4ipnet

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of 4ipnet equipment for integration with Octopus Platform.

1- Pre-requisites

  • If a firewall in the network might block the traffic, allow access to the following servers so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • To configure the Guest and Enterprise modules, the Octopus platform licenses for the respective modules must be contracted beforehand.

2- Guest module configuration

2.1  Radius Servers

Radius Authentication

Next, configure the Radius Servers that validate users on the captive portal. Go to Users > External Authentication > RADIUS and edit the desired server with the following parameters:

  • NAS Identifier: FOURIPNET

  • Attributes Priority:

    • Acct Interim Interval: 10 Minutes

IMPORTANT: Change the drop-down that shows “Overwrite Server’s Settings” to the value “Set if not Present”; otherwise incorrect session times will result.

  • Retransmission Settings:

    • Number of Retries: 2

    • Timeout: 3

  • Primary RADIUS Server:

    • Authentication Server: <IP_Radius_1>

    • Authentication Port: 1812

    • Authentication Secret Key: <Secret>

    • Authentication Protocol: PAP

    • Accounting Service: Enable

    • Accounting Server: <IP_Radius_1>

    • Accounting Port: 1813

    • Accounting Secret Key: <Secret>

  • Secondary RADIUS Server:

    • Authentication Server: <IP_Radius_2>

    • Authentication Port: 1812

    • Authentication Secret Key: <Secret>

    • Authentication Protocol: PAP

    • Accounting Service: Enable

    • Accounting Server: <IP_Radius_2>

    • Accounting Port: 1813

    • Accounting Secret Key: <Secret>

Authentication Server

It is necessary to define a Postfix with the name of the Realm associated with the Locations inside the platform, so that the controller does not return the error "Authentication Option (associated with the postfix) is not found".

To do this within the WiFi Platform, access Configuration > Organization to view the List of clients and obtain the REALM parameter of the Locations in question.

Finally, in the controller's configuration, go to Users > Authentication Servers, edit the RADIUS authentication server and fill in the following parameter:

  • User Postfix: <REALM>

2.2 Captive Portal

We must now configure the captive portal to which we will redirect the users in order to validate their access to the WiFi service. To do this, go to System > Service Zones and configure the "Authentication Settings" section first to enable the access policies for the chosen zone:

  • Authentication: Enable

  • Portal URL: URL to which you want to redirect the user. You can force a specific one (by checking the "Specific" option), leave the original one to which the user navigated (option "Original") or not force any (option "None").

  • Authentication Options: mark as "default" and "enabled" the RADIUS option created in the previous step

  • All other options are left as default.

Then click on Login Page Customization and then on General Login Page and configure with the following parameters:

  • Use External Page: Selected

  • External URL: https://<captive_portal_domain>/login/hotspot/fouripnet

Finally, we will configure the URL to which the users will be redirected after logging in. To do this we access System > Service Zones and edit the zone where we want to make the configuration. Click on Login Page Customization and then on Service Disclaimer. If you wish to configure the redirection from the WiFi platform, go to Login Success Page and configure with the following parameters:

  • Use External Page: Selected

  • External URL: https://<captive_portal_domain>/login/hotspot/landing/wifiarea/WIFIAREA_ID/WLAN_ID

To obtain the WIFIAREA_ID and WLAN_ID parameters to complete the above URL, access the WIFI platform and within the Location configuration access WLAN > Redirections by type of access. You can then obtain the URL to be configured for the external redirection of each SSID after user validation.

2.3 Walled Garden

The next step is to add the domains to which the user will have free access before validating in the captive portal. To do this go to Network > Walled Garden and click on Add Walled Garden List. Fill in the following parameters:

  • Domain Name/IP Address/URL: domain to release

  • Walled Garden:

    • Active: Selected

    • Service Zone: Select the zone where the captive portal has been configured

Finally click on Apply to save the changes.

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

2.4 HTTP or HTTPS login process configuration

There are two configuration options for the validation of the captive portal: one over HTTP, where the traffic is not encrypted, and the other over HTTPS.


HTTP option

No changes are needed for this option; the default values can be left in place.

HTTPS option

The controller has a built-in factory default certificate (gateway.example.com) that cannot be deleted, but a new certificate can be uploaded. To do so, go to Main Menu > Utilities > Certificate and edit the System Certificate entry that is going to be used for the HTTPS login.

To upload the new certificate click on Browse and select the 3 files provided by the support team:

  • Certificate: certificate.crt

  • Private Key: certificate.key

  • Intermediate CA: certificate.ca.crt

To finish click on Upload Files.

Next, select the certificate so that it is used in the login process. To do this, go to General Settings and configure the following parameters:

  • HTTPS Certificate: name of the new certificate.

  • User HTTPS Login: Enable

    • Secure: Enable

  • Internal Domain Name: Enable "Use the name on SSL certificate" (it will change automatically when the controller is rebooted)

Finally, apply the changes and restart the controller.

To verify that everything has been uploaded properly, check that the Internal Domain Name has changed:

This subdomain associated with the certificate will resolve to the controller's management IP.

2.5 Authorized MAC Addresses

For users to authenticate correctly in the captive portal, the NAS that sends the authentication requests to the Radius Server must be identified. In this case, it is necessary to add the WAN MAC address of the controller. To obtain it, go to Status > System Summary > System Report and select the WAN interface used for internet access to get the MAC Address:

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication configuration

To activate MAC authentication, edit the zone enabled for the captive portal and enable this option. Go to System > Service Zones, select the zone to be configured and, in the "Authentication Settings" section, enable the setting called "MAC authentication" and select the previously registered RADIUS server in the "MAC Auth. Server" drop-down: