ZyXEL Nebula
CONFIGURATION GUIDE
The purpose of the following manual is to describe the configuration required for the ZyXEL Nebula Controller Center solution for integration with Octopus Platform.
1- Pre-requisites
In order to comply with the data retention law in the integration with the WiFi platform, it is necessary to purchase the Nebula Pro Pack license that allows you to configure Radius Accounting Servers.
If a firewall in the network might block the traffic, you will need to allow access to the following servers to enable user authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
To configure the Guest and Enterprise modules, you must first contract the Octopus platform licenses for the respective modules.
2- Guest module configuration
2.1 Initial Configuration
If a new SSID is created from scratch, go to Access point > Configure > SSID overview > Show All and fill in the following parameters:
Name: Set the SSID that the APs will radiate
Enabled: ON
Guest Network: OFF
2.2 SSID
Network Access
In Access point > Configure > Authentication, select the guest WiFi SSID at the top and configure the following parameters:
Network access: Open
Sign-in method: Sign-on with My RADIUS server
Radius Servers
Add the RADIUS servers for authentication and accounting.
RADIUS server:
Host: <IP_Radius_1>
Port: 1812
Secret: <Secret>
Host: <IP_Radius_2>
Port: 1812
Secret: <Secret>
NAS Identifier: Leave blank
RADIUS accounting: RADIUS Accounting enabled
RADIUS accounting servers:
Host: <IP_Radius_1>
Port: 1813
Secret: <Secret>
Host: <IP_Radius_2>
Port: 1813
Secret: <Secret>
Walled Garden
Add the domains that users must be able to reach freely before they are validated in the captive portal. Depending on the access methods selected in the captive portal, it will be necessary to configure a list of allowed domains in the configuration of the WLAN solution.
If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted from the following link.
The Zyxel Nebula Control Center solution does not allow adding more than 20 rules in the Walled Garden.
If any rule is duplicated, it will not allow saving the changes.
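A pre-flight check for the two limits above, written as an added example (it is not part of the original guide or of any Zyxel or Octopus tooling). It assumes entries are domain names, optionally with a leading `*.` wildcard that matches subdomains, and that case and trailing-dot variants count as the same rule; the sample domains are constructed.

```python
MAX_RULES = 20  # Walled Garden rule limit stated in this guide


def normalize(rule):
    """Trim whitespace, lower-case, drop a trailing dot (assumed equivalent forms)."""
    return rule.strip().lower().rstrip(".")


def covered_by(rule, wildcard):
    """True if rule falls under a '*.suffix' entry (assumed wildcard semantics)."""
    if not wildcard.startswith("*.") or rule == wildcard:
        return False
    return rule.lstrip("*").endswith(wildcard[1:])  # compare against ".suffix"


def check_walled_garden(rules):
    """Return (clean_rules, problems) for a proposed Walled Garden list."""
    clean, problems, seen = [], [], set()
    for raw in rules:
        rule = normalize(raw)
        if not rule:
            continue
        if rule in seen:
            problems.append(f"duplicate: {rule}")  # a duplicate blocks saving
            continue
        seen.add(rule)
        clean.append(rule)
    # Entries already matched by a wildcard only consume one of the 20 slots.
    wildcards = [r for r in clean if r.startswith("*.")]
    for rule in list(clean):
        hit = next((w for w in wildcards if covered_by(rule, w)), None)
        if hit:
            problems.append(f"redundant: {rule} (covered by {hit})")
            clean.remove(rule)
    if len(clean) > MAX_RULES:
        problems.append(f"too many rules: {len(clean)} > {MAX_RULES}")
    return clean, problems


if __name__ == "__main__":
    # Constructed sample list, not the platform's real domain list.
    sample = ["portal.example.com", "*.example.net", "login.example.net",
              "Portal.Example.com. ", "example.net"]
    clean, problems = check_walled_garden(sample)
    for p in problems:
        print("PROBLEM:", p)
    print(f"{len(clean)}/{MAX_RULES} rules to enter:", ", ".join(clean))
```

Every entry in this list is reachable before sign-on, so review the cleaned list rather than only its length.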
Captive portal access attribute
In the Captive portal access attribute section, configure the following parameters:
Login on multiple client devices: Multiple devices access simultaneously
Strict Policy: Block all access until sign-on
2.3 Captive portal
In the section Access point > Configure > Captive Portal, select the guest SSID at the top and, in the External captive portal URL section, configure:
Use URL: ON
URL: http://<captive_portal_domain>/login/hotspot/zynebula
Finally, configure the URL to which users will be redirected after logging in, in the Captive portal behaviour section. Enter a URL generated by the WiFi platform so that the redirection can be managed from the platform.
To promotion URL: https://<captive_portal_domain>/login/hotspot/landing/wifiarea/WIFIAREA_ID/WLAN_ID
To obtain the complete URL, access the WiFi platform and, within the Location configuration, go to WLAN > Redirections by access type.
2.4 Authorized MAC addresses
In this case it is necessary to add to the WiFi platform the MAC addresses of all the APs that will radiate the SSID with the captive portal. To obtain these MAC addresses easily, go to AP > Monitor > Access Point and look for the column that shows the MAC address of each AP.
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.
3.1 Configuration of “Access Profiles” functionality in the Octopus Platform
Through the Octopus platform it is possible to configure a series of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities on the Zyxel. Although the most common RADIUS dictionaries and the proprietary Zyxel ones are available, the following is a list of some of the most interesting attributes:
Attribute | Description | Format |
---|---|---|
Idle-Timeout | Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
Reply-Message | Useful for troubleshooting, since it allows identifying associated elements of the Octopus platform, such as an access profile, access method, location, ... | |
Example of an Access Profile configuration with the attributes explained above: