addresses security requirements through encryption, authentication, and access control rules.
Both SNMPv1 and SNMPv2c use a community-based form of security. The community of managers able to access the agent's MIB is defined by an IP address access control list and a password (the community string).
The Browan Public Access Control Gateway implementation of SNMP supports all MIB II variables (as described in RFC 1213) and defines all traps using the guidelines described in RFC 1215. The traps described in this RFC are:
coldStart
A coldStart trap signifies that the SNMP entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.
warmStart
A warmStart trap signifies that the SNMP entity, acting in an agent role, is reinitializing itself and that its configuration is unaltered.
authenticationFailure
An authenticationFailure trap signifies that the SNMP entity, acting in an agent role, has received a protocol message that is not properly authenticated.
linkDown
A linkDown trap signifies that the SNMP entity, acting in an agent role, recognizes a failure in one of the communication links represented in the agent's configuration.
linkUp
A linkUp trap signifies that the SNMP entity, acting in an agent role, recognizes that one of the communication links represented in the agent's configuration has come up.
SNMP Agent
The SNMP agent responds to SNMP manager requests as follows:
Get a MIB variable – The SNMP agent begins this function in response to a request from the SNMP manager. The agent retrieves the value of the requested MIB variable and responds to the manager with that value.
Set a MIB variable – The SNMP agent begins this function in response to a message from the SNMP manager. The SNMP agent changes the value of the MIB variable to the value requested by the manager.
The SNMP agent also sends unsolicited trap messages to notify an SNMP manager that a significant event has occurred (e.g. authentication failures) on the agent.
A community string grants one of two access levels:
Read-only – Gives authorized management stations read access to all objects in the MIB except the community strings, but does not allow write access.
Read-write – Gives authorized management stations read and write access to all objects in the MIB, but does not allow access to the community strings.
As shown in Figure70 SNMP Network, the SNMP agent gathers data from the MIB. The agent can send traps (notifications of certain events) to the SNMP manager, which receives and processes the traps. Traps are messages alerting the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get-request, get-next-request, and set-request format.
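To make concrete what "community-based security" means on the wire, the following added example (not part of the manual and not Browan code) builds an SNMPv1 get-request for the MIB-II object sysDescr.0 and parses the version and community string back out of the raw BER bytes; a monitoring tool can apply the same parse to captured management traffic to spot default community strings, since for SNMPv1/v2c the IP access list and the community string are the only protection. The OID, tags and message layout come from RFC 1157 and RFC 1213; `community_is_default` and its list of default names are assumptions.

```python
import struct

# MIB-II (RFC 1213) sysDescr.0, used as the sample varbind.
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)

# BER universal tags and the SNMP context-specific GetRequest-PDU tag (RFC 1157).
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0


def _tlv(tag, content):
    """BER tag-length-value; uses long-form length when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _int(value):
    """BER INTEGER (two's complement, minimal length)."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return _tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(TAG_OID, body)


def build_v1_get_request(community, oid, request_id=1):
    """SNMPv1 message: SEQUENCE { version(0), community, GetRequest-PDU }."""
    varbind = _tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(TAG_GET_REQUEST,
               _int(request_id) + _int(0) + _int(0)          # request-id, error-status, error-index
               + _tlv(TAG_SEQUENCE, varbind))                # VarBindList
    return _tlv(TAG_SEQUENCE,
                _int(0) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_community_header(packet):
    """Return (version, community, pdu_tag) from an SNMPv1 or SNMPv2c message.

    Both versions carry the community string in the clear immediately after
    the version INTEGER, which is all this parser needs."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big", signed=True)
    tag, community, pos = _read_tlv(msg, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing community")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return version, community.decode("latin-1"), pdu_tag


# Assumed list of vendor-default community names worth flagging in captures.
DEFAULT_COMMUNITIES = ("public", "private")


def community_is_default(packet):
    return parse_community_header(packet)[1] in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    pkt = build_v1_get_request("public", SYS_DESCR_0)
    print(pkt.hex())
    print(parse_community_header(pkt), community_is_default(pkt))
```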
Web Interface
The main web management menu is displayed at the top of the page after successfully logging into the system (see the figure on the right). From this menu all essential configuration pages are accessed.
The web management main menu consists of the following sub menus:
By default, the system | status menu is activated and the current Browan Public Access Control Gateway system status is displayed. The active menu is
displayed in different colors.
Network Interface
Configuration – configuration page for all the Browan Public Access Control Gateway network interfaces
Interface configuration – network interfaces configuration
Bridge – display the status of the bridge configuration
VLAN – define VLAN on your Browan Public Access Control Gateway
Route – define new static route on the Browan Public Access Control Gateway interface
Port forwarding – port-forwarding rules
DHCP Relay – DHCP relay server configuration
User ACL – define packet filter rules
Management subnet – access points (APs) management
Dynroute – display the status of the dynamic route.
DNS – define DNS server settings
DHCP – Dynamic Host Configuration Protocol services configuration
POP3 – define POP3 server settings
Multicast – display the status of the multicast configuration
RADIUS – configuration set for RADIUS servers, includes menu:
Settings – NAS server ID, hotspot operator name and other settings
Servers – accounting, authentication RADIUS servers IP, port and other settings
WISP – add new WISP on the system.
Proxy – configure the Browan Public Access Control Gateway to act as RADIUS server proxy.
Accounting backup – backup authentication logs in the remote or external server
Tunnels – set tunnels.
PPPoE/ GRE – connect to ISP via the PPPoE or GRE tunnel
Link over 3layer – display status of the link over IP layer
GRE Client for VPN – set the GRE (Generic Routing Encapsulation) tunnels for the Browan Public Access Control Gateway.
Backup settings – configure the backup settings.
Heart beat – define the heart beat settings
Backup Mode – display the status of the backup mode
ALIAS IP – define the alias IP Set
User Interface
System
Connection
Users – shows the list of connected users with their statistics; the administrator can log out users from here
E-Mail Redirection – outgoing mail (SMTP) redirection settings
Station Supervision – monitor station availability with ARP-pings settings
In the following sections, short references for all menu items are presented.
Network Interface
These interfaces can be configured to work as either local area network (LAN) or wide area network (WAN) interfaces for Access Points. The LAN interface is used to connect hubs, switches, Access Points and subscribers. The WAN interface connects to the Internet or backbone network of the service provider.
All these interfaces are listed in the interface configuration page. All network interfaces available in the Browan Public Access Control Gateway are shown in the table on the right.
Figure72 Interface Configuration Table
Do not disable the interface through which you are connected to the BG6020G. Disabling that interface will drop your connection to the device.
Type – The network type can be changed. Every interface can be used for LAN or WAN.
The IP address of each interface should be in a different subnet; otherwise, you will receive an error message.
Netmask – Specify the subnet mask [[0-255].[0-255].[0-255].[0-255]]. These numbers form a binary mask of the IP address, which defines the network part of the IP address and the number of IP addresses in the subnet.
The DHCP server settings will be automatically adjusted to match the new network settings.
The restart server request message appears after the user clicks the apply changes button.
Figure77 Applying or Discarding Interface Configuration Changes
Restart – Click the restart button to restart the server and apply the changes.
Priority – Define the bridge's priority [high, medium and low]. [Default value is low.]
Delay – Specify the bridge's forward delay time in seconds [0-65535]. Delay is the time spent in each of the Listening and Learning states before the Forwarding state is entered. [Default value is 0.]
Max. Age – Specify the maximum bridge message age in seconds [0-65535]. If the last received hello packet is older than this value, the bridge in question will initiate the Root Bridge election procedure. [Default value is 0.]
Click the continue button to finish the settings, and click the new button if new interfaces need to be added to the bridge.
Figure81 Bridge setting
Click the new button to add interfaces to the bridge and specify the bridge ports (interfaces).
Port (interface) – Select the interface name to be bound into the bridge.
Cost – Specify the port's path cost on this interface. This value is used in the designated port and root port selection algorithms. [Default value is low.]
Figure82 Adding interface
Priority – Specify the priority of ports with equal cost. With this setting you can control which port gets used when there are redundant paths.
If you want to remove an interface from the bridge, click the delete button (e.g. remove ixp0 from the bridge).
The reboot server request message appears after the user clicks the apply changes button.
Figure84 Applying and reboot (1)
Reboot – Click the reboot button to reboot the server and apply the changes.
To create a VLAN in the Browan Public Access Control Gateway, click the new button and enter the settings.
Figure85 VLAN
Interface – select the interface for your VLAN network [e.g. Interface1]. A VLAN cannot be created on the bridge.
Status – enable/disable your VLAN network. Select [enable] and click the continue button to configure the VLAN settings:
IP Address – enter the network address of your VLAN [format: digits and dots].
Click update, then restart and apply changes to save your new VLAN.
Check the interface | configuration | VLAN menu for the newly created VLAN.
Under the network interface | configuration | route menu, static routes for the Ethernet interfaces can be set. By default, no static routes are defined on the system:
Figure91 Route
A routing rule is defined by the target subnet (target IP address and subnet mask) and the interface and/or gateway to which the target traffic is routed. A data packet directed to the target network is routed to the specified Public Access Control Gateway interface or to another gateway router. To add a new static route to the system, click the new button under the action column and specify the following parameters:
Figure92 Adding New Route
Gateway – enter the gateway address for the route. 0.0.0.0 stands for the default gateway of the selected interface [IP address].
Port Forwarding forwards TCP or UDP traffic through a local port of the Browan Public Access Control Gateway to the specified remote port. Use the network interface | configuration | port forwarding menu to specify such a port forwarding rule. By default no port forwards are defined on the controller:
Figure94 Port Forwarding Rules
Local Port – the Browan Public Access Control Gateway device interface port from which the selected traffic should be forwarded.
Example:
With such a rule, all traffic arriving at port 8080 on the Browan Public Access Control Gateway interface local address 192.168.2.248 will be forwarded to port 8080 on the server (host) 1.2.3.4.
If the Browan Public Access Control Gateway uses DHCP relay on its LAN interface, the administrator can designate the DHCP relay server.
User ACL gives the administrator high flexibility to define the rules by which the Browan Public Access Control Gateway filters the packets it forwards or masquerades.
Second step – select the type of source IP and destination IP (specific IP/any IP).
Third step – choose the type of source port and destination port (any port/specific port).
Fourth step – fill out the source IP address and destination IP address (including IP address and net mask; if you chose any IP in the second step, you do not need to fill out the IP address); fill out the source port and destination port (if you selected any port in the third step or selected protocol ICMP/all, you need not fill out the port).
Figure101 Creating a new rule (fourth step)
After completing the rule configuration, click the apply changes button to save your configuration.
You can also re-order your rules if you have many rules configured and arrange their priority. The rule with index 1 has the highest priority, the rule with index 2 has the second highest priority, and so on.
Click the sort button of a rule to re-order its priority and then select the index number; click the save button to save your changes.
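The four-step rule editor above amounts to a first-match packet filter ordered by index. The following added example (not Browan code) models such a rule set in Python: "any IP" and "any port" selectors are None, ICMP/all rules carry no port selectors, the lowest index wins, and `reorder` renumbers the rules the way the sort button does. The accept/drop action names, the packet dictionary layout and the sample rules are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclRule:
    index: int                       # 1 = highest priority, as in the manual
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    src: Optional[str] = None        # "ip/netmask" (dotted or prefix), None = any IP
    dst: Optional[str] = None
    sport: Optional[int] = None      # None = any port
    dport: Optional[int] = None
    action: str = "drop"             # assumed: "accept" or "drop"

    def __post_init__(self):
        # ICMP and "all" rules have no port fields (the editor does not ask for them).
        if self.protocol in ("icmp", "all"):
            self.sport = self.dport = None
        self.src_net = ipaddress.ip_network(self.src, strict=False) if self.src else None
        self.dst_net = ipaddress.ip_network(self.dst, strict=False) if self.dst else None

    def matches(self, pkt):
        """pkt: dict with protocol, src, dst and, for tcp/udp, sport and dport."""
        if self.protocol != "all" and pkt["protocol"] != self.protocol:
            return False
        if self.src_net and ipaddress.ip_address(pkt["src"]) not in self.src_net:
            return False
        if self.dst_net and ipaddress.ip_address(pkt["dst"]) not in self.dst_net:
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(rules, pkt, default="accept"):
    """First matching rule in index order decides; returns (action, rule index)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(pkt):
            return rule.action, rule.index
    return default, None


def reorder(rules, index_from, index_to):
    """Move one rule to a new index and renumber the rest consecutively (sort button)."""
    ordered = sorted(rules, key=lambda r: r.index)
    moving = next(r for r in ordered if r.index == index_from)
    ordered.remove(moving)
    ordered.insert(index_to - 1, moving)
    for i, rule in enumerate(ordered, start=1):
        rule.index = i
    return ordered


# Constructed sample rule set: allow HTTP into the hotspot LAN, drop everything else to it.
SAMPLE_RULES = [
    AclRule(1, "tcp", dst="192.168.2.0/255.255.255.0", dport=80, action="accept"),
    AclRule(2, "all", dst="192.168.2.0/255.255.255.0", action="drop"),
]

if __name__ == "__main__":
    http = {"protocol": "tcp", "src": "10.1.1.1", "dst": "192.168.2.10", "sport": 40000, "dport": 80}
    print(evaluate(SAMPLE_RULES, http))           # ('accept', 1)
    print(evaluate(reorder(SAMPLE_RULES, 2, 1), http))  # ('drop', 1): the drop rule now comes first
```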
Each network interface can have a management subnet. Use the network interface | configuration | management subnet menu to configure this feature on the selected interface.
To specify a new management subnet, click the edit button on the selected interface.
Figure104 Management Subnet
Dynroute (dynamic route) service allows the Browan Public Access Control Gateway to support the RIP protocol.
You can click the edit button to change the Dynroute status; the default status is disabled.
DNS (Domain Name Service) service allows the Browan Public Access
Control Gateway subscribers to enter URLs instead of IP addresses into their
browser to reach the desired web site.
The Browan Public Access Control Gateway can act as a DHCP server
and/or as a DHCP relay gateway. The DHCP (Dynamic Host Configuration
Protocol) service is supported on the LAN interfaces. This service enables
clients on the LAN to request configuration information, such as an IP
address, from a server.
By default, the Browan Public Access Control Gateway is configured to act as a DHCP server.
Each LAN interface runs a different instance of the DHCP service. This
service is configured by defining an IP address range and WINS address for
client workstations. Other settings, such as the default gateway and DNS
server address are configured automatically according to the interface
settings.
To see the complete DHCP service configuration, click the details button in
the action column.
To edit the DHCP service configuration (DHCP server/DHCP relay), click the
edit button in the action column.
DHCP Relay – to route DHCP through an external server, enable the relay service
Select the interface on which you want to configure the DHCP service. Select
the DHCP server and click the update button to specify the DHCP server
parameters.
Select the interface on which you want to configure the DHCP service. Select
the DHCP relay and click the update button to specify the DHCP relay
parameters:
If you want to designate the DHCP relay server, please refer to network
configuration | DHCP relay.
If DHCP relay service is selected, the default WAN gateway is used automatically.
You can click the edit button to change the multicast status.
In the Appendix tables: E) Standard RADIUS Attributes and Vendor Specific Attributes, hotspot operators will find the standard RADIUS attributes required for setting up the RADIUS system.
General RADIUS settings are configured using the RADIUS settings menu under the network interface.
RADIUS Retries – Number of times a RADIUS packet is re-sent before giving up.
User Session Timeout – Amount of time without network carrier from the user side before the connection is closed [sec].
User Accounting Update Retry – Retry period during which the server should try to update accounting information before giving up [sec].
See the Location ID and ISO Country codes for your country in the Appendix: F) Location ID and ISO Country Codes.
Users can check the available bandwidth in the logout page statistics.
Select the RADIUS setting you need to update, click edit next to the selected setting and change the value.
Up to 32 different RADIUS servers can be configured under the RADIUS servers menu.
To view complete RADIUS server settings, click the details button in the
action column.
Default – Check the check box to make the selected RADIUS the default
server.
The port default value of 1812 is based on RFC 2138 Remote Authentication Dial-in User Service (RADIUS).
Accounting Port – Specify the network port used to communicate with RADIUS [1-65535].
Accounting Secret – Shared secret string used to encrypt data frames exchanged with the accounting server.
Backup Port – Specify the network port used to communicate with RADIUS [1-65535].
Backup Secret – Shared secret string used to encrypt data frames exchanged with the backup server.
The shared secret must be the same on the RADIUS server and the RADIUS client.
The AC implementation of RADIUS accounting requests is from the client point of view (reverse accounting is disabled).
The value disabled means that the Acct-Input RADIUS attributes will contain bytes/packets sent to the client and the Acct-Output RADIUS attributes will contain bytes/packets received from the client while the service is provided.
The value enabled means that the information in the Acct-Input and Acct-Output RADIUS attributes will be swapped (reversed). That is, Acct-Input will contain bytes/packets received from the client and Acct-Output will contain bytes/packets sent to the client.
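The two settings above, the shared secret and reverse accounting, meet in the Accounting-Request the gateway sends. The following added example (not Browan code) maps traffic counters onto Acct-Input/Acct-Output both ways and builds an RFC 2139 Accounting-Request whose Request Authenticator is MD5 over the packet plus the shared secret, which is why a secret that differs on the two sides makes the accounting server reject the record. The user name, counter values and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4            # RADIUS packet code (RFC 2139)
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_INPUT_OCTETS = 42
ATTR_ACCT_OUTPUT_OCTETS = 43
ATTR_ACCT_INPUT_PACKETS = 47
ATTR_ACCT_OUTPUT_PACKETS = 48
ACCT_STATUS_STOP = 2
COUNTER_ATTRS = (ATTR_ACCT_INPUT_OCTETS, ATTR_ACCT_OUTPUT_OCTETS,
                 ATTR_ACCT_INPUT_PACKETS, ATTR_ACCT_OUTPUT_PACKETS)


def accounting_counters(sent_to_client, received_from_client, reverse_accounting=False):
    """Map (octets, packets) counters onto Acct-Input/Acct-Output attributes.

    reverse_accounting=False (the gateway default): Acct-Input = sent to the client,
    Acct-Output = received from the client. True swaps the two, as described above."""
    inp, out = sent_to_client, received_from_client
    if reverse_accounting:
        inp, out = out, inp
    return {
        ATTR_ACCT_INPUT_OCTETS: inp[0], ATTR_ACCT_INPUT_PACKETS: inp[1],
        ATTR_ACCT_OUTPUT_OCTETS: out[0], ATTR_ACCT_OUTPUT_PACKETS: out[1],
    }


def _attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; integers are 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return bytes([atype, 2 + len(value)]) + value


def build_accounting_request(identifier, secret, username, counters):
    """Accounting-Request (Stop record). Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_ACCT_STATUS_TYPE, ACCT_STATUS_STOP)
    for atype, value in sorted(counters.items()):
        attrs += _attr(atype, value)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """What the accounting server does before accepting the record: recompute the
    authenticator with its own copy of the shared secret and compare."""
    if len(packet) < 20:
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack(">BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_counters(packet):
    """Read the Acct-* counters back out of the attribute list."""
    found, pos, attrs = {}, 0, packet[20:]
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break                         # malformed attribute, stop rather than loop
        if atype in COUNTER_ATTRS and alen == 6:
            found[atype] = struct.unpack(">I", attrs[pos + 2:pos + 6])[0]
        pos += alen
    return found


if __name__ == "__main__":
    # Constructed sample: 1000 octets / 10 packets sent to the client, 200 / 5 received.
    counters = accounting_counters((1000, 10), (200, 5))
    pkt = build_accounting_request(7, b"s3cret", "alice", counters)
    print(verify_accounting_request(pkt, b"s3cret"), verify_accounting_request(pkt, b"wrong"))
```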
Select disabled if you need to send the user login name to the RADIUS server unmodified. Some RADIUS servers are configured in a way that requires the full, unmodified user name to be sent.
Restart – after applying changes to the system, you should restart the Browan Public Access Control Gateway to make the applied changes take effect.
Up to 32 WISP entries can be defined using the network interface | RADIUS | WISP menu.
The domain policy determines which policy the Browan Public Access Control Gateway uses to extract the WISP name from the user name, and thus to decide which domain the user belongs to.
Figure132 WISP Menu
The hotspot owner can use three policies to derive the WISP name from the user name:
Name – new WISP domain name [string, up to 256 symbols; no space, dot or dash allowed].
Figure134 Defining New WISP
RADIUS Name – select the RADIUS server for the new WISP from the list box [not editable].
Bound To – select the interface the WISP is bound to. The WISP can be associated with the appropriate device interface.
The Browan Public Access Control Gateway can forward the RADIUS authentication and accounting requests from an Access Point (AP) to the real RADIUS server. To configure the RADIUS proxy, follow these steps:
Step 1 Connect the Access Point to any LAN interface available on the Browan Public Access Control Gateway. The AP should be in bridge mode.
The authentication RADIUS proxy port should differ from the accounting port.
An AC configured in this way acts as a RADIUS proxy and forwards the RADIUS authentication and accounting packets from the AP, according to the WISP and RADIUS server settings in the AC configuration, without any modification.
Backup via syslog – enable this option to send the RADIUS accounting information via the syslog protocol to the specified host [enable/disable]; note that the Host IP specification is obligatory.
Backup to local file – enable this option, and the download button appears.
This chapter describes the configuration of VPN tunnels. VPN tunnels can be
used to secure management and AAA traffic between the hotspot network
and the network operation center of the operator.
Figure138 Tunnels settings
Use the network interface | tunnels | PPPoE/ GRE menu to connect to ISP
via PPPoE or GRE tunnel. All traffic will be sent via this tunnel.
To specify GRE tunnel for your controller click the edit button.
Link over 3layer works together with the AP. When a tunnel is set up between the AP and the AC, the client can work across a layer 3 network.
Edit – You can click the edit button to change the status of link over 3layer [the default status is disabled].
To specify new GRE tunnel for your Browan Public Access Control Gateway,
click the edit button.
Backup setting sets whether the current Public Access Control Gateway is the main or the backup device:
The Browan Public Access Control Gateway can work as the main device or as a backup device. In main mode it is the principal part of the network equipment. When an AC is set to backup mode, it takes over when the main AC is down or has some other problem, so that the network keeps working and customers can continue using it.
Backup Mode – choose the working mode of the device. When disabled is chosen, the AC works as the main device; when enabled, the AC becomes the backup device.
User Interface
Use the user interface menu to configure device settings affecting the user
interface.
Welcome – The first page the user gets when he/she opens the browser and enters a URL.
If the welcome page has the redirect option selected, it redirects the user authentication process to the specified location. The welcome, login and logout pages can be implemented as simple HTML (it is not required to use the .XSL or default user page templates).
The redirect location URL should be specified as a Walled Garden URL, otherwise the redirect would NOT WORK.
The caching option can be used for caching externally uploaded user pages [available choices: enabled/disabled].
Delete – click the Delete button to delete previously uploaded files from the Hotspot-in-a-Box memory.
Upload – click the Upload button to select and upload new user pages.
Figure154 Upload
The Browan Public Access Control Gateway device supports some http
META tags. Syntax of such META tags:
Click the change button to define new headers of the web management interface on user page templates. The default HTML encoding is ISO-8859-1, language = English.
Figure156 Set HTTP Headers
The system administrator can set the header encoding and language settings confidentially.
Shared Secret – enter password for WAS [string (4-32), no spaces allowed].
Users can upload their own login and logout pages to the Browan Public Access Control Gateway (for a hotspot or enterprise style, or for advertisements) with the Customized UAM feature.
This feature is aimed at people who have no knowledge of XSL and replaces the menu: user interface | Configuration | [pages, upload].
The second step is to update the HTML files. The Update Custom UAM Files feature lets the user delete or upload the login and logout pages.
Additional files 01~10 are for uploading image and CSS files (currently supported file formats are JPG, GIF, PNG and CSS).
Click the upload button in the second column, and the uploaded files appear on the page.
The names of the image and CSS files must be consistent with your login or logout HTML pages. The login and logout HTML files can be anything you want.
Don't forget to adjust the logout page's dimensions; otherwise the logged-on user may only see part of your logout page.
The third step is the uploaded file list, where users can find the uploaded files.
For external pages, enable the use external page feature and enter the external login page URL and external logout page URL. The Browan Public Access Control Gateway auto-updates the external page every 7200 seconds (default), or you can change the update interval.
An external page example can be found in the links under the last line.
In External page mode, the Browan Public Access Control Gateway only fetches the login and logout HTML pages to local storage; the image or CSS files on the customized login/logout page are not fetched. So the links to the image and CSS files in the user's customized HTML file need to be absolute addresses pointing to the external web server.
When using an external page, the external web server address needs to be added to the walled garden, described in User Interface | Walled Garden, so that the login user can access it freely.
The Browan Public Access Control Gateway uses the default login or logout page if the user did not upload customized pages or if the Browan Public Access Control Gateway did not get the external page from the external login/logout page URL.
The Super administrator has telnet rights on the Browan Public Access Control Gateway and can access all Web menus.
To edit or change the super administrator settings, simply click the first
edit button:
Old Password – The old password value used for user authentication in
the system.
New Password –The new password value used for user authentication
in the system [4-32 symbols, spaces not allowed].
The start page is the default web page where users will be redirected to
after log-on. This value will be overwritten by the WISP RADIUS attribute, if
provided in the authentication response message. Using the user interface |
start page menu to view or change the start page URL:
Figure168 Start Page
The administrator can change the start page by clicking the edit button. The value entry field will change into an editable field.
Value – enter the new redirection URL of the start page in a valid format [e.g. http://www.startpageurl.com].
Figure169 Edit Start Page
New URL – click the new URL button, and then enter the new URL and its description.
New Host – specify hosts in the walled garden menu if you would like to define hosts (web servers). Click the new host button to enter the new host data and click the update button.
Figure170 Default Walled Garden
The enabled web proxy allows any connection from clients with proxy settings configured in their browsers. The Browan Public Access Control Gateway accepts any client proxy configuration and grants access to the Internet. The system administrator should list only the ports on which the Browan Public Access Control Gateway listens for proxy requests.
Edit – enable or disable the web proxy feature by clicking the edit button.
Web proxy is enabled by default and the port numbers are: 3128 and 8080.
To add more port numbers for web proxy, click the new button:
System
In the system menu, administrator could configure the system settings, control
the access settings, check the status of the Browan Public Access Control
Gateway, reset/reboot the device and update the firmware.
System | Configuration
Syslog – for sending system and debug messages via the syslog protocol.
Trace system – tracing the Browan Public Access Control Gateway services.
NTP server – this feature can be used to query other NTP servers to set the
clock on your Browan Public Access Control Gateway.
Certificates – upload your own SSL certificate and private key files for the
server.
The administrator can trace the system processes of the Browan Public Access
Control Gateway and get the system log messages remotely by using the
system | configuration | syslog menu (by default, the syslog utility is
disabled).
Figure183 Default syslog settings
Edit – to enable or edit the syslog remote sending function, click the edit
button.
Remote Log Status – disable or enable the remote log [enabled/disabled].
Figure184 Syslog Settings
Host – specify the host IP address to which the syslog messages are sent
[host IP address].
Figure185 Configuring Syslog Messages
Be sure the remote host is configured properly to receive the syslog protocol messages.
Level – select the level of messages you need to trace. The level
determines the importance of the message.
Fatal – this item is selected when only the fatal message level should
be traced.
Save – save the changes. Syslog messages are sent to the specified host
once the user enables and saves the settings.
Trace system works with started services such as DHCP, PPPoE, telnet and
SNMP. The number of system messages kept depends on the selected history
size. The trace system can help operators locate misconfigurations and
system errors.
By default, the latest messages are displayed at the top of the message list.
Fatal – this item is selected when only the fatal message level should
be traced.
Change – click the change button to apply the new history size or selected
message level. The trace system starts sorting by the selected level as soon as
you click the change button.
Time Zone – select the time zone [-12.00 – 14.00]. If the NTP service is enabled,
the selected time zone is also applied to the clock settings.
Save – save the changes. Syslog messages are sent to the specified host once
the user enables and saves the settings.
Figure189 Clock Settings
If the NTP server (see the next section for reference) is enabled on the system, no
manual clock setting is available except the time zone.
NTP (Network Time Protocol) is used to synchronize the clock of the
Browan Public Access Control Gateway. You can change the system clock
settings using the system | configuration | NTP client menu.
Host – enter the trusted NTP server IP address in the field.
Figure190 NTP Service
NTP synchronizes the device clock to GMT+0 time. If you need to set the time zone, use the system | configuration | clock menu.
In case the connection to the first host fails, you may want to add more
than one NTP host. Click the new button to add the additional host settings.
Host – add the additional NTP service hosts [1-128]. This NTP
server is used if the connection to the first defined NTP server is
lost.
Figure192 Adding New NTP Host
Use the NTP Server menu to configure the NTP server status [disabled/
enabled]. This function serves the time to NTP clients. The default
configuration is disabled.
Discard changes – restore all previous values.
Figure195 Saving the Change
After clicking the apply changes button, the restart button appears:
Restart – click the restart button to restart the server and apply the changes.
You can upload your own SSL certificate files for the HTTP connection using
the certificate feature under the system | configuration menu.
Only these certificate files are accepted: 1. Server PEM-encoded X.509 certificate file
Click the upload button to upload your own SSL certificate and private key files:
Private Key File – the PEM-encoded private key file for the server.
Figure198 Uploading New Certificate
The private key SHOULD NOT be encrypted with a password. This private key should correspond to the certificate above.
Flash – upload the new certificates into the Browan Public Access Control
Gateway.
Uploaded certificate and key files cannot be removed; they can only be overwritten by newly uploaded files.
You can save your current device configuration file locally using the save and
restore menu under the system | configuration menu.
Click the download button (Figure200) to start saving the configuration file.
You can change or leave the default configuration file description.
Cancel – click the cancel button to go back to the main configuration page.
You can use this file any time you want to restore this configuration to the
device by using the upload button.
Flash – click the flash button to apply the configuration settings to the device.
Please enter the domain name in URL format, for example
www.gsi.com; it must be the same as the host name in the digital
certificate. Create a new certificate with hostname = www.gsi.com and then
install it on the Browan Public Access Control Gateway.
Figure205 Domain Name configuration
You can control management access and the related services of
your Browan Public Access Control Gateway in the access control menu.
The administrator can thus control the access of every single user to the
Browan Public Access Control Gateway via Telnet, SSH or SNMP. This is
done by creating the access control list on the Browan Public Access Control
Gateway and checking the incoming user's IP address.
Default access status – denies all connections to the Browan Public
Access Control Gateway except the SNMP service.
SNMP service – this service helps you to access your device.
Edit – to configure the access control, click the edit button to specify the
network address and allow/deny the services.
New – click the new button to create a new access control rule for a specific
network and specific service(s) [all/ssh/telnet/snmp].
to your Browan Public Access Control Gateway: [all/ssh/telnet/snmp].
Figure206 Access Control
The Telnet service should also be enabled in the system | access | telnet menu in order to allow telnet access to the Browan Public Access Control
Gateway. Otherwise, the client or network will not get telnet access.
The Browan Public Access Control Gateway checks the allow rules first, and then the deny rules. In other words, allow rules have
higher priority than deny rules.
The default access rule has the lowest priority of all rules, no matter whether its status is allow or deny.
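The rule evaluation described above, written out as an added example that is not Browan's own code: allow rules are checked first, then deny rules, and the default access status decides only when nothing matches. Rule fields follow the CLI options of system access control (-a <ip/bitmask>, -s <service>, -p <policy>); the rule set and addresses are constructed for illustration.

```python
"""Added example, not Browan/Gemtek code: evaluate the gateway's management
access control list as the manual describes it. Allow rules are checked
first, then deny rules, and the default access status applies only when no
rule matches. The rule set below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

SERVICES = ("all", "ssh", "telnet", "snmp")


@dataclass(frozen=True)
class Rule:
    network: str  # 'all' or network address with bitmask, e.g. 192.168.3.0/24
    service: str  # ssh, snmp, telnet or all
    policy: str   # allow or deny

    def __post_init__(self):
        if self.service not in SERVICES or self.policy not in ("allow", "deny"):
            raise ValueError(f"bad rule: {self}")
        if self.network != "all":
            ipaddress.ip_network(self.network, strict=False)  # validate early

    def matches(self, client_ip: str, service: str) -> bool:
        """True when this rule covers both the client address and the service."""
        if self.service not in ("all", service):
            return False
        if self.network == "all":
            return True
        net = ipaddress.ip_network(self.network, strict=False)
        return ipaddress.ip_address(client_ip) in net


def decide(rules: List[Rule], default_policy: str, client_ip: str, service: str) -> str:
    """Return 'allow' or 'deny' for one management connection attempt."""
    if service not in SERVICES or service == "all":
        raise ValueError(f"unknown service {service!r}")
    # Allow rules have higher priority than deny rules, whatever their order.
    for rule in rules:
        if rule.policy == "allow" and rule.matches(client_ip, service):
            return "allow"
    for rule in rules:
        if rule.policy == "deny" and rule.matches(client_ip, service):
            return "deny"
    # The default access status has the lowest priority of all.
    return default_policy


def broad_allows(rules: List[Rule]) -> List[Rule]:
    """Review helper: allow rules that open a service to every source network.

    Because allow rules beat every deny rule, such an entry cannot be narrowed
    by adding deny rules; it has to be removed or given a specific network."""
    return [r for r in rules if r.policy == "allow" and r.network == "all"]


# Constructed rule set: one administration host may use SSH and telnet, the
# rest of the LAN is explicitly denied telnet, and the default status (deny,
# as shipped for everything except SNMP) covers anything else.
RULES = [
    Rule("192.168.3.0/24", "telnet", "deny"),
    Rule("192.168.3.10/32", "ssh", "allow"),
    Rule("192.168.3.10/32", "telnet", "allow"),
]

if __name__ == "__main__":
    for ip, svc in (("192.168.3.10", "telnet"), ("192.168.3.20", "telnet"), ("10.0.0.5", "snmp")):
        print(f"{ip:>14} {svc:<6} -> {decide(RULES, 'deny', ip, svc)}")
    print("overly broad allow rules:", broad_allows(RULES))
```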
When the telnet connection to the Browan Public Access Control Gateway is
enabled, the administrator can connect to the CLI interface via telnet.
Make sure that the default access status in the system | access | access control menu is allow. Otherwise, you will not be able to
connect via telnet, even though the telnet connection is enabled.
To enable the telnet connection, click the edit button and change the status.
It is recommended to use the Browan Public Access Control Gateway for EAP authentication methods.
The EAP/802.1x methods are:
EAPMD5 – 802.1x authenticator with MD-5 method
EAPSIM – 802.1x authenticator with SIM authentication method
EAPTLS – 802.1x authenticator with TLS authentication method
EAPTTLS – 802.1x authenticator with TTLS authentication method
Figure210 AAA Settings
If UAM (web-login) method is disabled, the subscriber will not be able to login through the web interface.
Universal address translation works only on LAN and VLAN interfaces with authentication setting enabled (see more about these settings in
the System | Access | NAV).
The Browan Public Access Control Gateway currently supports 50 UAT clients simultaneously.
The operator can strengthen the security of the Browan Public Access Control
Gateway by defining the isolation feature in the system | access | isolation
menu.
PAT – port address translation service status. If the user enables
this feature, users access the Internet with the network gateway
address.
This setting is important when the user configures the UAT settings. See section: System | Access | UAT for more details.
SNMP Table:
characters, no spaces].
If no OID is specified, all SNMP requests to the Browan Public Access Control Gateway are redirected to a specific host.
You can configure your SNMP agent to send SNMP traps (and/or inform
notifications) to the defined host (SNMP manager) and community name
(optional).
Figure221 SNMP Trap Table
Port – enter the port number through which the trap messages should be sent
[number].
Click the new button to add a new MAC address. The format of a MAC address
can be:
For web authentication, this item configures whether to redirect the web logon user
to an HTTPS logon page or an HTTP page.
The default configuration is disabled, which means the web logon client is
redirected to an HTTPS logon page for more security.
The portal detect setting configures the IP address of the portal server. When the
device fails to connect to that IP address, it sends a warning to the trap
receiver. The network manager receives the warning trap and can repair
the link.
Host – enter the IP address of the portal server.
Figure227 Edit portal service detect
System | Status
Users can check the current status of the Browan Public Access Control
Gateway in the system | status menu.
System | Reset
The user can reboot the device or reset it to factory defaults in the system | reset
menu.
Figure230 Reset
Figure230 Reboot
Keep in mind that resetting the device is an irreversible process. Please note that even the administrator password will be set back to the
factory default.
System | Update
Upload only the original firmware image in the system | update menu, then
click the upload button.
Gateway. Now click the flash button to upload this new firmware into the
FLASH memory.
Do not switch off or disconnect the Browan Public Access Control Gateway from the power supply during the firmware update process,
because the device could be damaged.
Firmware auto-update:
Update interval – the user can define the time interval between each
update in hours [1-9999]. The default value is 48 hours.
On boot, the auto-update feature checks for available updates on the specified server at the given URL. If there is a different version, the device downloads and
installs the firmware update and reboots. If the firmware version matches the current version on the device, no update takes place.
Connection
Users can view the connected users' statistics in the
connection menu, set the outgoing mail server or observe
the connected station availability.
Connection | Users
The users menu is for viewing the connected users' statistics. The
administrator can also log out a user from here.
Details – click on user details to get more information about the client:
Logout User – click this button to explicitly log out the user from the
network.
Click the edit button to specify your outgoing mail server settings.
Save – save the new e-mail redirection settings.
Figure239 E-mail Redirection Settings
Failure Count – the failure count value after which the user is logged out from
the system.
Appendix
Technical Data
LAN Four 10/100Mb Ethernet ports, switched, auto sensing, RJ-45, 802.1q VLAN support
Management Interfaces HTTPs, Telnet, SNMP (MIB II, Ethernet MIB, bridge MIB, private MIB), Terminal
Physical Specification
Dimension 436 mm x 260 mm x 44 mm
Weight -
Environment Specification
Temperature Humidity
Power Supply
Input 100-230V AC, 50/60Hz
Package Contents
Browan Public Access Control Gateway
Mounting Kit
One Ethernet patch cable
Power cords for EU and USA
CD-ROM with software and documentation
Printed warranty note, release note
Related Products
Access Points: P-520 54Mb Operator Access Point; P-380-HPAM High Power 11MB Outdoor Router
Status Enabled
Type WAN
IP Address 192.168.2.66
Netmask 255.255.255.0
Gateway 192.168.2.1
Interface Ixp0
Status Enabled
Type LAN
IP Address 192.168.3.1
Netmask 255.255.255.0
Gateway Ixp1
Configuration | VLAN
No VLAN entries are defined on system.
Configuration | Route
No routes are defined on system.
Interface Ixp0
Status Disabled
IP Address 0.0.0.0
Netmask 0.0.0.0
DNS
Hostname None
Domain None
Type Primary
IP Address 0.0.0.0
Type Secondary
IP Address 0.0.0.0
DHCP
Status DHCP Server
Interface Ixp0
IP Address to 192.168.3.223
RADIUS Settings
RADIUS Retries 5
RADIUS Timeout 2
NAS Server ID -
Location Terminal_Worldwide
Bandwidth Up 1 Mbps
RADIUS Servers
Name DEFAULT (default)
Type Authentication
IP Address 0.0.0.0
Port 1812
Type Accounting
IP Address 0.0.0.0
Port 1813
WISP
Domain Policy: username@domain
Accounting Backup
Description Backup via syslog
Status Disabled
Host 0.0.0.0
Status Disabled
Host -
Tunnels | PPPoE/GRE
Use Internal
Status Enabled
Location Welcome.xsl
Page Login
Use Internal
Status -
Page Logout
Use Internal
Status -
Location Logout.xsl
Page Help
Use Internal
Status -
Location Images/help.html
Page Unauthorized
Use Internal
Status -
Location Images/unauthorized.html
Caching
Description Enabled
Headers
Description Content-Type
Status Disabled
Description Content-Language
Status Disabled
Remote Authentication
Remote Authentication Disabled
Administrator
Super administrator: Username: admin (case sensitive)
Start Page
Start Page URL http://www.gemtek-systems.com
Walled Garden
No free site (or walled garden) URL is specified.
Web Proxy
Web Proxy Enabled
Host 0.0.0.0
Level Debug
Level Information
Configuration | Clock
Date Time No further known parameter.
Configuration | NTP
NTP Service Enabled
Host Time.windows.com
Time.nist.gov
Configuration | Certificate
Configuration | Pronto
Access | Telnet
Access | AAA
UAM Enabled
EAP802.1x Disabled
MAC Disabled
Access | UAT
Interface Ixp0
IP Address 192.168.3.224
Netmask 192.168.3.224
Access | Isolation
Bindmac Disabled
Isolation Disabled
Access | NAV
Interface Ixp0
IP Address 192.168.3.1
NAT Enabled
Authentication Enabled
Access | SNMP
Name Name
Location Location
Type RO User
Type RW User
MAC Disabled
Pre-paid Enabled
e-billing Enabled
RADIUS Enabled
Update
Status Disabled
Update interval 48
Delay 0
Connection Settings
E-mail Redirection
Status Disabled
Host 0.0.0.0
Port 25
Station Supervision
Interval 20
Failure count 9
Built-in AAA
E-Billing | User Control
User Control No User list available
Pre-paid | Price/Unit
Price(/hour) 5.00
Reminds counts 10
Configuration | Language
English
Configuration | Title
GSI
Network Commands
network
configuration Network Interfaces configuration.
network configuration
interface Network Interfaces configuration.
-s <status> The interface status. Possible values are enabled and disabled.
-g <gateway> Interface gateway in digits and dots notation or name of other interface.
-d <dhcpclient> The status of dhcp client for the interface. May have values enabled and
disabled. Can be used with WAN interface only.
<id> Port Forwarding entry id. Needed with actions E(dit) and D(elete).
-n <filterNetwork> Network from which users are allowed to access management subnet.
-t <filterNetmask> Netmask of network from which users are allowed to access management
subnet.
<interface> Name of LAN interface on which VLAN interface exists. Needed only with
action A.
network dhcp
<interface> Interface name for DHCP server instance.
-s <status> Status of DHCP server for interface. May be server, relay or disabled.
-f <from> Start of IP address range supported for DHCP service. Needed only with
server status.
-t <to> End of IP address range supported for DHCP service. Needed only with
server status.
-l <lease_time> DHCP Server lease time. Needed only with server status.
-c <circuit_id> Circuit ID - a unique NAS identifier. MAC address will be used by default.
Needed only with relay status.
network dns
<type> DNS Server type. May be primary or secondary.
<nameserver> DNS Server IP address in digits and dots notation, e.g. 192.168.2.27.
network radius
accounting_log For sending RADIUS accounting via syslog.
network accounting_log
-l <status> Local accounting log status. Possible values are enabled or disabled.
-r <status> Remote accounting log status. Possible values are enabled or disabled.
-s <secret> Shared secret key for accounting (must be the same on RADIUS server and
RADIUS client).
-s <secret> Shared secret key (must be the same on RADIUS server and RADIUS client).
-d <default> Sets the server as default. Possible values: yes. Note: there can be only one
default Radius server.
-w <status> Strip WISP name before sending to RADIUS. May have values enabled or
disabled.
-u <method> UAM authentication method for RADIUS server. May have values pap, chap,
mschap1 and mschap2.
-b <status> If RADIUS Backup Server feature is on. May have values enabled or disabled.
-s <secret> Shared secret key for backup server(must be the same on RADIUS server
and RADIUS client).
-t <timeout> Maximal amount of time before retrying RADIUS packets (in seconds).
-o <user_timeout> Amount of time from user side (no network carrier) before closing the
connection (in seconds).
-a <acct_update> Period after which server should update accounting information (in seconds).
-c <acct_retry> Retry time period in which server should try to update accounting information
before giving up (in seconds).
-i <idle> Amount of user inactivity time, before automatically disconnecting user from
the network (in seconds).
<radius_id> WISP Radius server id (from Radius authentication server list). Usable only
with A action.
<interface> Interface name to which the WISP should be bound or none. Usable only with
A action.
network tunnels
-e <encryption> PPTP encryption status: enabled or disabled. Used only with A and E actions.
-a <network> PPTP remote network address. Used only with A and E actions.
-m <netmask> PPTP remote network netmask. Used only with A and E actions.
User Commands
user
administrator Administrator login and password change.
user administrator
Enter for wizard Follow the wizard and complete administrator settings changes.
user connected
<action> D(etail) user statistics for or L(ogout) user with specified ip.
user start_page
<url> The web page to which the user is redirected after login.
user walled_garden
host Configures free web sites that are not displayed to users.
<id> Walled Garden entry id. Used only with E(dit) and D(elete) actions.
user webproxy
-s <status> Web proxy status: enabled or disabled.
System Commands
system
system access
aaa Multimode settings.
system configuration
clock Manual setting of internal device clock
syslog For sending system and debug messages via syslog protocol.
-m <mode_list> Either disabled or space separated list of modes. Modes may be: uam,
802.1x, mac.
-u <use_password> Mac authentication mode password usage: 'radius' - use radius shared secret
key, 'user' - use of user-defined password.
-p <password> User defined mac authentication password.
system access control
<action> Action to take upon management access entry: A(dd), E(dit), D(elete) or
default.
<id> Management access entry id. Needed only when editing or deleting entry.
-s <service> Services for which the policy should be set: ssh, snmp, telnet or all.
-a <ip/bitmask> 'all' or network ip address and bitmask to (dis)allow service to.
-p <policy> Management access policy: allow or deny(default is deny).
system access isolation
-b <status> Mac binding status: enabled or disabled.
system configuration
clock Manual setting of internal device clock.
syslog For sending system and debug messages via syslog protocol.
-s <status> NTP service status: enabled or disabled. Needed only with S action.
-h <interval> Heartbeat interval in seconds, 'disabled' or 'server' to obtain it from the server.
-h <host> The host IP address where to send the syslog. Needed only when enabling
syslog.
-l <level> The lowest level of messages that will be logged. Possible levels: debug, info,
warning, error, fatal.
level <level> Sets level of trace messages. Possible levels: debug, info, warning, error,
fatal.
Status Commands
status
device General system information.
network Network information.
service Services information.
Connection Commands
connection
email Outgoing Mail (SMTP) Redirection settings.
supervision Settings for station availability monitoring with ARP-Pings.
connection email
<status> SMTP redirection status: enabled or disabled.
<host> New SMTP server host IP address.
<port> New port number.
connection supervision
<seconds> <number> ARP-Ping interval in seconds and failure number after reaching which user is
automatically logged out.
The Gemtek System vendor specific attributes are described at the client point of view (reverse accounting is disabled).
Class 25 String X X Attribute provided by the Auth. Server, forwarded to the accounting
server
Called-Station-ID 30 String X X This field should contain the MAC address or other information identifying
the Hotspot-in-a-Box
Acct-Delay-Time 41 Integer X Delay (seconds) between Acctg Event and when Acct-Req sent (doesn't
include estimated network transit time)
Acct-Input-Octets 42 Integer X Indicates how many octets have been received from the port over
the course of this service being provided
Acct-Output Octets 43 Integer X Indicates how many octets have been sent to the port in the course of
delivering this service
Acct-Session-ID 44 String X X X Unique Accounting ID to make it easy to match start and stop records in
a log file
Acct-Session-Time 46 Integer X Call duration in seconds (already compensated for idle timeout)
Acct-Input-Packets 47 Integer X Indicates how many packets have been received from the port over
the course of this service being provided
Acct-Output Packets 48 Integer X Indicates how many packets have been sent to the port in the course of
delivering this service
Acct-Terminate-Cause 49 Integer X 1=Explicit Logoff, 4=Idle Timeout, 5=Session Timeout, 6=Admin Reset,
9=NAS Error, 10=NAS Request, 11=NAS Reboot
Acct-Input-Gigawords 52 Integer X This attribute indicates how many times the Acct-Input-Octets counter
has wrapped around 2^32 over the course of this service being provided
Acct-Output-Gigawords 53 Integer X This attribute indicates how many times the Acct-Output-Octets counter
has wrapped around 2^32 in the course of delivering this service
The Wi-Fi Alliance recommends a list of certain Vendor Specific Attributes (VSA). The VSA values are intended to provide location information to the backend
processing system or to deliver service type information back to the Hotspot-in-a-Box.
The Wi-Fi Alliance has registered an IANA Private Enterprise Number (PEN) of 14122, which can be used to pass Vendor-Specific attributes to international
roaming partners.
The Gemtek System vendor specific attributes are described at the client point of view (reverse accounting is disabled).
Acct-Session-Output-Gigawords 24 Integer X Session upload volume limitation in bytes. Forced logout once volume
limitation is reached
Acct-Session-Octets 25 Integer X Upload and download limitation
Acct-Session-Gigawords 26 Integer X Upload and download limitation
AL Albania LT Lithuania
DZ Algeria LU Luxembourg
AO Angola MG Madagascar
AI Anguilla MW Malawi
AQ Antarctica MY Malaysia
AR Argentina ML Mali
AM Armenia MT Malta
AU Australia MQ Martinique
AT Austria MR Mauritania
AZ Azerbaijan MU Mauritius
BS Bahamas YT Mayotte
BH Bahrain MX Mexico
BY Belarus MC Monaco
BE Belgium MN Mongolia
BZ Belize MS Montserrat
BJ Benin MA Morocco
BM Bermuda MZ Mozambique
BT Bhutan MM Myanmar
BO Bolivia NA Namibia
BW Botswana NP Nepal
BG Bulgaria NI Nicaragua
BI Burundi NG Nigeria
KH Cambodia NU Niue
TD Chad PW Palau
CN China PA Panama
CO Colombia PE Peru
KM Comoros PH Philippines
CG Congo PN Pitcairn
HR Croatia RE Réunion
CU Cuba RO Romania
EG Egypt WS Samoa
EE Estonia SN Senegal
ET Ethiopia SC Seychelles
FJ Fiji SK Slovakia
FI Finland SI Slovenia
TF French southern territories GS South Georgia and the south sandwich islands
GA Gabon ES Spain
GE Georgia SD Sudan
DE Germany SR Suriname
GI Gibraltar SZ Swaziland
GR Greece SE Sweden
GL Greenland CH Switzerland
GU Guam TJ Tajikistan
GN Guinea TH Thailand
GW Guinea-Bissau TL Timor-Leste
GY Guyana TG Togo
HT Haiti TK Tokelau
HN Honduras TN Tunisia
HU Hungary TM Turkmenistan
IN India TV Tuvalu
ID Indonesia UG Uganda
JM Jamaica UY Uruguay
JP Japan UZ Uzbekistan
JO Jordan VU Vanuatu
KE Kenya VE Venezuela
KI Kiribati VN Vietnam
LV Latvia YU Yugoslavia
LS Lesotho ZM Zambia
LR Liberia ZW Zimbabwe
Example:
<?xml version="1.0"?>
<Gemtek>
<Header Script_Name="login.user" Title="Login" charset="; charset=ISO8859-1" language="en"/>
<Data nasid="TestLab" version="BG6020G" help="images/help.html" ip="192.168.4.1"
mac="00923456789A" original_url="https://192.168.4.4:7777/login.user"
type="2" username="g1">
<entry descr="Gemtek Baltic" id="0" url="http://www.gemtek.lt"/>
<entry descr="Gemtek Systems, Inc." id="1" url="http://www.gemtek-systems.com"/>
</Data>
<WISPAccessGatewayParam MessageType="120" ResponseCode="100">
<entry ReplyMessage="Your password has expired."/>
</WISPAccessGatewayParam>
<Errors id="4102"/>
</Gemtek>
Current script filename (to be used in forms action attribute) can be located in the XML tree at: /Gemtek/Header/@Script_Name
/Gemtek/Header/@Title
Custom char set (if enabled on administration pages) for user pages at:
/Gemtek/Header/@charset
Welcome.xsl
Welcome page is the first page that the user sees while not registered on the network. This page provides welcome text to the user who is connected to the
controller and supplies a link to the login page.
Attribute in XML tree at /Gemtek/Data/@cmd defines the link to the login page. This link should be used to point the user from the welcome screen to login
screen. The Welcome page also lists defined walled garden entries, informing the user where to browse without registering on the network.
Walled Garden information is located in the XML tree under /Gemtek/Data with multiple "entry" branches. These branches have the following attributes:
Login.xsl
Login page appears when the user is not registered to the network and tries to open a webpage. The user proceeds to the login page, following the link from
the welcome page. The Login page has variables that can be used:
/Gemtek/Header/@Script_Name - script name to send back to the BG6020G user login information;
/Gemtek/Data/@username - the username to be entered into the user name field – usually the name the user entered before while unsuccessful in
registering on the network;
/Gemtek/Data/@ip - detected user IP from which he/she tries to register on the network;
error  description
1  Failed to authorize
4  Accounting error
It is advisable to first check the error codes because they return more precise information. Branch "Type" returns the RADIUS server response, which gives
additional information about the user status. This can help in detecting whether the user has just logged in or has come to this page while already logged in.
/Gemtek/WISPAccessGatewayParam/entry/@ReplyMessage - the RADIUS server response message on user logon [optional]. This parameter
supports multiple messages.
These optional RADIUS Reply-Messages can provide more detailed information on why the user logon failed.
/Gemtek/Data/@cmd - link to logout page. The logout page displays network usage statistics and provides the logout from the network function.
/Gemtek/Data/@url - the URL of start page to where the user is redirected after successful login. Usually it can be the website of the company or
organization providing the BG6020G controller and configuring the users to visit their website.
/Gemtek/Data/@help - link to help page regarding how the user should register on the network.
When the user clicks the login button, information is sent to the /Gemtek/Header/@Script_Name location with the following information:
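Parsing the login.user response the way a smart client would, as an added example that is not part of the manual: it reads the error code first, then the RADIUS Reply-Message entries, using the manual's Login.xsl error code table. The embedded document is the manual's example XML with its stray ';' characters removed.

```python
"""Added example, not Browan/Gemtek code: parse the XML that login.user
returns, following the manual's advice to look at the error code first and
at the RADIUS Reply-Message entries second. Error code texts are the
manual's Login.xsl table; SAMPLE is the manual's example document."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Login.xsl error codes listed in the manual.
LOGIN_ERRORS = {
    4101: "Failed to authorize.",
    4102: "Login or/and password incorrect.",
    4103: "Network connection failed.",
    4104: "Accounting error.",
    4105: "Unknown authorization error.",
    4106: "Could not get redirection URL.",
    4107: "Already logged in.",
}


@dataclass
class LoginResult:
    script_name: str                  # /Gemtek/Header/@Script_Name
    error_code: Optional[int]         # /Gemtek/Errors/@id
    response_code: Optional[int]      # /Gemtek/WISPAccessGatewayParam/@ResponseCode
    reply_messages: List[str]         # .../entry/@ReplyMessage (may repeat)
    start_url: Optional[str]          # /Gemtek/Data/@url
    walled_garden: List[Tuple[str, str]] = field(default_factory=list)  # (descr, url)


def parse_login_response(xml_text: str) -> LoginResult:
    root = ET.fromstring(xml_text)
    if root.tag != "Gemtek":
        raise ValueError("not a Gemtek user-page document")
    header = root.find("Header")
    data = root.find("Data")
    errors = root.find("Errors")
    wispr = root.find("WISPAccessGatewayParam")

    code = None
    if errors is not None and errors.get("id"):
        code = int(errors.get("id"))
    response_code = None
    replies: List[str] = []
    if wispr is not None:
        if wispr.get("ResponseCode"):
            response_code = int(wispr.get("ResponseCode"))
        replies = [e.get("ReplyMessage") for e in wispr.findall("entry") if e.get("ReplyMessage")]
    garden = []
    if data is not None:
        # On login.user the Data/entry branches are the walled garden list.
        garden = [(e.get("descr", ""), e.get("url", "")) for e in data.findall("entry")]
    return LoginResult(
        script_name=header.get("Script_Name", "") if header is not None else "",
        error_code=code,
        response_code=response_code,
        reply_messages=replies,
        start_url=data.get("url") if data is not None else None,
        walled_garden=garden,
    )


def outcome(result: LoginResult) -> str:
    """One-line verdict: the error code is authoritative, Reply-Message adds detail."""
    if result.error_code is not None:
        text = LOGIN_ERRORS.get(result.error_code, "Unknown error code.")
        if result.reply_messages:
            text += " RADIUS: " + " ".join(result.reply_messages)
        return f"login failed ({result.error_code}): {text}"
    return "login ok, redirect to " + (result.start_url or "the configured start page")


# The manual's login.user example, semicolons removed.
SAMPLE = """<?xml version="1.0"?>
<Gemtek>
<Header Script_Name="login.user" Title="Login" charset="; charset=ISO8859-1" language="en"/>
<Data nasid="TestLab" version="BG6020G" help="images/help.html" ip="192.168.4.1"
mac="00923456789A" original_url="https://192.168.4.4:7777/login.user"
type="2" username="g1">
<entry descr="Gemtek Baltic" id="0" url="http://www.gemtek.lt"/>
<entry descr="Gemtek Systems, Inc." id="1" url="http://www.gemtek-systems.com"/>
</Data>
<WISPAccessGatewayParam MessageType="120" ResponseCode="100">
<entry ReplyMessage="Your password has expired."/>
</WISPAccessGatewayParam>
<Errors id="4102"/>
</Gemtek>"""

if __name__ == "__main__":
    print(outcome(parse_login_response(SAMPLE)))
```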
Logout.xsl
The logout page displays network usage statistics and gives the user the ability to log out from the network. The Logout page is displayed after a successful login,
with usage statistics that are automatically refreshed after a defined time period.
/Gemtek/Header/@Script_Name - current script name, to send command to logout or refresh the statistics on page.
error  description
4107  Already logged in. This error code usually comes from the login screen, when redirecting.
The following error codes are sent when a command other than LOGOUT is submitted:
error  description
/Gemtek/Data/@login - link to login page. This is used when the user is logged-off and to provide a quick link to be used to register again.
/Gemtek/Data/entry/@ip - detected user IP address from which the user has made his attempt to register on the network.
If there is no /Gemtek/Data/entry in XML tree, it indicates that the user is not logged in.
<a href="/logout.user?cmd=logout">.
To get user usage statistics, simply refresh the script defined in /Gemtek/Header/@Script_Name with no variables set. This could be done by defining the
simple link:
<a href="/logout.user">.
Help.html
This is an HTML file with no embedded CGI. It is advisable to write instructions for the user on how to register to the network or what to do in case of
troubleshooting.
Unauthorized.html
This page appears if the user is not registered on the network or web authentication is not provided on the AC. It is recommended to include information on
how to contact the network administrator (e.g. phone number).
Smart Client
The BG6020G can be used not only with a browser but also with a smart client connected to the BG6020G through an HTTPS connection, thus retrieving the information
given as XML in the same login.user output. To support a smart client, the following lines should be included in all user XSL templates:
<xsl:import href="xml-in-comments.xsl"/>
<xsl:apply-templates select="Gemtek/WISPAccessGatewayParam"/>
https://BG6020G_ip_address/welcome.user
https://BG6020G_ip_address/login.user
https://BG6020G_ip_address/logout.user
For the user who is logged in, the form should be posted to /login.user address and the form should have the following parameters:
https://BG6020G_ip_address/logout.user
To disconnect a user who is currently connected, the following address should be used:
Entering the following address into the browser will disconnect the currently logged in user:
https://BG6020G_ip_address/logout.user?cmd=logout
Upload Templates
All user pages files (welcome.xsl, login.xsl, logout.xsl, help.html, unauthorized.html) can be on an external server or on the BG6020G. Which templates are to
be used is found in user interface | configuration | pages. The BG6020G has default user templates that can be replaced by uploading new templates. Any
uploaded templates and images override the default templates.
PNG
GIF
JPG
Supported cascading style sheets:
CSS
Uploaded file types are detected by their extension.
The Hotspot-in-a-Box administrator is responsible for conducting tests to ensure that all uploaded templates are correct and work as expected. After the upload,
the controller does not verify the correctness of the uploaded templates. If the controller is not able to load an uploaded xsl template, it uses the default
built-in templates.
Image Location
Designers who prepare custom user templates should take note of the location of the images used. All uploaded images, style sheets and static HTML pages
(help.html and unauthorized.html) are located at the virtual directory 'images'. An uploaded image example.gif will be accessible at the following path:
'images/example.gif'
Using other paths like 'webserver/example.gif' or 'example.gif' will redirect to 'images/unauthorized.html' or, if UAM is enabled, to the user page (welcome.user,
login.user or logout.user depending on device configuration and user status).
Example:
  <?xml version="1.0"?>
  <Gemtek>
    <Header Script_Name="login.user" Title="Login" charset="; charset=ISO8859-1" language="en"/>
    <Data nasid="TestLab" version="BG6020G" help="images/help.html" ip="192.168.4.1"
          mac="00923456789A" original_url="https://192.168.4.4:7777/login.user"
          type="2" username="g1">
      <entry descr="Gemtek Baltic" id="0" url="http://www.gemtek.lt"/>
      <entry descr="Gemtek Systems, Inc." id="1" url="http://www.gemtek-systems.com"/>
    </Data>
    <WISPAccessGatewayParam MessageType="120" ResponseCode="100">
      <entry ReplyMessage="Your password has expired."/>
    </WISPAccessGatewayParam>
    <Errors id="4102"/>
  </Gemtek>
Current script filename (to be used in the form's action attribute): /Gemtek/Header/@Script_Name
Page title: /Gemtek/Header/@Title
Custom character set (if enabled on the administration pages) for user pages: /Gemtek/Header/@charset
Welcome.xsl
Welcome page is the first page that the user sees while not registered on the network. This page provides welcome text to the user who is connected to the
controller and supplies a link to the login page.
The attribute at /Gemtek/Data/@cmd holds the link to the login page; use it to point the user from the welcome screen to the login
screen. The Welcome page also lists the defined walled garden entries, informing the user where browsing is possible without registering on the network.
Walled Garden information is located in the XML tree under /Gemtek/Data with multiple "entry" branches. These branches have the following attributes:
Login.xsl
The Login page appears when a user who is not registered on the network tries to open a web page, or when the user follows the link from
the welcome page. The Login page has the following variables available:
/Gemtek/Header/@Script_Name - script name to which the user's login information is sent back to the BG6020G;
/Gemtek/Data/@username - the username to pre-fill in the user name field; usually the name the user entered in a previous, unsuccessful attempt to
register on the network;
/Gemtek/Data/@ip - the detected IP address from which the user tries to register on the network;
/Gemtek/Errors/@id - error code returned for the login request (see the Errors element in the example above). The codes are:
Error   Description
4101    Failed to authorize.
4102    Login or/and password incorrect.
4103    Network connection failed.
4104    Accounting error.
4105    Unknown authorization error.
4106    Could not get redirection URL.
4107    Already logged in.
/Gemtek/Data/@type - the BG6020G's response to the login request. Type values are as follows:
Type    Description
0       Ok - logged in, redirect user to start page
1       Failed to authorize
2       Login or/and password incorrect
3       Network connection failed
4       Accounting error
5       User already logged in
It is advisable to check the error codes first, because they return more precise information. The "type" value returns the RADIUS server response, which gives
additional information about the user status. This helps in detecting whether the user has just logged in or has come to this page while already logged in.
/Gemtek/WISPAccessGatewayParam/entry/@ReplyMessage - the RADIUS server response message on user logon [optional]. This parameter
supports multiple messages.
These optional RADIUS Reply-Message values can give more detailed information on why the user logon failed.
/Gemtek/Data/@cmd - link to logout page. The logout page displays network usage statistics and provides the logout from the network function.
/Gemtek/Data/@url - the URL of start page to where the user is redirected after successful login. Usually it can be the website of the company or
organization providing the BG6020G controller and configuring the users to visit their website.
/Gemtek/Data/@help - link to help page regarding how the user should register on the network.
When the user clicks the login button, the form is sent to the /Gemtek/Header/@Script_Name location with the following information:
Logout.xsl
The logout page displays network usage statistics and lets the user log out from the network. The Logout page is displayed after a successful login;
its usage statistics are automatically refreshed after a defined time period.
/Gemtek/Header/@Script_Name - current script name, used to send the logout command or to refresh the statistics on the page.
Error   Description
4107    Already logged in. This error code usually comes from the login screen, when redirecting.
The following error codes are sent when a command other than LOGOUT is submitted:
Error   Description
4201    Failed to authorize.
4202    Login failed.
4203    Network connection failed.
4204    Accounting error.
4205    Undefined error returned from the RADIUS client on the BG6020G.
4206    Already logged in.
/Gemtek/Data/@login - link to the login page. This is used when the user is logged off, to provide a quick link for registering again.
/Gemtek/Data/entry/@ip - the detected IP address from which the user attempted to register on the network.
If there is no /Gemtek/Data/entry in the XML tree, the user is not logged in.
The logout command is sent by defining the link:
<a href="/logout.user?cmd=logout">
To get user usage statistics, simply refresh the script defined in /Gemtek/Header/@Script_Name with no variables set. This can be done by defining the
simple link:
<a href="/logout.user">
Help.html
This is a plain HTML file with no embedded CGI. It is advisable to write instructions for the user on how to register on the network and what to do when
troubleshooting.
Unauthorized.html
This page appears if the user is not registered on the network or web authentication is not provided on the AC. It is recommended to include information on
how to contact the network administrator (e.g. a phone number).
Smart Client
The BG6020G can be used not only with a browser but also with a smart client that connects to the BG6020G over an HTTPS connection and retrieves the
information as XML from the same login.user output. To support a smart client, include the following lines in all user XSL templates:
<xsl:import href="xml-in-comments.xsl"/>
<xsl:apply-templates select="Gemtek/WISPAccessGatewayParam"/>
The user page addresses are:
https://BG6020G_ip_address/welcome.user
https://BG6020G_ip_address/login.user
https://BG6020G_ip_address/logout.user
To log the user in, the form should be posted to the /login.user address with the following parameters:
To receive connected user session information, the following address should be used:
https://BG6020G_ip_address/logout.user
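Added example, not from the BROWAN manual or the BG6020G firmware: a Python smart-client-side reader for the login.user and logout.user XML described in the Login.xsl, Logout.xsl and Smart Client sections above. It reads the documented XPath locations and error tables; the sample documents, the form field names in render_login_form and the start URL are constructed for the example (the first sample mirrors the manual's login.user example).

```python
import html
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# /Gemtek/Errors/@id codes documented for the login page
LOGIN_ERRORS = {4101: "Failed to authorize.", 4102: "Login or/and password incorrect.",
                4103: "Network connection failed.", 4104: "Accounting error.",
                4105: "Unknown authorization error.", 4106: "Could not get redirection URL.",
                4107: "Already logged in."}
# /Gemtek/Data/@type codes (the gateway's response to the login request)
LOGIN_TYPES = {0: "Ok - logged in, redirect user to start page", 1: "Failed to authorize",
               2: "Login or/and password incorrect", 3: "Network connection failed",
               4: "Accounting error", 5: "User already logged in"}

@dataclass
class LoginResponse:
    script_name: str            # /Gemtek/Header/@Script_Name, used as the form action
    username: str               # /Gemtek/Data/@username, echoes what the user typed before
    client_ip: str              # /Gemtek/Data/@ip
    start_url: Optional[str]    # /Gemtek/Data/@url, redirect target after a successful login
    error_id: Optional[int]     # /Gemtek/Errors/@id
    login_type: Optional[int]   # /Gemtek/Data/@type
    reply_messages: List[str] = field(default_factory=list)             # RADIUS Reply-Message(s)
    walled_garden: List[Tuple[str, str]] = field(default_factory=list)  # (descr, url) entries

def _branch(root: ET.Element, name: str) -> ET.Element:
    # Missing branches become empty elements so the attribute lookups below stay simple.
    el = root.find(name)
    return el if el is not None else ET.Element(name)

def _int_attr(el: ET.Element, name: str) -> Optional[int]:
    value = el.get(name)
    return int(value) if value is not None and value.isdigit() else None

def parse_login(xml_text: str) -> LoginResponse:
    """Read login.user output at the XPath locations documented for login.xsl."""
    root = ET.fromstring(xml_text)
    if root.tag != "Gemtek":
        raise ValueError("not a BG6020G user-page document")
    header, data, errors = (_branch(root, n) for n in ("Header", "Data", "Errors"))
    return LoginResponse(
        script_name=header.get("Script_Name", "login.user"),
        username=data.get("username", ""), client_ip=data.get("ip", ""), start_url=data.get("url"),
        error_id=_int_attr(errors, "id"), login_type=_int_attr(data, "type"),
        reply_messages=[e.get("ReplyMessage") for e in root.findall("WISPAccessGatewayParam/entry")
                        if e.get("ReplyMessage")],
        walled_garden=[(e.get("descr", ""), e.get("url")) for e in data.findall("entry")
                       if e.get("url")])

def login_outcome(r: LoginResponse) -> str:
    """Check /Gemtek/Errors/@id first (more precise), then /Gemtek/Data/@type, then Reply-Message."""
    if r.error_id in LOGIN_ERRORS:
        text = LOGIN_ERRORS[r.error_id]
    elif r.login_type in LOGIN_TYPES:
        text = LOGIN_TYPES[r.login_type]
    else:
        text = "No status reported" if r.error_id is None else f"Unknown error {r.error_id}"
    return text + (" (" + "; ".join(r.reply_messages) + ")" if r.reply_messages else "")

def render_login_form(r: LoginResponse) -> str:
    """Form skeleton a template would emit. Field names are this example's assumption; the
    pre-filled @username echoes user input, so it is HTML-escaped before being embedded."""
    return (f'<form method="post" action="{html.escape(r.script_name)}">'
            f'<input name="username" value="{html.escape(r.username)}"/></form>')

def logout_session_ip(xml_text: str) -> Optional[str]:
    """logout.user output: a /Gemtek/Data/entry element means a user is logged in; return its @ip."""
    entry = ET.fromstring(xml_text).find("Data/entry")
    return entry.get("ip") if entry is not None else None

# Constructed sample documents; the first mirrors the manual's login.user example above.
SAMPLE_LOGIN_FAILED = """<?xml version="1.0"?><Gemtek>
<Header Script_Name="login.user" Title="Login" charset="; charset=ISO8859-1" language="en"/>
<Data nasid="TestLab" version="BG6020G" help="images/help.html" ip="192.168.4.1" mac="00923456789A"
 original_url="https://192.168.4.4:7777/login.user" type="2" username="g1">
<entry descr="Gemtek Baltic" id="0" url="http://www.gemtek.lt"/>
<entry descr="Gemtek Systems, Inc." id="1" url="http://www.gemtek-systems.com"/></Data>
<WISPAccessGatewayParam MessageType="120" ResponseCode="100">
<entry ReplyMessage="Your password has expired."/></WISPAccessGatewayParam>
<Errors id="4102"/></Gemtek>"""
SAMPLE_LOGIN_OK = ('<Gemtek><Header Script_Name="login.user" Title="Login"/>'
                   '<Data ip="192.168.4.1" type="0" username="g1" url="http://start.example/"/></Gemtek>')
SAMPLE_LOGOUT_ACTIVE = ('<Gemtek><Header Script_Name="logout.user" Title="Logout"/>'
                        '<Data login="login.user"><entry ip="192.168.4.4"/></Data></Gemtek>')
SAMPLE_LOGOUT_NONE = '<Gemtek><Header Script_Name="logout.user"/><Data login="login.user"/></Gemtek>'
```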
Glossary
Symbols:
802.11: 802.11 is a family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics
Engineers (IEEE). The original specification provides for an Ethernet Media Access Controller (MAC) and several physical layer (PHY) options, the most
popular of which uses GFSK modulation at 2.4GHz, enabling data rates of 1 or 2Mbps. Since its inception, two major PHY enhancements have been adopted
and become "industry standards".
802.11b adds CCK modulation enabling data rates of up to 11Mbps, and 802.11a specifies OFDM modulation in frequency bands in the 5 to 6GHz range, and
enables data rates up to 54Mbps.
A
AAA: Authentication, Authorization and Accounting. A method for transmitting roaming access requests in the form of user credentials (typically user@domain
and password), service authorization, and session accounting details between devices and networks in a real-time manner.
authentication: The process of establishing the identity of another unit (client, user, device) prior to exchanging sensitive information.
B
backbone: The primary connectivity mechanism of a hierarchical distributed system. All systems, which have connectivity to an intermediate system on the
backbone, are assured of connectivity to each other. This does not prevent systems from setting up private arrangements with each other to bypass the
backbone for reasons of cost, performance, or security.
Bandwidth: Technically, the difference, in Hertz (Hz), between the highest and lowest frequencies of a transmission channel. However, as typically used, the
amount of data that can be sent through a given communications circuit. For example, typical Ethernet has a bandwidth of 100Mbps.
D
DHCP: Dynamic Host Configuration Protocol (DHCP) is a communications protocol that lets network administrators manage centrally and automate the
assignment of Internet Protocol (IP) addresses in an organization's network. Using the Internet Protocol, each machine that can connect to the Internet needs a
unique IP address. When an organization sets up its computer users with a connection to the Internet, an IP address must be assigned to each machine.
Without DHCP, the IP address must be entered manually at each computer and, if computers move to another location in another part of the network, a new IP
address must be entered. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP
address when a computer is plugged into a different place in the network.
DNS: Domain Name Service. An Internet service that translates a domain name such as gemtek-systems.com to an IP address, in the form xx.xx.xx.xx, where
xx is an 8 bit hex number.
E
EAP: Extensible Authentication Protocol. Defined in [RFC2284] and used by IEEE 802.1x Port Based Authentication Protocol [8021x] that provides additional
authentication methods. EAP-TLS (Transport Level Security) provides for mutual authentication, integrity-protected ciphersuite negotiation and key exchange
between two endpoints [RFC2716]. EAP-TTLS (Tunneled TLS Authentication Protocol) provides an authentication negotiation enhancement to TLS (see
Internet-Draft <draft-ietf-pppext-eap-ttls-00.txt>).
G
gateway: A gateway is a network point that acts as an entrance to another network. On the Internet, a node or stopping point can be either a gateway node or a
host (end-point) node. Both the computers of Internet users and the computers that serve pages to users are host nodes. The computers t hat control traffic
within your company's network or at your local Internet service provider (ISP) are gateway nodes.
H
hotspot: A hotspot is wireless public access system that allows subscribers to be connected to a wireless network in order to access the Internet or other
devices, such as printers. Hot-spots are created by WLAN access points, installed in public venues. Common locations for public access are hotels, airport
lounges, railway stations or coffee shops.
hotspot operator: An entity that operates a facility consisting of a Wi-Fi public access network and participates in the authentication.
HTTP: The Hypertext Transfer Protocol (HTTP) is the set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the
World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.
HTTPS: HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a Web protocol developed by Netscape and built into its
browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Netscape's
Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering.
I
ICMP: ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP
uses Internet Protocol (IP) datagrams, but the messages are processed by the IP software and are not directly apparent to the application user.
IEEE: Institute of Electrical and Electronics Engineers. The IEEE describes itself as the world's largest professional society. The IEEE fosters the development
of standards that often become national and international standards, such as 802.11.
IP: The Internet Protocol (IP) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on
the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an
e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and
the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the
destination address and forwards the packet to an adjacent gateway that in turn reads the destination address and so forth across the Internet until one
gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the
computer whose address is specified.
IPsec: IPsec (Internet Protocol Security) is a developing standard for security at the network or packet processing layer of network communication. Earlier
security approaches have inserted security at the application layer of the communications model. IPsec will be especially useful for implementing virtual private
networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled
without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and
technologies) and has included support for it in its network routers.
IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating
Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of
these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley
protocol.
ISP: An ISP (Internet Service Provider) is a company that provides individuals and other companies access to the Internet and other related services such as
Web site building and virtual hosting. An ISP has the equipment and the telecommunication line access required to have a point-of-presence on the Internet for
the geographic area served.
L
LAN: A local area network (LAN) is a group of computers and associated devices that share a common communications line and typically share the resources
of a single processor or server within a small geographic area (for example, within an office building). Usually, the server has applications and data storage that
are shared in common by multiple computer users. A local area network may serve as few as two or three users (for example, in a home network) or many as
thousands of users (for example, in an FDDI network).
M
MAC: Medium Access Control. In a WLAN network card, the MAC is the radio controller protocol. It corresponds to the ISO Network Model's level 2 Data Link
layer. The IEEE 802.11 standard specifies the MAC protocol for medium sharing, packet formatting and addressing, and error detection.
N
NAT: NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address
known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network
addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
P
POP3: POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is
received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail.
POP3 is built into the Netmanage suite of Internet products and one of the most popular e-mail products, Eudora. It's also built into the Netscape and Microsoft
Internet Explorer browsers.
PPP: PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected
by phone line to a server. PPP uses the Internet protocol (IP) (and is designed to handle others). It is sometimes considered a member of the TCP/IP suite of
protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your
computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of
High Speed Data Link Control (HDLC) for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous
communication. PPP can share a line with other users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.
PPPoE: PPPoE (Point-to-Point Protocol over Ethernet) is a specification for connecting multiple computer users on an Ethernet local area network to a remote
site through common customer premises equipment, which is the telephone company's term for a modem and similar devices. PPPoE can be used to have an
office or building-full of users share a common Digital Subscriber Line (DSL), cable modem, or wireless connection to the Internet. PPPoE combines the
Point-to-Point Protocol (PPP), commonly used in dialup connections, with the Ethernet protocol, which supports multiple users in a local area network. The
PPP protocol information is encapsulated within an Ethernet frame.
PPPoE has the advantage that neither the telephone company nor the Internet service provider (ISP) needs to provide any special support. Unlike dialup
connections, DSL and cable modem connections are "always on." Since a number of different users are sharing the same physical connection to the remote
service provider, a way is needed to keep track of which user the traffic should go to and which user should be billed. PPPoE provides for each user-remote site
session to learn each other's network addresses (during an initial exchange called "discovery"). Once a session is established between an individual user and
the remote site (for example, an Internet service provider), the session can be monitored for billing purposes.
PPTP: Point-to-Point Tunneling Protocol (PPTP) is a protocol (set of communication rules) that allows corporations to extend their own corporate network
through private "tunnels" over the public Internet. Effectively, a corporation uses a wide-area network as a single large local area network. This kind of
interconnection is known as a virtual private network (VPN).
R
RADIUS: RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol and software that enables remote access servers to communicate
with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user
profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single
administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics.
S
SNMP: Simple Network Management Protocol (SNMP) is the protocol governing network management and the monitoring of network devices and their
functions. It is not necessarily limited to TCP/IP networks.
SNMP is described formally in the Internet Engineering Task Force (IETF) Request for Comment (RFC) 1157 and in a number of other related RFCs.
SSL: The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently
been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer
Protocol (HTTP) and Transport Control Protocol (TCP) layers. The "sockets" part of the term refers to the sockets method of passing data back and forth
between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system
from RSA, which also includes the use of a digital certificate.
T
TCP: TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units
between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of
data (called packets) that a message is divided into for efficient routing through the Internet.
TCP is a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be
exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP
manages and for reassembling the packets back into the complete message at the other end. In the Open Systems Interconnection (OSI) communication
model, TCP is in layer 4, the Transport Layer.
TCP/IP: TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the Internet. It can also be used as a
communications protocol in a private network (either an intranet or an extranet). When you are set up with direct access to the Internet, your computer is
provided with a copy of the TCP/IP program just as every other computer that you may send messages to or get information from also has a copy of TCP/IP.
TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol, manages the assembling of a message or file into smaller packets that are
transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol, handles
the address part of each packet so that it gets to the right destination.
Telnet: Telnet is the way to access someone else's computer, assuming they have given permission. (Such a computer is frequently called a host computer.)
More technically, Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. On the Web, the HTTP and FTP protocols allow
you to request specific files from remote computers, but not to actually be logged on as a user of that computer.
U
UAM: Universal Access Method is the current recommended methodology for providing secure web-based service presentment, authentication, authorization
and accounting of users in a WISP network. This methodology enables any standard Wi-Fi enabled TCP/IP device with a browser to gain access to the WISP
network.
W
WAN: A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure
from a local area network (LAN). A wide area network may be privately owned or rented, but the term usually connotes the inclusion of public (shared user)
networks. An intermediate form of network in terms of geography is a metropolitan area network (MAN).
X
XSL: Extensible Stylesheet Language (XSL), formerly called Extensible Style Language, is a language for creating a style sheet that describes how data sent over
the Web using the Extensible Markup Language (XML) is to be presented to the user.
Index
A
AAA, 7
  configuration, 87
AC specification, 111
access AC
  using Web-browser, 12
access control on device, 85
administrator, 75
authentication, 89
B
back panel, 9
C
certificates upload, 82
CLI, 39
  connection commands, 127
  network commands, 119
create log-on, 17
D
DHCP, 57
DNS, 56
E
e-mail redirection, 101
F
factory default values, 113
Features list, 7
H
hardware introduction, 9
headers, 71
help page, 24, 70
I
initialization, 12
installation
  connecting the controller, 8
  package content, 8
introduction
IP router, 7
ISO country codes, 131
L
LAN switch, 7
LEDs, 9
location ID, 131
login, 17, 22, 70
logout, 23, 70
M
Management, 7
management subnet, 55
N
NAT, 89
NTP, 81
P
port forwarding, 53
PPPoE/PPTP for DSL, 67
Product overview, 6
proxy
  configuration, 65
R
RADIUS, 59
  accounting backup, 66
  attributes, 128, 129
  servers, 62
  settings, 60
  WISP, 64
redirection URL, 77
restore settings, 83
route
  configuration, 52
S
save settings, 83
SNMP, 45, 90, 92
start-up
  administrator password, 18
  create welcome, 17
  DNS set-up, 16
  e-mail redirection, 18
  IP address management, 16
  RADIUS set-up, 16
station supervision, 101
step by step, 16
support, 5
syslog, 79
system, 79
system reset, 96
system status, 93
T
technical data, 111
telnet access, 87
trace system, 80
trace system levels, 80
tunnels, 67
U
UAT, 19, 88
upgrade, 97
user isolation, 89
user pages
  help, 24
  logon, 22
  logout, 23
  unauthorized, 24
  welcome, 22
user pages templates, 135
user pages upload, 71
users statistics, 99
V
visitor access, 89
VLAN
  configuration, 51
VPN, 7
W
walled garden, 77
web interface
  connection, 99
  menu, 48
  user, 69
web proxy, 78
welcome, 22, 70