ZyXEL ATP

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration required on Zyxel ATP firewall equipment for integration with the Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to the following servers and domains so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server:

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • To use the Guest and Enterprise module configurations, the Octopus platform licenses for the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 Radius Server

It is necessary to add the RADIUS servers of the Wifi Platform. To do that, go to Configuration > Object > AAA Server and open the RADIUS tab. Once inside, click on Add to add a new RADIUS server and configure the following parameters:

  • Name: Radius_Guest

  • Authentication Server Settings

    • Server Address: <IP_Radius_1>

    • Authentication Port: 1812

    • Backup Server Address: <IP_Radius_2>

    • Backup Authentication Port: 1812

    • Key: <Secret>

  • Accounting Server Settings

    • Server Address: <IP_Radius_1>

    • Accounting Port: 1813

    • Backup Server Address: <IP_Radius_2>

    • Backup Accounting Port: 1813

    • Key: <Secret>

    • Enable Accounting Interim update: Enable

    • Interim Interval: 10

  • General Server Settings

    • Timeout: 5

    • NAS Identifier: ZYXEL

Once the RADIUS server has been added, go to Configuration > Object > Auth. Method to add a new authentication method associated with the RADIUS server created above. Click on Add and configure:

  • Name: AuthMethod_Guest

  • Method List: the one created previously, Radius_Guest

2.2 Walled Garden

To add the domains that the user can reach before being validated on the captive portal, go to Configuration > Object > Address/Geo IP and, in the Address tab, create an entry (Add) with an identifying name for each domain you want to allow.

  • Name: Identifying name

  • Address Type: FQDN

  • FQDN: Domain or sub-domain

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

Once the entries are added, group them in an Address Group. To do that, click on Add and configure:

  • Name: Name identification of the list, Walled_Garden, for example.

  • Address Type: FQDN

  • Member List: Select all the elements you are interested in from the list on the left and move them to the right column with the arrow pointing in that direction.

Click on OK to save the changes.

2.3 Captive Portal

Next, configure the external captive portal: go to Configuration > Web Authentication and open the Authentication Type tab. Once inside, click on Add and configure the following parameters:

  • Type: Web Portal

  • Profile Name: Guest_Portal

  • Check the option: External Web Portal

    • Login URL: http://<captive_portal_domain>/login/hotspot/zywall

    • Welcome URL: To apply the landing configuration defined in the platform, enter the redirection URL found in the WLAN section of the Octopus Platform.

      • URL Format: <protocol>://<domain-portal>/login/hotspot/landing/wifiarea/WIFIAREA_ID/WLAN_ID

      • Substitute:

        • protocol: http or https. It must be the same protocol used in the Login URL.

        • domain-portal: the same <captive_portal_domain> used in the Login URL.


Once added click on Apply to save the changes and go to the General window. Then configure the following parameters:

  • Enable Web Authentication: check this box to enable the captive portal.

Finally within Web Authentication Policy Summary click on Add to add a new policy with the following configuration:

  • Enable Policy: enable this option

  • Incoming Interface: Select the interface to which we want to apply the captive portal.

  • Source Address: any

  • Destination Address: any

  • Authentication: required

  • Single Sign-on: disable this option

  • Force User Authentication: Enable this option

  • Authentication Type: Guest_Portal

Next, also from Web Authentication Policy Summary, add an entry for the walled garden:

  • Enable Policy: Enable this option

  • Incoming Interface: Select the interface to which we want to apply the captive portal.

  • Source Address: any

  • Destination Address: Walled_Garden, or the name of the Address Group created earlier.

  • Schedule: none

  • Authentication: unnecessary

Click on Apply to save the configuration. Then open the submenu Configuration > System > WWW and configure:

  • Enable HTTP and HTTPS options

  • Disable the option "Redirect HTTP to HTTPS"

  • In the Authentication section at the bottom, set Client Authentication Method: AuthMethod (the Auth. Method created in section 2.1)

2.4 Authorized MAC Addresses

In order to allow users to authenticate on the captive portal, it is necessary to identify the NAS that will be allowed to send authentication requests to the RADIUS server. In this case the MAC address of the device must be added. To find this MAC address, go to the Dashboard; the Device Information widget shows the MAC address of the device.


For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Wifiareas>General information

2.5 Additional settings

Idle Timeout

To finish the configuration it is necessary to activate the Idle-Timeout so that users are removed from the network after a period of inactivity. To do that, go to Configuration > Object > User/Group and open the Setting tab.

Within the Miscellaneous Settings section check the Enable user idle detection checkbox and set 15 minutes as User idle timeout.

Apply configuration to WLAN

The first step is to associate the interface to the SSID where you want to apply the configuration. To do this, go to Configuration > Object > AP Profile and select the SSID tab. Once inside, click on Add to add a new SSID profile and configure the following parameters:

  • VLAN ID: Select the VLAN associated with the captive portal.


To publish the configuration on the Access Points, go to Configuration > Wireless > AP Management and open the AP Group tab. Select the group to which you want to add the guest SSID and configure:

  • Radio 1 Setting: Select the previously created SSID Profile from the list.

  • Radio 2 Setting: Select the previously created SSID Profile from the list.



3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Configuration of the "Access Profiles" functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles enable a series of functionalities on the Omada. Although the most common and proprietary Omada RADIUS dictionaries are available, the following is a list of some of the most interesting attributes:

  • Idle-Timeout

    • Description: Maximum idle time. If the user does not transfer any data on the network during this time, the session is terminated and the user has to re-authenticate.

    • Format: Seconds

  • Filter-ID

    • Description: Returns a Role or connection profile previously created on the Zyxel. The name of the Group Identifier of the Role must be the same on the Zyxel as in the access profile of the platform.

  • Reply-Message

    • Description: Useful for troubleshooting, since it allows identifying associated elements of the Octopus platform, such as an access profile, access method, location, ...

Filter-ID Configuration

Go to Object > AAA Server > RADIUS and, under User Login Settings, set Group Membership Attribute: Filter-ID. Then go to Object > User/Group > User and create a new entry with the following settings:

  • User-Name: a name of your choice that identifies the entry.

  • User-Type: ext-group-user.

  • Group Identifier: Very important value, because it is the one configured in the RADIUS access profile and the one returned in the Filter-ID attribute.

  • Associated AAA Server Object: radius.

Example of an Access Profile configuration with the attributes explained above:


For more information on how to create an Access Profile in the Octopus Platform, go to Access profiles.
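As an added example (not part of this guide, the Zyxel firmware or the Octopus platform), the following Python decodes a RADIUS Access-Accept of the kind described in sections 2.1 and 3.1: it verifies the Response Authenticator with the shared <Secret> configured on the RADIUS object, extracts Idle-Timeout, Filter-ID and Reply-Message, and checks that Filter-ID names one of the Group Identifiers created under Object > User/Group > User. The secret, Request Authenticator and attribute values are constructed for the demonstration.

```python
import hashlib
import struct

# RFC 2865 packet code and attribute types for the attributes listed in 3.1
ACCESS_ACCEPT = 2
FILTER_ID, REPLY_MESSAGE, IDLE_TIMEOUT = 11, 18, 28

def build_access_accept(ident, request_auth, secret, attrs):
    """Encode attrs as TLVs; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_access_accept(packet, request_auth, secret):
    """Verify the authenticator under the configured <Secret>, then decode the reply attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (wrong key or forged reply)")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + l]
        if t == IDLE_TIMEOUT:        # 4-byte integer, seconds
            attrs["Idle-Timeout"] = struct.unpack("!I", value)[0]
        elif t == FILTER_ID:         # must equal a Group Identifier on the Zyxel
            attrs["Filter-ID"] = value.decode()
        elif t == REPLY_MESSAGE:     # troubleshooting text only, never used for policy
            attrs["Reply-Message"] = value.decode()
        pos += l
    return attrs

def role_for(attrs, group_identifiers):
    """Filter-ID selects the ext-group-user with the same Group Identifier; None = no role."""
    fid = attrs.get("Filter-ID")
    return fid if fid in group_identifiers else None

def demo():
    # Constructed sample values: hypothetical shared key and Request Authenticator
    secret, req_auth = b"example-secret", bytes(range(16))
    pkt = build_access_accept(7, req_auth, secret, [(IDLE_TIMEOUT, struct.pack("!I", 900)),
                              (FILTER_ID, b"Staff"), (REPLY_MESSAGE, b"profile=Staff")])
    attrs = parse_access_accept(pkt, req_auth, secret)
    return attrs, role_for(attrs, {"Staff", "Guests"})
```

A Filter-ID that matches no Group Identifier yields None, which is the symptom to look for when a user authenticates but receives no role on the firewall.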