Setup guide
either case, the HTTP POST method (or, if that is not possible, the HTTP GET method) is used to send
data to the HotSpot gateway.
HotSpot can authenticate users against the local user database or a RADIUS server (the local
database is consulted first, then the RADIUS server). If authentication is done locally, the profile
corresponding to that user is used; otherwise (in the case of RADIUS) the default profile is used to
set default values for parameters that are not set in the RADIUS Access-Accept message. For more
information on how the interaction with a RADIUS server works, see the respective manual section.
If authentication by HTTP cookie is enabled, then after each successful login a cookie is sent to the
web browser and the same cookie is added to the active HTTP cookie list. The next time the user tries
to log in, the web browser will send the HTTP cookie. This cookie is compared to the one stored on
the HotSpot gateway, and the user is logged in automatically only if both the source MAC address and
the randomly generated ID are the same. Otherwise, the user is prompted to log in, and if
authentication is successful, the old cookie is removed from the local HotSpot active cookie list
and a new one with a different random ID and expiration time is added to the list and sent to
the web browser.
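The cookie check described above can be modelled as follows. This is an added example, not code
from the HotSpot gateway: the class and method names, the cookie lifetime and the sample MAC
addresses are assumptions made for illustration.

```python
import hmac
import secrets
import time

COOKIE_LIFETIME = 3 * 24 * 3600  # assumed lifetime in seconds (not from the manual)


class ActiveCookieList:
    """Hypothetical model of the gateway's active HTTP cookie list."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised
        self._entries = []     # each entry: user, source MAC, random ID, expiry

    def login_succeeded(self, user, src_mac):
        """After a successful login: remove the user's old cookie, add a new one."""
        self._entries = [e for e in self._entries if e["user"] != user]
        cookie_id = secrets.token_hex(16)          # fresh random ID every login
        self._entries.append({"user": user, "mac": src_mac.lower(),
                              "id": cookie_id,
                              "expires": self._now() + COOKIE_LIFETIME})
        return cookie_id                            # value sent to the web browser

    def auto_login(self, src_mac, presented_id):
        """Return the user name only if MAC and random ID both match a live entry."""
        now = self._now()
        self._entries = [e for e in self._entries if e["expires"] > now]
        for e in self._entries:
            same_id = hmac.compare_digest(e["id"].encode(), presented_id.encode())
            if same_id and e["mac"] == src_mac.lower():
                return e["user"]
        return None                                 # caller shows the login page


if __name__ == "__main__":
    # Constructed sample data: two client MAC addresses and one user.
    cookies = ActiveCookieList()
    first = cookies.login_succeeded("alice", "00:11:22:33:44:55")
    print(cookies.auto_login("00:11:22:33:44:55", first))   # same MAC and ID
    print(cookies.auto_login("66:77:88:99:AA:BB", first))   # same ID, other MAC
    second = cookies.login_succeeded("alice", "00:11:22:33:44:55")
    print(cookies.auto_login("00:11:22:33:44:55", first))   # rotated-out ID
    print(cookies.auto_login("00:11:22:33:44:55", second))  # current ID
```

A cookie presented from a different source MAC address, or one that was replaced by a later login,
falls through to the login page.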
RADIUS authentication is CHAP by default, but it is possible to force the HotSpot gateway to use
PAP. To do this, you should enable unencrypted passwords and remove the possibility for the
servlet to hash the passwords (see the Customizing HotSpot servlet chapter on how to do it).
Authorization
One of the two login methods is used for each client individually (you may choose one, or
allow the choice to be made automatically, in the user profile configuration). The enabled-address
method is the preferred one, so if it is configured correctly and the client has a proper IP address
(one that matches the one set in the user database), this method will be used. If the
enabled-address method is not enabled or the client's IP address should be changed, the HotSpot
Gateway tries to use the dhcp-pool method. In that case, Wandy HotSpot Gateway's DHCP server tries
to change the DHCP address lease the client might have received before the authentication. It is
possible to specify what IP address each particular user will receive after he/she logs in (that way
a user will always get the same IP no matter what computer he/she has logged in from).
Address assignment with dhcp-pool login method
To create a HotSpot infrastructure with the dhcp-pool method, the DHCP server should be configured
to lease IP addresses from a temporary IP address pool for a very short period of time (a lease time
of about 14 seconds; lower values may cause problems with some DHCP clients). This temporary
subnet should have some restrictions, so that users who have received a temporary IP address can
only access the HotSpot login page.
Once a user is authenticated, the HotSpot gateway changes the lease assigned to the user so that
he/she will receive an IP address from a different IP address pool when the current temporary lease
expires (it is not possible to recall a DHCP lease, so the address will only change when the
temporary lease expires).
Accounting
The HotSpot system performs user accounting through firewall rules. You should create a hotspot
firewall chain, and the system will put two dynamic rules there for each active user (one for upload
and one for download). You should make all the traffic you need accounting for pass through this